tatara-cilium 0.2.5

Tatara domain wrapping 1 CRD(s).
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
1790
1791
1792
1793
1794
1795
1796
1797
1798
1799
1800
1801
1802
1803
1804
1805
//! tatara-cilium — auto-generated tatara domain.
//!
//! Tatara domain wrapping 1 CRD(s).
//!
//! Generated by `tatara-domain-forge`. Do not hand-edit.
//! Re-run the generator to refresh.

#![allow(clippy::module_name_repetitions)]

use serde::{Deserialize, Serialize};
use tatara_lisp_derive::TataraDomain;

/// CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy.
#[derive(Debug, Clone, Serialize, Deserialize, TataraDomain)]
#[tatara(keyword = "defciliumnetworkpolicy")]
pub struct CiliumNetworkPolicySpec {
    /// Description is a free form string, it can be used by the creator of the rule to store human readable explanation of the purpose of this rule. Rules cannot be identified by comment.
    #[serde(default)]
    pub description: Option<String>,
    /// Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress.
    #[serde(default)]
    pub egress: Option<Vec<CiliumNetworkPolicyEgressItem>>,
    /// EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will be denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress.
    #[serde(default)]
    pub egress_deny: Option<Vec<CiliumNetworkPolicyEgressDenyItem>>,
    /// EnableDefaultDeny determines whether this policy configures the subject endpoint(s) to have a default deny mode. If enabled, this causes all traffic not explicitly allowed by a network policy to be dropped.
    /// If not specified, the default is true for each traffic direction that has rules, and false otherwise. For example, if a policy only has Ingress or IngressDeny rules, then the default for ingress is true and egress is false.
    /// If multiple policies apply to an endpoint, that endpoint's default deny will be enabled if any policy requests it.
    /// This is useful for creating broad-based network policies that will not cause endpoints to enter default-deny mode.
    #[serde(default)]
    pub enable_default_deny: Option<CiliumNetworkPolicyEnableDefaultDeny>,
    /// EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive.
    #[serde(default)]
    pub endpoint_selector: Option<CiliumNetworkPolicyEndpointSelector>,
    /// Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress.
    #[serde(default)]
    pub ingress: Option<Vec<CiliumNetworkPolicyIngressItem>>,
    /// IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will be denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress.
    #[serde(default)]
    pub ingress_deny: Option<Vec<CiliumNetworkPolicyIngressDenyItem>>,
    /// Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels.
    #[serde(default)]
    pub labels: Option<Vec<CiliumNetworkPolicyLabelsItem>>,
    /// NodeSelector selects all nodes which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies.
    #[serde(default)]
    pub node_selector: Option<CiliumNetworkPolicyNodeSelector>,
}

// ── Nested types ──────────────────────────────────────
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemAuthenticationModeKind {
    #[serde(rename = "disabled")]
    Disabled,
    #[serde(rename = "required")]
    Required,
    #[serde(rename = "test-always-fail")]
    TestAlwaysFail,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemAuthentication {
    /// Mode is the required authentication mode for the allowed traffic, if any.
    pub mode: CiliumNetworkPolicyEgressItemAuthenticationModeKind,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemIcmpsItemFieldsItemFamilyKind {
    #[serde(rename = "IPv4")]
    IPv4,
    #[serde(rename = "IPv6")]
    IPv6,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemIcmpsItemFieldsItem {
    /// Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.
    #[serde(default)]
    pub family: Option<CiliumNetworkPolicyEgressItemIcmpsItemFieldsItemFamilyKind>,
    /// Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, "EchoReply"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply
    pub r#type: serde_json::Value,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemIcmpsItem {
    /// Fields is a list of ICMP fields.
    #[serde(default)]
    pub fields: Option<Vec<CiliumNetworkPolicyEgressItemIcmpsItemFieldsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToCIDRSetItem {
    /// CIDR is a CIDR prefix / IP Block.
    #[serde(default)]
    pub cidr: Option<String>,
    /// CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.
