From a0e7e8d16996eb74e0e627f45e7e38f6d3203558 Mon Sep 17 00:00:00 2001 
From: sridhartigera <63839878+sridhartigera@users.noreply.github.com> Date: Fri, 12 Jun 2026 05:48:12 +0000 Subject: [PATCH] Sync versions from Calico and Calico Enterprise --- .../calico/protect-builtin-tiers.yaml | 28 ++ .../enterprise/protect-builtin-tiers.yaml | 28 ++ ...projectcalico.org_felixconfigurations.yaml | 32 +- .../crd.projectcalico.org_ipamblocks.yaml | 4 +- ...projectcalico.org_felixconfigurations.yaml | 32 +- .../projectcalico.org_ipamblocks.yaml | 4 +- ...crd.projectcalico.org_alertexceptions.yaml | 2 + .../crd.projectcalico.org_bgppeers.yaml | 14 +- ...projectcalico.org_felixconfigurations.yaml | 47 ++- .../crd.projectcalico.org_globalalerts.yaml | 2 + .../crd.projectcalico.org_globalreports.yaml | 2 + ...ico.org_kubecontrollersconfigurations.yaml | 49 +++ ...crd.projectcalico.org_managedclusters.yaml | 14 +- .../crd.projectcalico.org_networks.yaml | 239 +++++++++++ .../crd.projectcalico.org_packetcaptures.yaml | 2 + ...ojectcalico.org_securityeventwebhooks.yaml | 2 + ...er.projectcalico.org_globalwafplugins.yaml | 182 +++++++++ ...r.projectcalico.org_globalwafpolicies.yaml | 253 ++++++++++++ ...alico.org_globalwafvalidationpolicies.yaml | 306 ++++++++++++++ ...ionlayer.projectcalico.org_wafplugins.yaml | 236 +++++++++++ ...onlayer.projectcalico.org_wafpolicies.yaml | 375 ++++++++++++++++++ ...ojectcalico.org_wafvalidationpolicies.yaml | 227 +++++++++++ .../projectcalico.org_alertexceptions.yaml | 2 + .../projectcalico.org_bgppeers.yaml | 14 +- ...projectcalico.org_felixconfigurations.yaml | 47 ++- .../projectcalico.org_globalalerts.yaml | 2 + .../projectcalico.org_globalreports.yaml | 2 + ...ico.org_kubecontrollersconfigurations.yaml | 49 +++ .../projectcalico.org_managedclusters.yaml | 15 +- .../projectcalico.org_networks.yaml | 247 ++++++++++++ .../projectcalico.org_packetcaptures.yaml | 2 + ...ojectcalico.org_securityeventwebhooks.yaml | 2 + 32 files changed, 2441 insertions(+), 21 deletions(-) create mode 100644 
pkg/imports/admission/calico/protect-builtin-tiers.yaml create mode 100644 pkg/imports/admission/enterprise/protect-builtin-tiers.yaml create mode 100644 pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_networks.yaml create mode 100644 pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml create mode 100644 pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml create mode 100644 pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml create mode 100644 pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml create mode 100644 pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml create mode 100644 pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml create mode 100644 pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_networks.yaml diff --git a/pkg/imports/admission/calico/protect-builtin-tiers.yaml b/pkg/imports/admission/calico/protect-builtin-tiers.yaml new file mode 100644 index 0000000000..8bfde631fd --- /dev/null +++ b/pkg/imports/admission/calico/protect-builtin-tiers.yaml 
@@ -0,0 +1,28 @@
+---
+# ValidatingAdmissionPolicy that prevents deletion of the built-in Calico tiers
+# (default, kube-admin, kube-baseline). These tiers are required for correct
+# operation and should never be deleted.
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: protect-builtin-tiers.projectcalico.org
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["projectcalico.org"]
+ apiVersions: ["v3"]
+ resources: ["tiers"]
+ operations: ["DELETE"]
+ validations:
+ - expression: "!(oldObject.metadata.name in ['default', 'kube-admin', 'kube-baseline'])"
+ messageExpression: "'The built-in tier ' + oldObject.metadata.name + ' cannot be deleted'"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: protect-builtin-tiers.projectcalico.org
+spec:
+ policyName: protect-builtin-tiers.projectcalico.org
+ validationActions:
+ - Deny
diff --git a/pkg/imports/admission/enterprise/protect-builtin-tiers.yaml b/pkg/imports/admission/enterprise/protect-builtin-tiers.yaml
new file mode 100644
index 0000000000..8bfde631fd
--- /dev/null
+++ b/pkg/imports/admission/enterprise/protect-builtin-tiers.yaml
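Review bot: The resourceRules match only `projectcalico.org/v3` tiers, so the deny holds only for deletes that travel through the aggregated v3 API; if a Tier is persisted as a `crd.projectcalico.org/v1` object, as the CRD directories elsewhere in this patch suggest, a delete of that backing object by a principal with RBAC on the `crd.projectcalico.org` group is never seen by this policy. If that object exists, a second rule with `apiGroups: ["crd.projectcalico.org"]`, `apiVersions: ["v1"]`, `resources: ["tiers"]` and the same DELETE operation closes the gap, since the names being checked are identical. Deleting the policy or its binding is the other bypass, so write access to admissionregistration.k8s.io objects should be treated as equivalent to deleting the tiers. The enterprise copy at pkg/imports/admission/enterprise/protect-builtin-tiers.yaml is byte-identical and needs the same change.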
@@ -0,0 +1,28 @@
+---
+# ValidatingAdmissionPolicy that prevents deletion of the built-in Calico tiers
+# (default, kube-admin, kube-baseline). These tiers are required for correct
+# operation and should never be deleted.
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicy
+metadata:
+ name: protect-builtin-tiers.projectcalico.org
+spec:
+ failurePolicy: Fail
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["projectcalico.org"]
+ apiVersions: ["v3"]
+ resources: ["tiers"]
+ operations: ["DELETE"]
+ validations:
+ - expression: "!(oldObject.metadata.name in ['default', 'kube-admin', 'kube-baseline'])"
+ messageExpression: "'The built-in tier ' + oldObject.metadata.name + ' cannot be deleted'"
+---
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingAdmissionPolicyBinding
+metadata:
+ name: protect-builtin-tiers.projectcalico.org
+spec:
+ policyName: protect-builtin-tiers.projectcalico.org
+ validationActions:
+ - Deny
diff --git a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml
index 2cda28eaf2..85623d87e4 100644
--- a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml
+++ b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml
@@ -862,7 +862,9 @@ spec: IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer iptablesNATOutgoingInterfaceFilter: description: |-
@@ -929,12 +931,14 @@ spec: - Disabled type: string istioDSCPMark: + anyOf: + - type: integer + - type: string description: |- IstioDSCPMark sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on SYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used with other Istio installation. [Default: 23] pattern: ^.* - type: integer x-kubernetes-int-or-string: true kubeNodePortRanges: description: |- @@ -955,6 +959,26 @@ spec: reverting to normal priority. [Default: 30s] pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$ type: string + localSubnetL2Reachability: + description: |- + LocalSubnetL2Reachability controls whether Felix automatically responds to + ARP (IPv4) and NDP (IPv6) requests on host interfaces for local pod IPs and + selected LoadBalancer VIPs that fall within the same subnet as the host + interface. When set to PodsAndLoadBalancers, pods and LB VIPs on the host + subnet are reachable from the local L2 segment without BGP. [Default: Disabled] + enum: + - Disabled + - PodsAndLoadBalancers + type: string + localSubnetL2ReachabilityRefreshInterval: + description: |- + LocalSubnetL2ReachabilityRefreshInterval controls how often Felix re-announces + (gratuitous ARP / unsolicited NA) every IP it proxies ARP/NDP for when + LocalSubnetL2Reachability is enabled, keeping neighbor caches and switch + forwarding tables warm even when the set of proxied IPs is unchanged. Set to 0 + to disable periodic re-announcement, leaving only the one-shot announce when an + IP is added. [Default: 120s] + type: string logActionRateLimit: description: |- LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", 
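Review bot: `localSubnetL2ReachabilityRefreshInterval` is typed as a bare string with no `pattern`, while the neighbouring duration field `liveMigrationRouteConvergenceTime` in the same hunk is constrained to `^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$`, so a malformed value passes the API server and is only dealt with by Felix at runtime. The description says "Set to 0 to disable", which the existing duration pattern would not accept either, so if the omission is deliberate the pattern should be extended rather than dropped, e.g. `pattern: ^(0|([0-9]+(\.[0-9]+)?(ms|s|m|h))*)$`. Since these files are synced from upstream generated CRDs, the fix belongs on the kubebuilder marker of the Go type rather than in this repository. The same field is added in this patch to the v3 projectcalico.org felixconfigurations file and to both enterprise felixconfigurations files.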
@@ -1092,7 +1116,9 @@ spec: NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer nftablesMode: default: Auto diff --git a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_ipamblocks.yaml b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_ipamblocks.yaml index f6003b241c..d625dc1ab0 100644 --- a/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_ipamblocks.yaml +++ b/pkg/imports/crds/calico/v1.crd.projectcalico.org/crd.projectcalico.org_ipamblocks.yaml @@ -54,10 +54,8 @@ spec: For non-nil entries at index i, the index is the ordinal of the allocation within this block and the value is the index of the associated attributes in the Attributes array. items: - type: integer - # TODO: This nullable is manually added in. We should update controller-gen - # to handle []*int properly itself. nullable: true + type: integer type: array attributes: description: |- diff --git a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml index 5691f46c5c..77342d58c8 100644 --- a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml +++ b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml @@ -861,7 +861,9 @@ spec: IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer iptablesNATOutgoingInterfaceFilter: description: |- 
@@ -928,12 +930,14 @@ spec: - Disabled type: string istioDSCPMark: + anyOf: + - type: integer + - type: string description: |- IstioDSCPMark sets the value to use when directing traffic to Istio ZTunnel, when Istio is enabled. The mark is set only on SYN packets at the final hop to avoid interference with other protocols. This value is reserved by Calico and must not be used with other Istio installation. [Default: 23] pattern: ^.* - type: integer x-kubernetes-int-or-string: true kubeNodePortRanges: description: |- @@ -954,6 +958,26 @@ spec: reverting to normal priority. [Default: 30s] pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$ type: string + localSubnetL2Reachability: + description: |- + LocalSubnetL2Reachability controls whether Felix automatically responds to + ARP (IPv4) and NDP (IPv6) requests on host interfaces for local pod IPs and + selected LoadBalancer VIPs that fall within the same subnet as the host + interface. When set to PodsAndLoadBalancers, pods and LB VIPs on the host + subnet are reachable from the local L2 segment without BGP. [Default: Disabled] + enum: + - Disabled + - PodsAndLoadBalancers + type: string + localSubnetL2ReachabilityRefreshInterval: + description: |- + LocalSubnetL2ReachabilityRefreshInterval controls how often Felix re-announces + (gratuitous ARP / unsolicited NA) every IP it proxies ARP/NDP for when + LocalSubnetL2Reachability is enabled, keeping neighbor caches and switch + forwarding tables warm even when the set of proxied IPs is unchanged. Set to 0 + to disable periodic re-announcement, leaving only the one-shot announce when an + IP is added. [Default: 120s] + type: string logActionRateLimit: description: |- LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", 
@@ -1091,7 +1115,9 @@ spec: NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer nftablesMode: default: Auto diff --git a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_ipamblocks.yaml b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_ipamblocks.yaml index d4bf6eb7cb..70cfbe995b 100644 --- a/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_ipamblocks.yaml +++ b/pkg/imports/crds/calico/v3.projectcalico.org/projectcalico.org_ipamblocks.yaml @@ -69,10 +69,8 @@ spec: For non-nil entries at index i, the index is the ordinal of the allocation within this block and the value is the index of the associated attributes in the Attributes array. items: - type: integer - # TODO: This nullable is manually added in. We should update controller-gen - # to handle []*int properly itself. nullable: true + type: integer type: array x-kubernetes-list-type: atomic attributes: diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml index 2ddec8906d..9fefbc9722 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_alertexceptions.yaml @@ -76,3 +76,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml index 76d48506ee..1b70cb0318 100644 
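Review bot: Enabling `subresources.status` on alertexceptions changes how `.status` is written: updates sent to the main endpoint now ignore status changes, and any component that sets status must write to the `/status` endpoint and hold the `alertexceptions/status` RBAC resource. That RBAC is outside this patch, so the ClusterRoles of the controllers that own these statuses should be checked before the synced CRDs ship, or status updates will start failing with forbidden errors. The upside is that a principal with only spec-edit rights can no longer forge status. The same change is made in this patch for globalalerts, globalreports, managedclusters, packetcaptures and securityeventwebhooks.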
--- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_bgppeers.yaml @@ -60,7 +60,9 @@ spec: used in custom BGP templates type: object externalNetwork: - description: Name of the external network to which this peer belongs. + description: + Name of the external network to which this peer belongs. Cannot + be set if network is set. type: string failureDetectionMode: description: |- @@ -110,6 +112,11 @@ spec: RestartMode is "LongLivedGracefulRestart". When not specified, the BIRD defaults are used, which are 120s for "GracefulRestart" and 3600s for "LongLivedGracefulRestart". type: string + network: + description: + Name of the network to which this peer belongs. Cannot + be set if externalNetwork is set. + type: string nextHopMode: description: |- NextHopMode defines the method of calculating the next hop attribute for received routes. @@ -282,6 +289,11 @@ spec: rule: "!has(self.keepOriginalNextHop) || !self.keepOriginalNextHop || !has(self.nextHopMode)" + - message: network and externalNetwork cannot both be set + reason: FieldValueForbidden + rule: + (!has(self.network) || size(self.network) == 0) || (!has(self.externalNetwork) + || size(self.externalNetwork) == 0) type: object served: true storage: true diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml index cf462a5aba..cc05ab79b7 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_felixconfigurations.yaml 
@@ -312,6 +312,9 @@ spec: description: |- BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing determines the CTLB behavior. [Default: Enabled] + enum: + - Enabled + - Disabled type: string bpfIPFragTimeout: description: |- @@ -1325,7 +1328,9 @@ spec: IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer iptablesNATOutgoingInterfaceFilter: description: |- @@ -1479,6 +1484,16 @@ spec: ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type. pattern: ^(?i)(IncludeL7SourceInfo|IncludeL7SourceInfoNoPort|ExcludeL7SourceInfo)?$ type: string + l7LogsFileAggregationTLSSNI: + description: |- + L7LogsFileAggregationTLSSNI controls whether the TLS Server Name Indication (SNI) + participates in the aggregation key for L7 logs. + [Default: IncludeL7TLSSNI - SNI is part of the aggregation key] + Accepted values: + IncludeL7TLSSNI - Include the SNI in the aggregation key. + ExcludeL7TLSSNI - Aggregate over all other fields ignoring the SNI entirely. + pattern: ^(?i)(IncludeL7TLSSNI|ExcludeL7TLSSNI)?$ + type: string l7LogsFileAggregationTrimURL: description: |- L7LogsFileAggregationTrimURL is used to choose the type of aggregation for the url on L7 log entries. 
@@ -1528,6 +1543,12 @@ spec: [Default: 300s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + l7ObservabilityEnabled: + description: |- + L7ObservabilityEnabled enables eBPF-based L7 HTTP and TLS observability. + It is dataplane-agnostic - works with eBPF, iptables, or nftables. + Requires kernel 5.17+. [Default: false] + type: boolean liveMigrationRouteConvergenceTime: description: |- LiveMigrationRouteConvergenceTime is the time to keep elevated route priority after a @@ -1535,6 +1556,26 @@ spec: reverting to normal priority. [Default: 30s] pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$ type: string + localSubnetL2Reachability: + description: |- + LocalSubnetL2Reachability controls whether Felix automatically responds to + ARP (IPv4) and NDP (IPv6) requests on host interfaces for local pod IPs and + selected LoadBalancer VIPs that fall within the same subnet as the host + interface. When set to PodsAndLoadBalancers, pods and LB VIPs on the host + subnet are reachable from the local L2 segment without BGP. [Default: Disabled] + enum: + - Disabled + - PodsAndLoadBalancers + type: string + localSubnetL2ReachabilityRefreshInterval: + description: |- + LocalSubnetL2ReachabilityRefreshInterval controls how often Felix re-announces + (gratuitous ARP / unsolicited NA) every IP it proxies ARP/NDP for when + LocalSubnetL2Reachability is enabled, keeping neighbor caches and switch + forwarding tables warm even when the set of proxied IPs is unchanged. Set to 0 + to disable periodic re-announcement, leaving only the one-shot announce when an + IP is added. [Default: 120s] + type: string logActionRateLimit: description: |- LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", 
@@ -1701,7 +1742,9 @@ spec: NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer nftablesMode: default: Auto diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml index 58b2b0b79b..2bf83b8060 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalalerts.yaml @@ -225,3 +225,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalreports.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalreports.yaml index 92676e43eb..53c7e53e23 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalreports.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_globalreports.yaml @@ -455,3 +455,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_kubecontrollersconfigurations.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_kubecontrollersconfigurations.yaml index 84c6c2171a..6da8f9f3b5 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_kubecontrollersconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_kubecontrollersconfigurations.yaml 
@@ -45,6 +45,19 @@ spec: Controllers enables and configures individual Kubernetes controllers properties: + applicationLayer: + description: |- + ApplicationLayer enables and configures the application-layer subsystem + (WAF, GlobalWAF, WAFPlugin, validation). Operator-managed; users should + not edit this field directly. Non-nil enables the subsystem; activation + is gated on a valid Calico Enterprise license. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation. + [Default: 30s]" + type: string + type: object federatedServices: description: FederatedServices enables and configures the federatedservices @@ -192,6 +205,17 @@ spec: with the Calico datastore. [Default: 5m]" type: string type: object + rbacSync: + description: |- + RBACSync enables and configures the RBAC sync controller, which reconciles + Calico RBAC ClusterRoles and bindings. Disabled by default, set to non-nil to enable. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 30s]" + type: string + type: object serviceAccount: description: ServiceAccount enables and configures the service @@ -284,6 +308,19 @@ spec: Controllers enables and configures individual Kubernetes controllers properties: + applicationLayer: + description: |- + ApplicationLayer enables and configures the application-layer subsystem + (WAF, GlobalWAF, WAFPlugin, validation). Operator-managed; users should + not edit this field directly. Non-nil enables the subsystem; activation + is gated on a valid Calico Enterprise license. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation. [Default: 30s]" + type: string + type: object federatedServices: description: FederatedServices enables and configures the 
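Review bot: `rbacSync` is described as a controller that reconciles Calico RBAC ClusterRoles and bindings, which makes this optional field a privileged toggle: anyone who can write KubeControllersConfiguration can make kube-controllers start managing cluster-wide RBAC, and the controller's service account must hold create/update on ClusterRoles and ClusterRoleBindings (plus `escalate`/`bind` for any role granting rights it does not itself hold). The description should say which roles it manages and what the controller needs, so reviewers of the operator's ClusterRole can see the blast radius; e.g. append `Enabling this requires kube-controllers to hold create/update on clusterroles and clusterrolebindings in rbac.authorization.k8s.io.` The `applicationLayer` description says users should not edit it, but nothing in the schema enforces that, so if it matters a CEL rule or admission policy is needed. Both fields are repeated in the later hunks of this file.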
@@ -434,6 +471,18 @@ spec: 5m]" type: string type: object + rbacSync: + description: |- + RBACSync enables and configures the RBAC sync controller, which reconciles + Calico RBAC ClusterRoles and bindings. Disabled by default, set to non-nil to enable. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 30s]" + type: string + type: object serviceAccount: description: ServiceAccount enables and configures the service diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_managedclusters.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_managedclusters.yaml index 93e210803e..3d984f14b7 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_managedclusters.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_managedclusters.yaml @@ -14,7 +14,17 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v1 + - additionalPrinterColumns: + - description: + Whether the managed cluster is currently connected to the management + cluster + jsonPath: .status.conditions[?(@.type=='ManagedClusterConnected')].status + name: Connected + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v1 schema: openAPIV3Schema: properties: @@ -81,3 +91,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_networks.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_networks.yaml new file mode 100644 index 0000000000..ac0aaea2cc --- /dev/null +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_networks.yaml 
@@ -0,0 +1,239 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: networks.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: Network + listKind: NetworkList + plural: networks + singular: network + preserveUnknownFields: false + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + NetworkSpec contains the specification for a Network resource. Exactly one of the + network-type fields (vrf, ...) must be set. + maxProperties: 1 + minProperties: 1 + properties: + vrf: + description: |- + VRF network configuration. + Pods interfaces on a VRF network are isolated in a Linux VRF and can only access their own VRF. + properties: + hostConfig: + description: |- + HostConfig defines per-node configuration for this VRF network. At least one entry + must be specified. When multiple entries are present (e.g. one per rack), they must + have disjoint nodeSelectors although this is not enforced. For a given node, the + first matching entry is applied and all others are ignored. 
+ + The list is stored and served as a JSON array; Kubernetes preserves the + order in which entries were submitted (including across Server-Side + Apply merges keyed on nodeSelector), so the result of `kubectl get -oyaml` + is authoritative for "first match wins". Single-actor edits keep the + order users see in the YAML they edit. + items: + description: |- + VRFHostConfig provides node-specific VRF settings which may vary across different hosts + in the cluster. + properties: + hostInterfaces: + description: |- + Interfaces on the node to attach to the VRF. The IP address, and local routes + for that IP address will move into the VRF routing table. At least one interface + should be specified to allow pods in the VRF to communicate outside the node. + items: + description: |- + InterfaceMatch identifies a network interface. Exactly one match + criterion must be set. + maxProperties: 1 + minProperties: 1 + properties: + name: + description: |- + Name matches a network interface by its exact device name + (e.g. "bond0", "eth1", "ens192"). + maxLength: 15 + minLength: 1 + type: string + type: object + type: array + x-kubernetes-list-type: atomic + nodeSelector: + default: "" + description: |- + NodeSelector is a Calico selector expression that determines which nodes this + configuration applies to. If omitted, the entry applies to all nodes. + When multiple HostConfig entries are present, the first entry whose selector + matches a given node wins. + type: string + routeTableIndex: + description: |- + RouteTableIndex is the Linux kernel routing table number to use for this VRF. + Must be unique on these nodes, must not overlap with the RouteTableRanges in + FelixConfiguration, and must not collide with tables used by other software on + the node. Tables 253 (default), 254 (main), and 255 (local) are reserved by + the kernel. 
+ format: int32 + maximum: 2147483647 + minimum: 1 + type: integer + staticRoutes: + description: |- + StaticRoutes are additional routes programmed into the VRF routing table, beyond + the pod routes that Felix manages automatically and routes derived from VRF + interface addresses. + items: + description: + VRFStaticRoute defines a static route to + program in a VRF routing table. + properties: + action: + description: |- + Action determines how traffic matching this route is handled. Exactly one action + field must be set. + maxProperties: 1 + minProperties: 1 + properties: + nextHop: + description: |- + NextHop forwards matching traffic to the specified gateway IP. The address must be + reachable on the subnet of one of the VRF interfaces on the node. + type: string + type: object + destination: + description: |- + Destination is the CIDR prefix for this route. Use "0.0.0.0/0" or "::/0" for a + default route. + type: string + required: + - action + - destination + type: object + type: array + x-kubernetes-list-type: atomic + required: + - routeTableIndex + type: object + maxItems: 100 + minItems: 1 + type: array + x-kubernetes-list-map-keys: + - nodeSelector + x-kubernetes-list-type: map + routing: + description: + Routing controls cluster-wide routing behaviour for + this VRF network. + properties: + inClusterMode: + default: Local + description: |- + InClusterMode controls how Felix programs routes to pods on remote nodes inside + the VRF routing table. + + - Local: Felix programs routes to VRF pods local to this node; + routing to pods on other nodes must be handled by BGP. + enum: + - Local + type: string + type: object + required: + - hostConfig + type: object + type: object + status: + description: NetworkStatus reports the observed state of the Network resource. + properties: + conditions: + description: + Conditions is a list of conditions that apply to this + network. 
+ items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + x-kubernetes-list-type: atomic + type: object + type: object + served: true + storage: true diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml index 1bfe906625..75fcf1bb8a 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_packetcaptures.yaml @@ -167,3 +167,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_securityeventwebhooks.yaml b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_securityeventwebhooks.yaml index e2182aaf81..ba61ad2421 100644 --- a/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_securityeventwebhooks.yaml +++ b/pkg/imports/crds/enterprise/v1.crd.projectcalico.org/crd.projectcalico.org_securityeventwebhooks.yaml @@ -186,3 +186,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml new file mode 100644 index 0000000000..66ace9e0e7 --- /dev/null +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafplugins.yaml 
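Review bot: `routeTableIndex` documents that tables 253, 254 and 255 are reserved by the kernel, yet the schema only bounds the value to 1..2147483647, so a Network that points a VRF at the `main` or `local` table is accepted by the API server and the collision surfaces only when Felix programs routes. A CEL rule on the VRFHostConfig object would enforce the documented contract: `x-kubernetes-validations:` / `- rule: "!(self.routeTableIndex in [253, 254, 255])"` / `message: routeTableIndex must not be a kernel-reserved table (253-255)`. In the same hunk, `staticRoutes[].destination` and `action.nextHop` are unconstrained strings with no CIDR or IP pattern, so malformed routes are likewise only rejected at runtime. As these files are synced from upstream generated CRDs the markers belong on the Go types, and the v3 projectcalico.org networks file listed in the diffstat but outside this chunk presumably needs the same.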
@@ -0,0 +1,182 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: globalwafplugins.applicationlayer.projectcalico.org +spec: + group: applicationlayer.projectcalico.org + names: + kind: GlobalWAFPlugin + listKind: GlobalWAFPluginList + plural: globalwafplugins + shortNames: + - gwafplugin + singular: globalwafplugin + preserveUnknownFields: false + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.description + name: Description + type: string + - jsonPath: .status.ruleCount + name: Rules + type: integer + - jsonPath: .status.namespaceCount + name: Namespaces + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v3 + schema: + openAPIV3Schema: + description: GlobalWAFPlugin is the Schema for cluster-wide custom WAF plugins + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalWAFPluginSpec defines a cluster-wide custom WAF plugin + properties: + after: + description: |- + After contains raw SecAction/SecRule directives that run AFTER CRS rules. + Use for post-processing, logging, or cleanup. + Equivalent to CRS *-after.conf files. 
+ maxLength: 65536 + type: string + before: + description: |- + Before contains raw SecAction/SecRule directives that run BEFORE CRS rules. + Use for pre-processing, initialization, or early blocking. + Equivalent to CRS *-before.conf files. + maxLength: 65536 + type: string + config: + description: |- + Config contains raw SecAction/SecRule directives for plugin configuration. + These run first and typically set tx.* variables. + Equivalent to CRS *-config.conf files. + maxLength: 65536 + type: string + description: + description: + Description is a human-readable description of what this + plugin does + maxLength: 1024 + type: string + rules: + description: |- + Rules contains the main SecAction/SecRule directives for this plugin. + These run alongside CRS rules. Ordering across plugins follows array + position in the consuming policy's spec.plugins[]. + maxLength: 65536 + type: string + type: object + x-kubernetes-validations: + - message: plugin must define at least one of config, before, rules, after + rule: + (has(self.config) && size(self.config) > 0) || (has(self.before) + && size(self.before) > 0) || (has(self.rules) && size(self.rules) + > 0) || (has(self.after) && size(self.after) > 0) + status: + description: |- + GlobalWAFPluginStatus defines the observed state. + + Conditions emitted by the controller: + - Accepted (DirectivesValid / InvalidDirectives) + properties: + conditions: + description: Conditions represent the latest available observations + items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + namespaceCount: + description: |- + NamespaceCount is the number of namespaces with at least one WAFPolicy + referencing this plugin. Kept as a bounded aggregate (not a + ReferencedBy list) because a Global plugin can fan out to many + namespaces; a list would churn the status payload as policies come + and go. Different denominator from GlobalWAFPolicyStatus.NamespaceCount + (which counts namespaces using the policy itself). 
+ type: integer + ruleCount: + description: + RuleCount is the number of SecRule directives in this + plugin + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml new file mode 100644 index 0000000000..966ca50f3e --- /dev/null +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafpolicies.yaml 
@@ -0,0 +1,253 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: globalwafpolicies.applicationlayer.projectcalico.org +spec: + group: applicationlayer.projectcalico.org + names: + kind: GlobalWAFPolicy + listKind: GlobalWAFPolicyList + plural: globalwafpolicies + shortNames: + - gwafp + singular: globalwafpolicy + preserveUnknownFields: false + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.defaultAction + name: Action + type: string + - jsonPath: .spec.coreRuleSet.state + name: CRS + type: string + - jsonPath: .spec.coreRuleSet.paranoiaLevel + name: Paranoia + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v3 + schema: + openAPIV3Schema: + description: GlobalWAFPolicy is the Schema for cluster-wide WAF configuration + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: GlobalWAFPolicySpec defines the desired state + properties: + coreRuleSet: + description: CoreRuleSet configures the OWASP Core Rule Set + properties: + enabled: + description: |- + Enabled is the deprecated boolean form. Read for backward compatibility + with v0.2.x CRs; new CRs should set State. If both fields are set, + State wins. 
+ + Deprecated: use State. + type: boolean + paranoiaLevel: + default: 1 + description: ParanoiaLevel sets the CRS paranoia level (1-4) + maximum: 4 + minimum: 1 + type: integer + state: + default: Enabled + description: State enables or disables the OWASP CRS baseline. + enum: + - Enabled + - Disabled + type: string + type: object + defaultAction: + default: Detect + description: DefaultAction specifies what happens when a rule matches + enum: + - Detect + - Block + type: string + plugins: + description: |- + Plugins references GlobalWAFPlugins + These plugins are applied to all namespaces + items: + description: |- + PluginRef references a plugin by kind + name. Kind makes the + reference target explicit; without it, "is this naming a Global or a + namespace plugin?" had to be inferred from which policy's spec.plugins[] + the reference appeared in. The default is WAFPlugin (namespace-scoped) for + backward-compat with v0.2.x CRs that omit Kind. + + Note: in this release the resolved scope still follows the parent policy + (GlobalWAFPolicy.spec.plugins[] resolves as Global; WAFPolicy.spec.plugins[] + resolves as namespace-scoped). Cross-scope lookup (e.g. WAFPolicy + referencing a GlobalWAFPlugin) is a future addition; the Kind field + here is type-level disclosure of intent that the reconciler can validate + against in a later release. + properties: + kind: + default: WAFPlugin + description: |- + Kind selects between namespace-scoped (WAFPlugin) and cluster-scoped + (GlobalWAFPlugin) plugin types. + enum: + - WAFPlugin + - GlobalWAFPlugin + type: string + name: + description: Name is the name of the plugin resource. + maxLength: 253 + type: string + required: + - name + type: object + maxItems: 64 + type: array + type: object + status: + description: |- + GlobalWAFPolicyStatus defines the observed state. 
+ + Conditions emitted by the controller: + - Licensed (LicenseValid / LicenseBlocked) + - Accepted (Accepted / Invalid / PluginNotFound) + - Ready (Ready / NotReady / ConflictingGlobalPolicy) + properties: + conditions: + description: Conditions represent the latest available observations + items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. 
+ maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inheritedFromGlobal: + description: |- + InheritedFromGlobal is always nil for GlobalWAFPolicy. The field is + declared for symmetry with WAFPolicyStatus so generated clients (Go, + TS) can share a single attribution shape across scopes. + type: string + lastApplied: + description: LastApplied is the timestamp of the last successful application + format: date-time + type: string + namespaceCount: + description: |- + NamespaceCount is the number of namespaces in which a WAFPolicy targets + resources covered by this Global policy. Different denominator from + GlobalWAFPluginStatus.NamespaceCount (which counts namespaces where a + policy references the plugin). + type: integer + renderedConfigMapRefs: + description: |- + RenderedConfigMapRefs enumerates ConfigMaps the controller has emitted + from this GlobalWAFPolicy, one per namespace that consumed it. Capped + at 50 entries; see RenderedConfigMapRefsTruncated. When the cap is + exceeded, the surfaced entries are the lexically-first 50 namespace + names (sorted ascending by namespace), so the truncation is + deterministic across reconciles; use NamespaceCount to recover the + untruncated total. + items: + description: |- + RenderedConfigMapRef identifies the ConfigMap into which the controller + materialised the merged WAF rule set for a policy. CLI tools and status + consumers resolve this reference instead of reconstructing the name. 
+ properties: + name: + maxLength: 253 + type: string + namespace: + maxLength: 253 + type: string + resourceVersion: + maxLength: 253 + type: string + required: + - name + - namespace + type: object + type: array + renderedConfigMapRefsTruncated: + description: |- + RenderedConfigMapRefsTruncated is true when the full set exceeded the + 50-entry status cap. Consumers should use NamespaceCount for totals. + type: boolean + type: object + type: object + x-kubernetes-validations: + - message: GlobalWAFPolicy is a singleton; the only permitted name is 'default' + rule: self.metadata.name == 'default' + served: true + storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml new file mode 100644 index 0000000000..b2007a4b17 --- /dev/null +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_globalwafvalidationpolicies.yaml 
@@ -0,0 +1,306 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: globalwafvalidationpolicies.applicationlayer.projectcalico.org +spec: + group: applicationlayer.projectcalico.org + names: + kind: GlobalWAFValidationPolicy + listKind: GlobalWAFValidationPolicyList + plural: globalwafvalidationpolicies + shortNames: + - gwafvp + singular: globalwafvalidationpolicy + preserveUnknownFields: false + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.enforcementMode + name: Mode + type: string + - jsonPath: .status.passingCount + name: Passing + type: integer + - jsonPath: .status.violatingPolicies + name: Violating + type: integer + - jsonPath: .status.summary + name: Summary + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v3 + schema: + openAPIV3Schema: + description: |- + GlobalWAFValidationPolicy defines cluster-wide validation rules that merged + WAF configurations must pass. Used by Cluster Operators to enforce security + requirements across all namespaces. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. 
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: + GlobalWAFValidationPolicySpec defines cluster-wide validation + rules + properties: + enforcementMode: + default: Audit + description: |- + EnforcementMode determines how validation failures are handled + - Audit: Log warnings but generate EnvoyExtensionPolicy anyway + - Enforce: Block EnvoyExtensionPolicy generation on critical failures + enum: + - Audit + - Enforce + type: string + namespaceSelector: + description: |- + NamespaceSelector limits which namespaces this validation policy applies to. + If empty, applies to all namespaces. + + Standard metav1.LabelSelector semantics: every namespace — including + `default` — is matched against the selector's labels, with no implicit + special-casing. Since k8s 1.21 every namespace carries an auto-applied + `kubernetes.io/metadata.name=` label, so the canonical way to + scope down to specific namespaces (including `default`) is a + matchExpressions on that label. + properties: + matchExpressions: + description: + matchExpressions is a list of label selector requirements. + The requirements are ANDed. + items: + description: |- + A label selector requirement is a selector that contains values, a key, and an operator that + relates the key and values. + properties: + key: + description: + key is the label key that the selector applies + to. + type: string + operator: + description: |- + operator represents a key's relationship to a set of values. + Valid operators are In, NotIn, Exists and DoesNotExist. + type: string + values: + description: |- + values is an array of string values. If the operator is In or NotIn, + the values array must be non-empty. If the operator is Exists or DoesNotExist, + the values array must be empty. This array is replaced during a strategic + merge patch. 
+ items: + type: string + type: array + x-kubernetes-list-type: atomic + required: + - key + - operator + type: object + type: array + x-kubernetes-list-type: atomic + matchLabels: + additionalProperties: + type: string + description: |- + matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels + map is equivalent to an element of matchExpressions, whose key field is "key", the + operator is "In", and the values array contains only "value". The requirements are ANDed. + type: object + type: object + x-kubernetes-map-type: atomic + rules: + description: Rules defines the validation rules to apply + items: + description: + ValidationRule defines a single Rego-based validation + rule + properties: + message: + description: Message is displayed when validation fails + maxLength: 1024 + type: string + name: + description: Name is a unique identifier for this rule + maxLength: 63 + minLength: 1 + type: string + rego: + description: |- + Rego is a Rego module that decides violations against the merged WAF + configuration. The module must declare `package waf` and produce a + `violations` set; an empty set means the rule passed. Each violation + may be a plain string message, or an object carrying a `msg` string. 
+ The `input` document available to the module: + - input.directives: []string - the final merged directive list + - input.config.action: string - effective action ("Detect" or "Block") + - input.config.crsState: string - CRS state ("Enabled" or "Disabled") + - input.config.paranoiaLevel: int - effective paranoia level (1-4) + - input.source.globalPolicy: string - name of GlobalWAFPolicy + - input.source.namespacePolicy: string - name of WAFPolicy (if any) + - input.source.globalPlugins: []string - names of global plugins applied + - input.source.namespacePlugins: []string - names of namespace plugins applied + maxLength: 16384 + minLength: 1 + type: string + severity: + default: warning + description: Severity determines the impact of this rule failing + enum: + - info + - warning + - critical + type: string + required: + - name + - rego + type: object + minItems: 1 + type: array + required: + - rules + type: object + status: + description: |- + GlobalWAFValidationPolicyStatus defines the observed state. + + Conditions emitted by the controller: + - Ready (Evaluated) + properties: + conditions: + description: Conditions represent the latest available observations + items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + evaluatedCount: + description: EvaluatedCount is the number of WAF policies evaluated + type: integer + lastEvaluated: + description: LastEvaluated is the timestamp of the last evaluation + format: date-time + type: string + passingCount: + description: PassingCount is the number of policies passing all rules + type: integer + summary: + description: Summary provides a quick overview of validation state + maxLength: 1024 + type: string + violatingPolicies: + description: |- + ViolatingPolicies lists all WAF policies that failed validation. + Useful for COs to centrally see which namespaces need attention. 
+ items: + description: + ViolatingPolicy identifies a WAF policy that failed + validation + properties: + action: + description: "Action taken: Audited or Rejected" + maxLength: 253 + type: string + failedRules: + description: FailedRules lists the rules that this policy violated + items: + type: string + type: array + name: + description: Name is the name of the WAFPolicy + maxLength: 253 + type: string + namespace: + description: Namespace is the namespace of the violating policy + maxLength: 253 + type: string + severity: + description: Severity is the highest severity of the failures + enum: + - info + - warning + - critical + type: string + required: + - name + - namespace + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml new file mode 100644 index 0000000000..d88e6646c9 --- /dev/null +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafplugins.yaml 
@@ -0,0 +1,236 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: wafplugins.applicationlayer.projectcalico.org +spec: + group: applicationlayer.projectcalico.org + names: + kind: WAFPlugin + listKind: WAFPluginList + plural: wafplugins + shortNames: + - wafplugin + singular: wafplugin + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.description + name: Description + type: string + - jsonPath: .status.ruleCount + name: Rules + type: integer + - jsonPath: .status.referencedByCount + name: Refs + type: integer + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v3 + schema: + openAPIV3Schema: + description: WAFPlugin is the Schema for namespace-scoped custom WAF plugins + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: + WAFPluginSpec defines a custom WAF plugin with CRS 4-style + structure + properties: + after: + description: |- + After contains raw SecAction/SecRule directives that run AFTER CRS rules. + Use for post-processing, logging, or cleanup. + Equivalent to CRS *-after.conf files. 
+ maxLength: 65536 + type: string + before: + description: |- + Before contains raw SecAction/SecRule directives that run BEFORE CRS rules. + Use for pre-processing, initialization, or early blocking. + Equivalent to CRS *-before.conf files. + maxLength: 65536 + type: string + config: + description: |- + Config contains raw SecAction/SecRule directives for plugin configuration. + These run first and typically set tx.* variables. + Equivalent to CRS *-config.conf files. + maxLength: 65536 + type: string + description: + description: + Description is a human-readable description of what this + plugin does + maxLength: 1024 + type: string + rules: + description: |- + Rules contains the main SecAction/SecRule directives for this plugin. + These run alongside CRS rules. Ordering across plugins follows array + position in the consuming policy's spec.plugins[]. + maxLength: 65536 + type: string + type: object + x-kubernetes-validations: + - message: plugin must define at least one of config, before, rules, after + rule: + (has(self.config) && size(self.config) > 0) || (has(self.before) + && size(self.before) > 0) || (has(self.rules) && size(self.rules) + > 0) || (has(self.after) && size(self.after) > 0) + status: + description: |- + WAFPluginStatus defines the observed state. + + Conditions emitted by the controller: + - Accepted (DirectivesValid / InvalidDirectives) + properties: + conditions: + description: Conditions represent the latest available observations + items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. 
+ format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + referencedBy: + description: |- + ReferencedBy enumerates the policies that name this plugin in their + spec.plugins[]. Sorted: namespace asc, name asc, kind asc. Updated + every reconcile so client-side filtering is unnecessary. 
Capped at + 50 entries (matching RenderedConfigMapRefs on GlobalWAFPolicy) so a + runaway WAFPolicy population can't blow up the status payload; when + the cap is hit ReferencedByTruncated is set and the scalar + ReferencedByCount above remains authoritative for "how many + actually reference me". + items: + description: |- + PolicyRef identifies a policy that references a plugin. Used by plugin + status.referencedBy to give kubectl-readable reverse-index entries + without packing identifiers into a single string. + + Current scope-binding (this release): the plugin reconciler resolves + references from the parent policy's scope — WAFPolicy.spec.plugins[] + resolves namespace-scoped, GlobalWAFPolicy.spec.plugins[] resolves + cluster-scoped. Cross-scope lookup is a future addition; the Kind field + below is type-level disclosure of intent for a later release. + properties: + kind: + description: Kind identifies the referencing policy kind. + enum: + - WAFPolicy + - GlobalWAFPolicy + type: string + name: + description: Name is the name of the referencing policy. + maxLength: 253 + type: string + namespace: + description: |- + Namespace is the namespace of the referencing policy. Unset for + cluster-scoped GlobalWAFPolicy entries (pointer so unset is + distinguishable from explicit empty, per the optional-fields-are- + pointers convention). + maxLength: 253 + type: string + required: + - kind + - name + type: object + maxItems: 50 + type: array + referencedByCount: + description: |- + ReferencedByCount is the total number of policies referencing this + plugin — always the true population size, never bounded by the + 50-entry list cap on ReferencedBy. Backs the `Refs` printcolumn so + `kubectl get wafplugin` shows the real fan-in even when ReferencedBy + is truncated. + type: integer + referencedByTruncated: + description: |- + ReferencedByTruncated is true when the consuming-policy set exceeded + the 50-entry cap on ReferencedBy. 
Consumers should fall back to a + label-selector list query rather than relying on ReferencedBy alone; + ReferencedByCount remains accurate regardless. + type: boolean + ruleCount: + description: + RuleCount is the number of SecRule directives in this + plugin + type: integer + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml new file mode 100644 index 0000000000..8b476229e6 --- /dev/null +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafpolicies.yaml 
@@ -0,0 +1,375 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: wafpolicies.applicationlayer.projectcalico.org +spec: + group: applicationlayer.projectcalico.org + names: + kind: WAFPolicy + listKind: WAFPolicyList + plural: wafpolicies + shortNames: + - wafp + singular: wafpolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .spec.action + name: Action + type: string + - jsonPath: .status.pluginCount + name: Plugins + type: integer + - jsonPath: .status.validation.status + name: Validation + type: string + - jsonPath: .status.validation.securityPosture + name: Posture + priority: 1 + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v3 + schema: + openAPIV3Schema: + description: WAFPolicy is the Schema for namespace-scoped WAF configuration + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: WAFPolicySpec defines the desired state + properties: + action: + description: |- + Action overrides the global default action for this namespace. + Nil means inherit from GlobalWAFPolicy; an explicit value overrides + the global default. Subject to validation policy enforcement. 
+ enum: + - Detect + - Block + type: string + coreRuleSet: + description: |- + CoreRuleSet configures the OWASP Core Rule Set for this namespace + If not specified, inherits from GlobalWAFPolicy + properties: + enabled: + description: |- + Enabled is the deprecated boolean form. Read for backward compatibility + with v0.2.x CRs; new CRs should set State. If both fields are set, + State wins. + + Deprecated: use State. + type: boolean + paranoiaLevel: + default: 1 + description: ParanoiaLevel sets the CRS paranoia level (1-4) + maximum: 4 + minimum: 1 + type: integer + state: + default: Enabled + description: State enables or disables the OWASP CRS baseline. + enum: + - Enabled + - Disabled + type: string + type: object + plugins: + description: Plugins references WAFPlugins in this namespace + items: + description: |- + PluginRef references a plugin by kind + name. Kind makes the + reference target explicit; without it, "is this naming a Global or a + namespace plugin?" had to be inferred from which policy's spec.plugins[] + the reference appeared in. The default is WAFPlugin (namespace-scoped) for + backward-compat with v0.2.x CRs that omit Kind. + + Note: in this release the resolved scope still follows the parent policy + (GlobalWAFPolicy.spec.plugins[] resolves as Global; WAFPolicy.spec.plugins[] + resolves as namespace-scoped). Cross-scope lookup (e.g. WAFPolicy + referencing a GlobalWAFPlugin) is a future addition; the Kind field + here is type-level disclosure of intent that the reconciler can validate + against in a later release. + properties: + kind: + default: WAFPlugin + description: |- + Kind selects between namespace-scoped (WAFPlugin) and cluster-scoped + (GlobalWAFPlugin) plugin types. + enum: + - WAFPlugin + - GlobalWAFPlugin + type: string + name: + description: Name is the name of the plugin resource. 
+ maxLength: 253 + type: string + required: + - name + type: object + maxItems: 64 + type: array + targetRefs: + description: + TargetRefs specifies Gateway API references (Gateway, + HTTPRoute) + items: + description: PolicyTargetReference identifies a Gateway API resource + properties: + group: + default: gateway.networking.k8s.io + description: Group is the group of the target resource + maxLength: 253 + type: string + kind: + description: Kind is the kind of the target resource + enum: + - Gateway + - HTTPRoute + maxLength: 253 + type: string + name: + description: Name is the name of the target resource + maxLength: 253 + type: string + sectionName: + description: |- + SectionName scopes the WAF to a single named section within the target + (GEP-713): an HTTPRoute rule name (spec.rules[].name) or a Gateway listener + name (spec.listeners[].name). When unset, the policy attaches to the entire + target. The named rule/listener must exist, or the policy reports + Programmed=False/TargetNotFound. A rule-scoped policy takes precedence over + a whole-route one for that rule (Envoy Gateway GEP-713 precedence). See + designs#25 §01. + maxLength: 253 + type: string + required: + - kind + - name + type: object + maxItems: 16 + minItems: 1 + type: array + required: + - targetRefs + type: object + x-kubernetes-validations: + - message: only group gateway.networking.k8s.io is supported for targetRefs + rule: + "!has(self.targetRefs) || self.targetRefs.all(ref, ref.group == + 'gateway.networking.k8s.io')" + status: + description: |- + WAFPolicyStatus defines the observed state. 
+ + Conditions emitted by the controller: + - Licensed (LicenseValid / LicenseInGracePeriod / LicenseExpired / + LicenseInvalid / LicenseBlocked) + - Accepted (Accepted / Invalid / Conflicted / PluginNotFound / + ReplicaUnmanaged / ValidationFailed) + - Programmed (ConfigurationApplied / WASMUnavailable / CheckerError / + NotAttempted) + - Ready (Ready / NotReady) + properties: + conditions: + description: Conditions represent the latest available observations + items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. + For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. 
+ enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + inheritedFromGlobal: + description: |- + InheritedFromGlobal names the GlobalWAFPolicy whose plugin merge + contributed an inherited error (e.g. an Invalid reason on the Accepted + condition) to this policy. Nil when the failure is self-authored or + no failure is present. UI consumers use this to render a "Inherited + from GlobalWAFPolicy/" attribution badge that deep-links to the + offending Global resource. + type: string + lastApplied: + description: LastApplied is the timestamp of the last successful application + format: date-time + type: string + pluginCount: + description: PluginCount is the number of plugins applied + type: integer + renderedConfigMapRef: + description: |- + RenderedConfigMapRef points to the ConfigMap the controller emitted + for this namespace. Unset until the first successful reconcile. + properties: + name: + maxLength: 253 + type: string + namespace: + maxLength: 253 + type: string + resourceVersion: + maxLength: 253 + type: string + required: + - name + - namespace + type: object + validation: + description: |- + Validation contains the results of validation policy evaluation. + Shows whether the policy passed, was audited (warnings logged), or rejected. 
+ properties: + failures: + description: + Failures contains details about failed validation + rules + items: + description: + ValidationFailure describes a single validation + rule failure + properties: + message: + description: Message explains why validation failed + maxLength: 1024 + type: string + policyKind: + description: PolicyKind is Global or Namespace-scoped + enum: + - GlobalWAFValidationPolicy + - WAFValidationPolicy + maxLength: 253 + type: string + policyName: + description: + PolicyName is the name of the validation policy + that failed + maxLength: 253 + type: string + rule: + description: + Rule is the name of the specific rule that + failed + maxLength: 63 + type: string + severity: + description: Severity of the failure + enum: + - info + - warning + - critical + type: string + required: + - policyKind + - policyName + - rule + - severity + type: object + type: array + lastEvaluated: + description: LastEvaluated is when validation was last performed + format: date-time + type: string + securityPosture: + description: + SecurityPosture is the security posture based on + all validation results + enum: + - Compliant + - Warning + - Degraded + - Critical + type: string + status: + description: |- + Status is the overall validation outcome. Denormalized from the + Validated x Programmed conditions so the `kubectl get wafpolicy` + printcolumn can show a single readable scalar; CRD printcolumns can + only read one JSONPath, not compute from two conditions. The + conditions are authoritative — if this field and the conditions ever + diverge in a future change, the conditions win and this field is the + rendered projection. Valid = Validated/True + Programmed/True; + Audited = Validated/False + Programmed/True (Audit mode); + Rejected = Validated/False + Programmed/False (Enforce mode blocked). 
+ enum: + - Valid + - Audited + - Rejected + type: string + required: + - status + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml new file mode 100644 index 0000000000..d1f2ec91d9 --- /dev/null +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/applicationlayer.projectcalico.org_wafvalidationpolicies.yaml 
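Review bot: `spec.plugins[].kind` accepts `GlobalWAFPlugin`, yet the same description states that a WAFPolicy reference resolves namespace-scoped regardless of Kind in this release, so a policy declaring `kind: GlobalWAFPlugin, name: foo` would presumably bind to a namespace WAFPlugin `foo` (or report PluginNotFound) instead of the cluster plugin the author meant, and the ruleset actually applied silently differs from the declared one. Until cross-scope lookup exists, a CEL rule next to the existing targetRefs rule can reject the unsupported value at admission: `- message: kind GlobalWAFPlugin is not yet supported in WAFPolicy.spec.plugins` / `rule: "!has(self.plugins) || self.plugins.all(p, !has(p.kind) || p.kind == 'WAFPlugin')"`. This file is controller-gen output (see the annotation at the top of the hunk), so the marker belongs on the upstream Go type rather than being hand-edited here.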
@@ -0,0 +1,227 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: v0.18.0 + name: wafvalidationpolicies.applicationlayer.projectcalico.org +spec: + group: applicationlayer.projectcalico.org + names: + kind: WAFValidationPolicy + listKind: WAFValidationPolicyList + plural: wafvalidationpolicies + shortNames: + - wafvp + singular: wafvalidationpolicy + preserveUnknownFields: false + scope: Namespaced + versions: + - additionalPrinterColumns: + - jsonPath: .status.securityPosture + name: Posture + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v3 + schema: + openAPIV3Schema: + description: |- + WAFValidationPolicy defines namespace-scoped validation rules for Application + Operators to self-validate their WAF configuration. Useful for catching + mistakes like accidentally removing required plugins. + properties: + apiVersion: + description: |- + APIVersion defines the versioned schema of this representation of an object. + Servers should convert recognized schemas to the latest internal value, and + may reject unrecognized values. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources + type: string + kind: + description: |- + Kind is a string value representing the REST resource this object represents. + Servers may infer this from the endpoint the client submits requests to. + Cannot be updated. + In CamelCase. + More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds + type: string + metadata: + type: object + spec: + description: |- + WAFValidationPolicySpec defines namespace validation rules. + + Namespace WAFValidationPolicies are ADVISORY ONLY: they self-validate an App + Operator's namespace config and surface failures via status + SecurityPosture + but never block EnvoyExtensionPolicy generation. 
The enforcement role belongs + to the Cluster Operator's GlobalWAFValidationPolicy (which has an + EnforcementMode); this type intentionally has no EnforcementMode. See the + approved design (per-route/namespaced WAF, designs#25 §01/§02). A future + CO-delegated self-enforcement model would be added separately (RFE). EV-6386. + properties: + rules: + description: Rules defines the validation rules to apply + items: + description: + ValidationRule defines a single Rego-based validation + rule + properties: + message: + description: Message is displayed when validation fails + maxLength: 1024 + type: string + name: + description: Name is a unique identifier for this rule + maxLength: 63 + minLength: 1 + type: string + rego: + description: |- + Rego is a Rego module that decides violations against the merged WAF + configuration. The module must declare `package waf` and produce a + `violations` set; an empty set means the rule passed. Each violation + may be a plain string message, or an object carrying a `msg` string. 
+ The `input` document available to the module: + - input.directives: []string - the final merged directive list + - input.config.action: string - effective action ("Detect" or "Block") + - input.config.crsState: string - CRS state ("Enabled" or "Disabled") + - input.config.paranoiaLevel: int - effective paranoia level (1-4) + - input.source.globalPolicy: string - name of GlobalWAFPolicy + - input.source.namespacePolicy: string - name of WAFPolicy (if any) + - input.source.globalPlugins: []string - names of global plugins applied + - input.source.namespacePlugins: []string - names of namespace plugins applied + maxLength: 16384 + minLength: 1 + type: string + severity: + default: warning + description: Severity determines the impact of this rule failing + enum: + - info + - warning + - critical + type: string + required: + - name + - rego + type: object + minItems: 1 + type: array + required: + - rules + type: object + status: + description: |- + WAFValidationPolicyStatus defines the observed state. + No conditions are emitted by the controller for this type today; the Conditions + field is reserved for future use. + properties: + conditions: + description: Conditions represent the latest available observations + items: + description: + Condition contains details for one aspect of the current + state of this API Resource. + properties: + lastTransitionTime: + description: |- + lastTransitionTime is the last time the condition transitioned from one status to another. + This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable. + format: date-time + type: string + message: + description: |- + message is a human readable message indicating details about the transition. + This may be an empty string. + maxLength: 32768 + type: string + observedGeneration: + description: |- + observedGeneration represents the .metadata.generation that the condition was set based upon. 
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date + with respect to the current state of the instance. + format: int64 + minimum: 0 + type: integer + reason: + description: |- + reason contains a programmatic identifier indicating the reason for the condition's last transition. + Producers of specific condition types may define expected values and meanings for this field, + and whether the values are considered a guaranteed API. + The value should be a CamelCase string. + This field may not be empty. + maxLength: 1024 + minLength: 1 + pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$ + type: string + status: + description: status of the condition, one of True, False, Unknown. + enum: + - "True" + - "False" + - Unknown + type: string + type: + description: type of condition in CamelCase or in foo.example.com/CamelCase. + maxLength: 316 + pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$ + type: string + required: + - lastTransitionTime + - message + - reason + - status + - type + type: object + type: array + lastEvaluated: + description: LastEvaluated is the timestamp of the last evaluation + format: date-time + type: string + securityPosture: + description: + SecurityPosture is the overall posture based on validation + results + enum: + - Compliant + - Warning + - Degraded + - Critical + type: string + validationResults: + description: ValidationResults contains results for each rule + items: + description: + ValidationResult represents the result of a single + validation rule + properties: + message: + description: Message is the failure message (if failed) + maxLength: 1024 + type: string + passed: + description: Passed indicates whether the rule passed + type: boolean + rule: + description: Rule is the name of the validation rule + maxLength: 63 + type: string + severity: + description: Severity is the 
severity level of this rule + enum: + - info + - warning + - critical + type: string + required: + - passed + - rule + type: object + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml index 2750ea66d9..1dcd44c189 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_alertexceptions.yaml @@ -80,3 +80,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml index 80d512f088..6d6436bb43 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_bgppeers.yaml @@ -91,7 +91,9 @@ spec: used in custom BGP templates type: object externalNetwork: - description: Name of the external network to which this peer belongs. + description: + Name of the external network to which this peer belongs. Cannot + be set if network is set. type: string failureDetectionMode: description: |- @@ -141,6 +143,11 @@ spec: RestartMode is "LongLivedGracefulRestart". When not specified, the BIRD defaults are used, which are 120s for "GracefulRestart" and 3600s for "LongLivedGracefulRestart". type: string + network: + description: + Name of the network to which this peer belongs. Cannot + be set if externalNetwork is set. + type: string nextHopMode: description: |- NextHopMode defines the method of calculating the next hop attribute for received routes. 
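Review bot: `spec.rules[].name` is described as a unique identifier for the rule, but the `rules` array carries no list-type map, so two rules with the same name are accepted and the `status.validationResults[].rule` entries (keyed only by name) can no longer be attributed to one specific rule. Adding `x-kubernetes-list-type: map` and `x-kubernetes-list-map-keys: [name]` beside the existing `minItems: 1` makes the API server reject duplicates and also gives Server-Side Apply a stable merge key. As this is controller-gen output, the change maps to `+listType=map` / `+listMapKey=name` markers on the upstream Go field.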
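Review bot: Enabling `subresources.status` on AlertException (and, in the later hunks, on GlobalAlert, GlobalReport and ManagedCluster) changes write semantics: `.status` is now ignored on writes to the main resource and must be set through the `/status` endpoint, which needs `update`/`patch` on `alertexceptions/status` and the corresponding `<plural>/status` resources in the writing component's (Cluster)Role. Nothing in this sync touches RBAC, so whatever grants permissions to the components that populate these statuses should be checked before the CRD upgrade, otherwise their status writes will be rejected with Forbidden. The ManagedCluster hunk additionally drops `status` from `required`, which is consistent with the subresource split but should be confirmed against any client that relied on status being present at creation.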
@@ -313,6 +320,11 @@ spec: rule: "!has(self.keepOriginalNextHop) || !self.keepOriginalNextHop || !has(self.nextHopMode)" + - message: network and externalNetwork cannot both be set + reason: FieldValueForbidden + rule: + (!has(self.network) || size(self.network) == 0) || (!has(self.externalNetwork) + || size(self.externalNetwork) == 0) required: - metadata - spec diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml index e3c428e0d6..8a759548e1 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_felixconfigurations.yaml @@ -311,6 +311,9 @@ spec: description: |- BPFHostNetworkedNATWithoutCTLB when in BPF mode, controls whether Felix does a NAT without CTLB. This along with BPFConnectTimeLoadBalancing determines the CTLB behavior. [Default: Enabled] + enum: + - Enabled + - Disabled type: string bpfIPFragTimeout: description: |- @@ -1324,7 +1327,9 @@ spec: IptablesMarkMask is the mask that Felix selects its IPTables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer iptablesNATOutgoingInterfaceFilter: description: |- 
@@ -1478,6 +1483,16 @@ spec: ExcludeL7SourceInfo - Aggregate over all other fields ignoring the source aggregated name, namespace, and type. pattern: ^(?i)(IncludeL7SourceInfo|IncludeL7SourceInfoNoPort|ExcludeL7SourceInfo)?$ type: string + l7LogsFileAggregationTLSSNI: + description: |- + L7LogsFileAggregationTLSSNI controls whether the TLS Server Name Indication (SNI) + participates in the aggregation key for L7 logs. + [Default: IncludeL7TLSSNI - SNI is part of the aggregation key] + Accepted values: + IncludeL7TLSSNI - Include the SNI in the aggregation key. + ExcludeL7TLSSNI - Aggregate over all other fields ignoring the SNI entirely. + pattern: ^(?i)(IncludeL7TLSSNI|ExcludeL7TLSSNI)?$ + type: string l7LogsFileAggregationTrimURL: description: |- L7LogsFileAggregationTrimURL is used to choose the type of aggregation for the url on L7 log entries. @@ -1527,6 +1542,12 @@ spec: [Default: 300s] pattern: ^([0-9]+(\\.[0-9]+)?(ms|s|m|h))*$ type: string + l7ObservabilityEnabled: + description: |- + L7ObservabilityEnabled enables eBPF-based L7 HTTP and TLS observability. + It is dataplane-agnostic - works with eBPF, iptables, or nftables. + Requires kernel 5.17+. [Default: false] + type: boolean liveMigrationRouteConvergenceTime: description: |- LiveMigrationRouteConvergenceTime is the time to keep elevated route priority after a 
@@ -1534,6 +1555,26 @@ spec: reverting to normal priority. [Default: 30s] pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$ type: string + localSubnetL2Reachability: + description: |- + LocalSubnetL2Reachability controls whether Felix automatically responds to + ARP (IPv4) and NDP (IPv6) requests on host interfaces for local pod IPs and + selected LoadBalancer VIPs that fall within the same subnet as the host + interface. When set to PodsAndLoadBalancers, pods and LB VIPs on the host + subnet are reachable from the local L2 segment without BGP. [Default: Disabled] + enum: + - Disabled + - PodsAndLoadBalancers + type: string + localSubnetL2ReachabilityRefreshInterval: + description: |- + LocalSubnetL2ReachabilityRefreshInterval controls how often Felix re-announces + (gratuitous ARP / unsolicited NA) every IP it proxies ARP/NDP for when + LocalSubnetL2Reachability is enabled, keeping neighbor caches and switch + forwarding tables warm even when the set of proxied IPs is unchanged. Set to 0 + to disable periodic re-announcement, leaving only the one-shot announce when an + IP is added. [Default: 120s] + type: string logActionRateLimit: description: |- LogActionRateLimit sets the rate of hitting a Log action. The value must be in the format "N/unit", @@ -1700,7 +1741,9 @@ spec: NftablesMarkMask is the mask that Felix selects its nftables Mark bits from. Should be a 32 bit hexadecimal number with at least 8 bits set, none of which clash with any other mark bits in use on the system. [Default: 0xffff0000] - format: int32 + format: int64 + maximum: 4294967295 + minimum: 0 type: integer nftablesMode: default: Auto diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml index 5e176fe3e5..5583399d28 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml 
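Review bot: `localSubnetL2ReachabilityRefreshInterval` is a duration carried in a bare `type: string` with no `pattern`, unlike the sibling duration fields in this file (the context line just above it carries `pattern: ^([0-9]+(\.[0-9]+)?(ms|s|m|h))*$`), so a malformed value reaches Felix unchecked at admission. Adding that same `pattern:` line after `type: string` would reject it up front; note that the documented "0" disable value would then need to be written as `0s`, and the description should say so. Since this file is controller-gen output, the fix belongs on the Go field's kubebuilder marker upstream.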
+++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalalerts.yaml @@ -228,3 +228,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalreports.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalreports.yaml index 7522f10015..355df8ebc9 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalreports.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_globalreports.yaml @@ -461,3 +461,5 @@ spec: type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_kubecontrollersconfigurations.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_kubecontrollersconfigurations.yaml index cf04e94660..e523fb35e3 100644 --- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_kubecontrollersconfigurations.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_kubecontrollersconfigurations.yaml @@ -48,6 +48,19 @@ spec: Controllers enables and configures individual Kubernetes controllers properties: + applicationLayer: + description: |- + ApplicationLayer enables and configures the application-layer subsystem + (WAF, GlobalWAF, WAFPlugin, validation). Operator-managed; users should + not edit this field directly. Non-nil enables the subsystem; activation + is gated on a valid Calico Enterprise license. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation. + [Default: 30s]" + type: string + type: object federatedServices: description: FederatedServices enables and configures the federatedservices 
@@ -195,6 +208,17 @@ spec: with the Calico datastore. [Default: 5m]" type: string type: object + rbacSync: + description: |- + RBACSync enables and configures the RBAC sync controller, which reconciles + Calico RBAC ClusterRoles and bindings. Disabled by default, set to non-nil to enable. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 30s]" + type: string + type: object serviceAccount: description: ServiceAccount enables and configures the service @@ -287,6 +311,19 @@ spec: Controllers enables and configures individual Kubernetes controllers properties: + applicationLayer: + description: |- + ApplicationLayer enables and configures the application-layer subsystem + (WAF, GlobalWAF, WAFPlugin, validation). Operator-managed; users should + not edit this field directly. Non-nil enables the subsystem; activation + is gated on a valid Calico Enterprise license. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation. [Default: 30s]" + type: string + type: object federatedServices: description: FederatedServices enables and configures the @@ -437,6 +474,18 @@ spec: 5m]" type: string type: object + rbacSync: + description: |- + RBACSync enables and configures the RBAC sync controller, which reconciles + Calico RBAC ClusterRoles and bindings. Disabled by default, set to non-nil to enable. + properties: + reconcilerPeriod: + description: + "ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 30s]" + type: string + type: object serviceAccount: description: ServiceAccount enables and configures the service diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_managedclusters.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_managedclusters.yaml index b415f75da4..c6f1590fcd 100644 
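Review bot: The `rbacSync` description says the controller reconciles Calico ClusterRoles and bindings but not which objects it owns, and since any principal able to update KubeControllersConfiguration can turn on a writer of cluster-wide RBAC just by making the field non-nil, the description should name the managed set (for example by label or name prefix) so the permissions granted to kube-controllers can be scoped to exactly those objects. Likewise `applicationLayer` is marked "Operator-managed; users should not edit" while nothing in the schema distinguishes it from user-settable fields; stating what happens to a manual edit (reverted, or honored) would make the intent verifiable. The same two descriptions are repeated in the `status` block later in this file (the two following hunks) and would need the same wording.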
--- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_managedclusters.yaml +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_managedclusters.yaml @@ -14,7 +14,17 @@ spec: preserveUnknownFields: false scope: Cluster versions: - - name: v3 + - additionalPrinterColumns: + - description: + Whether the managed cluster is currently connected to the management + cluster + jsonPath: .status.conditions[?(@.type=='ManagedClusterConnected')].status + name: Connected + type: string + - jsonPath: .metadata.creationTimestamp + name: Age + type: date + name: v3 schema: openAPIV3Schema: description: |- @@ -85,7 +95,8 @@ spec: required: - metadata - spec - - status type: object served: true storage: true + subresources: + status: {} diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_networks.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_networks.yaml new file mode 100644 index 0000000000..7e2846d2a5 --- /dev/null +++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_networks.yaml 
@@ -0,0 +1,247 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ annotations:
+ controller-gen.kubebuilder.io/version: v0.18.0
+ name: networks.projectcalico.org
+spec:
+ group: projectcalico.org
+ names:
+ kind: Network
+ listKind: NetworkList
+ plural: networks
+ singular: network
+ preserveUnknownFields: false
+ scope: Cluster
+ versions:
+ - name: v3
+ schema:
+ openAPIV3Schema:
+ description: |-
+ Network defines a logical network within a Calico cluster. Each Network has a type
+ (VRF, ...) that determines how pods on that network are isolated and how
+ their traffic is routed.
+ properties:
+ apiVersion:
+ description: |-
+ APIVersion defines the versioned schema of this representation of an object.
+ Servers should convert recognized schemas to the latest internal value, and
+ may reject unrecognized values.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+ type: string
+ kind:
+ description: |-
+ Kind is a string value representing the REST resource this object represents.
+ Servers may infer this from the endpoint the client submits requests to.
+ Cannot be updated.
+ In CamelCase.
+ More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+ type: string
+ metadata:
+ type: object
+ spec:
+ description: |-
+ NetworkSpec contains the specification for a Network resource. Exactly one of the
+ network-type fields (vrf, ...) must be set.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ vrf:
+ description: |-
+ VRF network configuration.
+ Pods interfaces on a VRF network are isolated in a Linux VRF and can only access their own VRF.
+ properties:
+ hostConfig:
+ description: |-
+ HostConfig defines per-node configuration for this VRF network. At least one entry
+ must be specified. When multiple entries are present (e.g. one per rack), they must
+ have disjoint nodeSelectors although this is not enforced. For a given node, the
+ first matching entry is applied and all others are ignored.
+
+ The list is stored and served as a JSON array; Kubernetes preserves the
+ order in which entries were submitted (including across Server-Side
+ Apply merges keyed on nodeSelector), so the result of `kubectl get -oyaml`
+ is authoritative for "first match wins". Single-actor edits keep the
+ order users see in the YAML they edit.
+ items:
+ description: |-
+ VRFHostConfig provides node-specific VRF settings which may vary across different hosts
+ in the cluster.
+ properties:
+ hostInterfaces:
+ description: |-
+ Interfaces on the node to attach to the VRF. The IP address, and local routes
+ for that IP address will move into the VRF routing table. At least one interface
+ should be specified to allow pods in the VRF to communicate outside the node.
+ items:
+ description: |-
+ InterfaceMatch identifies a network interface. Exactly one match
+ criterion must be set.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ name:
+ description: |-
+ Name matches a network interface by its exact device name
+ (e.g. "bond0", "eth1", "ens192").
+ maxLength: 15
+ minLength: 1
+ type: string
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ nodeSelector:
+ default: ""
+ description: |-
+ NodeSelector is a Calico selector expression that determines which nodes this
+ configuration applies to. If omitted, the entry applies to all nodes.
+ When multiple HostConfig entries are present, the first entry whose selector
+ matches a given node wins.
+ type: string
+ routeTableIndex:
+ description: |-
+ RouteTableIndex is the Linux kernel routing table number to use for this VRF.
+ Must be unique on these nodes, must not overlap with the RouteTableRanges in
+ FelixConfiguration, and must not collide with tables used by other software on
+ the node. Tables 253 (default), 254 (main), and 255 (local) are reserved by
+ the kernel.
+ format: int32
+ maximum: 2147483647
+ minimum: 1
+ type: integer
+ staticRoutes:
+ description: |-
+ StaticRoutes are additional routes programmed into the VRF routing table, beyond
+ the pod routes that Felix manages automatically and routes derived from VRF
+ interface addresses.
+ items:
+ description:
+ VRFStaticRoute defines a static route to
+ program in a VRF routing table.
+ properties:
+ action:
+ description: |-
+ Action determines how traffic matching this route is handled. Exactly one action
+ field must be set.
+ maxProperties: 1
+ minProperties: 1
+ properties:
+ nextHop:
+ description: |-
+ NextHop forwards matching traffic to the specified gateway IP. The address must be
+ reachable on the subnet of one of the VRF interfaces on the node.
+ type: string
+ type: object
+ destination:
+ description: |-
+ Destination is the CIDR prefix for this route. Use "0.0.0.0/0" or "::/0" for a
+ default route.
+ type: string
+ required:
+ - action
+ - destination
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ required:
+ - routeTableIndex
+ type: object
+ maxItems: 100
+ minItems: 1
+ type: array
+ x-kubernetes-list-map-keys:
+ - nodeSelector
+ x-kubernetes-list-type: map
+ routing:
+ description:
+ Routing controls cluster-wide routing behaviour for
+ this VRF network.
+ properties:
+ inClusterMode:
+ default: Local
+ description: |-
+ InClusterMode controls how Felix programs routes to pods on remote nodes inside
+ the VRF routing table.
+
+ - Local: Felix programs routes to VRF pods local to this node;
+ routing to pods on other nodes must be handled by BGP.
+ enum:
+ - Local
+ type: string
+ type: object
+ required:
+ - hostConfig
+ type: object
+ type: object
+ status:
+ description: NetworkStatus reports the observed state of the Network resource.
+ properties:
+ conditions:
+ description:
+ Conditions is a list of conditions that apply to this
+ network.
+ items:
+ description:
+ Condition contains details for one aspect of the current
+ state of this API Resource.
+ properties:
+ lastTransitionTime:
+ description: |-
+ lastTransitionTime is the last time the condition transitioned from one status to another.
+ This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
+ format: date-time
+ type: string
+ message:
+ description: |-
+ message is a human readable message indicating details about the transition.
+ This may be an empty string.
+ maxLength: 32768
+ type: string
+ observedGeneration:
+ description: |-
+ observedGeneration represents the .metadata.generation that the condition was set based upon.
+ For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
+ with respect to the current state of the instance.
+ format: int64
+ minimum: 0
+ type: integer
+ reason:
+ description: |-
+ reason contains a programmatic identifier indicating the reason for the condition's last transition.
+ Producers of specific condition types may define expected values and meanings for this field,
+ and whether the values are considered a guaranteed API.
+ The value should be a CamelCase string.
+ This field may not be empty.
+ maxLength: 1024
+ minLength: 1
+ pattern: ^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$
+ type: string
+ status:
+ description: status of the condition, one of True, False, Unknown.
+ enum:
+ - "True"
+ - "False"
+ - Unknown
+ type: string
+ type:
+ description: type of condition in CamelCase or in foo.example.com/CamelCase.
+ maxLength: 316
+ pattern: ^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$
+ type: string
+ required:
+ - lastTransitionTime
+ - message
+ - reason
+ - status
+ - type
+ type: object
+ type: array
+ x-kubernetes-list-type: atomic
+ type: object
+ required:
+ - spec
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml
index 60f7270335..d36ec49f0b 100644
--- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml
+++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_packetcaptures.yaml
@@ -166,3 +166,5 @@ spec:
 type: object
 served: true
 storage: true
+ subresources:
+ status: {}
diff --git a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_securityeventwebhooks.yaml b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_securityeventwebhooks.yaml
index 7226756f30..b701e292b7 100644
--- a/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_securityeventwebhooks.yaml
+++ b/pkg/imports/crds/enterprise/v3.projectcalico.org/projectcalico.org_securityeventwebhooks.yaml
@@ -190,3 +190,5 @@ spec:
 type: object
 served: true
 storage: true
+ subresources:
+ status: {}
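Review bot: `vrf.hostConfig[].routeTableIndex` in the new networks CRD documents that tables 253/254/255 are kernel-reserved but only enforces `minimum: 1` / `maximum: 2147483647`, so a Network object can point a VRF at the main (254) or local (255) table; because `hostInterfaces` addresses and routes are moved into that table, that is a host-routing takeover reachable from a cluster-scoped resource, and it should be rejected at admission rather than left to Felix. Add under `routeTableIndex`: `x-kubernetes-validations:` / `- rule: "!(self in [253, 254, 255])"` / `  message: "routeTableIndex must not use kernel-reserved tables 253-255"` (needs a Kubernetes baseline with CEL validation, 1.25+; the RouteTableRanges overlap mentioned in the description cannot be checked here because it lives in FelixConfiguration). `staticRoutes[].destination` and `action.nextHop` are likewise bare strings: `format: cidr` on destination, and `isIP(self)` in CEL (1.30+) or an explicit pattern on nextHop, would stop malformed values before they reach the datapath. Finally, the top-level Network description should say what privilege the resource carries — a `0.0.0.0/0` static route with a caller-chosen nextHop redirects all traffic of every pod on that VRF — so RBAC on `networks.projectcalico.org` is treated like BGPPeer/NetworkPolicy-level access, e.g. `Creating or editing a Network changes host routing tables and pod egress paths on the selected nodes; restrict write access accordingly.`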