diff --git a/.github/workflows/build-and-release.yml b/.github/workflows/build-and-release.yml
index b3b7afd..dfbd826 100644
--- a/.github/workflows/build-and-release.yml
+++ b/.github/workflows/build-and-release.yml
@@ -21,7 +21,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21
+ go-version: 1.23
 - run: GOPROXY=direct GOSUMDB=off GO111MODULE=on go build .
 docker:
 name: Docker build and push
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index a733f12..f6922fa 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -15,7 +15,7 @@ jobs:
 steps:
 - uses: actions/setup-go@v4
 with:
- go-version: 1.21
+ go-version: 1.23
 - uses: actions/checkout@master
 - name: golangci-lint
 uses: golangci/golangci-lint-action@v3
@@ -42,7 +42,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21
+ go-version: 1.23
 - run: GOPROXY=https://proxy.golang.org,direct GOSUMDB=off GO111MODULE=on go install github.com/kisielk/errcheck@latest; /home/runner/go/bin/errcheck -tags draft ./...
 error_code_check:
 name: Error code utility check
@@ -55,7 +55,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21
+ go-version: 1.23
 - run: |
 errWillHave="level=error"
 GOPROXY=https://proxy.golang.org,direct GOSUMDB=off GO111MODULE=on go install github.com/layer5io/meshkit/cmd/errorutil;
@@ -77,7 +77,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21
+ go-version: 1.23
 - uses: dominikh/staticcheck-action@v1.2.0
 with:
 install-go: false
@@ -93,7 +93,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21
+ go-version: 1.23
 - run: GOPROXY=https://proxy.golang.org,direct GOSUMDB=off GO111MODULE=on go vet -tags draft ./...
 sec_check:
 name: Security check
@@ -123,7 +123,7 @@ jobs:
 - name: Setup Go
 uses: actions/setup-go@v4
 with:
- go-version: 1.21
+ go-version: 1.23
 - name: Create cluster using KinD
 uses: engineerd/setup-kind@v0.5.0
 with:
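Review bot: In ci.yml hunk `@@ -42,7 +42,7 @@`, the `run:` line kept directly under the bumped `go-version` installs `github.com/kisielk/errcheck@latest` with `GOSUMDB=off`, so the tool code executed in CI is neither pinned to a version nor checked against the Go checksum database. The same `GOSUMDB=off` prefix sits on the `go build`, `errorutil` install and `go vet` lines visible in the other hunks, and the lint job still uses `actions/checkout@master`. Since this commit already touches each of these steps, consider dropping `GOSUMDB=off`, pinning the tool as `go install github.com/kisielk/errcheck@<pinned-version>`, and pinning the checkout action to a release tag or commit SHA. The rest of each job lies outside the hunks, so whether a later step verifies modules cannot be seen here.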
diff --git a/.github/workflows/component-generator.yml b/.github/workflows/component-generator.yml index 01008a7..8a74c2a 100644 --- a/.github/workflows/component-generator.yml +++ b/.github/workflows/component-generator.yml @@ -18,7 +18,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: 1.21 + go-version: 1.23 - name: Run adapter to create components run: | touch log.txt diff --git a/.github/workflows/error-ref-publisher.yml b/.github/workflows/error-ref-publisher.yml index 4ddc031..6be808b 100644 --- a/.github/workflows/error-ref-publisher.yml +++ b/.github/workflows/error-ref-publisher.yml @@ -21,7 +21,7 @@ jobs: - name: Setup Go uses: actions/setup-go@v4 with: - go-version: 1.21 + go-version: 1.23 - name: Run utility run: | diff --git a/Dockerfile b/Dockerfile index 01c9db8..eb93586 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM golang:1.21 as build-env +FROM golang:1.23 as build-env ARG VERSION ARG GIT_COMMITSHA diff --git a/go.mod b/go.mod index da44364..485db4a 100644 --- a/go.mod +++ b/go.mod @@ -1,6 +1,6 @@ module github.com/layer5io/meshery-cilium -go 1.19 +go 1.23 replace github.com/kudobuilder/kuttl => github.com/layer5io/kuttl v0.4.1-0.20200723152044-916f10574334 diff --git a/go.sum b/go.sum index 6fbc095..5729f34 100644 --- a/go.sum +++ b/go.sum 
@@ -8,7 +8,9 @@ cloud.google.com/go v0.46.3/go.mod h1:a6bKKbmY7er1mI7TEI4lsAkts/mkhTSZK8w33B4RAg cloud.google.com/go v0.110.10 h1:LXy9GEO+timppncPIAZoOj3l58LIU9k+kn48AN7IO3Y= cloud.google.com/go/bigquery v1.0.1/go.mod h1:i/xbL2UlR5RvWAURpBYZTtm/cXjCha9lbfbpx4poX+o= cloud.google.com/go/compute v1.23.3 h1:6sVlXXBmbd7jNX0Ipq0trII3e4n1/MsADLK6a+aiVlk= +cloud.google.com/go/compute v1.23.3/go.mod h1:VCgBUoMnIVIR0CscqQiPJLAG25E3ZRZMzcFZeQ+h8CI= cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY= +cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA= cloud.google.com/go/datastore v1.0.0/go.mod h1:LXYbyblFSglQ5pkeyhO+Qmw7ukd3C+pD7TKLgZqpHYE= cloud.google.com/go/pubsub v1.0.1/go.mod h1:R0Gpsv3s54REJCy4fxDixWD93lHJMoZTyQ2kNxGRt3I= cuelang.org/go v0.6.0 h1:dJhgKCog+FEZt7OwAYV1R+o/RZPmE8aqFoptmxSWyr8= @@ -32,6 +34,7 @@ github.com/BurntSushi/toml v1.3.2 h1:o7IhLm0Msx3BaB+n3Ag7L8EVlByGnpq14C4YWiu/gL8 github.com/BurntSushi/toml v1.3.2/go.mod h1:CxXYINrC8qIiEnFrOxCa7Jy5BFHlXnUU2pbicEuybxQ= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/DATA-DOG/go-sqlmock v1.5.0 h1:Shsta01QNfFxHCfpW6YH2STWB0MudeXXEWMr20OEh60= +github.com/DATA-DOG/go-sqlmock v1.5.0/go.mod h1:f/Ixk793poVmq4qj/V1dPUg2JEAKC73Q5eFN3EC/SaM= github.com/MakeNowJust/heredoc v1.0.0 h1:cXCdzVdstXyiTqTvfqk9SDHpKNjxuom+DOlyEeQ4pzQ= github.com/MakeNowJust/heredoc v1.0.0/go.mod h1:mG5amYoWBHf8vpLOuehzbGGw0EHxpZZ6lCpQ4fNJ8LE= github.com/Masterminds/goutils v1.1.1 h1:5nUrii3FMTL5diU80unEVvNevw1nH4+ZV4DSLVJLSYI= 
@@ -60,14 +63,17 @@ github.com/PuerkitoBio/purell v1.1.1/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/PuerkitoBio/urlesc v0.0.0-20170810143723-de5bf2ad4578/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE= github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d h1:UrqY+r/OJnIp5u0s1SbQ8dVfLCZJsnvazdBP5hS4iRs= +github.com/Shopify/logrus-bugsnag v0.0.0-20171204204709-577dee27f20d/go.mod h1:HI8ITrYtUY+O+ZhtlqUnD8+KwNPOyugEhfP9fdUIaEQ= github.com/agnivade/levenshtein v1.0.1/go.mod h1:CURSv5d9Uaml+FovSIICkLbAUZ9S4RqaHDIsdSBg7lM= github.com/alecthomas/template v0.0.0-20160405071501-a0175ee3bccc/go.mod h1:LOuyumcjzFXgccqObfd/Ljyb9UuFJ6TxHnclSeseNhc= github.com/alecthomas/units v0.0.0-20151022065526-2efee857e7cf/go.mod h1:ybxpYRFXyAe+OPACYpWeL0wqObRcbAqCMya13uyzqw0= github.com/alessio/shellescape v0.0.0-20190409004728-b115ca0f9053/go.mod h1:xW8sBma2LE3QxFSzCnH9qe6gAE2yO9GvQaWwX89HxbE= github.com/andreyvit/diff v0.0.0-20170406064948-c7f18ee00883/go.mod h1:rCTlJbsFo29Kk6CurOXKm700vrz8f0KW0JNfpkRJY/8= github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be h1:9AeTilPcZAjCFIImctFaOjnTIavg87rW78vTPkQqLI8= +github.com/anmitsu/go-shlex v0.0.0-20200514113438-38f4b401e2be/go.mod h1:ySMOLuWl6zY27l47sB3qLNK6tF2fkHG55UZxx8oIVo4= github.com/armon/consul-api v0.0.0-20180202201655-eb2c6b5be1b6/go.mod h1:grANhF5doyWs3UAsr3K4I6qtAmlQcZDesFNEHPZAzj8= github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5 h1:0CwZNZbxp69SHPdPJAN/hZIm0C4OItdklCFmMRWYpio= +github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkYZB8zMSxRWpUBQtwG5a7fFgvEO+odwuTv2gs= github.com/asaskevich/govalidator v0.0.0-20180720115003-f9ffefc3facf/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= 
github.com/asaskevich/govalidator v0.0.0-20200428143746-21a406dcc535 h1:4daAzAu0S6Vi7/lbWECcX0j45yZReDZ56BQsrVBOEEY= @@ -79,9 +85,13 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r github.com/bgentry/speakeasy v0.1.0/go.mod h1:+zsyZBPWlz7T6j88CTgSN5bM796AkVf0kBD4zp0CCIs= github.com/blang/semver v3.5.0+incompatible/go.mod h1:kRBLl5iJ+tD4TcOOxsy/0fnwebNt5EWlYSAyrTnjyyk= github.com/bshuster-repo/logrus-logstash-hook v1.0.0 h1:e+C0SB5R1pu//O4MQ3f9cFuPGoOVeF2fE4Og9otCc70= +github.com/bshuster-repo/logrus-logstash-hook v1.0.0/go.mod h1:zsTqEiSzDgAa/8GZR7E1qaXrhYNDKBYy5/dWPTIflbk= github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd h1:rFt+Y/IK1aEZkEHchZRSq9OQbsSzIT/OrI8YFFmRIng= +github.com/bugsnag/bugsnag-go v0.0.0-20141110184014-b1d153021fcd/go.mod h1:2oa8nejYd4cQ/b0hMIopN0lCRxU0bueqREvZLWFrtK8= github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b h1:otBG+dV+YK+Soembjv71DPz3uX/V/6MMlSyD9JBQ6kQ= +github.com/bugsnag/osext v0.0.0-20130617224835-0dd3f918b21b/go.mod h1:obH5gd0BsqsP2LwDJ9aOkm/6J86V6lyAXCoQWGw3K50= github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0 h1:nvj0OLI3YqYXer/kZD8Ri1aaunCxIEsOst1BVJswV0o= +github.com/bugsnag/panicwrap v0.0.0-20151223152923-e2c28503fcd0/go.mod h1:D/8v3kj0zr8ZAKg1AQ6crr+5VwKN5eIywRkfhyM/+dE= github.com/bwesterb/go-ristretto v1.2.3/go.mod h1:fUIoIZaG73pV5biE2Blr2xEzDoMj7NFEuV9ekS419A0= github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqylYbM= github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE= 
@@ -99,14 +109,17 @@ github.com/cloudflare/circl v1.3.3 h1:fE/Qz0QdIGqeWfnwq0RE0R7MI51s0M2E4Ga9kq5AEM github.com/cloudflare/circl v1.3.3/go.mod h1:5XYMA4rFBvNIrhs50XuiBJ15vF2pZn4nnUKZrLbUZFA= github.com/cncf/udpa/go v0.0.0-20191209042840-269d4d468f6f/go.mod h1:M8M6+tZqaGXZJjfX53e64911xZQV5JYwmTeXPW+k8Sc= github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4 h1:/inchEIKaYC1Akx+H+gqO04wryn5h75LSazbRlnya1k= +github.com/cncf/xds/go v0.0.0-20230607035331-e9ce68804cb4/go.mod h1:eXthEFrGJvWHgFFCl3hGmgk+/aYT6PnTQLykKQRLhEs= github.com/cockroachdb/apd/v3 v3.2.1 h1:U+8j7t0axsIgvQUqthuNm82HIrYXodOV2iWLWtEaIwg= github.com/cockroachdb/apd/v3 v3.2.1/go.mod h1:klXJcjp+FffLTHlhIG69tezTDvdP065naDsHzKhYSqc= github.com/cockroachdb/datadriven v0.0.0-20190809214429-80d97fb3cbaa/go.mod h1:zn76sxSg3SzpJ0PPJaLDCu+Bu0Lg3sKTORVIj19EIF8= github.com/containerd/cgroups v1.1.0 h1:v8rEWFl6EoqHB+swVNjVoCJE8o3jX7e8nqBGPLaDFBM= +github.com/containerd/cgroups v1.1.0/go.mod h1:6ppBcbh/NOOUU+dMKrykgaBnK9lCIBxHqJDGwsa1mIw= github.com/containerd/containerd v1.2.9/go.mod h1:bC6axHOhabU15QhwfG7w5PipXdVtMXFTttgp+kVtyUA= github.com/containerd/containerd v1.7.11 h1:lfGKw3eU35sjV0aG2eYZTiwFEY1pCzxdzicHP3SZILw= github.com/containerd/containerd v1.7.11/go.mod h1:5UluHxHTX2rdvYuZ5OJTC5m/KJNs0Zs9wVoJm9zf5ZE= github.com/containerd/continuity v0.4.2 h1:v3y/4Yz5jwnvqPKJJ+7Wf93fyWoCB3F5EclWG023MDM= +github.com/containerd/continuity v0.4.2/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I= github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo= github.com/coreos/bbolt v1.3.2/go.mod h1:iRUV2dpdMOn7Bo10OQBFzIJO9kkE559Wcmn+qkEiiKk= 
@@ -126,6 +139,7 @@ github.com/cpuguy83/go-md2man/v2 v2.0.3/go.mod h1:tgQtvFlXSQOSOSIRvRPT7W67SCa46t github.com/creack/pty v1.1.7/go.mod h1:lj5s0c3V2DBrqTV7llrYr5NG6My20zk30Fl46Y7DoTY= github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ33E= github.com/creack/pty v1.1.18 h1:n56/Zwd5o6whRC5PMGretI4IdRLlmBXYNjScPaBgsbY= +github.com/creack/pty v1.1.18/go.mod h1:MOBLtS5ELjhRRrroQr9kyvTxUAFNvYEK993ew/Vr4O4= github.com/cyphar/filepath-securejoin v0.2.4 h1:Ugdm7cg7i6ZK6x3xDF1oEu1nfkyfH53EtKeQYTC3kyg= github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxGGx79pTxQpKOJNYHHl4= github.com/davecgh/go-spew v0.0.0-20151105211317-5215b55f46b2/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= @@ -136,6 +150,7 @@ github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc/go.mod h1:J7Y8Yc github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= github.com/dgryski/go-sip13 v0.0.0-20181026042036-e10d5fee7954/go.mod h1:vAd38F8PWV+bWy6jNmig1y/TA+kYO4g3RSRF0IAv0no= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= +github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= github.com/docker/cli v24.0.6+incompatible h1:fF+XCQCgJjjQNIMjzaSmiKJSCcfcXb3TWTcc7GAneOY= github.com/docker/cli v24.0.6+incompatible/go.mod h1:JLrzqnKDaYBop7H2jaqPtU4hHvMKP+vjCwu2uszcLI8= github.com/docker/distribution v2.7.1+incompatible/go.mod h1:J2gT2udsDAN96Uj4KfcMRqY0/ypR+oyYUYmja8H+y+w= 
@@ -150,6 +165,7 @@ github.com/docker/docker-credential-helpers v0.7.0/go.mod h1:rETQfLdHNT3foU5kuNk github.com/docker/go-connections v0.4.0 h1:El9xVISelRB7BuFusrZozjnkIM5YnzCViNKohAFqRJQ= github.com/docker/go-connections v0.4.0/go.mod h1:Gbd7IOopHjR8Iph03tsViu4nIes5XhDvyHbTtUxmeec= github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c h1:+pKlWGMw7gf6bQ+oDZB4KHQFypsfjYlq/C4rfL7D3g8= +github.com/docker/go-events v0.0.0-20190806004212-e31b211e4f1c/go.mod h1:Uw6UezgYA44ePAFQYUehOuCzmy5zmg/+nl2ZfMWGkpA= github.com/docker/go-metrics v0.0.1 h1:AgB/0SvBxihN0X8OR4SjsblXkbMvalQ8cjmtKQ2rQV8= github.com/docker/go-metrics v0.0.1/go.mod h1:cG1hvH2utMXtqgqqYE9plW6lDxS3/5ayHzueweSI3Vw= github.com/docker/go-units v0.3.3/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= @@ -157,6 +173,7 @@ github.com/docker/go-units v0.4.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDD github.com/docker/go-units v0.5.0 h1:69rxXcBk27SvSaaxTtLh/8llcHD8vYHT7WSdRZ/jvr4= github.com/docker/go-units v0.5.0/go.mod h1:fgPhTUdO+D/Jk86RDLlptpiXQzgHJF7gydDDbaIK4Dk= github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1 h1:ZClxb8laGDf5arXfYcAtECDFgAgHklGI8CxgjHnXKJ4= +github.com/docker/libtrust v0.0.0-20150114040149-fa567046d9b1/go.mod h1:cyGadeNEkKy96OOhEzfZl+yxihPEzKnqJwvfuSUqbZE= github.com/docker/spdystream v0.0.0-20160310174837-449fdfce4d96/go.mod h1:Qh8CwZgvJUkLughtfhJv5dyTYa91l1fOUCrgjqmcifM= github.com/docopt/docopt-go v0.0.0-20180111231733-ee0de3bc6815/go.mod h1:WwZ+bS3ebgob9U8Nd0kOddGdZWjyMGR8Wziv+TBNwSE= github.com/dustin/go-humanize v0.0.0-20171111073723-bb3d318650d4/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25KnS6fMYU6eOk= 
@@ -164,11 +181,13 @@ github.com/dustin/go-humanize v1.0.0/go.mod h1:HtrtbFcZ19U5GC7JDqmcUSB87Iq5E25Kn github.com/dustinkirkland/golang-petname v0.0.0-20191129215211-8e5a1ed0cff0/go.mod h1:V+Qd57rJe8gd4eiGzZyg4h54VLHmYVVw54iMnlAMrF8= github.com/elazarl/goproxy v0.0.0-20170405201442-c4fc26588b6e/go.mod h1:/Zj4wYkgs4iZTTu3o/KG3Itv/qCCa8VVMlb3i9OVuzc= github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a h1:mATvB/9r/3gvcejNsXKSkQ6lcIaNec2nyfOdlTBR2lU= +github.com/elazarl/goproxy v0.0.0-20230808193330-2592e75ae04a/go.mod h1:Ro8st/ElPeALwNFlcTpWmkr6IoMFfkjXAvTHpevnDsM= github.com/emicklei/go-restful v0.0.0-20170410110728-ff4f55a20633/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful v2.9.5+incompatible/go.mod h1:otzb+WCGbkyDHkqmQmT5YD2WR4BBwUdeQoFo8l/7tVs= github.com/emicklei/go-restful/v3 v3.11.0 h1:rAQeMHw1c7zTmncogyy8VvRZwtkmkZ4FxERmMY4rD+g= github.com/emicklei/go-restful/v3 v3.11.0/go.mod h1:6n3XBCmQQb25CM2LCACGz8ukIrRry+4bhvbpWn3mrbc= github.com/emicklei/proto v1.10.0 h1:pDGyFRVV5RvV+nkBK9iy3q67FBy9Xa7vwrOTE+g5aGw= +github.com/emicklei/proto v1.10.0/go.mod h1:rn1FgRS/FANiZdD2djyH7TMA9jdRDcYQ9IEN9yvjX0A= github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc= github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ= github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4= 
@@ -176,6 +195,7 @@ github.com/envoyproxy/go-control-plane v0.9.1-0.20191026205805-5f8ba28d4473/go.m github.com/envoyproxy/go-control-plane v0.9.4/go.mod h1:6rpuAdCZL397s3pYoYcLgu1mIlRU8Am5FuJP05cCM98= github.com/envoyproxy/protoc-gen-validate v0.1.0/go.mod h1:iSmxcyjqTsJpI2R4NaDN7+kN2VEUnK/pcBlmesArF7c= github.com/envoyproxy/protoc-gen-validate v1.0.2 h1:QkIBuU5k+x7/QXPvPPnWXWlCdaBFApVqftFV6k087DA= +github.com/envoyproxy/protoc-gen-validate v1.0.2/go.mod h1:GpiZQP3dDbg4JouG/NNS7QWXpgx6x8QiMKdmN72jogE= github.com/evanphx/json-patch v4.2.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk= github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI= @@ -188,7 +208,9 @@ github.com/fatih/color v1.14.1/go.mod h1:2oHN61fhTpgcxD3TSWCgKDiH1+x4OiDVVGH8Wlg github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg= github.com/felixge/httpsnoop v1.0.4/go.mod h1:m8KPJKqk1gH5J9DgRY2ASl2lWCfGKXixSwevea8zH2U= github.com/foxcpp/go-mockdns v1.0.0 h1:7jBqxd3WDWwi/6WhDvacvH1XsN3rOLXyHM1uhvIx6FI= +github.com/foxcpp/go-mockdns v1.0.0/go.mod h1:lgRN6+KxQBawyIghpnl5CezHFGS9VLzvtVlwxvzXTQ4= github.com/frankban/quicktest v1.14.6 h1:7Xjx+VpznH+oBnejlPUj8oUpdxnVs4f8XU8WnHkI4W8= +github.com/frankban/quicktest v1.14.6/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo= github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ= github.com/fsnotify/fsnotify v1.7.0 h1:8JEhPFa5W2WU7YfeZzPNqzMP6Lwt7L2715Ggo0nosvA= 
@@ -196,6 +218,7 @@ github.com/fsnotify/fsnotify v1.7.0/go.mod h1:40Bi/Hjc2AVfZrqy+aj+yEI+/bRxZnMJyT github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/gliderlabs/ssh v0.3.5 h1:OcaySEmAQJgyYcArR+gGGTHCyE7nvhEMTlYY+Dp8CpY= +github.com/gliderlabs/ssh v0.3.5/go.mod h1:8XB4KraRrX39qHhT6yxPsHedjA08I/uBVwj4xC+/+z4= github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/globalsign/mgo v0.0.0-20181015135952-eeefdecb41b8/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= @@ -205,6 +228,7 @@ github.com/go-git/gcfg v1.5.1-0.20230307220236-3a3c6141e376/go.mod h1:an3vInlBmS github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+mTU= github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow= github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4= +github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII= github.com/go-git/go-git/v5 v5.11.0 h1:XIZc1p+8YzypNr34itUfSvYJcv+eYdTnTvOZ2vD3cA4= github.com/go-git/go-git/v5 v5.11.0/go.mod h1:6GFcX2P3NM7FPBfpePbpLd21XxsgdAt+lKqXmCUiUCY= github.com/go-gorp/gorp/v3 v3.1.0 h1:ItKF/Vbuj31dmV4jxA1qblpSwkl9g1typ24xoe70IGs= 
@@ -269,14 +293,19 @@ github.com/go-openapi/validate v0.18.0/go.mod h1:Uh4HdOzKt19xGIGm1qHf/ofbX1YQ4Y+ github.com/go-openapi/validate v0.19.2/go.mod h1:1tRCw7m3jtI8eNWEEliiAqUIcBztB2KDnRCRMUi7GTA= github.com/go-openapi/validate v0.19.5/go.mod h1:8DJv2CVJQ6kGNpFW6eV9N3JviE1C85nY1c2z52x1Gk4= github.com/go-quicktest/qt v1.100.0 h1:I7iSLgIwNp0E0UnSvKJzs7ig0jg/Iq83zsZjtQNW7jY= +github.com/go-quicktest/qt v1.100.0/go.mod h1:leyLsQ4jksGmF1KaQEyabnqGIiJTbOU5S46QegToEj4= github.com/go-sql-driver/mysql v1.6.0 h1:BCTh4TKNUYmOmMUcQ3IipzF5prigylS7XXjEkfCHuOE= github.com/go-sql-driver/mysql v1.6.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI= +github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/gobuffalo/flect v0.2.0/go.mod h1:W3K3X9ksuZfir8f/LrfVtWmCDQFfayuylOJ7sz/Fj80= github.com/gobuffalo/logger v1.0.6 h1:nnZNpxYo0zx+Aj9RfMPBm+x9zAU2OayFh/xrAWi34HU= +github.com/gobuffalo/logger v1.0.6/go.mod h1:J31TBEHR1QLV2683OXTAItYIg8pv2JMHnF/quuAbMjs= github.com/gobuffalo/packd v1.0.1 h1:U2wXfRr4E9DH8IdsDLlRFwTZTK7hLfq9qT/QHXGVe/0= +github.com/gobuffalo/packd v1.0.1/go.mod h1:PP2POP3p3RXGz7Jh6eYEf93S7vA2za6xM7QT85L4+VY= github.com/gobuffalo/packr/v2 v2.8.3 h1:xE1yzvnO56cUC0sTpKR3DIbxZgB54AftTFMhB2XEWlY= +github.com/gobuffalo/packr/v2 v2.8.3/go.mod h1:0SahksCVcx4IMnigTjiFuyldmTrdTctXsOdiU5KwbKc= github.com/gobwas/glob v0.2.3 h1:A4xDbljILXROh+kObIiy5kIaPYD8e96x1tgBhUI5J+Y= github.com/gobwas/glob v0.2.3/go.mod h1:d3Ez4x06l9bZtSvzIay5+Yzi0fmZzPgnTbPcKjJAkT8= github.com/gogo/protobuf v1.1.1/go.mod h1:r8qH/GZQm5c6nD/R0oafs1akxWv10x8SbQlK7atdtwQ= 
@@ -310,6 +339,7 @@ github.com/golang/protobuf v1.5.2/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiu github.com/golang/protobuf v1.5.3 h1:KhyjKVUg7Usr/dYsdSqoFveMYd5ko72D+zANwlG1mmg= github.com/golang/protobuf v1.5.3/go.mod h1:XVQd3VNwM+JqD3oG2Ue2ip4fOMUkwXdXDdiuN0vRsmY= github.com/gomodule/redigo v1.8.2 h1:H5XSIre1MB5NbPYFp+i1NBbb5qN1W8Y8YAQoAYbkm8k= +github.com/gomodule/redigo v1.8.2/go.mod h1:P9dn9mFrCBvWhGE1wpxx6fgq7BAeLBk+UUUzlpkBYO0= github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ= github.com/google/btree v1.0.1 h1:gK4Kx5IaGY9CD5sPJ36FHiBJ6ZXl0kilRiiCj+jdYp4= @@ -339,6 +369,7 @@ github.com/google/martian v2.1.0+incompatible/go.mod h1:9I4somxYTbIHy5NJKHRl3wXi github.com/google/pprof v0.0.0-20181206194817-3ea8567a2e57/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20190515194954-54271f7e092f/go.mod h1:zfwlbNMJ+OItoe0UupaVj+oy1omPYYDuagoSzA8v9mc= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec= +github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510 h1:El6M4kTTCOh6aBiKaUGG7oYTSPP8MxqL4YI3kZKwcP4= github.com/google/shlex v0.0.0-20191202100458-e7afc7fbc510/go.mod h1:pupxD2MaaD3pAXIBCelhxNneeOaAeabZDe5s4K6zSpQ= 
@@ -354,6 +385,7 @@ github.com/gophercloud/gophercloud v0.1.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEo github.com/gophercloud/gophercloud v0.2.0/go.mod h1:vxM41WHh5uqHVBMZHzuwNOHh8XEoIEcSTewFxm1c5g8= github.com/gorilla/context v1.1.1/go.mod h1:kBGZzfjB9CEq2AlWe17Uuf7NDRt0dE0s8S51q0aT7Yg= github.com/gorilla/handlers v1.5.1 h1:9lRY6j8DEeeBT10CvO9hGW0gmky0BprnvDI5vfhUHH4= +github.com/gorilla/handlers v1.5.1/go.mod h1:t8XrUpc4KVXb7HGyJ4/cEnwQiaxrX/hz1Zv/4g96P1Q= github.com/gorilla/mux v1.6.2/go.mod h1:1lud6UwP+6orDFRuTfBEV8e9/aOM/c4fVVCaMa2zaAs= github.com/gorilla/mux v1.8.1 h1:TuBL49tXwgrFYWhqrNgrUNEY92u81SPhu7sTdzQEiWY= github.com/gorilla/mux v1.8.1/go.mod h1:AKf9I4AEqPTmMytcMc0KkNouC66V3BtZ4qD5fmWSiMQ= @@ -379,6 +411,7 @@ github.com/hashicorp/go-multierror v1.1.1/go.mod h1:iw975J/qwKPdAO1clOe2L8331t/9 github.com/hashicorp/golang-lru v0.5.0/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.1/go.mod h1:/m3WP610KZHVQ1SGc6re/UDhFvYD7pJ4Ao+sR/qLZy8= github.com/hashicorp/golang-lru v0.5.4 h1:YDjusn29QI/Das2iO9M0BHnIbxPeyuCHsjMW+lJfyTc= +github.com/hashicorp/golang-lru v0.5.4/go.mod h1:iADmTwqILo4mZ8BN3D2Q6+9jd8WM5uGBxy+E8yxSoD4= github.com/hashicorp/hcl v1.0.0 h1:0Anlzjpi4vEasTeNFn2mLJgTSwt0+6sfsiTG8qcWGx4= github.com/hashicorp/hcl v1.0.0/go.mod h1:E5yfLk+7swimpb2L/Alb/PJmXilQ/rhwaUYs4T20WEQ= github.com/hpcloud/tail v1.0.0/go.mod h1:ab1qPbhIpdTxEkNHXyeSf5vhxWSCs/tWer42PpOxQnU= 
@@ -420,6 +453,7 @@ github.com/json-iterator/go v1.1.12/go.mod h1:e30LSqwooZae/UwlEbR2852Gd8hjQvJoHm github.com/jstemmer/go-junit-report v0.0.0-20190106144839-af01ea7f8024/go.mod h1:6v2b51hI/fHJwM22ozAgKL4VKDeJcHhJFhtBdhmNjmU= github.com/julienschmidt/httprouter v1.2.0/go.mod h1:SYymIcj16QtmaHHD7aYtjjsJG7VTCxuUUipMqKk8s4w= github.com/karrick/godirwalk v1.16.1 h1:DynhcF+bztK8gooS0+NDJFrdNZjJ3gzVzC545UNA9iw= +github.com/karrick/godirwalk v1.16.1/go.mod h1:j4mkqPuvaLI8mp1DroR3P6ad7cyYd4c1qeJ3RV7ULlk= github.com/kevinburke/ssh_config v1.2.0 h1:x584FjTGwHzMwvHx18PXxbBVzfnxogHaAReU4gf13a4= github.com/kevinburke/ssh_config v1.2.0/go.mod h1:CT57kijsi8u/K/BOFA39wgDQJ9CxiF4nAY/ojJ6r6mM= github.com/kisielk/errcheck v1.1.0/go.mod h1:EZBBE59ingxPouuu3KfxchcWSUPOHkagtvWXihfKN4Q= @@ -434,6 +468,7 @@ github.com/kr/logfmt v0.0.0-20140226030751-b84e30acd515/go.mod h1:+0opPa2QZZtGFB github.com/kr/pretty v0.1.0/go.mod h1:dAy3ld7l9f0ibDNOQOHHMYYIIbhfbHSm3C4ZsoJORNo= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pretty v0.3.1 h1:flRD4NNwYAUpkphVc1HcthR4KEIFJ65n8Mw5qdRn3LE= +github.com/kr/pretty v0.3.1/go.mod h1:hoEshYVHaxMs3cyo3Yncou5ZscifuDolrwPKZanG3xk= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= github.com/kr/pty v1.1.5/go.mod h1:9r2w37qlBe7rQ6e1fg1S/9xpWHSnaqNdHD3WcMdbPDA= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= 
@@ -470,8 +505,11 @@ github.com/mailru/easyjson v0.7.0/go.mod h1:KAzv3t3aY1NaHWoQz1+4F1ccyAH66Jk7yos7 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= github.com/markbates/errx v1.1.0 h1:QDFeR+UP95dO12JgW+tgi2UVfo0V8YBHiUIOaeBPiEI= +github.com/markbates/errx v1.1.0/go.mod h1:PLa46Oex9KNbVDZhKel8v1OT7hD5JZ2eI7AHhA0wswc= github.com/markbates/oncer v1.0.0 h1:E83IaVAHygyndzPimgUYJjbshhDTALZyXxvk9FOlQRY= +github.com/markbates/oncer v1.0.0/go.mod h1:Z59JA581E9GP6w96jai+TGqafHPW+cPfRxz2aSZ0mcI= github.com/markbates/safe v1.0.1 h1:yjZkbvRM6IzKj9tlu/zMJLS0n/V351OZWRnF3QfaUxI= +github.com/markbates/safe v1.0.1/go.mod h1:nAqgmRi7cY2nqMc92/bSEeQA+R4OheNU2T1kNSCBdG0= github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU= github.com/mattn/go-colorable v0.1.2/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE= @@ -494,6 +532,7 @@ github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5 github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg= github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k= github.com/miekg/dns v1.1.25 h1:dFwPR6SfLtrSwgDcIq2bcU/gVutB4sNApq2HBdqcakg= +github.com/miekg/dns v1.1.25/go.mod h1:bPDLeHnStXmXAq1m/Ch/hvfNHr14JKNPMBo3VZKjuso= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= 
@@ -511,6 +550,7 @@ github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQ github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= github.com/moby/spdystream v0.2.0/go.mod h1:f7i0iNDQJ059oMTcWxx8MA/zKFIuD/lY+0GqbN2Wy8c= github.com/moby/sys/mountinfo v0.6.2 h1:BzJjoreD5BMFNmD9Rus6gdd1pLuecOFPt8wC+Vygl78= +github.com/moby/sys/mountinfo v0.6.2/go.mod h1:IJb6JQeOklcdMU9F5xQ8ZALD+CUr5VlGpwtX+VE0rpI= github.com/moby/term v0.5.0 h1:xt8Q1nalod/v7BqbG21f8mQPqH+xAaC9C3N3wfWbVP0= github.com/moby/term v0.5.0/go.mod h1:8FzsFHVUBGZdbDsJw/ot+X+d5HLUbvklYLJ9uGfcI3Y= github.com/modern-go/concurrent v0.0.0-20180228061459-e0a39a4cb421/go.mod h1:6dJC0mAP4ikYIbvyc7fijjWJddQyLn8Ig3JB5CqoB9Q= @@ -544,6 +584,7 @@ github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108 github.com/onsi/ginkgo v1.14.1 h1:jMU0WaQrP0a/YAEq8eJmJKjBoMs+pClEr1vDMlM/Do4= github.com/onsi/ginkgo v1.14.1/go.mod h1:iSB4RoI2tjJc9BBv4NKIKWKya62Rps+oPG/Lv9klQyY= github.com/onsi/ginkgo/v2 v2.9.4 h1:xR7vG4IXt5RWx6FfIjyAtsoMAtnc3C/rFXBBd2AjZwE= +github.com/onsi/ginkgo/v2 v2.9.4/go.mod h1:gCQYp2Q+kSoIj7ykSVb9nskRSsR6PUj4AiLywzIhbKM= github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA= github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= 
@@ -551,6 +592,7 @@ github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoT github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.2/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.27.10 h1:naR28SdDFlqrG6kScpT8VWpu1xWY5nJRCF3XaYyBjhI= +github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3evPbQ0M= github.com/opencontainers/go-digest v1.0.0-rc1/go.mod h1:cMLVZDEM3+U2I4VmLI6N8jQYUd2OVphdqWwCJHrFt2s= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= @@ -565,6 +607,7 @@ github.com/pelletier/go-toml/v2 v2.1.0/go.mod h1:tJU2Z3ZkXwnxa4DPO899bsyIoywizdU github.com/peterbourgon/diskv v2.0.1+incompatible h1:UBdAOUP5p4RWqPBg048CAvpKN+vxiaj6gdUUzhl4XmI= github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU= github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5 h1:Ii+DKncOVM8Cu1Hc+ETb5K+23HdAMvESYE3ZJ5b5cMI= +github.com/phayes/freeport v0.0.0-20220201140144-74d24b5ae9f5/go.mod h1:iIss55rKnNBTvrwdmkUpLnDpZoAHvWaiq5+iMmen4AE= github.com/pjbgf/sha1cd v0.3.0 h1:4D5XXmUUBUl/xQ6IjCkEAbqXskkq/4O7LmGn0AqMDs4= github.com/pjbgf/sha1cd v0.3.0/go.mod h1:nZ1rrWOcGJ5uZgEEVL1VUM9iRQiZvWdbZjkKyFzPPsI= github.com/pkg/errors v0.8.0/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= 
@@ -575,7 +618,9 @@ github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINE github.com/pmezard/go-difflib v0.0.0-20151028094244-d8ed2627bdf0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U= +github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/poy/onpar v1.1.2 h1:QaNrNiZx0+Nar5dLgTVp5mXkyoVFIbepjyEoGSnhbAY= +github.com/poy/onpar v1.1.2/go.mod h1:6X8FLNoxyr9kkmnlqpK6LSoiOtrO6MICtWwEuWkLjzg= github.com/pquerna/cachecontrol v0.0.0-20171018203845-0dec1b30a021/go.mod h1:prYjPmNq4d1NPVmpShWobRqXY3q7Vp+80DqgxxUrUIA= github.com/prometheus/client_golang v0.9.1/go.mod h1:7SWBe2y4D6OKWSNQJUaRYU/AaXPKyh/dDVn+NZz0KFw= github.com/prometheus/client_golang v0.9.3/go.mod h1:/TN21ttK/J9q6uSwhBd54HahCDft0ttaMvbicHlPoso= 
@@ -602,10 +647,12 @@ github.com/prometheus/procfs v0.12.0 h1:jluTpSng7V9hY0O2R9DzzJHYb2xULk9VTR1V1R/k github.com/prometheus/procfs v0.12.0/go.mod h1:pcuDEFsWDnvcgNzo4EEweacyhjeA9Zk3cnaOZAZEfOo= github.com/prometheus/tsdb v0.7.1/go.mod h1:qhTCs0VvXwvX/y3TZrWD7rabWM+ijKTux40TwIPHuXU= github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0 h1:sadMIsgmHpEOGbUs6VtHBXRR1OHevnj7hLx9ZcdNGW4= +github.com/protocolbuffers/txtpbfmt v0.0.0-20230328191034-3462fbc510c0/go.mod h1:jgxiZysxFPM+iWKwQwPR+y+Jvo54ARd4EisXxKYpB5c= github.com/remyoudompheng/bigfft v0.0.0-20170806203942-52369c62f446/go.mod h1:uYEyJGbgTkfkS4+E/PavXkNJcbFIpEtjt2B0KDQ5+9M= github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg= github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4= github.com/rogpeppe/go-internal v1.11.0 h1:cWPaGQEPrBb5/AsnsZesgZZ9yb1OQ+GOISoDNXVBh4M= +github.com/rogpeppe/go-internal v1.11.0/go.mod h1:ddIwULY96R17DhadqLgMfk9H9tvdUzkipdSkR5nkCZA= github.com/rubenv/sql-migrate v1.5.2 h1:bMDqOnrJVV/6JQgQ/MxOpU+AdO8uzYYA/TxFUBzFtS0= github.com/rubenv/sql-migrate v1.5.2/go.mod h1:H38GW8Vqf8F0Su5XignRyaRcbXbJunSWxs+kmzlg0Is= github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g= 
@@ -703,8 +750,11 @@ github.com/yuin/goldmark v1.1.27/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9de github.com/yuin/goldmark v1.2.1/go.mod h1:3hX8gzYuyVAZsxl0MRgGTJEmQBFcNTphYh9decYSb74= github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43 h1:+lm10QQTNSBd8DVTNGHx7o/IKu9HYDvLMffDhbyLccI= +github.com/yvasiyarov/go-metrics v0.0.0-20140926110328-57bccd1ccd43/go.mod h1:aX5oPXxHm3bOH+xeAttToC8pqch2ScQN/JoXYupl6xs= github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50 h1:hlE8//ciYMztlGpl/VA+Zm1AcTPHYkHJPbHqE6WJUXE= +github.com/yvasiyarov/gorelic v0.0.0-20141212073537-a9bba5b9ab50/go.mod h1:NUSPSUX/bi6SeDMUh6brw0nXpxHnc96TguQh0+r/ssA= github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f h1:ERexzlUfuTvpE74urLSbIQW0Z/6hF9t8U4NsJLaioAY= +github.com/yvasiyarov/newrelic_platform_go v0.0.0-20140908184405-b21fdbd4370f/go.mod h1:GlGEuHIJweS1mbCqG+7vt2nvWLzLLnRHbXz5JKd/Qbg= go.etcd.io/bbolt v1.3.2/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU= go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg= 
@@ -714,6 +764,7 @@ go.mongodb.org/mongo-driver v1.1.2/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qL
 go.opencensus.io v0.21.0/go.mod h1:mSImk1erAIZhrmZN+AvHh14ztQfjbGwt4TtuofqLduU=
 go.opencensus.io v0.22.0/go.mod h1:+kGneAE2xo2IficOXnaByMWTGM9T73dGwxeWcUqIpI8=
 go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0 h1:RsQi0qJ2imFfCvZabqzM9cNXBG8k6gXMv1A0cXRmH6A=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.45.0/go.mod h1:vsh3ySueQCiKPxFLvjWC4Z135gIa34TQ/NSqkDTZYUM=
 go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.46.1 h1:aFJWCqJMNjENlcleuuOkGAPH82y0yULBScfXcIEdS24=
@@ -1031,6 +1082,7 @@ gorm.io/gorm v1.25.5/go.mod h1:hbnx/Oo0ChWMn1BIhpy1oYozzpM15i4YPuHDmfYtwg8=
 gotest.tools v2.2.0+incompatible h1:VsBPFP1AI068pPrMxtb/S8Zkgf9xEmTLJjfM+P5UIEo=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 gotest.tools/v3 v3.4.0 h1:ZazjZUfuVeZGLAmlKKuyv3IKP5orXcwtOwDQH6YVr6o=
+gotest.tools/v3 v3.4.0/go.mod h1:CtbdzLSsqVhDgMtKsx03ird5YTGB3ar27v0u/yKBW5g=
 helm.sh/helm/v3 v3.13.2 h1:IcO9NgmmpetJODLZhR3f3q+6zzyXVKlRizKFwbi7K8w=
 helm.sh/helm/v3 v3.13.2/go.mod h1:GIHDwZggaTGbedevTlrQ6DB++LBN6yuQdeGj0HNaDx0=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
diff --git a/main.go b/main.go
index cb548f3..824269a 100644
--- a/main.go
+++ b/main.go
@@ -54,7 +54,6 @@ func main() {
 // Initialize Logger instance
 log, err := logger.New(serviceName, logger.Options{
 Format: logger.SyslogLogFormat,
- DebugLevel: isDebug(),
 })
 if err != nil {
 fmt.Println(err)
diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumclusterwideenvoyconfig.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumclusterwideenvoyconfig.meshery.layer5.io_meshmodel.json
new file mode 100644
index 0000000..85397ae
--- /dev/null
+++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumclusterwideenvoyconfig.meshery.layer5.io_meshmodel.json
@@ -0,0 +1 @@ +{"kind":"CiliumClusterwideEnvoyConfig","apiVersion":"cilium.io/v2","displayName":"Cilium Clusterwide Envoy Config","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"properties\": {\n \"backendServices\": {\n \"description\": \"BackendServices specifies Kubernetes services whose backends\\nare automatically synced to Envoy using EDS. Traffic for these\\nservices is not forwarded to an Envoy listener. 
This allows an\\nEnvoy listener load balance traffic to these backends while\\nnormal Cilium service load balancing takes care of balancing\\ntraffic for these services at the same time.\",\n \"items\": {\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of a destination Kubernetes service that identifies traffic\\nto be redirected.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the Kubernetes service namespace.\\nIn CiliumEnvoyConfig namespace defaults to the namespace of the CEC,\\nIn CiliumClusterwideEnvoyConfig namespace defaults to \\\"default\\\".\",\n \"type\": \"string\"\n },\n \"number\": {\n \"description\": \"Ports is a set of port numbers, which can be used for filtering in case of underlying\\nis exposing multiple port numbers.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"nodeSelector\": {\n \"description\": \"NodeSelector is a label selector that determines to which nodes\\nthis configuration applies.\\nIf nil, then this config applies to all nodes.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"resources\": {\n \"description\": \"Envoy xDS resources, a list of the following Envoy resource types:\\ntype.googleapis.com/envoy.config.listener.v3.Listener,\\ntype.googleapis.com/envoy.config.route.v3.RouteConfiguration,\\ntype.googleapis.com/envoy.config.cluster.v3.Cluster,\\ntype.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment, and\\ntype.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret.\",\n \"items\": {\n \"type\": \"object\",\n \"x-kubernetes-preserve-unknown-fields\": true\n },\n \"type\": \"array\"\n },\n \"services\": {\n \"description\": \"Services specifies Kubernetes services for which traffic is\\nforwarded to an Envoy listener for L7 load balancing. 
Backends\\nof these services are automatically synced to Envoy usign EDS.\",\n \"items\": {\n \"properties\": {\n \"listener\": {\n \"description\": \"Listener specifies the name of the Envoy listener the\\nservice traffic is redirected to. The listener must be\\nspecified in the Envoy 'resources' of the same\\nCiliumEnvoyConfig.\\n\\nIf omitted, the first listener specified in 'resources' is\\nused.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the name of a destination Kubernetes service that identifies traffic\\nto be redirected.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the Kubernetes service namespace.\\nIn CiliumEnvoyConfig namespace this is overridden to the namespace of the CEC,\\nIn CiliumClusterwideEnvoyConfig namespace defaults to \\\"default\\\".\",\n \"type\": \"string\"\n },\n \"ports\": {\n \"description\": \"Ports is a set of service's frontend ports that should be redirected to the Envoy\\nlistener. By default all frontend ports of the service are redirected.\",\n \"items\": {\n \"type\": \"integer\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"resources\"\n ],\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": \"Cilium Clusterwide Envoy Config\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumclusterwidenetworkpolicy.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumclusterwidenetworkpolicy.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..c2d0850 --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumclusterwidenetworkpolicy.meshery.layer5.io_meshmodel.json 
@@ -0,0 +1 @@ +{"kind":"CiliumClusterwideNetworkPolicy","apiVersion":"cilium.io/v2","displayName":"Cilium Clusterwide Network Policy","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumClusterwideNetworkPolicy is a Kubernetes third-party resource with an\\nmodified version of CiliumNetworkPolicy which is cluster scoped rather than\\nnamespace scoped.\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"description\": \"Spec is the desired Cilium specific rule specification.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"endpointSelector\": {}\n },\n \"required\": [\n \"endpointSelector\"\n ]\n },\n {\n \"properties\": {\n \"nodeSelector\": {}\n },\n \"required\": [\n \"nodeSelector\"\n ]\n }\n ],\n \"properties\": {\n \"description\": {\n \"description\": \"Description is a free form string, it can be used by the creator of\\nthe rule to store human readable explanation of the purpose of this\\nrule. 
Rules cannot be identified by comment.\",\n \"type\": \"string\"\n },\n \"egress\": {\n \"description\": \"Egress is a list of EgressRule which are enforced at egress.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": 
{\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. 
Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. 
These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toFQDNs\": {\n \"description\": \"ToFQDN allows whitelisting DNS names in place of IPs. 
The IPs that result\\nfrom DNS resolution of `ToFQDN.MatchName`s are added to the same\\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\\nL7 rules within this EgressRule will also apply to these IPs.\\nThe DNS -\\u003e IP mapping is re-resolved periodically from within the\\ncilium-agent, and the IPs in the DNS response are effected in the policy\\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\\nToFQDN counts as an egress rule and will enforce egress policy when\\nPolicyEnforcment=default.\\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\\nToFQDN rule will not apply to that IP.\\nNote: ToFQDN cannot occur in the same policy as other To* rules.\",\n \"items\": {\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nconnect to.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. 
The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. 
If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. 
These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": \"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"egressDeny\": {\n \"description\": \"EgressDeny is a list of EgressDenyRule which are enforced at egress.\\nAny rule inserted here will be denied regardless of the allowed egress\\nrules in the 'egress' field.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressDenyRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. 
Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is not allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t 
MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. 
Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": 
\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. 
Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to connect\\nto.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is not allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": 
\"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"enableDefaultDeny\": {\n \"description\": \"EnableDefaultDeny determines whether this policy configures the\\nsubject endpoint(s) to have a default deny mode. If enabled,\\nthis causes all traffic not explicitly allowed by a network policy\\nto be dropped.\\n\\nIf not specified, the default is true for each traffic direction\\nthat has rules, and false otherwise. For example, if a policy\\nonly has Ingress or IngressDeny rules, then the default for\\ningress is true and egress is false.\\n\\nIf multiple policies apply to an endpoint, that endpoint's default deny\\nwill be enabled if any policy requests it.\\n\\nThis is useful for creating broad-based network policies that will not\\ncause endpoints to enter default-deny mode.\",\n \"properties\": {\n \"egress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto egress traffic.\",\n \"type\": \"boolean\"\n },\n \"ingress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto ingress traffic.\",\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n },\n \"endpointSelector\": {\n \"description\": \"EndpointSelector selects all endpoints which should be subject to\\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\\nare mutually exclusive.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"ingress\": {\n \"description\": \"Ingress is a list of IngressRule which are enforced at ingress.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressRule contains all rule types which can be applied at ingress,\\ni.e. network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. 
Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections 
from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. 
Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. 
These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | 
RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the 
name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. 
For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. 
If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. 
If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"ingressDeny\": {\n \"description\": \"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\\nAny rule inserted here will be denied regardless of the allowed ingress\\nrules in the 'ingress' field.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressDenyRule contains all rule types which can be applied at ingress,\\ni.e. 
network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. 
Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. 
These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | 
HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. 
This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"labels\": {\n \"description\": \"Labels is a list of optional strings which can be used to\\nre-identify the rule or to store metadata. It is possible to lookup\\nor delete strings based on labels. 
Labels are not required to be\\nunique, multiple rules can have overlapping or identical labels.\",\n \"items\": {\n \"description\": \"Label is the Cilium's representation of a container label.\",\n \"properties\": {\n \"key\": {\n \"type\": \"string\"\n },\n \"source\": {\n \"description\": \"Source can be one of the above values (e.g.: LabelSourceContainer).\",\n \"type\": \"string\"\n },\n \"value\": {\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"key\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"nodeSelector\": {\n \"description\": \"NodeSelector selects all nodes which should be subject to this rule.\\nEndpointSelector and NodeSelector cannot be both empty and are mutually\\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"type\": \"object\"\n },\n \"specs\": {\n \"description\": \"Specs is a list of desired Cilium specific rule specification.\",\n \"items\": {\n \"description\": \"Rule is a policy rule which must be applied to all endpoints which match the\\nlabels contained in the endpointSelector\\n\\nEach rule is split into an ingress section which contains all rules\\napplicable at ingress, and an egress section applicable at egress. For rule\\ntypes such as `L4Rule` and `CIDR` which can be applied at both ingress and\\negress, both ingress and egress side have to either specifically allow the\\nconnection or one side has to be omitted.\\n\\nEither ingress, egress, or both can be provided. 
If both ingress and egress\\nare omitted, the rule has no effect.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"endpointSelector\": {}\n },\n \"required\": [\n \"endpointSelector\"\n ]\n },\n {\n \"properties\": {\n \"nodeSelector\": {}\n },\n \"required\": [\n \"nodeSelector\"\n ]\n }\n ],\n \"properties\": {\n \"description\": {\n \"description\": \"Description is a free form string, it can be used by the creator of\\nthe rule to store human readable explanation of the purpose of this\\nrule. Rules cannot be identified by comment.\",\n \"type\": \"string\"\n },\n \"egress\": {\n \"description\": \"Egress is a list of EgressRule which are enforced at egress.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. 
Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t 
MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. 
Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) 
receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. 
Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toFQDNs\": {\n \"description\": \"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\\nfrom DNS resolution of `ToFQDN.MatchName`s are added to the same\\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\\nL7 rules within this EgressRule will also apply to these IPs.\\nThe DNS -\\u003e IP mapping is re-resolved periodically from within the\\ncilium-agent, and the IPs in the DNS response are effected in the policy\\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\\nToFQDN counts as an egress rule and will enforce egress policy when\\nPolicyEnforcment=default.\\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\\nToFQDN rule will not apply to that IP.\\nNote: ToFQDN cannot occur in the same policy as other To* rules.\",\n \"items\": {\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. 
A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nconnect to.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. 
The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. 
If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. 
These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": \"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"egressDeny\": {\n \"description\": \"EgressDeny is a list of EgressDenyRule which are enforced at egress.\\nAny rule inserted here will be denied regardless of the allowed egress\\nrules in the 'egress' field.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressDenyRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. 
Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is not allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t 
MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. 
Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": 
\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. 
Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to connect\\nto.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is not allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": 
\"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"enableDefaultDeny\": {\n \"description\": \"EnableDefaultDeny determines whether this policy configures the\\nsubject endpoint(s) to have a default deny mode. If enabled,\\nthis causes all traffic not explicitly allowed by a network policy\\nto be dropped.\\n\\nIf not specified, the default is true for each traffic direction\\nthat has rules, and false otherwise. For example, if a policy\\nonly has Ingress or IngressDeny rules, then the default for\\ningress is true and egress is false.\\n\\nIf multiple policies apply to an endpoint, that endpoint's default deny\\nwill be enabled if any policy requests it.\\n\\nThis is useful for creating broad-based network policies that will not\\ncause endpoints to enter default-deny mode.\",\n \"properties\": {\n \"egress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto egress traffic.\",\n \"type\": \"boolean\"\n },\n \"ingress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto ingress traffic.\",\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n },\n \"endpointSelector\": {\n \"description\": \"EndpointSelector selects all endpoints which should be subject to\\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\\nare mutually exclusive.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"ingress\": {\n \"description\": \"Ingress is a list of IngressRule which are enforced at ingress.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressRule contains all rule types which can be applied at ingress,\\ni.e. network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. 
Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections 
from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. 
Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. 
These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | 
RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the 
name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. 
For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. 
If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. 
If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"ingressDeny\": {\n \"description\": \"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\\nAny rule inserted here will be denied regardless of the allowed ingress\\nrules in the 'ingress' field.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressDenyRule contains all rule types which can be applied at ingress,\\ni.e. 
network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. 
Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. 
These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | 
HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. 
This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"labels\": {\n \"description\": \"Labels is a list of optional strings which can be used to\\nre-identify the rule or to store metadata. It is possible to lookup\\nor delete strings based on labels. 
Labels are not required to be\\nunique, multiple rules can have overlapping or identical labels.\",\n \"items\": {\n \"description\": \"Label is the Cilium's representation of a container label.\",\n \"properties\": {\n \"key\": {\n \"type\": \"string\"\n },\n \"source\": {\n \"description\": \"Source can be one of the above values (e.g.: LabelSourceContainer).\",\n \"type\": \"string\"\n },\n \"value\": {\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"key\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"nodeSelector\": {\n \"description\": \"NodeSelector selects all nodes which should be subject to this rule.\\nEndpointSelector and NodeSelector cannot be both empty and are mutually\\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"status\": {\n \"description\": \"Status is the status of the Cilium policy rule.\\n\\nThe reason this field exists in this structure is due a bug in the k8s\\ncode-generator that doesn't create a `UpdateStatus` method because the\\nfield does not exist in the structure.\",\n \"properties\": {\n \"conditions\": {\n \"items\": {\n \"properties\": {\n \"lastTransitionTime\": {\n \"description\": \"The last time the condition transitioned from one status to another.\",\n \"format\": \"date-time\",\n \"type\": \"string\"\n },\n \"message\": {\n \"description\": \"A human readable message indicating details about the transition.\",\n \"type\": \"string\"\n },\n \"reason\": {\n \"description\": \"The reason for the condition's last transition.\",\n \"type\": \"string\"\n },\n \"status\": {\n \"description\": \"The status of the condition, one of True, False, or Unknown\",\n \"type\": \"string\"\n },\n \"type\": {\n \"description\": \"The 
type of the policy condition\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"status\",\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-map-keys\": [\n \"type\"\n ],\n \"x-kubernetes-list-type\": \"map\"\n },\n \"derivativePolicies\": {\n \"additionalProperties\": {\n \"description\": \"CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a\\nspecific node.\",\n \"properties\": {\n \"annotations\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"Annotations corresponds to the Annotations in the ObjectMeta of the CNP\\nthat have been realized on the node for CNP. That is, if a CNP has been\\nimported and has been assigned annotation X=Y by the user,\\nAnnotations in CiliumNetworkPolicyNodeStatus will be X=Y once the\\nCNP that was imported corresponding to Annotation X=Y has been realized on\\nthe node.\",\n \"type\": \"object\"\n },\n \"enforcing\": {\n \"description\": \"Enforcing is set to true once all endpoints present at the time the\\npolicy has been imported are enforcing this policy.\",\n \"type\": \"boolean\"\n },\n \"error\": {\n \"description\": \"Error describes any error that occurred when parsing or importing the\\npolicy, or realizing the policy for the endpoints to which it applies\\non the node.\",\n \"type\": \"string\"\n },\n \"lastUpdated\": {\n \"description\": \"LastUpdated contains the last time this status was updated\",\n \"format\": \"date-time\",\n \"type\": \"string\"\n },\n \"localPolicyRevision\": {\n \"description\": \"Revision is the policy revision of the repository which first implemented\\nthis policy.\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"ok\": {\n \"description\": \"OK is true when the policy has been parsed and imported successfully\\ninto the in-memory policy repository on the node.\",\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"DerivativePolicies is the status of all 
policies derived from the Cilium\\npolicy\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": \"Cilium Clusterwide Network Policy\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumegressgatewaypolicy.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumegressgatewaypolicy.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..a4b59da --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumegressgatewaypolicy.meshery.layer5.io_meshmodel.json 
@@ -0,0 +1 @@ +{"kind":"CiliumEgressGatewayPolicy","apiVersion":"cilium.io/v2","displayName":"Cilium Egress Gateway Policy","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"properties\": {\n \"destinationCIDRs\": {\n \"description\": \"DestinationCIDRs is a list of destination CIDRs for destination IP addresses.\\nIf a destination IP matches any one CIDR, it will be selected.\",\n \"items\": {\n \"pattern\": \"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\/([0-9]|[1-2][0-9]|3[0-2])$\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"egressGateway\": {\n \"description\": \"EgressGateway is the gateway node responsible for SNATing traffic.\",\n \"properties\": {\n \"egressIP\": {\n \"description\": \"EgressIP is the source IP address that the egress traffic is SNATed\\nwith.\\n\\nExample:\\nWhen set to \\\"192.168.1.100\\\", matching egress traffic will be\\nredirected to the node matching the NodeSelector field and SNATed\\nwith IP address 192.168.1.100.\\n\\nWhen none of the Interface or EgressIP fields is specified, 
the\\npolicy will use the first IPv4 assigned to the interface with the\\ndefault route.\",\n \"format\": \"ipv4\",\n \"type\": \"string\"\n },\n \"interface\": {\n \"description\": \"Interface is the network interface to which the egress IP address\\nthat the traffic is SNATed with is assigned.\\n\\nExample:\\nWhen set to \\\"eth1\\\", matching egress traffic will be redirected to the\\nnode matching the NodeSelector field and SNATed with the first IPv4\\naddress assigned to the eth1 interface.\\n\\nWhen none of the Interface or EgressIP fields is specified, the\\npolicy will use the first IPv4 assigned to the interface with the\\ndefault route.\",\n \"type\": \"string\"\n },\n \"nodeSelector\": {\n \"description\": \"This is a label selector which selects the node that should act as\\negress gateway for the given policy.\\nIn case multiple nodes are selected, only the first one in the\\nlexical ordering over the node names will be used.\\nThis field follows standard label selector semantics.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"nodeSelector\"\n ],\n \"type\": \"object\"\n },\n \"excludedCIDRs\": {\n \"description\": \"ExcludedCIDRs is a list of destination CIDRs that will be excluded\\nfrom the egress gateway redirection and SNAT logic.\\nShould be a subset of destinationCIDRs otherwise it will not have any\\neffect.\",\n \"items\": {\n \"pattern\": \"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\/([0-9]|[1-2][0-9]|3[0-2])$\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"selectors\": {\n \"description\": \"Egress represents a list of rules by which egress traffic is\\nfiltered from the source pods.\",\n \"items\": {\n \"properties\": {\n \"namespaceSelector\": {\n \"description\": \"Selects Namespaces using cluster-scoped labels. 
This field follows standard label\\nselector semantics; if present but empty, it selects all namespaces.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"podSelector\": {\n \"description\": \"This is a label selector which selects Pods. This field follows standard label\\nselector semantics; if present but empty, it selects all pods.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"destinationCIDRs\",\n \"egressGateway\",\n \"selectors\"\n ],\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": \"Cilium Egress Gateway Policy\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumendpoint.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumendpoint.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..cd2fadc --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumendpoint.meshery.layer5.io_meshmodel.json 
@@ -0,0 +1 @@ +{"kind":"CiliumEndpoint","apiVersion":"cilium.io/v2","displayName":"Cilium Endpoint","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumEndpoint is the status of a Cilium policy rule.\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"status\": {\n \"description\": \"EndpointStatus is the status of a Cilium endpoint.\",\n \"properties\": {\n \"controllers\": {\n \"description\": \"Controllers is the list of failing controllers for this endpoint.\",\n \"items\": {\n \"description\": \"ControllerStatus is the status of a failing controller.\",\n \"properties\": {\n \"configuration\": {\n \"description\": \"Configuration is the controller configuration\",\n \"properties\": {\n \"error-retry\": {\n \"description\": \"Retry on error\",\n \"type\": \"boolean\"\n },\n \"error-retry-base\": {\n \"description\": \"Base error retry back-off time\\nFormat: duration\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"interval\": {\n \"description\": \"Regular synchronization interval\\nFormat: duration\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n }\n },\n \"type\": 
\"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the controller\",\n \"type\": \"string\"\n },\n \"status\": {\n \"description\": \"Status is the status of the controller\",\n \"properties\": {\n \"consecutive-failure-count\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"failure-count\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"last-failure-msg\": {\n \"type\": \"string\"\n },\n \"last-failure-timestamp\": {\n \"type\": \"string\"\n },\n \"last-success-timestamp\": {\n \"type\": \"string\"\n },\n \"success-count\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"uuid\": {\n \"description\": \"UUID is the UUID of the controller\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"encryption\": {\n \"description\": \"Encryption is the encryption configuration of the node\",\n \"properties\": {\n \"key\": {\n \"description\": \"Key is the index to the key to use for encryption or 0 if encryption is\\ndisabled.\",\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"external-identifiers\": {\n \"description\": \"ExternalIdentifiers is a set of identifiers to identify the endpoint\\napart from the pod name. 
This includes container runtime IDs.\",\n \"properties\": {\n \"cni-attachment-id\": {\n \"description\": \"ID assigned to this attachment by container runtime\",\n \"type\": \"string\"\n },\n \"container-id\": {\n \"description\": \"ID assigned by container runtime (deprecated, may not be unique)\",\n \"type\": \"string\"\n },\n \"container-name\": {\n \"description\": \"Name assigned to container (deprecated, may not be unique)\",\n \"type\": \"string\"\n },\n \"docker-endpoint-id\": {\n \"description\": \"Docker endpoint ID\",\n \"type\": \"string\"\n },\n \"docker-network-id\": {\n \"description\": \"Docker network ID\",\n \"type\": \"string\"\n },\n \"k8s-namespace\": {\n \"description\": \"K8s namespace for this endpoint (deprecated, may not be unique)\",\n \"type\": \"string\"\n },\n \"k8s-pod-name\": {\n \"description\": \"K8s pod name for this endpoint (deprecated, may not be unique)\",\n \"type\": \"string\"\n },\n \"pod-name\": {\n \"description\": \"K8s pod for this endpoint (deprecated, may not be unique)\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"health\": {\n \"description\": \"Health is the overall endpoint \\u0026 subcomponent health.\",\n \"properties\": {\n \"bpf\": {\n \"description\": \"bpf\",\n \"type\": \"string\"\n },\n \"connected\": {\n \"description\": \"Is this endpoint reachable\",\n \"type\": \"boolean\"\n },\n \"overallHealth\": {\n \"description\": \"overall health\",\n \"type\": \"string\"\n },\n \"policy\": {\n \"description\": \"policy\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"id\": {\n \"description\": \"ID is the cilium-agent-local ID of the endpoint.\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity\": {\n \"description\": \"Identity is the security identity associated with the endpoint\",\n \"properties\": {\n \"id\": {\n \"description\": \"ID is the numeric identity of the endpoint\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"labels\": {\n 
\"description\": \"Labels is the list of labels associated with the identity\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"log\": {\n \"description\": \"Log is the list of the last few warning and error log entries\",\n \"items\": {\n \"description\": \"EndpointStatusChange Indication of a change of status\\n\\nswagger:model EndpointStatusChange\",\n \"properties\": {\n \"code\": {\n \"description\": \"Code indicate type of status change\\nEnum: [\\\"ok\\\",\\\"failed\\\"]\",\n \"type\": \"string\"\n },\n \"message\": {\n \"description\": \"Status message\",\n \"type\": \"string\"\n },\n \"state\": {\n \"description\": \"state\",\n \"type\": \"string\"\n },\n \"timestamp\": {\n \"description\": \"Timestamp when status change occurred\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"named-ports\": {\n \"description\": \"NamedPorts List of named Layer 4 port and protocol pairs which will be used in Network\\nPolicy specs.\\n\\nswagger:model NamedPorts\",\n \"items\": {\n \"description\": \"Port Layer 4 port / protocol pair\\n\\nswagger:model Port\",\n \"properties\": {\n \"name\": {\n \"description\": \"Optional layer 4 port name\",\n \"type\": \"string\"\n },\n \"port\": {\n \"description\": \"Layer 4 port number\",\n \"type\": \"integer\"\n },\n \"protocol\": {\n \"description\": \"Layer 4 protocol\\nEnum: [\\\"TCP\\\",\\\"UDP\\\",\\\"SCTP\\\",\\\"ICMP\\\",\\\"ICMPV6\\\",\\\"ANY\\\"]\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"networking\": {\n \"description\": \"Networking is the networking properties of the endpoint.\",\n \"properties\": {\n \"addressing\": {\n \"description\": \"IP4/6 addresses assigned to this Endpoint\",\n \"items\": {\n \"description\": \"AddressPair is a pair of IPv4 and/or IPv6 address.\",\n \"properties\": {\n \"ipv4\": {\n \"type\": \"string\"\n },\n \"ipv6\": {\n \"type\": 
\"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"node\": {\n \"description\": \"NodeIP is the IP of the node the endpoint is running on. The IP must\\nbe reachable between nodes.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"addressing\"\n ],\n \"type\": \"object\"\n },\n \"policy\": {\n \"description\": \"EndpointPolicy represents the endpoint's policy by listing all allowed\\ningress and egress identities in combination with L4 port and protocol.\",\n \"properties\": {\n \"egress\": {\n \"description\": \"EndpointPolicyDirection is the list of allowed identities per direction.\",\n \"properties\": {\n \"adding\": {\n \"description\": \"Deprecated\",\n \"items\": {\n \"description\": \"IdentityTuple specifies a peer by identity, destination port and protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"allowed\": {\n \"description\": \"AllowedIdentityList is a list of IdentityTuples that species peers that are\\nallowed.\",\n \"items\": {\n \"description\": \"IdentityTuple specifies a peer by identity, destination port and protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"denied\": {\n \"description\": \"DenyIdentityList is a list of IdentityTuples that species peers that are\\ndenied.\",\n \"items\": {\n \"description\": \"IdentityTuple specifies a peer by identity, destination port and 
protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"enforcing\": {\n \"type\": \"boolean\"\n },\n \"removing\": {\n \"description\": \"Deprecated\",\n \"items\": {\n \"description\": \"IdentityTuple specifies a peer by identity, destination port and protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"state\": {\n \"description\": \"EndpointPolicyState defines the state of the Policy mode: \\\"enforcing\\\", \\\"non-enforcing\\\", \\\"disabled\\\"\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"enforcing\"\n ],\n \"type\": \"object\"\n },\n \"ingress\": {\n \"description\": \"EndpointPolicyDirection is the list of allowed identities per direction.\",\n \"properties\": {\n \"adding\": {\n \"description\": \"Deprecated\",\n \"items\": {\n \"description\": \"IdentityTuple specifies a peer by identity, destination port and protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"allowed\": {\n \"description\": \"AllowedIdentityList is a list of IdentityTuples that species peers that are\\nallowed.\",\n \"items\": {\n 
\"description\": \"IdentityTuple specifies a peer by identity, destination port and protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"denied\": {\n \"description\": \"DenyIdentityList is a list of IdentityTuples that species peers that are\\ndenied.\",\n \"items\": {\n \"description\": \"IdentityTuple specifies a peer by identity, destination port and protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"enforcing\": {\n \"type\": \"boolean\"\n },\n \"removing\": {\n \"description\": \"Deprecated\",\n \"items\": {\n \"description\": \"IdentityTuple specifies a peer by identity, destination port and protocol.\",\n \"properties\": {\n \"dest-port\": {\n \"type\": \"integer\"\n },\n \"identity\": {\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"identity-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"protocol\": {\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"state\": {\n \"description\": \"EndpointPolicyState defines the state of the Policy mode: \\\"enforcing\\\", \\\"non-enforcing\\\", \\\"disabled\\\"\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"enforcing\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"state\": {\n \"description\": \"State is the state of the endpoint.\",\n \"enum\": [\n 
\"creating\",\n \"waiting-for-identity\",\n \"not-ready\",\n \"waiting-to-regenerate\",\n \"regenerating\",\n \"restoring\",\n \"ready\",\n \"disconnecting\",\n \"disconnected\",\n \"invalid\"\n ],\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": \"Cilium Endpoint\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumenvoyconfig.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumenvoyconfig.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..5688166 --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumenvoyconfig.meshery.layer5.io_meshmodel.json 
@@ -0,0 +1 @@ +{"kind":"CiliumEnvoyConfig","apiVersion":"cilium.io/v2","displayName":"Cilium Envoy Config","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"properties\": {\n \"backendServices\": {\n \"description\": \"BackendServices specifies Kubernetes services whose backends\\nare automatically synced to Envoy using EDS. Traffic for these\\nservices is not forwarded to an Envoy listener. 
This allows an\\nEnvoy listener load balance traffic to these backends while\\nnormal Cilium service load balancing takes care of balancing\\ntraffic for these services at the same time.\",\n \"items\": {\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of a destination Kubernetes service that identifies traffic\\nto be redirected.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the Kubernetes service namespace.\\nIn CiliumEnvoyConfig namespace defaults to the namespace of the CEC,\\nIn CiliumClusterwideEnvoyConfig namespace defaults to \\\"default\\\".\",\n \"type\": \"string\"\n },\n \"number\": {\n \"description\": \"Ports is a set of port numbers, which can be used for filtering in case of underlying\\nis exposing multiple port numbers.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"nodeSelector\": {\n \"description\": \"NodeSelector is a label selector that determines to which nodes\\nthis configuration applies.\\nIf nil, then this config applies to all nodes.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"resources\": {\n \"description\": \"Envoy xDS resources, a list of the following Envoy resource types:\\ntype.googleapis.com/envoy.config.listener.v3.Listener,\\ntype.googleapis.com/envoy.config.route.v3.RouteConfiguration,\\ntype.googleapis.com/envoy.config.cluster.v3.Cluster,\\ntype.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment, and\\ntype.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret.\",\n \"items\": {\n \"type\": \"object\",\n \"x-kubernetes-preserve-unknown-fields\": true\n },\n \"type\": \"array\"\n },\n \"services\": {\n \"description\": \"Services specifies Kubernetes services for which traffic is\\nforwarded to an Envoy listener for L7 load balancing. 
Backends\\nof these services are automatically synced to Envoy usign EDS.\",\n \"items\": {\n \"properties\": {\n \"listener\": {\n \"description\": \"Listener specifies the name of the Envoy listener the\\nservice traffic is redirected to. The listener must be\\nspecified in the Envoy 'resources' of the same\\nCiliumEnvoyConfig.\\n\\nIf omitted, the first listener specified in 'resources' is\\nused.\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the name of a destination Kubernetes service that identifies traffic\\nto be redirected.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the Kubernetes service namespace.\\nIn CiliumEnvoyConfig namespace this is overridden to the namespace of the CEC,\\nIn CiliumClusterwideEnvoyConfig namespace defaults to \\\"default\\\".\",\n \"type\": \"string\"\n },\n \"ports\": {\n \"description\": \"Ports is a set of service's frontend ports that should be redirected to the Envoy\\nlistener. By default all frontend ports of the service are redirected.\",\n \"items\": {\n \"type\": \"integer\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"resources\"\n ],\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": \"Cilium Envoy Config\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumexternalworkload.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumexternalworkload.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..9089941 --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumexternalworkload.meshery.layer5.io_meshmodel.json 
@@ -0,0 +1 @@ +{"kind":"CiliumExternalWorkload","apiVersion":"cilium.io/v2","displayName":"Cilium External Workload","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumExternalWorkload is a Kubernetes Custom Resource that\\ncontains a specification for an external workload that can join the\\ncluster. The name of the CRD is the FQDN of the external workload,\\nand it needs to match the name in the workload registration. The\\nlabels on the CRD object are the labels that will be used to\\nallocate a Cilium Identity for the external workload. If\\n'io.kubernetes.pod.namespace' or 'io.kubernetes.pod.name' labels\\nare not explicitly specified, they will be defaulted to 'default'\\nand \\u003cworkload name\\u003e, respectively. 'io.cilium.k8s.policy.cluster'\\nwill always be defined as the name of the current cluster, which\\ndefaults to \\\"default\\\".\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"description\": \"Spec is the desired configuration of the external Cilium workload.\",\n \"properties\": {\n \"ipv4-alloc-cidr\": {\n \"description\": \"IPv4AllocCIDR is the range of IPv4 addresses in 
the CIDR format that the external workload can\\nuse to allocate IP addresses for the tunnel device and the health endpoint.\",\n \"pattern\": \"^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\\\\/([0-9]|[1-2][0-9]|3[0-2])$\",\n \"type\": \"string\"\n },\n \"ipv6-alloc-cidr\": {\n \"description\": \"IPv6AllocCIDR is the range of IPv6 addresses in the CIDR format that the external workload can\\nuse to allocate IP addresses for the tunnel device and the health endpoint.\",\n \"pattern\": \"^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"status\": {\n \"description\": \"Status is the most recent status of the external Cilium workload.\\nIt is a read-only field.\",\n \"properties\": {\n \"id\": {\n \"description\": \"ID is the numeric identity allocated for the external workload.\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"ip\": {\n \"description\": \"IP is the IP address of the workload. Empty if the workload has not registered.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": \"Cilium External Workload\",\n \"type\": \"object\"\n}"} \ No newline at end of file 
diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumidentity.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumidentity.meshery.layer5.io_meshmodel.json
new file mode 100644
index 0000000..f479269
--- /dev/null
+++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumidentity.meshery.layer5.io_meshmodel.json
@@ -0,0 +1 @@ +{"kind":"CiliumIdentity","apiVersion":"cilium.io/v2","displayName":"Cilium Identity","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumIdentity is a CRD that represents an identity managed by Cilium.\\nIt is intended as a backing store for identity allocation, acting as the\\nglobal coordination backend, and can be used in place of a KVStore (such as\\netcd).\\nThe name of the CRD is the numeric identity and the labels on the CRD object\\nare the kubernetes sourced labels seen by cilium. This is currently the\\nonly label source possible when running under kubernetes. Non-kubernetes\\nlabels are filtered but all labels, from all sources, are places in the\\nSecurityLabels field. These also include the source and are used to define\\nthe identity.\\nThe labels under metav1.ObjectMeta can be used when searching for\\nCiliumIdentity instances that include particular labels. 
This can be done\\nwith invocations such as:\\n\\n\\tkubectl get ciliumid -l 'foo=bar'\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"security-labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"SecurityLabels is the source-of-truth set of labels for this identity.\",\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\",\n \"security-labels\"\n ],\n \"title\": \"Cilium Identity\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumlocalredirectpolicy.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumlocalredirectpolicy.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..6d8cb92 --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumlocalredirectpolicy.meshery.layer5.io_meshmodel.json 
@@ -0,0 +1 @@ +{"kind":"CiliumLocalRedirectPolicy","apiVersion":"cilium.io/v2","displayName":"Cilium Local Redirect Policy","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumLocalRedirectPolicy is a Kubernetes Custom Resource that contains a\\nspecification to redirect traffic locally within a node.\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"description\": \"Spec is the desired behavior of the local redirect policy.\",\n \"properties\": {\n \"description\": {\n \"description\": \"Description can be used by the creator of the policy to describe the\\npurpose of this policy.\",\n \"type\": \"string\"\n },\n \"redirectBackend\": {\n \"description\": \"RedirectBackend specifies backend configuration to redirect traffic to.\\nIt can not be empty.\",\n \"properties\": {\n \"localEndpointSelector\": {\n \"description\": \"LocalEndpointSelector selects node local pod(s) where traffic is redirected to.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of L4 ports with protocol of node local pod(s) where traffic\\nis redirected to.\\nWhen multiple ports are specified, the ports must be named.\",\n \"items\": {\n \"description\": \"PortInfo specifies L4 port number and name along with the transport protocol\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is a port name, which must contain at least one [a-z],\\nand may also contain [0-9] and '-' anywhere except adjacent to another\\n'-' or in the beginning or the end.\",\n \"pattern\": \"^([0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"port\": {\n \"description\": \"Port is an L4 port number. The string will be strictly parsed as a single uint16.\",\n \"pattern\": \"^()([1-9]|[1-5]?[0-9]{2,4}|6[1-4][0-9]{3}|65[1-4][0-9]{2}|655[1-2][0-9]|6553[1-5])$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol.\\nAccepted values: \\\"TCP\\\", \\\"UDP\\\"\",\n \"enum\": [\n \"TCP\",\n \"UDP\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\",\n \"protocol\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"localEndpointSelector\",\n \"toPorts\"\n ],\n \"type\": \"object\",\n \"x-kubernetes-validations\": [\n {\n \"message\": \"redirectBackend is immutable\",\n \"rule\": \"self == oldSelf\"\n }\n ]\n },\n \"redirectFrontend\": {\n \"description\": \"RedirectFrontend specifies frontend configuration to redirect traffic from.\\nIt can not be empty.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"addressMatcher\": {}\n },\n \"required\": [\n \"addressMatcher\"\n ]\n },\n {\n \"properties\": {\n \"serviceMatcher\": {}\n },\n \"required\": [\n \"serviceMatcher\"\n ]\n }\n ],\n \"properties\": {\n \"addressMatcher\": {\n \"description\": 
\"AddressMatcher is a tuple {IP, port, protocol} that matches traffic to be\\nredirected.\",\n \"properties\": {\n \"ip\": {\n \"description\": \"IP is a destination ip address for traffic to be redirected.\\n\\nExample:\\nWhen it is set to \\\"169.254.169.254\\\", traffic destined to\\n\\\"169.254.169.254\\\" is redirected.\",\n \"pattern\": \"((^\\\\s*((([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\\\\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]))\\\\s*$)|(^\\\\s*((([0-9A-Fa-f]{1,4}:){7}([0-9A-Fa-f]{1,4}|:))|(([0-9A-Fa-f]{1,4}:){6}(:[0-9A-Fa-f]{1,4}|((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){1,2})|:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3})|:))|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){1,3})|((:[0-9A-Fa-f]{1,4})?:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){1,4})|((:[0-9A-Fa-f]{1,4}){0,2}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){1,5})|((:[0-9A-Fa-f]{1,4}){0,3}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){1,6})|((:[0-9A-Fa-f]{1,4}){0,4}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:))|(:(((:[0-9A-Fa-f]{1,4}){1,7})|((:[0-9A-Fa-f]{1,4}){0,5}:((25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)(\\\\.(25[0-5]|2[0-4]\\\\d|1\\\\d\\\\d|[1-9]?\\\\d)){3}))|:)))(%.+)?\\\\s*$))\",\n \"type\": \"string\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination L4 ports with protocol for traffic\\nto be redirected.\\nWhen multiple ports are specified, the ports must be named.\\n\\nExample:\\nWhen set to 
Port: \\\"53\\\" and Protocol: UDP, traffic destined to port '53'\\nwith UDP protocol is redirected.\",\n \"items\": {\n \"description\": \"PortInfo specifies L4 port number and name along with the transport protocol\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is a port name, which must contain at least one [a-z],\\nand may also contain [0-9] and '-' anywhere except adjacent to another\\n'-' or in the beginning or the end.\",\n \"pattern\": \"^([0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"port\": {\n \"description\": \"Port is an L4 port number. The string will be strictly parsed as a single uint16.\",\n \"pattern\": \"^()([1-9]|[1-5]?[0-9]{2,4}|6[1-4][0-9]{3}|65[1-4][0-9]{2}|655[1-2][0-9]|6553[1-5])$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol.\\nAccepted values: \\\"TCP\\\", \\\"UDP\\\"\",\n \"enum\": [\n \"TCP\",\n \"UDP\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\",\n \"protocol\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"ip\",\n \"toPorts\"\n ],\n \"type\": \"object\"\n },\n \"serviceMatcher\": {\n \"description\": \"ServiceMatcher specifies Kubernetes service and port that matches\\ntraffic to be redirected.\",\n \"properties\": {\n \"namespace\": {\n \"description\": \"Namespace is the Kubernetes service namespace.\\nThe service namespace must match the namespace of the parent Local\\nRedirect Policy. 
For Cluster-wide Local Redirect Policy, this\\ncan be any namespace.\",\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"description\": \"Name is the name of a destination Kubernetes service that identifies traffic\\nto be redirected.\\nThe service type needs to be ClusterIP.\\n\\nExample:\\nWhen this field is populated with 'serviceName:myService', all the traffic\\ndestined to the cluster IP of this service at the (specified)\\nservice port(s) will be redirected.\",\n \"type\": \"string\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination service L4 ports with protocol for\\ntraffic to be redirected. If not specified, traffic for all the service\\nports will be redirected.\\nWhen multiple ports are specified, the ports must be named.\",\n \"items\": {\n \"description\": \"PortInfo specifies L4 port number and name along with the transport protocol\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is a port name, which must contain at least one [a-z],\\nand may also contain [0-9] and '-' anywhere except adjacent to another\\n'-' or in the beginning or the end.\",\n \"pattern\": \"^([0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"port\": {\n \"description\": \"Port is an L4 port number. 
The string will be strictly parsed as a single uint16.\",\n \"pattern\": \"^()([1-9]|[1-5]?[0-9]{2,4}|6[1-4][0-9]{3}|65[1-4][0-9]{2}|655[1-2][0-9]|6553[1-5])$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol.\\nAccepted values: \\\"TCP\\\", \\\"UDP\\\"\",\n \"enum\": [\n \"TCP\",\n \"UDP\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\",\n \"protocol\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"required\": [\n \"namespace\",\n \"serviceName\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-validations\": [\n {\n \"message\": \"redirectFrontend is immutable\",\n \"rule\": \"self == oldSelf\"\n }\n ]\n },\n \"skipRedirectFromBackend\": {\n \"default\": false,\n \"description\": \"SkipRedirectFromBackend indicates whether traffic matching RedirectFrontend\\nfrom RedirectBackend should skip redirection, and hence the traffic will\\nbe forwarded as-is.\\n\\nThe default is false which means traffic matching RedirectFrontend will\\nget redirected from all pods, including the RedirectBackend(s).\\n\\nExample: If RedirectFrontend is configured to \\\"169.254.169.254:80\\\" as the traffic\\nthat needs to be redirected to backends selected by RedirectBackend, if\\nSkipRedirectFromBackend is set to true, traffic going to \\\"169.254.169.254:80\\\"\\nfrom such backends will not be redirected back to the backends. 
Instead,\\nthe matched traffic from the backends will be forwarded to the original\\ndestination \\\"169.254.169.254:80\\\".\",\n \"type\": \"boolean\",\n \"x-kubernetes-validations\": [\n {\n \"message\": \"skipRedirectFromBackend is immutable\",\n \"rule\": \"self == oldSelf\"\n }\n ]\n }\n },\n \"required\": [\n \"redirectBackend\",\n \"redirectFrontend\"\n ],\n \"type\": \"object\"\n },\n \"status\": {\n \"description\": \"Status is the most recent status of the local redirect policy.\\nIt is a read-only field.\",\n \"properties\": {\n \"ok\": {\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": \"Cilium Local Redirect Policy\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumnetworkpolicy.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumnetworkpolicy.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..a8f20ff --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumnetworkpolicy.meshery.layer5.io_meshmodel.json 
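Review bot: The `name` pattern under `toPorts` in the CiliumLocalRedirectPolicy schema leaves its alternation ungrouped, so `^` binds only to the numeric branch and `$` only to the name branch; it appears three times, under `redirectBackend`, `addressMatcher` and `serviceMatcher`. JSON Schema `pattern` is an unanchored search, so any string that merely starts with a digit, or merely ends in a valid name, passes. That does not enforce what the description promises (at least one letter, no leading, trailing or doubled '-'). Grouping the branches restores whole-string matching: `^(([0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*)$`. This file looks generated from the upstream CRD, so the change presumably belongs in the generator or upstream rather than in a hand edit here; until then, consumers should not treat this pattern as input validation.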
@@ -0,0 +1 @@ +{"kind":"CiliumNetworkPolicy","apiVersion":"cilium.io/v2","displayName":"Cilium Network Policy","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumNetworkPolicy is a Kubernetes third-party resource with an extended\\nversion of NetworkPolicy.\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"description\": \"Spec is the desired Cilium specific rule specification.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"endpointSelector\": {}\n },\n \"required\": [\n \"endpointSelector\"\n ]\n },\n {\n \"properties\": {\n \"nodeSelector\": {}\n },\n \"required\": [\n \"nodeSelector\"\n ]\n }\n ],\n \"properties\": {\n \"description\": {\n \"description\": \"Description is a free form string, it can be used by the creator of\\nthe rule to store human readable explanation of the purpose of this\\nrule. 
Rules cannot be identified by comment.\",\n \"type\": \"string\"\n },\n \"egress\": {\n \"description\": \"Egress is a list of EgressRule which are enforced at egress.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": 
{\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho 
Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. 
Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. 
These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toFQDNs\": {\n \"description\": \"ToFQDN allows whitelisting DNS names in place of IPs. 
The IPs that result\\nfrom DNS resolution of `ToFQDN.MatchName`s are added to the same\\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\\nL7 rules within this EgressRule will also apply to these IPs.\\nThe DNS -\\u003e IP mapping is re-resolved periodically from within the\\ncilium-agent, and the IPs in the DNS response are effected in the policy\\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\\nToFQDN counts as an egress rule and will enforce egress policy when\\nPolicyEnforcment=default.\\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\\nToFQDN rule will not apply to that IP.\\nNote: ToFQDN cannot occur in the same policy as other To* rules.\",\n \"items\": {\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nconnect to.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. 
The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. 
If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. 
These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": \"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"egressDeny\": {\n \"description\": \"EgressDeny is a list of EgressDenyRule which are enforced at egress.\\nAny rule inserted here will be denied regardless of the allowed egress\\nrules in the 'egress' field.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressDenyRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. 
Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is not allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t 
MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. 
Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": 
\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. 
Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to connect\\nto.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is not allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": 
\"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"enableDefaultDeny\": {\n \"description\": \"EnableDefaultDeny determines whether this policy configures the\\nsubject endpoint(s) to have a default deny mode. If enabled,\\nthis causes all traffic not explicitly allowed by a network policy\\nto be dropped.\\n\\nIf not specified, the default is true for each traffic direction\\nthat has rules, and false otherwise. For example, if a policy\\nonly has Ingress or IngressDeny rules, then the default for\\ningress is true and egress is false.\\n\\nIf multiple policies apply to an endpoint, that endpoint's default deny\\nwill be enabled if any policy requests it.\\n\\nThis is useful for creating broad-based network policies that will not\\ncause endpoints to enter default-deny mode.\",\n \"properties\": {\n \"egress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto egress traffic.\",\n \"type\": \"boolean\"\n },\n \"ingress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto ingress traffic.\",\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n },\n \"endpointSelector\": {\n \"description\": \"EndpointSelector selects all endpoints which should be subject to\\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\\nare mutually exclusive.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"ingress\": {\n \"description\": \"Ingress is a list of IngressRule which are enforced at ingress.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressRule contains all rule types which can be applied at ingress,\\ni.e. network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. 
Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections 
from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. 
Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. 
These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | 
RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the 
name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. 
For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. 
If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. 
If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"ingressDeny\": {\n \"description\": \"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\\nAny rule inserted here will be denied regardless of the allowed ingress\\nrules in the 'ingress' field.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressDenyRule contains all rule types which can be applied at ingress,\\ni.e. 
network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. 
Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. 
These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | 
HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. 
This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"labels\": {\n \"description\": \"Labels is a list of optional strings which can be used to\\nre-identify the rule or to store metadata. It is possible to lookup\\nor delete strings based on labels. 
Labels are not required to be\\nunique, multiple rules can have overlapping or identical labels.\",\n \"items\": {\n \"description\": \"Label is the Cilium's representation of a container label.\",\n \"properties\": {\n \"key\": {\n \"type\": \"string\"\n },\n \"source\": {\n \"description\": \"Source can be one of the above values (e.g.: LabelSourceContainer).\",\n \"type\": \"string\"\n },\n \"value\": {\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"key\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"nodeSelector\": {\n \"description\": \"NodeSelector selects all nodes which should be subject to this rule.\\nEndpointSelector and NodeSelector cannot be both empty and are mutually\\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"type\": \"object\"\n },\n \"specs\": {\n \"description\": \"Specs is a list of desired Cilium specific rule specification.\",\n \"items\": {\n \"description\": \"Rule is a policy rule which must be applied to all endpoints which match the\\nlabels contained in the endpointSelector\\n\\nEach rule is split into an ingress section which contains all rules\\napplicable at ingress, and an egress section applicable at egress. For rule\\ntypes such as `L4Rule` and `CIDR` which can be applied at both ingress and\\negress, both ingress and egress side have to either specifically allow the\\nconnection or one side has to be omitted.\\n\\nEither ingress, egress, or both can be provided. 
If both ingress and egress\\nare omitted, the rule has no effect.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"endpointSelector\": {}\n },\n \"required\": [\n \"endpointSelector\"\n ]\n },\n {\n \"properties\": {\n \"nodeSelector\": {}\n },\n \"required\": [\n \"nodeSelector\"\n ]\n }\n ],\n \"properties\": {\n \"description\": {\n \"description\": \"Description is a free form string, it can be used by the creator of\\nthe rule to store human readable explanation of the purpose of this\\nrule. Rules cannot be identified by comment.\",\n \"type\": \"string\"\n },\n \"egress\": {\n \"description\": \"Egress is a list of EgressRule which are enforced at egress.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. 
Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t 
MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. 
Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) 
receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. 
Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toFQDNs\": {\n \"description\": \"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result\\nfrom DNS resolution of `ToFQDN.MatchName`s are added to the same\\nEgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and\\nL7 rules within this EgressRule will also apply to these IPs.\\nThe DNS -\\u003e IP mapping is re-resolved periodically from within the\\ncilium-agent, and the IPs in the DNS response are effected in the policy\\nfor selected pods as-is (i.e. the list of IPs is not modified in any way).\\nNote: An explicit rule to allow for DNS traffic is needed for the pods, as\\nToFQDN counts as an egress rule and will enforce egress policy when\\nPolicyEnforcment=default.\\nNote: If the resolved IPs are IPs within the kubernetes cluster, the\\nToFQDN rule will not apply to that IP.\\nNote: ToFQDN cannot occur in the same policy as other To* rules.\",\n \"items\": {\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. 
A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nconnect to.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. 
The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. 
If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. 
These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": \"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"egressDeny\": {\n \"description\": \"EgressDeny is a list of EgressDenyRule which are enforced at egress.\\nAny rule inserted here will be denied regardless of the allowed egress\\nrules in the 'egress' field.\\nIf omitted or empty, this rule does not apply at egress.\",\n \"items\": {\n \"description\": \"EgressDenyRule contains all rule types which can be applied at egress, i.e.\\nnetwork traffic that originates inside the endpoint and exits the endpoint\\nselected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members of the structure are specified, then all members\\n must match in order for the rule to take effect. The exception to this\\n rule is the ToRequires member; the effects of any Requires field in any\\n rule will apply to all other rules as well.\\n\\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are\\n mutually exclusive. 
Only one of these members may be present within an\\n individual rule.\",\n \"properties\": {\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to connect to.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" is not allowed to initiate\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t 
MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toCIDR\": {\n \"description\": \"ToCIDR is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections. Only connections destined for\\noutside of the cluster and not targeting the host will be subject\\nto CIDR rules. This will match on the destination IP address of\\noutgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet\\nwith no ExcludeCIDRs is equivalent. 
Overlaps are allowed between\\nToCIDR and ToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toCIDRSet\": {\n \"description\": \"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule\\nis allowed to initiate connections to in addition to connections\\nwhich are allowed via ToEndpoints, along with a list of subnets contained\\nwithin their corresponding IP block to which traffic should not be\\nallowed. This will match on the destination IP address of outgoing\\nconnections. Adding a prefix into ToCIDR or into ToCIDRSet with no\\nExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and\\nToCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=database-proxy\\\" is allowed to\\ninitiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": 
\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toEndpoints\": {\n \"description\": \"ToEndpoints is a list of endpoints identified by an EndpointSelector to\\nwhich the endpoints subject to the rule are allowed to communicate.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" can communicate with any\\nendpoint carrying the label \\\"role=backend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toEntities\": {\n \"description\": \"ToEntities is a list of special entities to which the endpoint subject\\nto the rule is allowed to initiate connections. Supported entities are\\n`world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,\\n`health`,`unmanaged` and `all`.\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. 
Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"toGroups\": {\n \"description\": \"ToGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\ntoGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toNodes\": {\n \"description\": \"ToNodes is a list of nodes identified by an\\nEndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to connect\\nto.\\n\\nExample:\\nAny endpoint with the label \\\"role=frontend\\\" is not allowed to initiate\\nconnections to destination port 8080/tcp\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. 
Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toRequires\": {\n \"description\": \"ToRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be able to connect to other\\nendpoints. These additional constraints do no by itself grant access\\nprivileges and must always be accompanied with at least one matching\\nToEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires any endpoint to which it\\ncommunicates to also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"toServices\": {\n \"description\": \"ToServices is a list of services to which the endpoint subject\\nto the rule is allowed to initiate connections.\\nCurrently Cilium only supports toServices for K8s services without\\nselectors.\\n\\nExample:\\nAny endpoint with the label \\\"app=backend-app\\\" is allowed to\\ninitiate connections to all cidrs backing the \\\"external-service\\\" service\",\n \"items\": {\n \"description\": \"Service wraps around selectors for services\",\n \"properties\": {\n \"k8sService\": {\n \"description\": \"K8sService selects service by name and namespace pair\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"serviceName\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"k8sServiceSelector\": {\n \"description\": \"K8sServiceSelector selects services by k8s labels and namespace\",\n \"properties\": {\n \"namespace\": {\n \"type\": \"string\"\n },\n \"selector\": {\n \"description\": 
\"ServiceSelector is a label selector for k8s services\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"selector\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"enableDefaultDeny\": {\n \"description\": \"EnableDefaultDeny determines whether this policy configures the\\nsubject endpoint(s) to have a default deny mode. If enabled,\\nthis causes all traffic not explicitly allowed by a network policy\\nto be dropped.\\n\\nIf not specified, the default is true for each traffic direction\\nthat has rules, and false otherwise. For example, if a policy\\nonly has Ingress or IngressDeny rules, then the default for\\ningress is true and egress is false.\\n\\nIf multiple policies apply to an endpoint, that endpoint's default deny\\nwill be enabled if any policy requests it.\\n\\nThis is useful for creating broad-based network policies that will not\\ncause endpoints to enter default-deny mode.\",\n \"properties\": {\n \"egress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto egress traffic.\",\n \"type\": \"boolean\"\n },\n \"ingress\": {\n \"description\": \"Whether or not the endpoint should have a default-deny rule applied\\nto ingress traffic.\",\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n },\n \"endpointSelector\": {\n \"description\": \"EndpointSelector selects all endpoints which should be subject to\\nthis rule. EndpointSelector and NodeSelector cannot be both empty and\\nare mutually exclusive.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"ingress\": {\n \"description\": \"Ingress is a list of IngressRule which are enforced at ingress.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressRule contains all rule types which can be applied at ingress,\\ni.e. network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"authentication\": {\n \"description\": \"Authentication is the required authentication type for the allowed traffic, if any.\",\n \"properties\": {\n \"mode\": {\n \"description\": \"Mode is the required authentication mode for the allowed traffic, if any.\",\n \"enum\": [\n \"disabled\",\n \"required\",\n \"test-always-fail\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"mode\"\n ],\n \"type\": \"object\"\n },\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. 
Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections 
from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. 
Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. 
These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. 
A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | 
RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can only accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortRule is a list of ports/protocol combinations with optional Layer 7\\nrules which must be met.\",\n \"properties\": {\n \"listener\": {\n \"description\": \"listener specifies the 
name of a custom Envoy listener to which this traffic should be\\nredirected to.\",\n \"properties\": {\n \"envoyConfig\": {\n \"description\": \"EnvoyConfig is a reference to the CEC or CCEC resource in which\\nthe listener is defined.\",\n \"properties\": {\n \"kind\": {\n \"description\": \"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or\\nCiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,\\nrespectively. The only case this is currently explicitly needed is when referring to a\\nCiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener\\nfrom a cluster scoped policy is not allowed.\",\n \"enum\": [\n \"CiliumEnvoyConfig\",\n \"CiliumClusterwideEnvoyConfig\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where\\nthe listener is defined in.\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"name\": {\n \"description\": \"Name is the name of the listener.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"priority\": {\n \"description\": \"Priority for this Listener that is used when multiple rules would apply different\\nlisteners to a policy map entry. Behavior of this is implementation dependent.\",\n \"maximum\": 100,\n \"minimum\": 1,\n \"type\": \"integer\"\n }\n },\n \"required\": [\n \"envoyConfig\",\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"originatingTLS\": {\n \"description\": \"OriginatingTLS is the TLS context for the connections originated by\\nthe L7 proxy. For egress policy this specifies the client-side TLS\\nparameters for the upstream connection originating from the L7 proxy\\nto the remote destination. 
For ingress policy this specifies the\\nclient-side TLS parameters for the connection from the L7 proxy to\\nthe local endpoint.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. 
If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n },\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n },\n \"rules\": {\n \"description\": \"Rules is a list of additional port level rules which must be met in\\norder for the PortRule to allow the traffic. 
If omitted or empty,\\nno layer 7 rules are enforced.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"http\": {}\n },\n \"required\": [\n \"http\"\n ]\n },\n {\n \"properties\": {\n \"kafka\": {}\n },\n \"required\": [\n \"kafka\"\n ]\n },\n {\n \"properties\": {\n \"dns\": {}\n },\n \"required\": [\n \"dns\"\n ]\n },\n {\n \"properties\": {\n \"l7proto\": {}\n },\n \"required\": [\n \"l7proto\"\n ]\n }\n ],\n \"properties\": {\n \"dns\": {\n \"description\": \"DNS-specific rules.\",\n \"items\": {\n \"description\": \"PortRuleDNS is a list of allowed DNS lookups.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"matchName\": {}\n },\n \"required\": [\n \"matchName\"\n ]\n },\n {\n \"properties\": {\n \"matchPattern\": {}\n },\n \"required\": [\n \"matchPattern\"\n ]\n }\n ],\n \"properties\": {\n \"matchName\": {\n \"description\": \"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added\\nwhen missing.\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_]+[.]?)+$\",\n \"type\": \"string\"\n },\n \"matchPattern\": {\n \"description\": \"MatchPattern allows using wildcards to match DNS names. All wildcards are\\ncase insensitive. The wildcards are:\\n- \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in\\nthe pattern. 
As a special case a \\\"*\\\" as the leftmost character, without a\\nfollowing \\\".\\\" matches all subdomains as well as the name to the right.\\nA trailing \\\".\\\" is automatically added when missing.\\n\\nExamples:\\n`*.cilium.io` matches subomains of cilium at that level\\n www.cilium.io and blog.cilium.io match, cilium.io and google.com do not\\n`*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\"\\n except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match,\\n www.cilium.io and blog.cilium.io does not\\nsub*.cilium.io matches subdomains of cilium where the subdomain component\\nbegins with \\\"sub\\\"\\n sub.cilium.io and subdomain.cilium.io match, www.cilium.io,\\n blog.cilium.io, cilium.io and google.com do not\",\n \"maxLength\": 255,\n \"pattern\": \"^([-a-zA-Z0-9_*]+[.]?)+$\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"http\": {\n \"description\": \"HTTP specific rules.\",\n \"items\": {\n \"description\": \"PortRuleHTTP is a list of HTTP protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule does not have any\\neffect.\\n\\nAll fields of this type are extended POSIX regex as defined by IEEE Std\\n1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax)\\nmatched against the path of an incoming request. Currently it can contain\\ncharacters disallowed from the conventional \\\"path\\\" part of a URL as defined\\nby RFC 3986.\",\n \"properties\": {\n \"headerMatches\": {\n \"description\": \"HeaderMatches is a list of HTTP headers which must be\\npresent and match against the given values. Mismatch field can be used\\nto specify what to do when there is no match.\",\n \"items\": {\n \"description\": \"HeaderMatch extends the HeaderValue for matching requirement of a\\nnamed header field against an immediate string, a secret value, or\\na regex. 
If none of the optional fields is present, then the\\nheader value is not matched, only presence of the header is enough.\",\n \"properties\": {\n \"mismatch\": {\n \"description\": \"Mismatch identifies what to do in case there is no match. The default is\\nto drop the request. Otherwise the overall rule is still considered as\\nmatching, but the mismatches are logged in the access log.\",\n \"enum\": [\n \"LOG\",\n \"ADD\",\n \"DELETE\",\n \"REPLACE\"\n ],\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name identifies the header.\",\n \"minLength\": 1,\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret refers to a secret that contains the value to be matched against.\\nThe secret must only contain one entry. If the referred secret does not\\nexist, and there is no \\\"Value\\\" specified, the match will fail.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"value\": {\n \"description\": \"Value matches the exact value of the header. Can be specified either\\nalone or together with \\\"Secret\\\"; will be used as the header value if the\\nsecret can not be found in the latter case.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"headers\": {\n \"description\": \"Headers is a list of HTTP headers which must be present in the\\nrequest. If omitted or empty, requests are allowed regardless of\\nheaders present.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"host\": {\n \"description\": \"Host is an extended POSIX regex matched against the host header of a\\nrequest. 
Examples:\\n\\n- foo.bar.com will match the host fooXbar.com or foo-bar.com\\n- foo\\\\.bar\\\\.com will only match the host foo.bar.com\\n\\nIf omitted or empty, the value of the host header is ignored.\",\n \"format\": \"idn-hostname\",\n \"type\": \"string\"\n },\n \"method\": {\n \"description\": \"Method is an extended POSIX regex matched against the method of a\\nrequest, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ...\\n\\nIf omitted or empty, all methods are allowed.\",\n \"type\": \"string\"\n },\n \"path\": {\n \"description\": \"Path is an extended POSIX regex matched against the path of a\\nrequest. Currently it can contain characters disallowed from the\\nconventional \\\"path\\\" part of a URL as defined by RFC 3986.\\n\\nIf omitted or empty, all paths are all allowed.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"kafka\": {\n \"description\": \"Kafka-specific rules.\",\n \"items\": {\n \"description\": \"PortRule is a list of Kafka protocol constraints. All fields are\\noptional, if all fields are empty or missing, the rule will match all\\nKafka messages.\",\n \"properties\": {\n \"apiKey\": {\n \"description\": \"APIKey is a case-insensitive string matched against the key of a\\nrequest, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al\\nReference: https://kafka.apache.org/protocol#protocol_api_keys\\n\\nIf omitted or empty, and if Role is not specified, then all keys are allowed.\",\n \"type\": \"string\"\n },\n \"apiVersion\": {\n \"description\": \"APIVersion is the version matched against the api version of the\\nKafka message. 
If set, it has to be a string representing a positive\\ninteger.\\n\\nIf omitted or empty, all versions are allowed.\",\n \"type\": \"string\"\n },\n \"clientID\": {\n \"description\": \"ClientID is the client identifier as provided in the request.\\n\\nFrom Kafka protocol documentation:\\nThis is a user supplied identifier for the client application. The\\nuser can use any identifier they like and it will be used when\\nlogging errors, monitoring aggregates, etc. For example, one might\\nwant to monitor not just the requests per second overall, but the\\nnumber coming from each client application (each of which could\\nreside on multiple servers). This id acts as a logical grouping\\nacross all requests from a particular client.\\n\\nIf omitted or empty, all client identifiers are allowed.\",\n \"type\": \"string\"\n },\n \"role\": {\n \"description\": \"Role is a case-insensitive string and describes a group of API keys\\nnecessary to perform certain higher-level Kafka operations such as \\\"produce\\\"\\nor \\\"consume\\\". A Role automatically expands into all APIKeys required\\nto perform the specified higher-level operation.\\n\\nThe following values are supported:\\n - \\\"produce\\\": Allow producing to the topics specified in the rule\\n - \\\"consume\\\": Allow consuming from the topics specified in the rule\\n\\nThis field is incompatible with the APIKey field, i.e APIKey and Role\\ncannot both be specified in the same rule.\\n\\nIf omitted or empty, and if APIKey is not specified, then all keys are\\nallowed.\",\n \"enum\": [\n \"produce\",\n \"consume\"\n ],\n \"type\": \"string\"\n },\n \"topic\": {\n \"description\": \"Topic is the topic name contained in the message. If a Kafka request\\ncontains multiple topics, then all topics must be allowed or the\\nmessage will be rejected.\\n\\nThis constraint is ignored if the matched request message type\\ndoesn't contain any topic. 
Maximum size of Topic can be 249\\ncharacters as per recent Kafka spec and allowed characters are\\na-z, A-Z, 0-9, -, . and _.\\n\\nOlder Kafka versions had longer topic lengths of 255, but in Kafka 0.10\\nversion the length was changed from 255 to 249. For compatibility\\nreasons we are using 255.\\n\\nIf omitted or empty, all topics are allowed.\",\n \"maxLength\": 255,\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7\": {\n \"description\": \"Key-value pair rules.\",\n \"items\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as\\nprotocol constraints. All fields are optional, if all fields are empty or\\nmissing, the rule does not have any effect.\",\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"l7proto\": {\n \"description\": \"Name of the L7 protocol for which the Key-value pair rules apply.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"serverNames\": {\n \"description\": \"ServerNames is a list of allowed TLS SNI values. If not empty, then\\nTLS must be present and one of the provided SNIs must be indicated in the\\nTLS handshake.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"terminatingTLS\": {\n \"description\": \"TerminatingTLS is the TLS context for the connection terminated by\\nthe L7 proxy. For egress policy this specifies the server-side TLS\\nparameters to be applied on the connections originated from the local\\nendpoint and terminated by the L7 proxy. For ingress policy this specifies\\nthe server-side TLS parameters to be applied on the connections\\noriginated from a remote source and terminated by the L7 proxy.\",\n \"properties\": {\n \"certificate\": {\n \"description\": \"Certificate is the file name or k8s secret item name for the certificate\\nchain. If omitted, 'tls.crt' is assumed, if it exists. 
If given, the\\nitem must exist.\",\n \"type\": \"string\"\n },\n \"privateKey\": {\n \"description\": \"PrivateKey is the file name or k8s secret item name for the private key\\nmatching the certificate chain. If omitted, 'tls.key' is assumed, if it\\nexists. If given, the item must exist.\",\n \"type\": \"string\"\n },\n \"secret\": {\n \"description\": \"Secret is the secret that contains the certificates and private key for\\nthe TLS context.\\nBy default, Cilium will search in this secret for the following items:\\n - 'ca.crt' - Which represents the trusted CA to verify remote source.\\n - 'tls.crt' - Which represents the public key certificate.\\n - 'tls.key' - Which represents the private key matching the public key\\n certificate.\",\n \"properties\": {\n \"name\": {\n \"description\": \"Name is the name of the secret.\",\n \"type\": \"string\"\n },\n \"namespace\": {\n \"description\": \"Namespace is the namespace in which the secret exists. Context of use\\ndetermines the default value if left out (e.g., \\\"default\\\").\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"name\"\n ],\n \"type\": \"object\"\n },\n \"trustedCA\": {\n \"description\": \"TrustedCA is the file name or k8s secret item name for the trusted CA.\\nIf omitted, 'ca.crt' is assumed, if it exists. If given, the item must\\nexist.\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"secret\"\n ],\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"ingressDeny\": {\n \"description\": \"IngressDeny is a list of IngressDenyRule which are enforced at ingress.\\nAny rule inserted here will be denied regardless of the allowed ingress\\nrules in the 'ingress' field.\\nIf omitted or empty, this rule does not apply at ingress.\",\n \"items\": {\n \"description\": \"IngressDenyRule contains all rule types which can be applied at ingress,\\ni.e. 
network traffic that originates outside of the endpoint and\\nis entering the endpoint selected by the endpointSelector.\\n\\n - All members of this structure are optional. If omitted or empty, the\\n member will have no effect on the rule.\\n\\n - If multiple members are set, all of them need to match in order for\\n the rule to take effect. The exception to this rule is FromRequires field;\\n the effects of any Requires field in any rule will apply to all other\\n rules as well.\\n\\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually\\n exclusive. Only one of these members may be present within an individual\\n rule.\",\n \"properties\": {\n \"fromCIDR\": {\n \"description\": \"FromCIDR is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from. Only connections which\\ndo *not* originate from the cluster or from the local host are subject\\nto CIDR rules. In order to allow in-cluster connectivity, use the\\nFromEndpoints field. This will match on the source IP address of\\nincoming connections. Adding a prefix into FromCIDR or into\\nFromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are\\nallowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.3.9.1\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromCIDRSet\": {\n \"description\": \"FromCIDRSet is a list of IP blocks which the endpoint subject to the\\nrule is allowed to receive connections from in addition to FromEndpoints,\\nalong with a list of subnets contained within their corresponding IP block\\nfrom which traffic should not be allowed.\\nThis will match on the source IP address of incoming connections. 
Adding\\na prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is\\nequivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.\\n\\nExample:\\nAny endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive\\nconnections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\n \"items\": {\n \"description\": \"CIDRRule is a rule that specifies a CIDR prefix to/from which outside\\ncommunication is allowed, along with an optional list of subnets within that\\nCIDR prefix to/from which outside communication is not allowed.\",\n \"oneOf\": [\n {\n \"properties\": {\n \"cidr\": {}\n },\n \"required\": [\n \"cidr\"\n ]\n },\n {\n \"properties\": {\n \"cidrGroupRef\": {}\n },\n \"required\": [\n \"cidrGroupRef\"\n ]\n }\n ],\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is a CIDR prefix / IP Block.\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"cidrGroupRef\": {\n \"description\": \"CIDRGroupRef is a reference to a CiliumCIDRGroup object.\\nA CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to\\nthe rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive\\nconnections from.\",\n \"maxLength\": 253,\n \"pattern\": \"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\n \"type\": \"string\"\n },\n \"except\": {\n \"description\": \"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule\\nis not allowed to initiate connections to. 
These CIDR prefixes should be\\ncontained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not\\nsupported yet.\\nThese exceptions are only applied to the Cidr in this CIDRRule, and do not\\napply to any other CIDR prefixes in any other CIDRRules.\",\n \"items\": {\n \"description\": \"CIDR specifies a block of IP addresses.\\nExample: 192.0.2.1/32\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromEndpoints\": {\n \"description\": \"FromEndpoints is a list of endpoints identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\\n\\nExample:\\nAny endpoint with the label \\\"role=backend\\\" can be consumed by any\\nendpoint carrying the label \\\"role=frontend\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromEntities\": {\n \"description\": \"FromEntities is a list of special entities which the endpoint subject\\nto the rule is allowed to receive connections from. Supported entities are\\n`world`, `cluster` and `host`\",\n \"items\": {\n \"description\": \"Entity specifies the class of receiver/sender endpoints that do not have\\nindividual identities. Entities are used to describe \\\"outside of cluster\\\",\\n\\\"host\\\", etc.\",\n \"enum\": [\n \"all\",\n \"world\",\n \"cluster\",\n \"host\",\n \"init\",\n \"ingress\",\n \"unmanaged\",\n \"remote-node\",\n \"health\",\n \"none\",\n \"kube-apiserver\"\n ],\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"fromGroups\": {\n \"description\": \"FromGroups is a directive that allows the integration with multiple outside\\nproviders. 
Currently, only AWS is supported, and the rule can select by\\nmultiple sub directives:\\n\\nExample:\\nFromGroups:\\n- aws:\\n securityGroupsIds:\\n - 'sg-XXXXXXXXXXXXX'\",\n \"items\": {\n \"description\": \"Groups structure to store all kinds of new integrations that needs a new\\nderivative policy.\",\n \"properties\": {\n \"aws\": {\n \"description\": \"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\n \"properties\": {\n \"labels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"type\": \"object\"\n },\n \"region\": {\n \"type\": \"string\"\n },\n \"securityGroupsIds\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"securityGroupsNames\": {\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"fromNodes\": {\n \"description\": \"FromNodes is a list of nodes identified by an\\nEndpointSelector which are allowed to communicate with the endpoint\\nsubject to the rule.\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. 
If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"fromRequires\": {\n \"description\": \"FromRequires is a list of additional constraints which must be met\\nin order for the selected endpoints to be reachable. These\\nadditional constraints do no by itself grant access privileges and\\nmust always be accompanied with at least one matching FromEndpoints.\\n\\nExample:\\nAny Endpoint with the label \\\"team=A\\\" requires consuming endpoint\\nto also carry the label \\\"team=A\\\".\",\n \"items\": {\n \"description\": \"EndpointSelector is a wrapper for k8s LabelSelector.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. 
The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". 
The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n },\n \"type\": \"array\"\n },\n \"icmps\": {\n \"description\": \"ICMPs is a list of ICMP rule identified by type number\\nwhich the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\ntype 8 ICMP connections.\",\n \"items\": {\n \"description\": \"ICMPRule is a list of ICMP fields.\",\n \"properties\": {\n \"fields\": {\n \"description\": \"Fields is a list of ICMP fields.\",\n \"items\": {\n \"description\": \"ICMPField is a ICMP field.\",\n \"properties\": {\n \"family\": {\n \"default\": \"IPv4\",\n \"description\": \"Family is a IP address version.\\nCurrently, we support `IPv4` and `IPv6`.\\n`IPv4` is set as default.\",\n \"enum\": [\n \"IPv4\",\n \"IPv6\"\n ],\n \"type\": \"string\"\n },\n \"type\": {\n \"anyOf\": [\n {\n \"type\": \"integer\"\n },\n {\n \"type\": \"string\"\n }\n ],\n \"description\": \"Type is a ICMP-type.\\nIt should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\").\\nAllowed ICMP types are:\\n Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest |\\n\\t\\t RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem |\\n\\t\\t\\t Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply\\n Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem |\\n\\t\\t\\t EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport |\\n\\t\\t\\t MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation |\\n\\t\\t\\t NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery |\\n\\t\\t\\t ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement |\\n\\t\\t\\t HomeAgentAddressDiscoveryRequest | 
HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation |\\n\\t\\t\\t MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix |\\n\\t\\t\\t ExtendedEchoRequest | ExtendedEchoReply\",\n \"pattern\": \"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\n \"x-kubernetes-int-or-string\": true\n }\n },\n \"required\": [\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"maxItems\": 40,\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"toPorts\": {\n \"description\": \"ToPorts is a list of destination ports identified by port number and\\nprotocol which the endpoint subject to the rule is not allowed to\\nreceive connections on.\\n\\nExample:\\nAny endpoint with the label \\\"app=httpd\\\" can not accept incoming\\nconnections on port 80/tcp.\",\n \"items\": {\n \"description\": \"PortDenyRule is a list of ports/protocol that should be used for deny\\npolicies. 
This structure lacks the L7Rules since it's not supported in deny\\npolicies.\",\n \"properties\": {\n \"ports\": {\n \"description\": \"Ports is a list of L4 port/protocol\",\n \"items\": {\n \"description\": \"PortProtocol specifies an L4 port with an optional transport protocol\",\n \"properties\": {\n \"endPort\": {\n \"description\": \"EndPort can only be an L4 port number.\",\n \"format\": \"int32\",\n \"maximum\": 65535,\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"port\": {\n \"description\": \"Port can be an L4 port number, or a name in the form of \\\"http\\\"\\nor \\\"http-8080\\\".\",\n \"pattern\": \"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\n \"type\": \"string\"\n },\n \"protocol\": {\n \"description\": \"Protocol is the L4 protocol. If omitted or empty, any protocol\\nmatches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\"\\n\\nMatching on ICMP is not supported.\\n\\nNamed port specified for a container may narrow this down, but may not\\ncontradict this.\",\n \"enum\": [\n \"TCP\",\n \"UDP\",\n \"SCTP\",\n \"ANY\"\n ],\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"port\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"labels\": {\n \"description\": \"Labels is a list of optional strings which can be used to\\nre-identify the rule or to store metadata. It is possible to lookup\\nor delete strings based on labels. 
Labels are not required to be\\nunique, multiple rules can have overlapping or identical labels.\",\n \"items\": {\n \"description\": \"Label is the Cilium's representation of a container label.\",\n \"properties\": {\n \"key\": {\n \"type\": \"string\"\n },\n \"source\": {\n \"description\": \"Source can be one of the above values (e.g.: LabelSourceContainer).\",\n \"type\": \"string\"\n },\n \"value\": {\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"key\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"nodeSelector\": {\n \"description\": \"NodeSelector selects all nodes which should be subject to this rule.\\nEndpointSelector and NodeSelector cannot be both empty and are mutually\\nexclusive. Can only be used in CiliumClusterwideNetworkPolicies.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"enum\": [\n \"In\",\n \"NotIn\",\n \"Exists\",\n \"DoesNotExist\"\n ],\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. 
This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"description\": \"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\n \"maxLength\": 63,\n \"pattern\": \"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"status\": {\n \"description\": \"Status is the status of the Cilium policy rule\",\n \"properties\": {\n \"conditions\": {\n \"items\": {\n \"properties\": {\n \"lastTransitionTime\": {\n \"description\": \"The last time the condition transitioned from one status to another.\",\n \"format\": \"date-time\",\n \"type\": \"string\"\n },\n \"message\": {\n \"description\": \"A human readable message indicating details about the transition.\",\n \"type\": \"string\"\n },\n \"reason\": {\n \"description\": \"The reason for the condition's last transition.\",\n \"type\": \"string\"\n },\n \"status\": {\n \"description\": \"The status of the condition, one of True, False, or Unknown\",\n \"type\": \"string\"\n },\n \"type\": {\n \"description\": \"The type of the policy condition\",\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"status\",\n \"type\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n 
\"x-kubernetes-list-map-keys\": [\n \"type\"\n ],\n \"x-kubernetes-list-type\": \"map\"\n },\n \"derivativePolicies\": {\n \"additionalProperties\": {\n \"description\": \"CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a\\nspecific node.\",\n \"properties\": {\n \"annotations\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"Annotations corresponds to the Annotations in the ObjectMeta of the CNP\\nthat have been realized on the node for CNP. That is, if a CNP has been\\nimported and has been assigned annotation X=Y by the user,\\nAnnotations in CiliumNetworkPolicyNodeStatus will be X=Y once the\\nCNP that was imported corresponding to Annotation X=Y has been realized on\\nthe node.\",\n \"type\": \"object\"\n },\n \"enforcing\": {\n \"description\": \"Enforcing is set to true once all endpoints present at the time the\\npolicy has been imported are enforcing this policy.\",\n \"type\": \"boolean\"\n },\n \"error\": {\n \"description\": \"Error describes any error that occurred when parsing or importing the\\npolicy, or realizing the policy for the endpoints to which it applies\\non the node.\",\n \"type\": \"string\"\n },\n \"lastUpdated\": {\n \"description\": \"LastUpdated contains the last time this status was updated\",\n \"format\": \"date-time\",\n \"type\": \"string\"\n },\n \"localPolicyRevision\": {\n \"description\": \"Revision is the policy revision of the repository which first implemented\\nthis policy.\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n },\n \"ok\": {\n \"description\": \"OK is true when the policy has been parsed and imported successfully\\ninto the in-memory policy repository on the node.\",\n \"type\": \"boolean\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"DerivativePolicies is the status of all policies derived from the Cilium\\npolicy\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\"\n ],\n \"title\": 
\"Cilium Network Policy\",\n \"type\": \"object\"\n}"} \ No newline at end of file diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumnode.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumnode.meshery.layer5.io_meshmodel.json new file mode 100644 index 0000000..2efa797 --- /dev/null +++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumnode.meshery.layer5.io_meshmodel.json 
@@ -0,0 +1 @@ +{"kind":"CiliumNode","apiVersion":"cilium.io/v2","displayName":"Cilium Node","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumNode represents a node managed by Cilium. It contains a specification\\nto control various node specific configuration aspects and a status section\\nto represent the status of the node.\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"description\": \"Spec defines the desired specification/configuration of the node.\",\n \"properties\": {\n \"addresses\": {\n \"description\": \"Addresses is the list of all node addresses.\",\n \"items\": {\n \"description\": \"NodeAddress is a node address.\",\n \"properties\": {\n \"ip\": {\n \"description\": \"IP is an IP of a node\",\n \"type\": \"string\"\n },\n \"type\": {\n \"description\": \"Type is the type of the node address\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"alibaba-cloud\": {\n \"description\": \"AlibabaCloud is the AlibabaCloud IPAM specific configuration.\",\n \"properties\": {\n \"availability-zone\": {\n \"description\": 
\"AvailabilityZone is the availability zone to use when allocating\\nENIs.\",\n \"type\": \"string\"\n },\n \"cidr-block\": {\n \"description\": \"CIDRBlock is vpc ipv4 CIDR\",\n \"type\": \"string\"\n },\n \"instance-type\": {\n \"description\": \"InstanceType is the ECS instance type, e.g. \\\"ecs.g6.2xlarge\\\"\",\n \"type\": \"string\"\n },\n \"security-group-tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"SecurityGroupTags is the list of tags to use when evaluating which\\nsecurity groups to use for the ENI.\",\n \"type\": \"object\"\n },\n \"security-groups\": {\n \"description\": \"SecurityGroups is the list of security groups to attach to any ENI\\nthat is created and attached to the instance.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"vpc-id\": {\n \"description\": \"VPCID is the VPC ID to use when allocating ENIs.\",\n \"type\": \"string\"\n },\n \"vswitch-tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"VSwitchTags is the list of tags to use when evaluating which\\nvSwitch to use for the ENI.\",\n \"type\": \"object\"\n },\n \"vswitches\": {\n \"description\": \"VSwitches is the ID of vSwitch available for ENI\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"azure\": {\n \"description\": \"Azure is the Azure IPAM specific configuration.\",\n \"properties\": {\n \"interface-name\": {\n \"description\": \"InterfaceName is the name of the interface the cilium-operator\\nwill use to allocate all the IPs on\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"bootid\": {\n \"description\": \"BootID is a unique node identifier generated on boot\",\n \"type\": \"string\"\n },\n \"encryption\": {\n \"description\": \"Encryption is the encryption configuration of the node.\",\n \"properties\": {\n \"key\": {\n \"description\": \"Key is the index to the key to use for encryption 
or 0 if encryption is\\ndisabled.\",\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"eni\": {\n \"description\": \"ENI is the AWS ENI specific configuration.\",\n \"properties\": {\n \"availability-zone\": {\n \"description\": \"AvailabilityZone is the availability zone to use when allocating\\nENIs.\",\n \"type\": \"string\"\n },\n \"delete-on-termination\": {\n \"description\": \"DeleteOnTermination defines that the ENI should be deleted when the\\nassociated instance is terminated. If the parameter is not set the\\ndefault behavior is to delete the ENI on instance termination.\",\n \"type\": \"boolean\"\n },\n \"disable-prefix-delegation\": {\n \"description\": \"DisablePrefixDelegation determines whether ENI prefix delegation should be\\ndisabled on this node.\",\n \"type\": \"boolean\"\n },\n \"exclude-interface-tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"ExcludeInterfaceTags is the list of tags to use when excluding ENIs for\\nCilium IP allocation. Any interface matching this set of tags will not\\nbe managed by Cilium.\",\n \"type\": \"object\"\n },\n \"first-interface-index\": {\n \"description\": \"FirstInterfaceIndex is the index of the first ENI to use for IP\\nallocation, e.g. if the node has eth0, eth1, eth2 and\\nFirstInterfaceIndex is set to 1, then only eth1 and eth2 will be\\nused for IP allocation, eth0 will be ignored for PodIP allocation.\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"instance-id\": {\n \"description\": \"InstanceID is the AWS InstanceId of the node. The InstanceID is used\\nto retrieve AWS metadata for the node.\\n\\nOBSOLETE: This field is obsolete, please use Spec.InstanceID\",\n \"type\": \"string\"\n },\n \"instance-type\": {\n \"description\": \"InstanceType is the AWS EC2 instance type, e.g. 
\\\"m5.large\\\"\",\n \"type\": \"string\"\n },\n \"max-above-watermark\": {\n \"description\": \"MaxAboveWatermark is the maximum number of addresses to allocate\\nbeyond the addresses needed to reach the PreAllocate watermark.\\nGoing above the watermark can help reduce the number of API calls to\\nallocate IPs, e.g. when a new ENI is allocated, as many secondary\\nIPs as possible are allocated. Limiting the amount can help reduce\\nwaste of IPs.\\n\\nOBSOLETE: This field is obsolete, please use Spec.IPAM.MaxAboveWatermark\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"min-allocate\": {\n \"description\": \"MinAllocate is the minimum number of IPs that must be allocated when\\nthe node is first bootstrapped. It defines the minimum base socket\\nof addresses that must be available. After reaching this watermark,\\nthe PreAllocate and MaxAboveWatermark logic takes over to continue\\nallocating IPs.\\n\\nOBSOLETE: This field is obsolete, please use Spec.IPAM.MinAllocate\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"node-subnet-id\": {\n \"description\": \"NodeSubnetID is the subnet of the primary ENI the instance was brought up\\nwith. It is used as a sensible default subnet to create ENIs in.\",\n \"type\": \"string\"\n },\n \"pre-allocate\": {\n \"description\": \"PreAllocate defines the number of IP addresses that must be\\navailable for allocation in the IPAMspec. 
It defines the buffer of\\naddresses available immediately without requiring cilium-operator to\\nget involved.\\n\\nOBSOLETE: This field is obsolete, please use Spec.IPAM.PreAllocate\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"security-group-tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"SecurityGroupTags is the list of tags to use when evaliating what\\nAWS security groups to use for the ENI.\",\n \"type\": \"object\"\n },\n \"security-groups\": {\n \"description\": \"SecurityGroups is the list of security groups to attach to any ENI\\nthat is created and attached to the instance.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"subnet-ids\": {\n \"description\": \"SubnetIDs is the list of subnet ids to use when evaluating what AWS\\nsubnets to use for ENI and IP allocation.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"subnet-tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"SubnetTags is the list of tags to use when evaluating what AWS\\nsubnets to use for ENI and IP allocation.\",\n \"type\": \"object\"\n },\n \"use-primary-address\": {\n \"description\": \"UsePrimaryAddress determines whether an ENI's primary address\\nshould be available for allocations on the node\",\n \"type\": \"boolean\"\n },\n \"vpc-id\": {\n \"description\": \"VpcID is the VPC ID to use when allocating ENIs.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"health\": {\n \"description\": \"HealthAddressing is the addressing information for health connectivity\\nchecking.\",\n \"properties\": {\n \"ipv4\": {\n \"description\": \"IPv4 is the IPv4 address of the IPv4 health endpoint.\",\n \"type\": \"string\"\n },\n \"ipv6\": {\n \"description\": \"IPv6 is the IPv6 address of the IPv4 health endpoint.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"ingress\": {\n \"description\": \"IngressAddressing is the 
addressing information for Ingress listener.\",\n \"properties\": {\n \"ipv4\": {\n \"type\": \"string\"\n },\n \"ipv6\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"instance-id\": {\n \"description\": \"InstanceID is the identifier of the node. This is different from the\\nnode name which is typically the FQDN of the node. The InstanceID\\ntypically refers to the identifier used by the cloud provider or\\nsome other means of identification.\",\n \"type\": \"string\"\n },\n \"ipam\": {\n \"description\": \"IPAM is the address management specification. This section can be\\npopulated by a user or it can be automatically populated by an IPAM\\noperator.\",\n \"properties\": {\n \"ipv6-pool\": {\n \"additionalProperties\": {\n \"description\": \"AllocationIP is an IP which is available for allocation, or already\\nhas been allocated\",\n \"properties\": {\n \"owner\": {\n \"description\": \"Owner is the owner of the IP. This field is set if the IP has been\\nallocated. It will be set to the pod name or another identifier\\nrepresenting the usage of the IP\\n\\nThe owner field is left blank for an entry in Spec.IPAM.Pool and\\nfilled out as the IP is used and also added to Status.IPAM.Used.\",\n \"type\": \"string\"\n },\n \"resource\": {\n \"description\": \"Resource is set for both available and allocated IPs, it represents\\nwhat resource the IP is associated with, e.g. 
in combination with\\nAWS ENI, this will refer to the ID of the ENI\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"IPv6Pool is the list of IPv6 addresses available to the node for allocation.\\nWhen an IPv6 address is used, it will remain on this list but will be added to\\nStatus.IPAM.IPv6Used\",\n \"type\": \"object\"\n },\n \"max-above-watermark\": {\n \"description\": \"MaxAboveWatermark is the maximum number of addresses to allocate\\nbeyond the addresses needed to reach the PreAllocate watermark.\\nGoing above the watermark can help reduce the number of API calls to\\nallocate IPs, e.g. when a new ENI is allocated, as many secondary\\nIPs as possible are allocated. Limiting the amount can help reduce\\nwaste of IPs.\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"max-allocate\": {\n \"description\": \"MaxAllocate is the maximum number of IPs that can be allocated to the\\nnode. When the current amount of allocated IPs will approach this value,\\nthe considered value for PreAllocate will decrease down to 0 in order to\\nnot attempt to allocate more addresses than defined.\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"min-allocate\": {\n \"description\": \"MinAllocate is the minimum number of IPs that must be allocated when\\nthe node is first bootstrapped. It defines the minimum base socket\\nof addresses that must be available. 
After reaching this watermark,\\nthe PreAllocate and MaxAboveWatermark logic takes over to continue\\nallocating IPs.\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"podCIDRs\": {\n \"description\": \"PodCIDRs is the list of CIDRs available to the node for allocation.\\nWhen an IP is used, the IP will be added to Status.IPAM.Used\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"pool\": {\n \"additionalProperties\": {\n \"description\": \"AllocationIP is an IP which is available for allocation, or already\\nhas been allocated\",\n \"properties\": {\n \"owner\": {\n \"description\": \"Owner is the owner of the IP. This field is set if the IP has been\\nallocated. It will be set to the pod name or another identifier\\nrepresenting the usage of the IP\\n\\nThe owner field is left blank for an entry in Spec.IPAM.Pool and\\nfilled out as the IP is used and also added to Status.IPAM.Used.\",\n \"type\": \"string\"\n },\n \"resource\": {\n \"description\": \"Resource is set for both available and allocated IPs, it represents\\nwhat resource the IP is associated with, e.g. in combination with\\nAWS ENI, this will refer to the ID of the ENI\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"Pool is the list of IPv4 addresses available to the node for allocation.\\nWhen an IPv4 address is used, it will remain on this list but will be added to\\nStatus.IPAM.Used\",\n \"type\": \"object\"\n },\n \"pools\": {\n \"description\": \"Pools contains the list of assigned IPAM pools for this node.\",\n \"properties\": {\n \"allocated\": {\n \"description\": \"Allocated contains the list of pooled CIDR assigned to this node. The\\noperator will add new pod CIDRs to this field, whereas the agent will\\nremove CIDRs it has released.\",\n \"items\": {\n \"description\": \"IPAMPoolAllocation describes an allocation of an IPAM pool from the operator to the\\nnode. 
It contains the assigned PodCIDRs allocated from this pool\",\n \"properties\": {\n \"cidrs\": {\n \"description\": \"CIDRs contains a list of pod CIDRs currently allocated from this pool\",\n \"items\": {\n \"description\": \"IPAMPodCIDR is a pod CIDR\",\n \"format\": \"cidr\",\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"pool\": {\n \"description\": \"Pool is the name of the IPAM pool backing this allocation\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"pool\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"requested\": {\n \"description\": \"Requested contains a list of IPAM pool requests, i.e. indicates how many\\naddresses this node requests out of each pool listed here. This field\\nis owned and written to by cilium-agent and read by the operator.\",\n \"items\": {\n \"properties\": {\n \"needed\": {\n \"description\": \"Needed indicates how many IPs out of the above Pool this node requests\\nfrom the operator. The operator runs a reconciliation loop to ensure each\\nnode always has enough PodCIDRs allocated in each pool to fulfill the\\nrequested number of IPs here.\",\n \"properties\": {\n \"ipv4-addrs\": {\n \"description\": \"IPv4Addrs contains the number of requested IPv4 addresses out of a given\\npool\",\n \"type\": \"integer\"\n },\n \"ipv6-addrs\": {\n \"description\": \"IPv6Addrs contains the number of requested IPv6 addresses out of a given\\npool\",\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"pool\": {\n \"description\": \"Pool is the name of the IPAM pool backing this request\",\n \"minLength\": 1,\n \"type\": \"string\"\n }\n },\n \"required\": [\n \"pool\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"pre-allocate\": {\n \"description\": \"PreAllocate defines the number of IP addresses that must be\\navailable for allocation in the IPAMspec. 
It defines the buffer of\\naddresses available immediately without requiring cilium-operator to\\nget involved.\",\n \"minimum\": 0,\n \"type\": \"integer\"\n },\n \"static-ip-tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"StaticIPTags are used to determine the pool of IPs from which to\\nattribute a static IP to the node. For example in AWS this is used to\\nfilter Elastic IP Addresses.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"nodeidentity\": {\n \"description\": \"NodeIdentity is the Cilium numeric identity allocated for the node, if any.\",\n \"format\": \"int64\",\n \"type\": \"integer\"\n }\n },\n \"type\": \"object\"\n },\n \"status\": {\n \"description\": \"Status defines the realized specification/configuration and status\\nof the node.\",\n \"properties\": {\n \"alibaba-cloud\": {\n \"description\": \"AlibabaCloud is the AlibabaCloud specific status of the node.\",\n \"properties\": {\n \"enis\": {\n \"additionalProperties\": {\n \"description\": \"ENI represents an AlibabaCloud Elastic Network Interface\",\n \"properties\": {\n \"instance-id\": {\n \"description\": \"InstanceID is the InstanceID using this ENI\",\n \"type\": \"string\"\n },\n \"mac-address\": {\n \"description\": \"MACAddress is the mac address of the ENI\",\n \"type\": \"string\"\n },\n \"network-interface-id\": {\n \"description\": \"NetworkInterfaceID is the ENI id\",\n \"type\": \"string\"\n },\n \"primary-ip-address\": {\n \"description\": \"PrimaryIPAddress is the primary IP on ENI\",\n \"type\": \"string\"\n },\n \"private-ipsets\": {\n \"description\": \"PrivateIPSets is the list of all IPs on the ENI, including PrimaryIPAddress\",\n \"items\": {\n \"description\": \"PrivateIPSet is a nested struct in ecs response\",\n \"properties\": {\n \"primary\": {\n \"type\": \"boolean\"\n },\n \"private-ip-address\": {\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n 
\"security-groupids\": {\n \"description\": \"SecurityGroupIDs is the security group ids used by this ENI\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"Tags is the tags on this ENI\",\n \"type\": \"object\"\n },\n \"type\": {\n \"description\": \"Type is the ENI type Primary or Secondary\",\n \"type\": \"string\"\n },\n \"vpc\": {\n \"description\": \"VPC is the vpc to which the ENI belongs\",\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDRBlock is the VPC IPv4 CIDR\",\n \"type\": \"string\"\n },\n \"ipv6-cidr\": {\n \"description\": \"IPv6CIDRBlock is the VPC IPv6 CIDR\",\n \"type\": \"string\"\n },\n \"secondary-cidrs\": {\n \"description\": \"SecondaryCIDRs is the list of Secondary CIDRs associated with the VPC\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"vpc-id\": {\n \"description\": \"VPCID is the vpc to which the ENI belongs\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"vswitch\": {\n \"description\": \"VSwitch is the vSwitch the ENI is using\",\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDRBlock is the vSwitch IPv4 CIDR\",\n \"type\": \"string\"\n },\n \"ipv6-cidr\": {\n \"description\": \"IPv6CIDRBlock is the vSwitch IPv6 CIDR\",\n \"type\": \"string\"\n },\n \"vswitch-id\": {\n \"description\": \"VSwitchID is the vSwitch to which the ENI belongs\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"zone-id\": {\n \"description\": \"ZoneID is the zone to which the ENI belongs\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"ENIs is the list of ENIs on the node\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"azure\": {\n \"description\": \"Azure is the Azure specific status of the node.\",\n \"properties\": {\n \"interfaces\": {\n \"description\": \"Interfaces is the list of interfaces on the 
node\",\n \"items\": {\n \"description\": \"AzureInterface represents an Azure Interface\",\n \"properties\": {\n \"GatewayIP\": {\n \"description\": \"GatewayIP is the interface's subnet's default route\\n\\nOBSOLETE: This field is obsolete, please use Gateway field instead.\",\n \"type\": \"string\"\n },\n \"addresses\": {\n \"description\": \"Addresses is the list of all IPs associated with the interface,\\nincluding all secondary addresses\",\n \"items\": {\n \"description\": \"AzureAddress is an IP address assigned to an AzureInterface\",\n \"properties\": {\n \"ip\": {\n \"description\": \"IP is the ip address of the address\",\n \"type\": \"string\"\n },\n \"state\": {\n \"description\": \"State is the provisioning state of the address\",\n \"type\": \"string\"\n },\n \"subnet\": {\n \"description\": \"Subnet is the subnet the address belongs to\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n },\n \"cidr\": {\n \"description\": \"CIDR is the range that the interface belongs to.\",\n \"type\": \"string\"\n },\n \"gateway\": {\n \"description\": \"Gateway is the interface's subnet's default route\",\n \"type\": \"string\"\n },\n \"id\": {\n \"description\": \"ID is the identifier\",\n \"type\": \"string\"\n },\n \"mac\": {\n \"description\": \"MAC is the mac address\",\n \"type\": \"string\"\n },\n \"name\": {\n \"description\": \"Name is the name of the interface\",\n \"type\": \"string\"\n },\n \"security-group\": {\n \"description\": \"SecurityGroup is the security group associated with the interface\",\n \"type\": \"string\"\n },\n \"state\": {\n \"description\": \"State is the provisioning state\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"type\": \"array\"\n }\n },\n \"type\": \"object\"\n },\n \"eni\": {\n \"description\": \"ENI is the AWS ENI specific status of the node.\",\n \"properties\": {\n \"enis\": {\n \"additionalProperties\": {\n \"description\": \"ENI represents an AWS Elastic 
Network Interface\\n\\nMore details:\\nhttps://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html\",\n \"properties\": {\n \"addresses\": {\n \"description\": \"Addresses is the list of all secondary IPs associated with the ENI\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"availability-zone\": {\n \"description\": \"AvailabilityZone is the availability zone of the ENI\",\n \"type\": \"string\"\n },\n \"description\": {\n \"description\": \"Description is the description field of the ENI\",\n \"type\": \"string\"\n },\n \"id\": {\n \"description\": \"ID is the ENI ID\",\n \"type\": \"string\"\n },\n \"ip\": {\n \"description\": \"IP is the primary IP of the ENI\",\n \"type\": \"string\"\n },\n \"mac\": {\n \"description\": \"MAC is the mac address of the ENI\",\n \"type\": \"string\"\n },\n \"number\": {\n \"description\": \"Number is the interface index, it used in combination with\\nFirstInterfaceIndex\",\n \"type\": \"integer\"\n },\n \"prefixes\": {\n \"description\": \"Prefixes is the list of all /28 prefixes associated with the ENI\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"public-ip\": {\n \"description\": \"PublicIP is the public IP associated with the ENI\",\n \"type\": \"string\"\n },\n \"security-groups\": {\n \"description\": \"SecurityGroups are the security groups associated with the ENI\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"subnet\": {\n \"description\": \"Subnet is the subnet the ENI is associated with\",\n \"properties\": {\n \"cidr\": {\n \"description\": \"CIDR is the CIDR range associated with the subnet\",\n \"type\": \"string\"\n },\n \"id\": {\n \"description\": \"ID is the ID of the subnet\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"tags\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"Tags is the set of tags of the ENI. 
Used to detect ENIs which should\\nnot be managed by Cilium\",\n \"type\": \"object\"\n },\n \"vpc\": {\n \"description\": \"VPC is the VPC information to which the ENI is attached to\",\n \"properties\": {\n \"cidrs\": {\n \"description\": \"CIDRs is the list of CIDR ranges associated with the VPC\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\"\n },\n \"id\": {\n \"description\": \"/ ID is the ID of a VPC\",\n \"type\": \"string\"\n },\n \"primary-cidr\": {\n \"description\": \"PrimaryCIDR is the primary CIDR of the VPC\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"ENIs is the list of ENIs on the node\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n },\n \"ipam\": {\n \"description\": \"IPAM is the IPAM status of the node.\",\n \"properties\": {\n \"assigned-static-ip\": {\n \"description\": \"AssignedStaticIP is the static IP assigned to the node (ex: public Elastic IP address in AWS)\",\n \"type\": \"string\"\n },\n \"ipv6-used\": {\n \"additionalProperties\": {\n \"description\": \"AllocationIP is an IP which is available for allocation, or already\\nhas been allocated\",\n \"properties\": {\n \"owner\": {\n \"description\": \"Owner is the owner of the IP. This field is set if the IP has been\\nallocated. It will be set to the pod name or another identifier\\nrepresenting the usage of the IP\\n\\nThe owner field is left blank for an entry in Spec.IPAM.Pool and\\nfilled out as the IP is used and also added to Status.IPAM.Used.\",\n \"type\": \"string\"\n },\n \"resource\": {\n \"description\": \"Resource is set for both available and allocated IPs, it represents\\nwhat resource the IP is associated with, e.g. 
in combination with\\nAWS ENI, this will refer to the ID of the ENI\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"IPv6Used lists all IPv6 addresses out of Spec.IPAM.IPv6Pool which have been\\nallocated and are in use.\",\n \"type\": \"object\"\n },\n \"operator-status\": {\n \"description\": \"Operator is the Operator status of the node\",\n \"properties\": {\n \"error\": {\n \"description\": \"Error is the error message set by cilium-operator.\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"pod-cidrs\": {\n \"additionalProperties\": {\n \"properties\": {\n \"status\": {\n \"description\": \"Status describes the status of a pod CIDR\",\n \"enum\": [\n \"released\",\n \"depleted\",\n \"in-use\"\n ],\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"PodCIDRs lists the status of each pod CIDR allocated to this node.\",\n \"type\": \"object\"\n },\n \"release-ips\": {\n \"additionalProperties\": {\n \"description\": \"IPReleaseStatus defines the valid states in IP release handshake\",\n \"enum\": [\n \"marked-for-release\",\n \"ready-for-release\",\n \"do-not-release\",\n \"released\"\n ],\n \"type\": \"string\"\n },\n \"description\": \"ReleaseIPs tracks the state for every IPv4 address considered for release.\\nThe value can be one of the following strings:\\n* marked-for-release : Set by operator as possible candidate for IP\\n* ready-for-release : Acknowledged as safe to release by agent\\n* do-not-release : IP already in use / not owned by the node. Set by agent\\n* released : IP successfully released. 
Set by operator\",\n \"type\": \"object\"\n },\n \"release-ipv6s\": {\n \"additionalProperties\": {\n \"description\": \"IPReleaseStatus defines the valid states in IP release handshake\",\n \"enum\": [\n \"marked-for-release\",\n \"ready-for-release\",\n \"do-not-release\",\n \"released\"\n ],\n \"type\": \"string\"\n },\n \"description\": \"ReleaseIPv6s tracks the state for every IPv6 address considered for release.\\nThe value can be one of the following strings:\\n* marked-for-release : Set by operator as possible candidate for IP\\n* ready-for-release : Acknowledged as safe to release by agent\\n* do-not-release : IP already in use / not owned by the node. Set by agent\\n* released : IP successfully released. Set by operator\",\n \"type\": \"object\"\n },\n \"used\": {\n \"additionalProperties\": {\n \"description\": \"AllocationIP is an IP which is available for allocation, or already\\nhas been allocated\",\n \"properties\": {\n \"owner\": {\n \"description\": \"Owner is the owner of the IP. This field is set if the IP has been\\nallocated. It will be set to the pod name or another identifier\\nrepresenting the usage of the IP\\n\\nThe owner field is left blank for an entry in Spec.IPAM.Pool and\\nfilled out as the IP is used and also added to Status.IPAM.Used.\",\n \"type\": \"string\"\n },\n \"resource\": {\n \"description\": \"Resource is set for both available and allocated IPs, it represents\\nwhat resource the IP is associated with, e.g. in combination with\\nAWS ENI, this will refer to the ID of the ENI\",\n \"type\": \"string\"\n }\n },\n \"type\": \"object\"\n },\n \"description\": \"Used lists all IPv4 addresses out of Spec.IPAM.Pool which have been allocated\\nand are in use.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"metadata\",\n \"spec\"\n ],\n \"title\": \"Cilium Node\",\n \"type\": \"object\"\n}"} \ No newline at end of file 
diff --git a/templates/meshmodel/components/v1.17.0-pre.3/ciliumnodeconfig.meshery.layer5.io_meshmodel.json b/templates/meshmodel/components/v1.17.0-pre.3/ciliumnodeconfig.meshery.layer5.io_meshmodel.json
new file mode 100644
index 0000000..c2e3708
--- /dev/null
+++ b/templates/meshmodel/components/v1.17.0-pre.3/ciliumnodeconfig.meshery.layer5.io_meshmodel.json
@@ -0,0 +1 @@ +{"kind":"CiliumNodeConfig","apiVersion":"cilium.io/v2","displayName":"Cilium Node Config","format":"JSON","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" 
d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"model":{"name":"cilium_service_mesh","version":"v1.17.0-pre.3","displayName":"CILIUM_SERVICE_MESH","hostname":"","hostID":"00000000-0000-0000-0000-000000000000","displayhostname":"","category":{"name":"Cloud Native Network","metadata":null},"metadata":{"logoURL":"https://github.com/cncf/artwork/blob/master/projects/cilium/icon/white/cilium_icon-white.svg?short_path=d2fbc08","primaryColor":"#6B91C7","secondaryColor":"#9AB0CF","shape":"circle","svgColor":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#cbdd72;}.cls-2{fill:#98ca3f;}.cls-3{fill:#6389c6;}.cls-4{fill:#e8282b;}.cls-5{fill:#f8c519;}.cls-6{fill:#f07525;}.cls-7{fill:#8162aa;}.cls-8{fill:#373737;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" 
d=\"M40.53139,62.5952h44.7715l22.38575,38.83793L85.30289,140.27106H40.53139L18.14564,101.43313Z\"/\u003e\u003cpath class=\"cls-2\" d=\"M40.53139,162.3871h44.7715l22.38575,38.56822L85.30289,239.52354H40.53139L18.14564,200.95532Z\"/\u003e\u003cpath class=\"cls-3\" d=\"M127.91673,211.47393h44.7715L195.074,250.04215l-22.38575,38.56822h-44.7715L105.531,250.04215Z\"/\u003e\u003cpath class=\"cls-4\" d=\"M127.91673,111.682h44.7715L195.074,150.52l-22.38575,38.83792h-44.7715L105.531,150.52Z\"/\u003e\u003cpath class=\"cls-5\" d=\"M127.91673,12.42954h44.7715L195.074,50.99776,172.68823,89.566h-44.7715L105.531,50.99776Z\"/\u003e\u003cpath class=\"cls-6\" d=\"M214.6278,62.5952h45.58062l22.79032,38.83793-22.79032,38.83793H214.6278l-22.79031-38.83793Z\"/\u003e\u003cpath class=\"cls-7\" d=\"M214.6278,162.3871h45.58062l22.79032,38.56822-22.79032,38.56822H214.6278l-22.79031-38.56822Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath 
class=\"cls-8\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-8\" d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e","svgWhite":"\u003csvg id=\"Layer_1\" data-name=\"Layer 1\" xmlns=\"http://www.w3.org/2000/svg\" viewBox=\"0 0 300 304.21698\"\u003e\u003cdefs\u003e\u003cstyle\u003e.cls-1{fill:#fff;}\u003c/style\u003e\u003c/defs\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,104.66962h-53.4863L96.36091,150.94987l26.82731,45.95983h53.4863l27.03011-45.97708Zm-6.99407,79.91228H130.48651l-19.93464-33.56515,19.83322-34.01932h39.29536L189.497,151.01675Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,203.92211h-53.4863L96.36091,250.16028l26.82731,46.00191h53.4863l27.03011-46.00191Zm-6.99407,79.88853H130.48651l-19.93464-33.56621,19.83322-34.0382h39.29536l19.81652,34.0382Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M176.67452,5.41714h-53.4863l-26.82731,46.297,26.82731,45.94311h53.4863l27.03011-45.94311ZM169.68045,85.372H130.48651L110.55187,51.71411l19.83322-33.99495h39.29536l19.74909,33.995Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,154.29587h-53.503l-26.81058,46.2797L210.55683,246.536h53.503L291.09,200.57557Zm-7.07875,79.89986h-39.194L197.95391,200.643l19.83324-34.07433h39.194l19.83377,34.00691Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M264.05986,55.04338h-53.503l-26.81058,46.53377,26.81058,46.24573h53.503L291.09,101.57715Zm-7.07875,80.39667h-39.194l-19.83324-33.76149,19.83324-34.21837h39.194l19.83377,34.21837Z\"/\u003e\u003cpath class=\"cls-1\" d=\"M89.4251,154.29587H36.20743L9.515,200.57557,36.20743,246.536H89.4251l26.89419-45.96038Zm-7.02642,79.89986H43.40216L23.66818,200.643l19.734-34.07433H82.39868l19.734,34.07433Z\"/\u003e\u003cpath class=\"cls-1\" 
d=\"M89.4251,55.04338H36.20743L9.515,101.57715l26.69244,46.24573H89.4251l26.89419-46.24573Zm-7.02642,80.39667H43.40216l-19.734-33.79493,19.734-34.21892H82.39868l19.734,34.21892Z\"/\u003e\u003c/svg\u003e"},"components":null,"relationships":null},"schema":"{\n \"description\": \"CiliumNodeConfig is a list of configuration key-value pairs. It is applied to\\nnodes indicated by a label selector.\\n\\nIf multiple overrides apply to the same node, they will be ordered by name\\nwith later Overrides overwriting any conflicting keys.\",\n \"properties\": {\n \"apiVersion\": {\n \"description\": \"APIVersion defines the versioned schema of this representation of an object.\\nServers should convert recognized schemas to the latest internal value, and\\nmay reject unrecognized values.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\n \"type\": \"string\"\n },\n \"kind\": {\n \"description\": \"Kind is a string value representing the REST resource this object represents.\\nServers may infer this from the endpoint the client submits requests to.\\nCannot be updated.\\nIn CamelCase.\\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\n \"type\": \"string\"\n },\n \"metadata\": {\n \"type\": \"object\"\n },\n \"spec\": {\n \"description\": \"Spec is the desired Cilium configuration overrides for a given node\",\n \"properties\": {\n \"defaults\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"Defaults is treated the same as the cilium-config ConfigMap - a set\\nof key-value pairs parsed by the agent and operator processes.\\nEach key must be a valid config-map data field (i.e. a-z, A-Z, -, _, and .)\",\n \"type\": \"object\"\n },\n \"nodeSelector\": {\n \"description\": \"NodeSelector is a label selector that determines to which nodes\\nthis configuration applies.\\nIf not supplied, then this config applies to no nodes. 
If\\nempty, then it applies to all nodes.\",\n \"properties\": {\n \"matchExpressions\": {\n \"description\": \"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\n \"items\": {\n \"description\": \"A label selector requirement is a selector that contains values, a key, and an operator that\\nrelates the key and values.\",\n \"properties\": {\n \"key\": {\n \"description\": \"key is the label key that the selector applies to.\",\n \"type\": \"string\"\n },\n \"operator\": {\n \"description\": \"operator represents a key's relationship to a set of values.\\nValid operators are In, NotIn, Exists and DoesNotExist.\",\n \"type\": \"string\"\n },\n \"values\": {\n \"description\": \"values is an array of string values. If the operator is In or NotIn,\\nthe values array must be non-empty. If the operator is Exists or DoesNotExist,\\nthe values array must be empty. This array is replaced during a strategic\\nmerge patch.\",\n \"items\": {\n \"type\": \"string\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n }\n },\n \"required\": [\n \"key\",\n \"operator\"\n ],\n \"type\": \"object\"\n },\n \"type\": \"array\",\n \"x-kubernetes-list-type\": \"atomic\"\n },\n \"matchLabels\": {\n \"additionalProperties\": {\n \"type\": \"string\"\n },\n \"description\": \"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels\\nmap is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the\\noperator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\n \"type\": \"object\"\n }\n },\n \"type\": \"object\",\n \"x-kubernetes-map-type\": \"atomic\"\n }\n },\n \"required\": [\n \"defaults\",\n \"nodeSelector\"\n ],\n \"type\": \"object\"\n }\n },\n \"required\": [\n \"spec\"\n ],\n \"title\": \"Cilium Node Config\",\n \"type\": \"object\"\n}"} \ No newline at end of file