    #[serde(default)]
    pub cidr_group_ref: Option<String>,
    /// ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
    #[serde(default)]
    pub except: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToEndpointsItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToEndpointsItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressItemToEndpointsItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToEndpointsItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressItemToEndpointsItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToEntitiesItemKind {
    #[serde(rename = "all")]
    All,
    #[serde(rename = "world")]
    World,
    #[serde(rename = "cluster")]
    Cluster,
    #[serde(rename = "host")]
    Host,
    #[serde(rename = "init")]
    Init,
    #[serde(rename = "ingress")]
    Ingress,
    #[serde(rename = "unmanaged")]
    Unmanaged,
    #[serde(rename = "remote-node")]
    RemoteNode,
    #[serde(rename = "health")]
    Health,
    #[serde(rename = "none")]
    None,
    #[serde(rename = "kube-apiserver")]
    KubeApiserver,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToFQDNsItem {
    /// MatchName matches literal DNS names. A trailing "." is automatically added when missing.
    #[serde(default)]
    pub match_name: Option<String>,
    /// MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - "*" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a "*" as the leftmost character, without a following "." matches all subdomains as well as the name to the right. A trailing "." is automatically added when missing.
    /// Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" except those containing "." separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with "sub" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not
    #[serde(default)]
    pub match_pattern: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToGroupsItemAws {
    #[serde(default)]
    pub labels: Option<std::collections::HashMap<String, String>>,
    #[serde(default)]
    pub region: Option<String>,
    #[serde(default)]
    pub security_groups_ids: Option<Vec<String>>,
    #[serde(default)]
    pub security_groups_names: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToGroupsItem {
    /// AWSGroup is an structure that can be used to whitelisting information from AWS integration
    #[serde(default)]
    pub aws: Option<CiliumNetworkPolicyEgressItemToGroupsItemAws>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToNodesItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToNodesItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressItemToNodesItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToNodesItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressItemToNodesItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToPortsItemListenerEnvoyConfigKindKind {
    #[serde(rename = "CiliumEnvoyConfig")]
    CiliumEnvoyConfig,
    #[serde(rename = "CiliumClusterwideEnvoyConfig")]
    CiliumClusterwideEnvoyConfig,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemListenerEnvoyConfig {
    /// Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.
    #[serde(default)]
    pub kind: Option<CiliumNetworkPolicyEgressItemToPortsItemListenerEnvoyConfigKindKind>,
    /// Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in.
    pub name: String,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemListener {
    /// EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.
    pub envoy_config: CiliumNetworkPolicyEgressItemToPortsItemListenerEnvoyConfig,
    /// Name is the name of the listener.
    pub name: String,
    /// Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.
    #[serde(default)]
    pub priority: Option<i64>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemOriginatingTLSSecret {
    /// Name is the name of the secret.
    pub name: String,
    /// Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
    #[serde(default)]
    pub namespace: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemOriginatingTLS {
    /// Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub certificate: Option<String>,
    /// PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub private_key: Option<String>,
    /// Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.
    pub secret: CiliumNetworkPolicyEgressItemToPortsItemOriginatingTLSSecret,
    /// TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub trusted_c_a: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToPortsItemPortsItemProtocolKind {
    #[serde(rename = "TCP")]
    TCP,
    #[serde(rename = "UDP")]
    UDP,
    #[serde(rename = "SCTP")]
    SCTP,
    #[serde(rename = "ANY")]
    ANY,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemPortsItem {
    /// EndPort can only be an L4 port number.
    #[serde(default)]
    pub end_port: Option<i64>,
    /// Port can be an L4 port number, or a name in the form of "http" or "http-8080".
    pub port: String,
    /// Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", "SCTP", "ANY"
    /// Matching on ICMP is not supported.
    /// Named port specified for a container may narrow this down, but may not contradict this.
    #[serde(default)]
    pub protocol: Option<CiliumNetworkPolicyEgressItemToPortsItemPortsItemProtocolKind>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemRulesDnsItem {
    /// MatchName matches literal DNS names. A trailing "." is automatically added when missing.
    #[serde(default)]
    pub match_name: Option<String>,
    /// MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - "*" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a "*" as the leftmost character, without a following "." matches all subdomains as well as the name to the right. A trailing "." is automatically added when missing.
