networking.gdc.goog/v1
Package v1 contains API Schema definitions for the networking v1 API group.
AuthorizationPolicyRef
Represents a reference to the generated authorization policy.
Appears in: - OrganizationNetworkPolicyStatus
| Field | Description | 
|---|---|
| `name` string | The name of the referent. |
| `namespace` string | The namespace of the referent. |
BGPPeerInterface
Represents a reference to a BGP peer.
Appears in: - VPNBGPPeerSpec
| Field | Description | 
|---|---|
| `name` string | The name of the BGP peer. |
| `ip` string | The IP address of the BGP peer. |
| `asn` integer | The Autonomous System Number. |
Backend
Identifies endpoints for a load balancer.
Appears in: - BackendList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | Backend |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` BackendSpec | |
| `status` BackendStatus | |
BackendList
Contains list of Backends.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | BackendList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` Backend array | |
BackendRef
Holds information about the backend.
Appears in: - BackendServiceSpec
| Field | Description | 
|---|---|
| `name` string | A name of the referenced Backend object. The referenced Backend has to be in the same namespace as this backend service. This field is required. This field is immutable. |
BackendService
Represents a load balancer configuration.
Appears in: - BackendServiceList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | BackendService |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` BackendServiceSpec | |
| `status` BackendServiceStatus | |
BackendServiceList
Contains a list of BackendService.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | BackendServiceList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` BackendService array | |
BackendServicePolicy
Represents policies to be applied to one or more load balancers.
Appears in: - BackendServicePolicyList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | BackendServicePolicy |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` BackendServicePolicySpec | |
| `status` BackendServicePolicyStatus | |
BackendServicePolicyList
Contains a list of BackendServicePolicy.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | BackendServicePolicyList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` BackendServicePolicy array | |
BackendServicePolicySpec
Describes the attributes that a user expects from this backend policy.
Appears in: - BackendServicePolicy
| Field | Description | 
|---|---|
| `sessionAffinity` SessionAffinity | The Session Affinity mode applied to the Backend Policy. This field is optional. This field is immutable. Allowed values: - `NONE`: requests will be routed to any backend. This is the default value. - `CLIENT_IP_DST_PORT_PROTO`: requests from the same 4-tuple (source IP, destination IP, destination port, protocol) will be routed to the same destination backend. If multiple policies match the same BackendProject, the policies are ORed. A Backend Service will have Session Affinity enabled if any of the policies affecting it has Session Affinity enabled. |
| `selectors` LabelSelector | A selector defining which BackendService(s) this policy is applied to. This field is required. This field is immutable. |
BackendServicePolicyStatus
Represents the status of the Backend Service Policy.
Appears in: - BackendServicePolicy
| Field | Description | 
|---|---|
| `conditions` Condition array | A list of conditions describing the current state of the Backend Service Policy. Known condition types are: * "Ready" |
BackendServiceRef
Holds information about the backend.
Appears in: - ForwardingRuleExternalSpec - ForwardingRuleInternalSpec - ForwardingRuleSpecCommon
| Field | Description | 
|---|---|
| `name` string | A name of the referenced backend service object. This field is required. This field is immutable. |
BackendServiceSpec
Describes the attributes that a user expects from this backend service.
Appears in: - BackendService
| Field | Description | 
|---|---|
| `backendRefs` BackendRef array | A list of backends for this backend service. Only 1 Backend can be specified per Zone or per User Cluster. This field is optional. This field is mutable. |
| `targetPorts` TargetPort array | A list of target ports that this BackendService will translate. This field is optional. This field is immutable. |
| `healthCheckName` string | A name of the health check parameters object for this backend service. HealthCheck is applicable only for VM backends. It has to reference HealthCheck in the same namespace as this backend service. This field is optional. This field is immutable. |
BackendServiceStatus
Represents the status of BackendService.
Appears in: - BackendService
| Field | Description | 
|---|---|
| `conditions` Condition array | A list of conditions describing the current state of the backend service. Known condition types are: * "Ready" |
| `forwardingRuleRefs` ForwardingRuleRef array | A list of forwarding rules using this backend service. |
BackendSpec
Describes the attributes that a user expects from backend.
Appears in: - Backend
| Field | Description | 
|---|---|
| `clusterName` string | The name of the cluster to which the scope of the defined selectors is limited. This does not apply to VM workloads. This field is optional. This field is immutable. |
| `endpointsLabels` LabelSelector | A selector defining which endpoints (Pods or VMs) to use for this backend. This field is required. This field is immutable. |
BackendStatus
Represents the status of backend.
Appears in: - Backend
| Field | Description | 
|---|---|
| `conditions` Condition array | A list of conditions describing the current state of the backend. Known condition types are: * "Ready" |
CIDRRef
Holds information about the CIDR.
Appears in: - ForwardingRuleExternalSpec - ForwardingRuleInternalSpec - ForwardingRuleSpecCommon
| Field | Description | 
|---|---|
| `name` string | A name of the referenced cidr object. This field is required. This field is immutable. |
ClusterNodeSelector
Represents the information used to locate a node or nodes inside of a specified cluster. Either cluster or node or both must be specified.
Appears in: - FlowLogFilter
| Field | Description | 
|---|---|
| `cluster` string | The name of the cluster. If a value is not provided, all clusters will be searched for the desired node or nodes. |
| `node` string | A wildcard pattern used to search by the node name. For example, `k8s*` or `*.domain.com`. |
FlowLog
Defines a list of flow log filters used for finding relevant flows. Flow events matching any of the provided filter rules are logged.
Appears in: - FlowLogList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | FlowLog |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` FlowLogSpec | The desired configuration for a flow log. |
| `status` FlowLogStatus | The observed state of a flow log. |
FlowLogFilter
Defines a collection of filter criteria that is applied at the
same time.
Each flow log filter contains several optional matching fields.
The matching logic for each filter follows these rules:
First, when a matching field is optional and not specified, it implies no
filtering is applied on this field of a flow.
For example, if no sources are provided, it means all sources are matched.
Next, when multiple fields are specified in one filter, all fields must match
the target flow.
For example, if a source value of `srcNS/pod1` and a destination value of `dstNS/pod2` are
specified at the same time, it matches the flow from pod `srcNS/pod1`
to destination `dstNS/pod2`.
Finally, when a field is a list, specifying it multiple times means matching
any of the values.
Appears in: - FlowLogSpec
| Field | Description | 
|---|---|
| `source` NetworkEndpointFilter | A filter that filters flow events by a list of source rules. |
| `destination` NetworkEndpointFilter | A filter that filters flow events by a list of destination rules. |
| `endpoint` NetworkEndpointFilter | The endpoint filters flow events if the event source or destination matches any given endpoint in this list. If `endpoint` is set, `source` and `destination` must not be specified. When specified, each endpoint corresponds to two filters: one with `source` set to this endpoint and all other filter fields kept the same; another with `destination` set to this endpoint and all other filter fields kept the same. |
| `l4Protocols` Protocol array | A filter that filters flow events by L4 protocols defined in [v1.Protocol]. Each protocol must be specified at most once. |
| `verdicts` PolicyVerdict array | A filter that filters flow events by verdict classification. |
| `clusterNodeSelectors` ClusterNodeSelector array | A list of clusters and nodes used to match flows. |
FlowLogList
Defines a list of flow log resources.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | FlowLogList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` FlowLog array | A list of flow log entries. |
FlowLogSpec
Represents the flow log filters that are applied. When multiple filters are present, the flow is logged if at least one filter matches the flow event.
Appears in: - FlowLog
| Field | Description | 
|---|---|
| `enable` boolean | Specifies if this flow log is enabled. When disabled, the backend flow filters are disabled, and no corresponding logs are collected. Defaults to `true` if not specified. |
| `filters` FlowLogFilter array | A list of filters used for matching flow events. Flow events matching any of the provided filter rules are logged. |
| `lifetime` Lifetime | The amount of time this flow log rule is applied for. After the time is reached, the flow logging rule is disabled. If empty, this flow logging rule is enabled indefinitely. |
| `logDetailLevel` LogDetailLevel | The fields that are logged for matching flow events. If empty, defaults to logging all fields. |
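The matching rules described for FlowLogFilter and FlowLogSpec, modelled in Python so a filter set can be checked against sample flows before it is applied. This is an added example, not code from the product: the flow dictionary layout, the function names and the sample addresses are constructed, `labels` selectors are left out, and it assumes the fields inside a NetworkEndpointFilter combine the same way as the fields of a filter.

```python
import fnmatch
import ipaddress


def endpoint_matches(nef, ep):
    """nef: a NetworkEndpointFilter dict (or None); ep: one side of a flow."""
    if not nef:
        return True  # field not specified: no filtering on this side
    checks = []
    if nef.get("ipBlocks"):  # exact address or CIDR range; any entry may match
        addr = ipaddress.ip_address(ep["ip"])
        checks.append(any(addr in ipaddress.ip_network(b, strict=False)
                          for b in nef["ipBlocks"]))
    if nef.get("namespacePodSelectors"):  # namespace name and/or pod name prefix
        checks.append(any(
            ("namespace" not in s or s["namespace"] == ep.get("namespace"))
            and ("pod" not in s or (ep.get("pod") or "").startswith(s["pod"]))
            for s in nef["namespacePodSelectors"]))
    if nef.get("ports"):  # IntOrString values, compared as strings here
        checks.append(str(ep.get("port")) in {str(p) for p in nef["ports"]})
    return all(checks)  # every specified field must match


def expand(f):
    """Rewrite an `endpoint` filter into its `source` and `destination` forms."""
    if "endpoint" not in f:
        return [f]
    if "source" in f or "destination" in f:
        raise ValueError("endpoint must not be combined with source or destination")
    rest = {k: v for k, v in f.items() if k != "endpoint"}
    return [dict(rest, source=f["endpoint"]), dict(rest, destination=f["endpoint"])]


def filter_matches(f, flow):
    """All specified fields of one filter must match; list fields match any value."""
    if f.get("l4Protocols") and flow.get("protocol") not in f["l4Protocols"]:
        return False
    if f.get("verdicts") and flow.get("verdict") not in f["verdicts"]:
        return False
    selectors = f.get("clusterNodeSelectors")
    if selectors and not any(
            ("cluster" not in s or s["cluster"] == flow.get("cluster"))
            and ("node" not in s
                 or fnmatch.fnmatchcase(flow.get("node", ""), s["node"]))
            for s in selectors):
        return False
    return (endpoint_matches(f.get("source"), flow["src"])
            and endpoint_matches(f.get("destination"), flow["dst"]))


def flow_is_logged(spec, flow):
    """A flow is logged if the FlowLog is enabled and at least one filter matches."""
    if not spec.get("enable", True):
        return False
    return any(filter_matches(x, flow)
               for f in spec.get("filters", []) for x in expand(f))


def make_flow(src, dst, protocol):
    keys = ("ip", "namespace", "pod", "port")
    return {"src": dict(zip(keys, src)), "dst": dict(zip(keys, dst)),
            "protocol": protocol}


# Constructed FlowLogSpec: the pod-to-pod case from the text, plus an
# `endpoint` filter that covers both directions for one address range.
SPEC = {
    "enable": True,
    "filters": [
        {"source": {"namespacePodSelectors": [{"namespace": "srcNS", "pod": "pod1"}]},
         "destination": {"namespacePodSelectors": [{"namespace": "dstNS", "pod": "pod2"}]},
         "l4Protocols": ["TCP"]},
        {"endpoint": {"ipBlocks": ["1.1.1.0/24"]}, "l4Protocols": ["UDP"]},
    ],
}

# Constructed sample flows.
POD1 = ("10.0.0.5", "srcNS", "pod1-abc", 40000)
POD2 = ("10.0.0.9", "dstNS", "pod2", 443)
DNS_POD = ("10.0.0.7", "kube-system", "coredns-x", 5353)
EXTERNAL = ("1.1.1.7", None, None, 53)
SAMPLE_FLOWS = {
    "pod1_to_pod2_tcp": make_flow(POD1, POD2, "TCP"),
    "pod1_to_pod2_udp": make_flow(POD1, POD2, "UDP"),
    "to_range_udp": make_flow(DNS_POD, EXTERNAL, "UDP"),
    "from_range_udp": make_flow(EXTERNAL, DNS_POD, "UDP"),
    "to_range_tcp": make_flow(DNS_POD, EXTERNAL, "TCP"),
}

if __name__ == "__main__":
    for name, flow in SAMPLE_FLOWS.items():
        print(f"{name}: logged={flow_is_logged(SPEC, flow)}")
```

Running the model over traffic you expect to capture shows whether a filter is narrower than intended, for example when a protocol restriction silently excludes the flows of interest.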
FlowLogStatus
Defines the observed state of flow logs.
Appears in: - FlowLog
| Field | Description | 
|---|---|
| `conditions` Condition array | The current status of flow logs. Known condition types are: `Reconciled`: The flow log is reconciled and provisioned successfully; and `Logging`: the flow log is currently reconciled and active. |
| `clusters` PropagationStatus array | The propagation status of this flow log in each cluster where the resource is propagated. The `Propagated` condition is set to `true` in the `Conditions` if this resource is synced to the cluster, and its `ObservedGeneration` is set to the generation of the propagated resource in the target cluster. If this resource is successfully pruned from a cluster, the corresponding `PropagationStatus` must be removed from the list. |
| `startTime` Time | The time the flow log becomes active. This field is set by reconciler when it first interacts with the object, or when the `FlowLogSpec` resource is changed. |
| `endTime` Time | The time the flow log becomes inactive. This field is set by reconciler as such: |
ForwardingRuleExternal
Represents a frontend API to create external forwarding rule.
Appears in: - ForwardingRuleExternalList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | ForwardingRuleExternal |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` ForwardingRuleExternalSpec | |
| `status` ForwardingRuleExternalStatus | |
ForwardingRuleExternalList
Contains a list of ForwardingRuleExternal.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | ForwardingRuleExternalList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` ForwardingRuleExternal array | |
ForwardingRuleExternalSpec
Describes the attributes that a user expects from a forwarding rule.
Appears in: - ForwardingRuleExternal
| Field | Description | 
|---|---|
| `cidrRef` CIDRRef | A reference to object holding the CIDR to use for this forwarding rule. It has to reference object in the same namespace as this forwarding rule. If not specified, an IPv4 /32 CIDR will be auto-reserved from the global or zonal IP pool. This field is optional. This field is immutable. |
| `ports` Port array | A list of L4 ports for which packets will be forwarded to the backends configured with this forwarding rule. At least one port has to be specified. For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [CIDR, Protocol] pair if they share at least one port number. This field is required. This field is immutable. |
| `backendServiceRef` BackendServiceRef | A reference to BackendService used for this forwarding rule. It has to reference BackendService in the same namespace as this forwarding rule. This field is immutable once set. |
ForwardingRuleExternalStatus
Represents the status of forwarding rule.
Appears in: - ForwardingRuleExternal
| Field | Description | 
|---|---|
| `cidr` string | The resulting cidr value used for this forwarding rule. |
| `conditions` Condition array | A list of conditions describing the current state of the forwarding rule. Known condition types are: * "Ready" |
ForwardingRuleInternal
Represents a frontend API to create internal forwarding rule.
Appears in: - ForwardingRuleInternalList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | ForwardingRuleInternal |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` ForwardingRuleInternalSpec | |
| `status` ForwardingRuleInternalStatus | |
ForwardingRuleInternalList
Contains a list of ForwardingRuleInternal.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | ForwardingRuleInternalList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` ForwardingRuleInternal array | |
ForwardingRuleInternalSpec
Describes the attributes that a user expects from a forwarding rule.
Appears in: - ForwardingRuleInternal
| Field | Description | 
|---|---|
| `cidrRef` CIDRRef | A reference to object holding the CIDR to use for this forwarding rule. It has to reference object in the same namespace as this forwarding rule. If not specified, an IPv4 /32 CIDR will be auto-reserved from the global or zonal IP pool. This field is optional. This field is immutable. |
| `ports` Port array | A list of L4 ports for which packets will be forwarded to the backends configured with this forwarding rule. At least one port has to be specified. For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [CIDR, Protocol] pair if they share at least one port number. This field is required. This field is immutable. |
| `backendServiceRef` BackendServiceRef | A reference to BackendService used for this forwarding rule. It has to reference BackendService in the same namespace as this forwarding rule. This field is immutable once set. |
ForwardingRuleInternalStatus
Represents the status of forwarding rule.
Appears in: - ForwardingRuleInternal
| Field | Description | 
|---|---|
| `cidr` string | The resulting cidr value used for this forwarding rule. |
| `conditions` Condition array | A list of conditions describing the current state of the forwarding rule. Known condition types are: * "Ready" |
ForwardingRuleRef
Holds information about the forwarding rule.
Appears in: - BackendServiceStatus
| Field | Description | 
|---|---|
| `name` string | A name of the referenced forwarding rule object. This field is required. This field is immutable. |
ForwardingRuleSpecCommon
Describes common attributes that a user expects from a forwarding rule.
Appears in: - ForwardingRuleExternalSpec - ForwardingRuleInternalSpec
| Field | Description | 
|---|---|
| `cidrRef` CIDRRef | A reference to object holding the CIDR to use for this forwarding rule. It has to reference object in the same namespace as this forwarding rule. If not specified, an IPv4 /32 CIDR will be auto-reserved from the global or zonal IP pool. This field is optional. This field is immutable. |
| `ports` Port array | A list of L4 ports for which packets will be forwarded to the backends configured with this forwarding rule. At least one port has to be specified. For internal forwarding rules within the same VPC network, two or more forwarding rules cannot use the same [CIDR, Protocol] pair if they share at least one port number. This field is required. This field is immutable. |
| `backendServiceRef` BackendServiceRef | A reference to BackendService used for this forwarding rule. It has to reference BackendService in the same namespace as this forwarding rule. This field is immutable once set. |
ForwardingRuleStatusCommon
Represents common status of ForwardingRule
Appears in: - ForwardingRuleExternalStatus - ForwardingRuleInternalStatus
| Field | Description | 
|---|---|
| `cidr` string | The resulting cidr value used for this forwarding rule. |
| `conditions` Condition array | A list of conditions describing the current state of the forwarding rule. Known condition types are: * "Ready" |
GatewayInterfaceRef
Represents a reference to an interface on a VPNGateway or PeerGateway resource.
Appears in: - VPNTunnelSpec
| Field | Description | 
|---|---|
| `name` string | The name of the gateway. |
| `namespace` string | The namespace of the gateway. |
| `interface` string | The name of the interface. |
HealthCheck
Specifies the backend service health checks.
Appears in: - HealthCheckList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | HealthCheck |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` HealthCheckSpec | |
| `status` HealthCheckStatus | |
HealthCheckList
Contains a list of HealthCheck.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | HealthCheckList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` HealthCheck array | |
HealthCheckSpec
Describes the attributes that a user expects from a health check.
Appears in: - HealthCheck
| Field | Description | 
|---|---|
| `tcpHealthCheck` TCPHealthCheck | Defines probes using TCP port. |
| `checkIntervalSec` integer | The amount of time in seconds from the start of one probe to the start of the next one. Defaults to 5. This field is immutable. |
| `timeoutSec` integer | A time (in seconds) to wait before claiming failure. Defaults to 5. This field is immutable. |
| `healthyThreshold` integer | A number of sequential probes that must succeed for the endpoint to be considered healthy. Defaults to 2. This field is immutable. |
| `unhealthyThreshold` integer | A number of sequential probes that must fail for the endpoint to be considered unhealthy. Defaults to 2. This field is immutable. |
HealthCheckStatus
Represents the status of a health check.
Appears in: - HealthCheck
| Field | Description | 
|---|---|
| `conditions` Condition array | A list of conditions describing the current state of the health check. Known condition types are: * "Ready" |
Lifetime
Defines the lifetime of a flow log. A value for expiration or
duration must be specified, but not both.
Appears in: - FlowLogSpec
| Field | Description | 
|---|---|
| `expiration` Time | The time when this filter rule expires and becomes inactive. Expiration must be a time in the future. It includes the time required to propagate resources down to child clusters so the value should account for an additional buffer of around one minute to ensure that all clusters can begin logging and capture the necessary traffic. |
| `duration` Duration | The amount of time the flow log will be active for, starting from when it is reconciled. It includes the time required to propagate resources down to child clusters so the value should account for an additional buffer of around one minute to ensure that all clusters can begin logging and capture the necessary traffic. |
LogDetailLevel
Underlying type: string
A list of predefined combinations of fields that are logged
when filtered flow events are captured.
Appears in: - FlowLogSpec
ManagedServiceSubject
Defines a managed service target.
Appears in: - OrganizationNetworkPolicySubject
| Field | Description | 
|---|---|
| `matchTypes` string array | The organization managed service types that the policy applies to. |
NamespacePodSelector
Represents the information used to locate pods inside of the specified namespace.
Specify a value for namespace, pod, or namespace and pod.
Appears in: - NetworkEndpointFilter
| Field | Description | 
|---|---|
| `namespace` string | The flow events that match the namespace name. For example, `kube-system`. |
| `pod` string | The flow events that match the given pod name prefix. For example, `xwing`, `coredns-`. |
NetworkEndpointFilter
Represents a filter that selects a set of network endpoints based on the filter conditions specified.
Appears in: - FlowLogFilter
| Field | Description | 
|---|---|
| `ipBlocks` string array | A filter that selects flow events that match the IP address or IP address range. Each of the IP addresses can be specified as an exact match, like `1.1.1.1` or `1200:0000:AB00:1234:0000:2552:7777:1313`, or as a CIDR range like `1.1.1.0/24` or `1200:0000:AB00:1234:0000:2552:7777:1313/120`. If not specified, any IP address is matched. |
| `labels` LabelSelector array | A filter that selects flow events that match the label selector. Selectors support the full Kubernetes label selector syntax. |
| `namespacePodSelectors` NamespacePodSelector array | A list of namespaces and pods used to match flows. |
| `ports` IntOrString array | A filter that selects flows by their L4 ports. If this field is not provided, this matches all port numbers. An example value for a single port is `80`. If present, only traffic on the specified protocol and port is matched. |
OrganizationNetworkPolicy
Defines the Schema for the OrganizationNetworkPolicy API.
Appears in: - OrganizationNetworkPolicyList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | OrganizationNetworkPolicy |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` OrganizationNetworkPolicySpec | The desired configuration for OrganizationNetworkPolicy. |
| `status` OrganizationNetworkPolicyStatus | The observed state for OrganizationNetworkPolicy. |
OrganizationNetworkPolicyIngressRule
Defines a single ingress rule for an OrganizationNetworkPolicy resource.
Appears in: - OrganizationNetworkPolicySpec
| Field | Description | 
|---|---|
| `from` OrganizationNetworkPolicyPeer array | A list of sources which are able to access the subject of the policy. Items in this list are combined using a logical `OR` operation. If this field is empty or missing, this rule matches all sources, the traffic is not restricted by source. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the `from` list. A maximum of one item must be specified. |
OrganizationNetworkPolicyList
Defines a list of OrganizationNetworkPolicy resources.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | OrganizationNetworkPolicyList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` OrganizationNetworkPolicy array | |
OrganizationNetworkPolicyPeer
Defines a peer to allow traffic from.
Appears in: - OrganizationNetworkPolicyIngressRule
| Field | Description | 
|---|---|
| `ipBlock` IPBlock | A policy on a particular iPBlock. If empty, it allows all traffic (0.0.0.0/0). |
OrganizationNetworkPolicySpec
Defines the desired state of an OrganizationNetworkPolicy resource.
The array of ingress rules for this policy applies to the specified target.
When multiple rules are present, or when multiple policies are present,
the rules for each are combined additively. Traffic is
allowed if it matches at least one rule.
Appears in: - OrganizationNetworkPolicy
| Field | Description | 
|---|---|
| `subject` OrganizationNetworkPolicySubject | The managed services of the organization network policies. |
| `ingress` OrganizationNetworkPolicyIngressRule array | The ingress rule for the traffic. If `ingress` is empty or missing, it does not allow any traffic. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the `from` field. |
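Because rules and policies combine additively, one rule with an empty `from` list or an empty `ipBlock` opens a managed service to every source no matter how narrow the other policies are. The audit below applies the documented semantics to a set of OrganizationNetworkPolicy objects and reports which subjects are effectively open. It is an added example, not product code: the policy names and addresses are constructed, the `cidr` key inside `ipBlock` is an assumption (IPBlock is not defined in this section), and the use of `APIServer` and `UIConsole` as `matchTypes` values is assumed from the service names mentioned in the reference.

```python
from collections import defaultdict


def rule_scope(rule):
    """Classify one OrganizationNetworkPolicyIngressRule by the sources it admits."""
    peers = rule.get("from") or []
    if not peers:
        return "any-source"   # empty or missing `from`: matches all sources
    if len(peers) > 1:
        return "invalid"      # the reference allows a maximum of one item
    if not peers[0].get("ipBlock"):
        return "any-source"   # empty ipBlock: allows all traffic (0.0.0.0/0)
    return "restricted"


def audit(policies):
    """Group policies by managed service and compute the combined exposure."""
    by_subject = defaultdict(list)
    for pol in policies:
        services = (pol["spec"].get("subject") or {}).get("services") or {}
        for svc in services.get("matchTypes") or []:
            by_subject[svc].append(pol)

    report = {}
    for svc, pols in by_subject.items():
        entry = {"open_to_any_source": False, "opened_by": [],
                 "restricted_rules": 0, "notes": []}
        for pol in pols:
            name = pol["metadata"]["name"]
            rules = pol["spec"].get("ingress") or []
            if not rules:
                entry["notes"].append(
                    f"{name}: empty ingress, allows no traffic by itself")
            for i, rule in enumerate(rules):
                scope = rule_scope(rule)
                if scope == "any-source":
                    entry["open_to_any_source"] = True
                    entry["opened_by"].append(f"{name}.ingress[{i}]")
                elif scope == "restricted":
                    entry["restricted_rules"] += 1
                else:
                    entry["notes"].append(
                        f"{name}.ingress[{i}]: more than one item in from")
        if entry["open_to_any_source"] and entry["restricted_rules"]:
            entry["notes"].append(
                f"{entry['restricted_rules']} restricted rule(s) have no "
                "narrowing effect: rules combine additively")
        report[svc] = entry
    return report


def policy(name, service, ingress):
    """Build a constructed OrganizationNetworkPolicy dict for the samples below."""
    return {"metadata": {"name": name},
            "spec": {"subject": {"services": {"matchTypes": [service]}},
                     "ingress": ingress}}


# Constructed sample policies; `cidr` is an assumed IPBlock field.
CORP = {"from": [{"ipBlock": {"cidr": "10.20.0.0/16"}}]}
POLICIES = [
    policy("allow-corp-to-api", "APIServer", [CORP]),
    policy("temp-debug", "APIServer", [{}]),       # rule without `from`
    policy("console-corp", "UIConsole", [CORP]),
    policy("console-placeholder", "UIConsole", []),  # no ingress rules
]

if __name__ == "__main__":
    for svc, entry in audit(POLICIES).items():
        print(svc, entry)
```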
OrganizationNetworkPolicyStatus
Defines the observed state of OrganizationNetworkPolicy resource.
Appears in: - OrganizationNetworkPolicy
| Field | Description | 
|---|---|
| `conditions` Condition array | If `ready` is `true`, it means that the `OrganizationNetworkPolicy` resource is successfully propagated to the Management API server. If `ready` is `false`, it means that the `OrganizationNetworkPolicy` has failed to propagate. |
| `generatedauthorizationpolicies` AuthorizationPolicyRef array | The list of authorization policies that are generated from the `OrganizationNetworkPolicy` resource. |
OrganizationNetworkPolicySubject
Represents the organization service targets. Choose exactly one of the properties for the target.
Appears in: - OrganizationNetworkPolicySpec
| Field | Description | 
|---|---|
| `subjectType` OrganizationNetworkPolicySubjectType | The type of entities the policy rules apply to. If not set, then it defaults to ManagedService. |
| `services` ManagedServiceSubject | The service to select. Supports the organization multi-tenant service, including `UIConsole` and `APIServer`. |
OrganizationNetworkPolicySubjectType
Underlying type: string
Defines the target type of the policies.
Appears in: - OrganizationNetworkPolicySubject
PeerGateway
PeerGateway represents a remote VPN endpoint. An interface on a PeerGateway should be used by a single VPNTunnel to establish an encrypted tunnel to the remote site.
Appears in: - PeerGatewayList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | PeerGateway |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` PeerGatewaySpec | |
| `status` PeerGatewayStatus | |
PeerGatewayInterface
Represents a Gateway interface on which a tunnel is established.
Appears in: - PeerGatewaySpec
| Field | Description | 
|---|---|
| `name` string | The name of the interface. |
| `ip` string | The IPv4 address of the interface. |
PeerGatewayList
PeerGatewayList contains a list of PeerGateway.
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | PeerGatewayList |
| `metadata` ListMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `items` PeerGateway array | Items is a list of PeerGateway entries. |
PeerGatewaySpec
PeerGatewaySpec defines the desired state of PeerGateway.
Appears in: - PeerGateway
| Field | Description | 
|---|---|
| `interfaces` PeerGatewayInterface array | The list of interfaces on the Peer Gateway which will be used for VPN connections. Each interface should be used by one VPNTunnel. |
PeerGatewayStatus
PeerGatewayStatus defines the observed state of PeerGateway.
Appears in: - PeerGateway
| Field | Description | 
|---|---|
| `conditions` Condition array | Indicates the current status of PeerGateway. Known condition types are: - "Ready": The Peer Gateway is reconciled and used by a VPNTunnel. - "TunnelsEstablished": Each interface on the Peer Gateway is used by a VPNTunnel. |
PolicyManagedServiceSubject
Defines a managed service target.
Appears in: - ProjectNetworkPolicySubject
| Field | Description | 
|---|---|
| `matchTypes` string array | The managed service types that the policy applies to. Exactly one item must be specified. |
PolicyProjects
Represents a collection of projects that is used to match a set of projects.
Appears in: - ProjectNetworkPolicyPeer - ProjectSelector
| Field | Description | 
|---|---|
| `matchNames` string array | The selected projects which are chosen within the organization based on their name. The project namespace is derived from the project network policy's namespace. If this field is empty or missing, this rule matches all projects. A maximum of one item must be specified. |
PolicySubjectType
Underlying type: string
Defines the target type of the network policies.
Appears in: - ProjectNetworkPolicySubject
PolicyType
Underlying type: string
Defines the direction of traffic on which the policy rules are
applied.
Appears in: - ProjectNetworkPolicySpec
PolicyVerdict
Underlying type: string
Defines a list of verdicts classifying flows.
Appears in: - FlowLogFilter
Port
Contains information on L4 port on which service needs to be served.
Appears in: - ForwardingRuleExternalSpec - ForwardingRuleInternalSpec - ForwardingRuleSpecCommon - TargetPort
| Field | Description | 
|---|---|
| `protocol` Protocol | Specifies Layer-4 protocol which traffic must match. Only TCP and UDP are supported. This field is required. This field is immutable. |
| `port` integer | A number of the port that will be exposed by this service. This field is required. This field is immutable. |
ProbeHandler
Defines the available probes for the health check. One and only one of the fields must be specified.
Appears in: - HealthCheckSpec
| Field | Description | 
|---|---|
| `tcpHealthCheck` TCPHealthCheck | Defines probes using TCP port. |
ProjectNetworkPolicy
Contains the Schema for the ProjectNetworkPolicy API.
Appears in: - ProjectNetworkPolicyList
| Field | Description | 
|---|---|
| `apiVersion` string | networking.gdc.goog/v1 |
| `kind` string | ProjectNetworkPolicy |
| `metadata` ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. |
| `spec` ProjectNetworkPolicySpec | The desired configuration for `ProjectNetworkPolicy` resource. |
| `status` ProjectNetworkPolicyStatus | The observed state for `ProjectNetworkPolicy` resource. |
ProjectNetworkPolicyEgressRule
Defines a single egress rule for a ProjectNetworkPolicy resource.
Appears in: - ProjectNetworkPolicySpec
| Field | Description | 
|---|---|
| `ports` ProjectNetworkPolicyPort array | A list of the destination ports showing outgoing traffic. Each item in this list is combined using a logical `OR` operation. If this field is empty or missing, this rule matches all ports, traffic is not restricted by port. If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. |
| `to` ProjectNetworkPolicyPeer array | A list of destinations for outgoing traffic of the subject for this rule. Items in this list are combined using a logical `OR` operation. If this field is empty or missing, this rule matches all destinations, traffic is not restricted by destination. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the `to` list. A maximum of one item must be specified. |
ProjectNetworkPolicyIngressRule
Defines a single ingress rule for a ProjectNetworkPolicy resource.
Appears in: - ProjectNetworkPolicySpec
| Field | Description | 
|---|---|
| `ports` ProjectNetworkPolicyPort array | A list of ports for incoming traffic. Each item in this list is combined using a logical `OR` operation. If this field is empty or missing, this rule matches all ports, traffic is not restricted by port. If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list. |
| `from` ProjectNetworkPolicyPeer array | A list of sources which are able to access the subject of the policy. Items in this list are combined using a logical `OR` operation. If this field is empty or missing, this rule matches all sources, traffic is not restricted by source. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the `from` list. A maximum of one item must be specified. |
ProjectNetworkPolicyList
Defines a list of ProjectNetworkPolicy resources.
| Field | Description | 
|---|---|
| apiVersion string | networking.gdc.goog/v1 | 
| kind string | ProjectNetworkPolicyList | 
| metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | 
| items ProjectNetworkPolicy array | |
ProjectNetworkPolicyPeer
Represents a peer to allow traffic from. Exactly one of the subfields must be specified.
Appears in: - ProjectNetworkPolicyEgressRule - ProjectNetworkPolicyIngressRule
| Field | Description | 
|---|---|
| projects PolicyProjects | The projects to apply the network policy to. | 
| projectSelector ProjectSelector | ProjectSelector selects projects and workloads within those projects as a source of traffic. If specified, allows traffic from workloads within the selected projects that match the workload selector. | 
| ipBlock IPBlock | A policy on a particular iPBlock. If empty, then all external IPs, excluding Kubernetes nodes and workloads in the organization, are selected. | 
| ipBlocks IPBlock array | A policy on particular iPBlocks. If empty, then all external IPs, excluding Kubernetes nodes and workloads in the organization, are selected. | 
ProjectNetworkPolicyPort
Represents a port to allow traffic on. If all subfields are empty, all TCP traffic is selected.
Appears in: - ProjectNetworkPolicyEgressRule - ProjectNetworkPolicyIngressRule
| Field | Description | 
|---|---|
| protocol Protocol | The protocol which traffic must match. The options are TCP, UDP, or SCTP. If unspecified, this field defaults to TCP. | 
| port IntOrString | The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol and port is matched. | 
ProjectNetworkPolicySpec
Defines the desired state of ProjectNetworkPolicy resource.
The array of ingress or egress rules for this policy applies to the specified
subject or target.
When multiple rules are present, or when multiple policies are present,
the rules for each are combined additively. In other words, traffic is
allowed if it matches at least one rule.
Appears in: - ProjectNetworkPolicy
| Field | Description | 
|---|---|
| subject ProjectNetworkPolicySubject | The target of the project network policies. If unspecified, all pods excluding the managed services in the project are selected. | 
| policyType PolicyType | The direction of traffic on which the policy rules are applied. This must be set to one of ingress and egress. If not set, then it defaults to ingress. | 
| ingress ProjectNetworkPolicyIngressRule array | A list of ingress rules for this policy. If this field is empty, the ProjectNetworkPolicy resource does not allow any traffic and serves solely to ensure that the subjects it selects are isolated by default. | 
| egress ProjectNetworkPolicyEgressRule array | The list of egress rules for this policy. If this field is empty, the ProjectNetworkPolicy resource does not allow any traffic and serves solely to ensure that the subjects it selects are isolated by default. | 
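Because empty `from`, `to`, `ports`, `port` and `ipBlock` fields widen a rule instead of narrowing it, a manifest review should flag them explicitly. The following audit is an added example, not code from the GDC project; it assumes the manifest has already been parsed into a dict, and the sample policy is constructed.

```python
# Added example, not project code: flag match-all ProjectNetworkPolicy rules.
PEER_FIELDS = ("projects", "projectSelector", "ipBlock", "ipBlocks")

def audit_policy(policy):
    """Return findings for one ProjectNetworkPolicy given as a parsed dict."""
    spec = policy.get("spec") or {}
    direction = (spec.get("policyType") or "ingress").lower()  # default: ingress
    peer_key = "from" if direction == "ingress" else "to"
    rules = spec.get(direction) or []
    if not rules:
        return [f"{direction}: no rules, selected subjects are isolated"]
    findings = []
    for i, rule in enumerate(rules):
        where = f"{direction}[{i}]"
        peers = rule.get(peer_key) or []
        if not peers:
            findings.append(f"{where}: empty '{peer_key}' matches all peers")
        elif len(peers) > 1:
            findings.append(f"{where}: '{peer_key}' has more than one item")
        for peer in peers:
            present = [f for f in PEER_FIELDS if f in peer]
            if len(present) != 1:
                findings.append(f"{where}: peer sets {present}, expected exactly one subfield")
            elif present[0] in ("ipBlock", "ipBlocks") and not peer[present[0]]:
                findings.append(f"{where}: empty {present[0]} selects all external IPs")
            elif present[0] == "projectSelector" and not (peer[present[0]] or {}).get("projects"):
                findings.append(f"{where}: projectSelector without projects matches all projects")
        ports = rule.get("ports") or []
        if not ports:
            findings.append(f"{where}: empty 'ports' matches all ports")
        for entry in ports:
            if entry.get("port") is None:
                proto = entry.get("protocol") or "TCP"  # documented default
                findings.append(f"{where}: port entry without 'port' matches every {proto} port")
    return findings

# Constructed sample manifest (names are made up for illustration).
SAMPLE = {
    "apiVersion": "networking.gdc.goog/v1",
    "kind": "ProjectNetworkPolicy",
    "metadata": {"name": "allow-web", "namespace": "project-a"},
    "spec": {
        "policyType": "Ingress",
        "ingress": [
            {"from": [{"ipBlock": {}}], "ports": [{"protocol": "TCP", "port": 443}]},
            {"ports": [{"protocol": "UDP"}]},
        ],
    },
}
```

Since rules and policies combine additively, a single flagged rule is enough to open the subject to that traffic regardless of how narrow the other rules are.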
ProjectNetworkPolicyStatus
Defines the observed state of a ProjectNetworkPolicy resource.
Appears in: - ProjectNetworkPolicy
| Field | Description | 
|---|---|
| conditions Condition array | If ready is true, it means that all network policies are successfully propagated to all user clusters. If ready is false, it means that some, or all, network policies have failed to propagate. | 
| propagatedName string | The name of the propagated network policy realized in all user clusters within the project. This field is expected to be set when the property of SubjectType="UserWorkload". | 
| clusters ClusterStatus array | The list of propagation status on the clusters. This field is expected to be set when the property of SubjectType="UserWorkload". | 
| propagatedManagedServiceNamespaces string array | The list of managed service namespaces that the policy is propagated to. This field is expected to be set when the property of SubjectType="ManagedService". | 
| errorStatus ErrorStatus | ErrorStatus holds most recent errors with last seen time. | 
ProjectNetworkPolicySubject
Defines the target for project network policies.
Appears in: - ProjectNetworkPolicySpec
| Field | Description | 
|---|---|
| subjectType PolicySubjectType | The type of entities the policy rules apply to. This must be set to one of userWorkload or managedService. If not set, then it defaults to userWorkload. If set to userWorkload, then all pods excluding the managed services in the project are selected. If set to managedService, then specified managed services are selected. | 
| managedServices PolicyManagedServiceSubject | The managed services that the policy rules apply to. Must be specified only with SubjectType="ManagedService". | 
| workloadSelector LabelSelector | WorkloadSelector selects the workloads in the project to which the policy rules apply. If this field is nil or empty, this rule applies to all workloads in the project. | 
ProjectSelector
ProjectSelector selects projects and workloads.
Appears in: - ProjectNetworkPolicyPeer
| Field | Description | 
|---|---|
| projects PolicyProjects | The projects to apply the network policy to. If empty, this rule matches all projects. | 
| workloads LabelSelector | The workloads to apply the network policy to. If empty, all workloads in the selected projects are included. | 
PropagationStatus
Defines the propagation status for a specific cluster.
Appears in: - FlowLogStatus
| Field | Description | 
|---|---|
| cluster string | The cluster name where this resource is propagated. | 
| node string | The node name where this resource is propagated. | 
| namespace string | The namespace where this resource is propagated. | 
| name string | The name of the propagated resource. | 
| conditions Condition array | The current status of the programmed resources. | 
Route
Represents a route advertised or received over the tunnel.
Appears in: - VPNBGPPeerStatus
| Field | Description | 
|---|---|
| prefix string | The network prefix of the route. | 
SessionAffinity
Underlying type: string
Session Affinity Type string
Appears in: - BackendServicePolicySpec
SessionState
Underlying type: string
The state of the BGP session, like Established or NotEstablished.
Appears in: - VPNBGPPeerStatus
TCPHealthCheck
Specifies parameters for TCP health check probes.
Appears in: - HealthCheckSpec - ProbeHandler
| Field | Description | 
|---|---|
| port integer | A number of the port on which the health check will be performed. Defaults to 80. This field is immutable. | 
TargetPort
Holds information about an L4 port that will be translated to specified targetPort.
Appears in: - BackendServiceSpec
| Field | Description | 
|---|---|
| protocol Protocol | Specifies Layer-4 protocol which traffic must match. Only TCP and UDP are supported. This field is required. This field is immutable. | 
| port integer | A number of the port that will be exposed by this service. This field is required. This field is immutable. | 
| targetPort integer | A port to which the Port value will be translated. Value of TargetPort cannot be repeated in a given object. This field is required. This field is immutable. | 
TunnelState
Underlying type: string
The state of the Tunnel, like Established or Connecting.
Appears in: - VPNTunnelStatus
VPNBGPPeer
VPNBGPPeer represents a BGP session over a VPN tunnel. A VPNBGPPeer establishes a BGP session between a BGP peer in an Organization and BGP peer of a remote site across a single VPNTunnel. A VPNBGPPeer should be used by a VPNTunnel.
Appears in: - VPNBGPPeerList
| Field | Description | 
|---|---|
| apiVersion string | networking.gdc.goog/v1 | 
| kind string | VPNBGPPeer | 
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | 
| spec VPNBGPPeerSpec | |
| status VPNBGPPeerStatus | |
VPNBGPPeerList
VPNBGPPeerList contains a list of VPNBGPPeer.
| Field | Description | 
|---|---|
| apiVersion string | networking.gdc.goog/v1 | 
| kind string | VPNBGPPeerList | 
| metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | 
| items VPNBGPPeer array | Items is a list of VPNBGPPeer entries. | 
VPNBGPPeerSpec
VPNBGPPeerSpec defines the desired state of VPNBGPPeer. The IP for both the Remote and Local BGP peer must be in the same "/30" block from the "169.254.0.0/16" range.
Appears in: - VPNBGPPeer
| Field | Description | 
|---|---|
| remote BGPPeerInterface | Represents the remote BGP peer. | 
| local BGPPeerInterface | Represents the local BGP peer. | 
VPNBGPPeerStatus
VPNBGPPeerStatus defines the observed state of VPNBGPPeer. The Organization will create a BGP session with the remote site over the VPNTunnel that references this VPNBGPPeer. The local BGP peer will advertise all internal CIDRs of the Organization to the remote BGP peer. If the remote BGP peer advertises a CIDR that conflicts with the internal CIDRs of the Organization, the VPNBGPPeer "Ready" condition will be false.
Appears in: - VPNBGPPeer
| Field | Description | 
|---|---|
| state SessionState | Represents the state of the BGP session between the local BGP peer and the remote BGP peer. | 
| advertisedRoute array | Represents routes advertised to the remote site on the BGP session. | 
| receivedRoute array | Represents routes received from the remote site on the BGP session. | 
| conditions Condition array | Indicates the current status of VPNBGPPeer. Known condition types are: - "Ready": The Peer Gateway is reconciled and used by a VPNTunnel. - "BGPSessionEstablished": Each interface on the Peer Gateway is used by a VPNTunnel. - "ReceivedRoutesReady": The routes received from the remote BGP peer do not interfere with routes in the internal CIDR of the Organization. | 
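The two constraints stated for VPNBGPPeer (both peer IPs in one "/30" block of "169.254.0.0/16", and no received route conflicting with internal CIDRs) can be checked before and after the session comes up. This is an added example, not the project's own validation; it assumes the object is parsed into dicts, that the operator supplies the internal CIDR list, and that "conflicts" means the prefixes overlap.

```python
import ipaddress

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")

def check_peer_ips(spec):
    """Check spec.local.ip and spec.remote.ip against the documented /30 rule."""
    problems, addrs = [], {}
    for side in ("local", "remote"):
        raw = (spec.get(side) or {}).get("ip")
        try:
            addrs[side] = ipaddress.IPv4Address(raw)
        except ValueError:
            problems.append(f"{side}.ip {raw!r} is not an IPv4 address")
            continue
        if addrs[side] not in LINK_LOCAL:
            problems.append(f"{side}.ip {raw} is outside {LINK_LOCAL}")
    if len(addrs) == 2:
        # Mask each address down to its enclosing /30 and compare the blocks.
        blocks = {ipaddress.ip_network(f"{a}/30", strict=False) for a in addrs.values()}
        if len(blocks) != 1:
            problems.append("local and remote are not in the same /30 block")
    return problems

def conflicting_routes(status, internal_cidrs):
    """Return received prefixes that overlap any internal CIDR (assumed meaning of 'conflict')."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    hits = []
    for route in status.get("received") or []:
        net = ipaddress.ip_network(route["prefix"], strict=False)
        if any(net.version == i.version and net.overlaps(i) for i in internal):
            hits.append(route["prefix"])
    return hits

# Constructed sample objects; addresses, ASNs and CIDRs are illustrative only.
SPEC_OK = {"local": {"name": "gdc", "ip": "169.254.10.1", "asn": 65001},
           "remote": {"name": "site", "ip": "169.254.10.2", "asn": 65002}}
SPEC_SPLIT = {"local": {"ip": "169.254.10.1"}, "remote": {"ip": "169.254.10.5"}}
STATUS = {"received": [{"prefix": "10.20.0.0/16"}, {"prefix": "192.168.50.0/24"}]}
INTERNAL_CIDRS = ["10.0.0.0/8"]  # assumption: supplied by the operator
```

A non-empty result from `conflicting_routes` corresponds to the case where the page says the "Ready" condition will be false.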
VPNGateway
VPNGateway represents an Organization VPN endpoint. An interface on a VPNGateway should be used by a VPNTunnel to establish an encrypted tunnel to a remote site.
Appears in: - VPNGatewayList
| Field | Description | 
|---|---|
| apiVersion string | networking.gdc.goog/v1 | 
| kind string | VPNGateway | 
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | 
| spec VPNGatewaySpec | |
| status VPNGatewayStatus | |
VPNGatewayInterface
Represents an interface on the Gateway. An IP will be allocated for each interface and added in the status.
Appears in: - VPNGatewaySpec
| Field | Description | 
|---|---|
| name string | The name of the interface. | 
VPNGatewayInterfaceStatus
Represents a Gateway interface on which a tunnel is established.
Appears in: - VPNGatewayStatus
| Field | Description | 
|---|---|
| name string | The name of the interface. | 
| ip string | The IPv4 address of the interface. | 
VPNGatewayList
VPNGatewayList contains a list of VPNGateway.
| Field | Description | 
|---|---|
| apiVersion string | networking.gdc.goog/v1 | 
| kind string | VPNGatewayList | 
| metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | 
| items VPNGateway array | Items is a list of VPNGateway entries. | 
VPNGatewaySpec
VPNGatewaySpec defines the desired state of VPNGateway. Define the name of the interfaces which should be assigned external IPv4 addresses by the VPNGateway. Each IPv4 address that is assigned to the interface is automatically chosen from an external address pool.
Appears in: - VPNGateway
| Field | Description | 
|---|---|
| interfaces VPNGatewayInterface array | The names of each interface. VPNGateway will assign an external IPv4 address to each interface in the list. | 
VPNGatewayStatus
VPNGatewayStatus defines the observed state of VPNGateway.
Appears in: - VPNGateway
| Field | Description | 
|---|---|
| interfaces VPNGatewayInterfaceStatus array | The list of interfaces on the VPNGateway. Each interface can be used by one VPNTunnel. | 
| conditions Condition array | Indicates the current status of VPNGateway. Known condition types are: - "Ready": The VPNGateway is reconciled and used by a VPNTunnel. - "IPsAssigned": IPv4 addresses have been assigned to each interface on the VPNGateway. - "TunnelsAttached": Each interface on the VPNGateway is used by a VPNTunnel. | 
VPNTunnel
VPNTunnel represents an encrypted IPSec tunnel between an Organization network and a remote network. It connects a VPNGateway interface to a PeerGateway interface, and uses VPNBGPPeer to exchange routing information over the tunnel.
Appears in: - VPNTunnelList
| Field | Description | 
|---|---|
| apiVersion string | networking.gdc.goog/v1 | 
| kind string | VPNTunnel | 
| metadata ObjectMeta | Refer to Kubernetes API documentation for fields of metadata. | 
| spec VPNTunnelSpec | |
| status VPNTunnelStatus | |
VPNTunnelList
VPNTunnelList contains a list of VPNTunnel.
| Field | Description | 
|---|---|
| apiVersion string | networking.gdc.goog/v1 | 
| kind string | VPNTunnelList | 
| metadata ListMeta | Refer to Kubernetes API documentation for fields of metadata. | 
| items VPNTunnel array | Items is a list of VPNTunnel entries. | 
VPNTunnelSpec
VPNTunnelSpec defines the desired state of VPNTunnel. The tunnel that is established supports the IKEv2 protocol with PSK-based authentication. Packets going through the tunnel are encrypted using IPSec Tunnel mode, where the outer IP header is constructed using a VPNGateway interface IP and a PeerGateway interface IP. A VPNTunnel references a VPNGateway interface, a PeerGateway interface, a VPNBGPPeer resource, and a secret which contains the preshared key for the authentication.
Appears in: - VPNTunnel
| Field | Description | 
|---|---|
| vpnInterface GatewayInterfaceRef | The interface on the VPNGateway that is used for the tunnel. The IP from the interface is used as the source IP for packets sent to the remote site over the tunnel. | 
| peerInterface GatewayInterfaceRef | The interface on the PeerGateway that is used for the tunnel. The IP from the interface is used as the destination IP for packets sent to the remote site over the tunnel. | 
| vpnBGPPeer ObjectReference | A reference to a VPNBGPPeer which specifies the dynamic routing over the tunnel. | 
| ikeKey SecretReference | The secret that contains the preshared key for initial authentication of the gateways. | 
VPNTunnelStatus
VPNTunnelStatus defines the observed state of VPNTunnel.
Appears in: - VPNTunnel
| Field | Description | 
|---|---|
| state TunnelState | The current status of the tunnel. | 
| conditions Condition array | Indicates the current status of VPNTunnel. Known condition types are: - "Ready": The VPNTunnel is reconciled and is in an established state. - "TunnelEstablished": The tunnel is in an established state. |