    /// Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" except those containing "." separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with "sub" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not
    #[serde(default)]
    pub match_pattern: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItemHeaderMatchesItemMismatchKind {
    #[serde(rename = "LOG")]
    LOG,
    #[serde(rename = "ADD")]
    ADD,
    #[serde(rename = "DELETE")]
    DELETE,
    #[serde(rename = "REPLACE")]
    REPLACE,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItemHeaderMatchesItemSecret {
    /// Name is the name of the secret.
    pub name: String,
    /// Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
    #[serde(default)]
    pub namespace: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItemHeaderMatchesItem {
    /// Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.
    #[serde(default)]
    pub mismatch: Option<CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItemHeaderMatchesItemMismatchKind>,
    /// Name identifies the header.
    pub name: String,
    /// Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no "Value" specified, the match will fail.
    #[serde(default)]
    pub secret: Option<CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItemHeaderMatchesItemSecret>,
    /// Value matches the exact value of the header. Can be specified either alone or together with "Secret"; will be used as the header value if the secret can not be found in the latter case.
    #[serde(default)]
    pub value: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItem {
    /// HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.
    #[serde(default)]
    pub header_matches: Option<Vec<CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItemHeaderMatchesItem>>,
    /// Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.
    #[serde(default)]
    pub headers: Option<Vec<String>>,
    /// Host is an extended POSIX regex matched against the host header of a request. Examples:
    /// - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\.bar\.com will only match the host foo.bar.com
    /// If omitted or empty, the value of the host header is ignored.
    #[serde(default)]
    pub host: Option<String>,
    /// Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...
    /// If omitted or empty, all methods are allowed.
    #[serde(default)]
    pub method: Option<String>,
    /// Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
    /// If omitted or empty, all paths are all allowed.
    #[serde(default)]
    pub path: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToPortsItemRulesKafkaItemRoleKind {
    #[serde(rename = "produce")]
    Produce,
    #[serde(rename = "consume")]
    Consume,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemRulesKafkaItem {
    /// APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys
    /// If omitted or empty, and if Role is not specified, then all keys are allowed.
    #[serde(default)]
    pub api_key: Option<String>,
    /// APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer.
    /// If omitted or empty, all versions are allowed.
    #[serde(default)]
    pub api_version: Option<String>,
    /// ClientID is the client identifier as provided in the request.
    /// From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client.
    /// If omitted or empty, all client identifiers are allowed.
    #[serde(default)]
    pub client_i_d: Option<String>,
    /// Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as "produce" or "consume". A Role automatically expands into all APIKeys required to perform the specified higher-level operation.
    /// The following values are supported: - "produce": Allow producing to the topics specified in the rule - "consume": Allow consuming from the topics specified in the rule
    /// This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule.
    /// If omitted or empty, and if APIKey is not specified, then all keys are allowed.
    #[serde(default)]
    pub role: Option<CiliumNetworkPolicyEgressItemToPortsItemRulesKafkaItemRoleKind>,
    /// Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected.
    /// This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _.
    /// Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255.
    /// If omitted or empty, all topics are allowed.
    #[serde(default)]
    pub topic: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemRules {
    /// DNS-specific rules.
    #[serde(default)]
    pub dns: Option<Vec<CiliumNetworkPolicyEgressItemToPortsItemRulesDnsItem>>,
    /// HTTP specific rules.
    #[serde(default)]
    pub http: Option<Vec<CiliumNetworkPolicyEgressItemToPortsItemRulesHttpItem>>,
    /// Kafka-specific rules.
    #[serde(default)]
    pub kafka: Option<Vec<CiliumNetworkPolicyEgressItemToPortsItemRulesKafkaItem>>,
    /// Key-value pair rules.
    #[serde(default)]
    pub l7: Option<Vec<std::collections::HashMap<String, String>>>,
    /// Name of the L7 protocol for which the Key-value pair rules apply.
    #[serde(default)]
    pub l7proto: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemTerminatingTLSSecret {
    /// Name is the name of the secret.
    pub name: String,
    /// Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
    #[serde(default)]
    pub namespace: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItemTerminatingTLS {
    /// Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub certificate: Option<String>,
    /// PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub private_key: Option<String>,
    /// Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.
    pub secret: CiliumNetworkPolicyEgressItemToPortsItemTerminatingTLSSecret,
    /// TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub trusted_c_a: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToPortsItem {
    /// listener specifies the name of a custom Envoy listener to which this traffic should be redirected to.
    #[serde(default)]
    pub listener: Option<CiliumNetworkPolicyEgressItemToPortsItemListener>,
    /// OriginatingTLS is the TLS context for the connections originated by the L7 proxy.  For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.
    #[serde(default)]
    pub originating_t_l_s: Option<CiliumNetworkPolicyEgressItemToPortsItemOriginatingTLS>,
    /// Ports is a list of L4 port/protocol
    #[serde(default)]
    pub ports: Option<Vec<CiliumNetworkPolicyEgressItemToPortsItemPortsItem>>,
    /// Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.
    #[serde(default)]
    pub rules: Option<CiliumNetworkPolicyEgressItemToPortsItemRules>,
    /// ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.
    #[serde(default)]
    pub server_names: Option<Vec<String>>,
    /// TerminatingTLS is the TLS context for the connection terminated by the L7 proxy.  For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.
    #[serde(default)]
    pub terminating_t_l_s: Option<CiliumNetworkPolicyEgressItemToPortsItemTerminatingTLS>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToRequiresItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToRequiresItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressItemToRequiresItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToRequiresItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressItemToRequiresItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToServicesItemK8sService {
    #[serde(default)]
    pub namespace: Option<String>,
    #[serde(default)]
    pub service_name: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelectorSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelector {
    #[serde(default)]
    pub namespace: Option<String>,
    /// ServiceSelector is a label selector for k8s services
    pub selector: CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelectorSelector,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItemToServicesItem {
    /// K8sService selects service by name and namespace pair
    #[serde(default)]
    pub k8s_service: Option<CiliumNetworkPolicyEgressItemToServicesItemK8sService>,
    /// K8sServiceSelector selects services by k8s labels and namespace
    #[serde(default)]
    pub k8s_service_selector: Option<CiliumNetworkPolicyEgressItemToServicesItemK8sServiceSelector>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressItem {
    /// Authentication is the required authentication type for the allowed traffic, if any.
    #[serde(default)]
    pub authentication: Option<CiliumNetworkPolicyEgressItemAuthentication>,
    /// ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to.
    /// Example: Any endpoint with the label "app=httpd" is allowed to initiate type 8 ICMP connections.
    #[serde(default)]
    pub icmps: Option<Vec<CiliumNetworkPolicyEgressItemIcmpsItem>>,
    /// ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules.  This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
    /// Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24
    #[serde(default)]
    pub to_c_i_d_r: Option<Vec<String>>,
    /// ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
    /// Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.
    #[serde(default)]
    pub to_c_i_d_r_set: Option<Vec<CiliumNetworkPolicyEgressItemToCIDRSetItem>>,
    /// ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate.
    /// Example: Any endpoint with the label "role=frontend" can communicate with any endpoint carrying the label "role=backend".
    #[serde(default)]
    pub to_endpoints: Option<Vec<CiliumNetworkPolicyEgressItemToEndpointsItem>>,
    /// ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, `health`,`unmanaged` and `all`.
    #[serde(default)]
    pub to_entities: Option<Vec<CiliumNetworkPolicyEgressItemToEntitiesItemKind>>,
    /// ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules.
    #[serde(default)]
    pub to_f_q_d_ns: Option<Vec<CiliumNetworkPolicyEgressItemToFQDNsItem>>,
    /// ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives:
    /// Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'
    #[serde(default)]
    pub to_groups: Option<Vec<CiliumNetworkPolicyEgressItemToGroupsItem>>,
    /// ToNodes is a list of nodes identified by an EndpointSelector to which endpoints subject to the rule is allowed to communicate.
    #[serde(default)]
    pub to_nodes: Option<Vec<CiliumNetworkPolicyEgressItemToNodesItem>>,
    /// ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to.
    /// Example: Any endpoint with the label "role=frontend" is allowed to initiate connections to destination port 8080/tcp
    #[serde(default)]
    pub to_ports: Option<Vec<CiliumNetworkPolicyEgressItemToPortsItem>>,
    /// ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints.
    /// Example: Any Endpoint with the label "team=A" requires any endpoint to which it communicates to also carry the label "team=A".
    #[serde(default)]
    pub to_requires: Option<Vec<CiliumNetworkPolicyEgressItemToRequiresItem>>,
    /// ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors.
    /// Example: Any endpoint with the label "app=backend-app" is allowed to initiate connections to all cidrs backing the "external-service" service
    #[serde(default)]
    pub to_services: Option<Vec<CiliumNetworkPolicyEgressItemToServicesItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressDenyItemIcmpsItemFieldsItemFamilyKind {
    #[serde(rename = "IPv4")]
    IPv4,
    #[serde(rename = "IPv6")]
    IPv6,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemIcmpsItemFieldsItem {
    /// Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.
    #[serde(default)]
    pub family: Option<CiliumNetworkPolicyEgressDenyItemIcmpsItemFieldsItemFamilyKind>,
    /// Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, "EchoReply"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply
    pub r#type: serde_json::Value,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemIcmpsItem {
    /// Fields is a list of ICMP fields.
    #[serde(default)]
    pub fields: Option<Vec<CiliumNetworkPolicyEgressDenyItemIcmpsItemFieldsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToCIDRSetItem {
    /// CIDR is a CIDR prefix / IP Block.
    #[serde(default)]
    pub cidr: Option<String>,
    /// CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.
    #[serde(default)]
    pub cidr_group_ref: Option<String>,
    /// ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
    #[serde(default)]
    pub except: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressDenyItemToEndpointsItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToEndpointsItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressDenyItemToEndpointsItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToEndpointsItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressDenyItemToEndpointsItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressDenyItemToEntitiesItemKind {
    #[serde(rename = "all")]
    All,
    #[serde(rename = "world")]
    World,
    #[serde(rename = "cluster")]
    Cluster,
    #[serde(rename = "host")]
    Host,
    #[serde(rename = "init")]
    Init,
    #[serde(rename = "ingress")]
    Ingress,
    #[serde(rename = "unmanaged")]
    Unmanaged,
    #[serde(rename = "remote-node")]
    RemoteNode,
    #[serde(rename = "health")]
    Health,
    #[serde(rename = "none")]
    None,
    #[serde(rename = "kube-apiserver")]
    KubeApiserver,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToGroupsItemAws {
    #[serde(default)]
    pub labels: Option<std::collections::HashMap<String, String>>,
    #[serde(default)]
    pub region: Option<String>,
    #[serde(default)]
    pub security_groups_ids: Option<Vec<String>>,
    #[serde(default)]
    pub security_groups_names: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToGroupsItem {
    /// AWSGroup is an structure that can be used to whitelisting information from AWS integration
    #[serde(default)]
    pub aws: Option<CiliumNetworkPolicyEgressDenyItemToGroupsItemAws>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressDenyItemToNodesItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToNodesItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressDenyItemToNodesItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToNodesItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressDenyItemToNodesItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressDenyItemToPortsItemPortsItemProtocolKind {
    #[serde(rename = "TCP")]
    TCP,
    #[serde(rename = "UDP")]
    UDP,
    #[serde(rename = "SCTP")]
    SCTP,
    #[serde(rename = "ANY")]
    ANY,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToPortsItemPortsItem {
    /// EndPort can only be an L4 port number.
    #[serde(default)]
    pub end_port: Option<i64>,
    /// Port can be an L4 port number, or a name in the form of "http" or "http-8080".
    pub port: String,
    /// Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", "SCTP", "ANY"
    /// Matching on ICMP is not supported.
    /// Named port specified for a container may narrow this down, but may not contradict this.
    #[serde(default)]
    pub protocol: Option<CiliumNetworkPolicyEgressDenyItemToPortsItemPortsItemProtocolKind>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToPortsItem {
    /// Ports is a list of L4 port/protocol
    #[serde(default)]
    pub ports: Option<Vec<CiliumNetworkPolicyEgressDenyItemToPortsItemPortsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressDenyItemToRequiresItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToRequiresItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressDenyItemToRequiresItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToRequiresItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressDenyItemToRequiresItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToServicesItemK8sService {
    #[serde(default)]
    pub namespace: Option<String>,
    #[serde(default)]
    pub service_name: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelectorSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelectorSelectorMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelector {
    #[serde(default)]
    pub namespace: Option<String>,
    /// ServiceSelector is a label selector for k8s services
    pub selector: CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelectorSelector,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItemToServicesItem {
    /// K8sService selects service by name and namespace pair
    #[serde(default)]
    pub k8s_service: Option<CiliumNetworkPolicyEgressDenyItemToServicesItemK8sService>,
    /// K8sServiceSelector selects services by k8s labels and namespace
    #[serde(default)]
    pub k8s_service_selector: Option<CiliumNetworkPolicyEgressDenyItemToServicesItemK8sServiceSelector>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEgressDenyItem {
    /// ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to.
    /// Example: Any endpoint with the label "app=httpd" is not allowed to initiate type 8 ICMP connections.
    #[serde(default)]
    pub icmps: Option<Vec<CiliumNetworkPolicyEgressDenyItemIcmpsItem>>,
    /// ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules.  This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
    /// Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24
    #[serde(default)]
    pub to_c_i_d_r: Option<Vec<String>>,
    /// ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet.
    /// Example: Any endpoint with the label "app=database-proxy" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.
    #[serde(default)]
    pub to_c_i_d_r_set: Option<Vec<CiliumNetworkPolicyEgressDenyItemToCIDRSetItem>>,
    /// ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate.
    /// Example: Any endpoint with the label "role=frontend" can communicate with any endpoint carrying the label "role=backend".
    #[serde(default)]
    pub to_endpoints: Option<Vec<CiliumNetworkPolicyEgressDenyItemToEndpointsItem>>,
    /// ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, `health`,`unmanaged` and `all`.
    #[serde(default)]
    pub to_entities: Option<Vec<CiliumNetworkPolicyEgressDenyItemToEntitiesItemKind>>,
    /// ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives:
    /// Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'
    #[serde(default)]
    pub to_groups: Option<Vec<CiliumNetworkPolicyEgressDenyItemToGroupsItem>>,
    /// ToNodes is a list of nodes identified by an EndpointSelector to which endpoints subject to the rule is allowed to communicate.
    #[serde(default)]
    pub to_nodes: Option<Vec<CiliumNetworkPolicyEgressDenyItemToNodesItem>>,
    /// ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to.
    /// Example: Any endpoint with the label "role=frontend" is not allowed to initiate connections to destination port 8080/tcp
    #[serde(default)]
    pub to_ports: Option<Vec<CiliumNetworkPolicyEgressDenyItemToPortsItem>>,
    /// ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints.
    /// Example: Any Endpoint with the label "team=A" requires any endpoint to which it communicates to also carry the label "team=A".
    #[serde(default)]
    pub to_requires: Option<Vec<CiliumNetworkPolicyEgressDenyItemToRequiresItem>>,
    /// ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors.
    /// Example: Any endpoint with the label "app=backend-app" is allowed to initiate connections to all cidrs backing the "external-service" service
    #[serde(default)]
    pub to_services: Option<Vec<CiliumNetworkPolicyEgressDenyItemToServicesItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEnableDefaultDeny {
    /// Whether or not the endpoint should have a default-deny rule applied to egress traffic.
    #[serde(default)]
    pub egress: Option<bool>,
    /// Whether or not the endpoint should have a default-deny rule applied to ingress traffic.
    #[serde(default)]
    pub ingress: Option<bool>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyEndpointSelectorMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEndpointSelectorMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyEndpointSelectorMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyEndpointSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyEndpointSelectorMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemAuthenticationModeKind {
    #[serde(rename = "disabled")]
    Disabled,
    #[serde(rename = "required")]
    Required,
    #[serde(rename = "test-always-fail")]
    TestAlwaysFail,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemAuthentication {
    /// Mode is the required authentication mode for the allowed traffic, if any.
    pub mode: CiliumNetworkPolicyIngressItemAuthenticationModeKind,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromCIDRSetItem {
    /// CIDR is a CIDR prefix / IP Block.
    #[serde(default)]
    pub cidr: Option<String>,
    /// CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.
    #[serde(default)]
    pub cidr_group_ref: Option<String>,
    /// ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
    #[serde(default)]
    pub except: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemFromEndpointsItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromEndpointsItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyIngressItemFromEndpointsItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromEndpointsItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyIngressItemFromEndpointsItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemFromEntitiesItemKind {
    #[serde(rename = "all")]
    All,
    #[serde(rename = "world")]
    World,
    #[serde(rename = "cluster")]
    Cluster,
    #[serde(rename = "host")]
    Host,
    #[serde(rename = "init")]
    Init,
    #[serde(rename = "ingress")]
    Ingress,
    #[serde(rename = "unmanaged")]
    Unmanaged,
    #[serde(rename = "remote-node")]
    RemoteNode,
    #[serde(rename = "health")]
    Health,
    #[serde(rename = "none")]
    None,
    #[serde(rename = "kube-apiserver")]
    KubeApiserver,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromGroupsItemAws {
    #[serde(default)]
    pub labels: Option<std::collections::HashMap<String, String>>,
    #[serde(default)]
    pub region: Option<String>,
    #[serde(default)]
    pub security_groups_ids: Option<Vec<String>>,
    #[serde(default)]
    pub security_groups_names: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromGroupsItem {
    /// AWSGroup is an structure that can be used to whitelisting information from AWS integration
    #[serde(default)]
    pub aws: Option<CiliumNetworkPolicyIngressItemFromGroupsItemAws>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemFromNodesItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromNodesItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyIngressItemFromNodesItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromNodesItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyIngressItemFromNodesItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemFromRequiresItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromRequiresItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyIngressItemFromRequiresItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemFromRequiresItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyIngressItemFromRequiresItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemIcmpsItemFieldsItemFamilyKind {
    #[serde(rename = "IPv4")]
    IPv4,
    #[serde(rename = "IPv6")]
    IPv6,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemIcmpsItemFieldsItem {
    /// Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.
    #[serde(default)]
    pub family: Option<CiliumNetworkPolicyIngressItemIcmpsItemFieldsItemFamilyKind>,
    /// Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, "EchoReply"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply
    pub r#type: serde_json::Value,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemIcmpsItem {
    /// Fields is a list of ICMP fields.
    #[serde(default)]
    pub fields: Option<Vec<CiliumNetworkPolicyIngressItemIcmpsItemFieldsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemToPortsItemListenerEnvoyConfigKindKind {
    #[serde(rename = "CiliumEnvoyConfig")]
    CiliumEnvoyConfig,
    #[serde(rename = "CiliumClusterwideEnvoyConfig")]
    CiliumClusterwideEnvoyConfig,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemListenerEnvoyConfig {
    /// Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.
    #[serde(default)]
    pub kind: Option<CiliumNetworkPolicyIngressItemToPortsItemListenerEnvoyConfigKindKind>,
    /// Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in.
    pub name: String,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemListener {
    /// EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.
    pub envoy_config: CiliumNetworkPolicyIngressItemToPortsItemListenerEnvoyConfig,
    /// Name is the name of the listener.
    pub name: String,
    /// Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.
    #[serde(default)]
    pub priority: Option<i64>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemOriginatingTLSSecret {
    /// Name is the name of the secret.
    pub name: String,
    /// Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
    #[serde(default)]
    pub namespace: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemOriginatingTLS {
    /// Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub certificate: Option<String>,
    /// PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub private_key: Option<String>,
    /// Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.
    pub secret: CiliumNetworkPolicyIngressItemToPortsItemOriginatingTLSSecret,
    /// TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub trusted_c_a: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemToPortsItemPortsItemProtocolKind {
    #[serde(rename = "TCP")]
    TCP,
    #[serde(rename = "UDP")]
    UDP,
    #[serde(rename = "SCTP")]
    SCTP,
    #[serde(rename = "ANY")]
    ANY,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemPortsItem {
    /// EndPort can only be an L4 port number.
    #[serde(default)]
    pub end_port: Option<i64>,
    /// Port can be an L4 port number, or a name in the form of "http" or "http-8080".
    pub port: String,
    /// Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", "SCTP", "ANY"
    /// Matching on ICMP is not supported.
    /// Named port specified for a container may narrow this down, but may not contradict this.
    #[serde(default)]
    pub protocol: Option<CiliumNetworkPolicyIngressItemToPortsItemPortsItemProtocolKind>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemRulesDnsItem {
    /// MatchName matches literal DNS names. A trailing "." is automatically added when missing.
    #[serde(default)]
    pub match_name: Option<String>,
    /// MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - "*" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a "*" as the leftmost character, without a following "." matches all subdomains as well as the name to the right. A trailing "." is automatically added when missing.
    /// Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with "cilium.io" except those containing "." separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with "sub" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not
    #[serde(default)]
    pub match_pattern: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItemHeaderMatchesItemMismatchKind {
    #[serde(rename = "LOG")]
    LOG,
    #[serde(rename = "ADD")]
    ADD,
    #[serde(rename = "DELETE")]
    DELETE,
    #[serde(rename = "REPLACE")]
    REPLACE,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItemHeaderMatchesItemSecret {
    /// Name is the name of the secret.
    pub name: String,
    /// Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
    #[serde(default)]
    pub namespace: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItemHeaderMatchesItem {
    /// Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.
    #[serde(default)]
    pub mismatch: Option<CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItemHeaderMatchesItemMismatchKind>,
    /// Name identifies the header.
    pub name: String,
    /// Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no "Value" specified, the match will fail.
    #[serde(default)]
    pub secret: Option<CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItemHeaderMatchesItemSecret>,
    /// Value matches the exact value of the header. Can be specified either alone or together with "Secret"; will be used as the header value if the secret can not be found in the latter case.
    #[serde(default)]
    pub value: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItem {
    /// HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.
    #[serde(default)]
    pub header_matches: Option<Vec<CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItemHeaderMatchesItem>>,
    /// Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.
    #[serde(default)]
    pub headers: Option<Vec<String>>,
    /// Host is an extended POSIX regex matched against the host header of a request. Examples:
    /// - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\.bar\.com will only match the host foo.bar.com
    /// If omitted or empty, the value of the host header is ignored.
    #[serde(default)]
    pub host: Option<String>,
    /// Method is an extended POSIX regex matched against the method of a request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...
    /// If omitted or empty, all methods are allowed.
    #[serde(default)]
    pub method: Option<String>,
    /// Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
    /// If omitted or empty, all paths are all allowed.
    #[serde(default)]
    pub path: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressItemToPortsItemRulesKafkaItemRoleKind {
    #[serde(rename = "produce")]
    Produce,
    #[serde(rename = "consume")]
    Consume,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemRulesKafkaItem {
    /// APIKey is a case-insensitive string matched against the key of a request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys
    /// If omitted or empty, and if Role is not specified, then all keys are allowed.
    #[serde(default)]
    pub api_key: Option<String>,
    /// APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer.
    /// If omitted or empty, all versions are allowed.
    #[serde(default)]
    pub api_version: Option<String>,
    /// ClientID is the client identifier as provided in the request.
    /// From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client.
    /// If omitted or empty, all client identifiers are allowed.
    #[serde(default)]
    pub client_i_d: Option<String>,
    /// Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as "produce" or "consume". A Role automatically expands into all APIKeys required to perform the specified higher-level operation.
    /// The following values are supported: - "produce": Allow producing to the topics specified in the rule - "consume": Allow consuming from the topics specified in the rule
    /// This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule.
    /// If omitted or empty, and if APIKey is not specified, then all keys are allowed.
    #[serde(default)]
    pub role: Option<CiliumNetworkPolicyIngressItemToPortsItemRulesKafkaItemRoleKind>,
    /// Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected.
    /// This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _.
    /// Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255.
    /// If omitted or empty, all topics are allowed.
    #[serde(default)]
    pub topic: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemRules {
    /// DNS-specific rules.
    #[serde(default)]
    pub dns: Option<Vec<CiliumNetworkPolicyIngressItemToPortsItemRulesDnsItem>>,
    /// HTTP specific rules.
    #[serde(default)]
    pub http: Option<Vec<CiliumNetworkPolicyIngressItemToPortsItemRulesHttpItem>>,
    /// Kafka-specific rules.
    #[serde(default)]
    pub kafka: Option<Vec<CiliumNetworkPolicyIngressItemToPortsItemRulesKafkaItem>>,
    /// Key-value pair rules.
    #[serde(default)]
    pub l7: Option<Vec<std::collections::HashMap<String, String>>>,
    /// Name of the L7 protocol for which the Key-value pair rules apply.
    #[serde(default)]
    pub l7proto: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemTerminatingTLSSecret {
    /// Name is the name of the secret.
    pub name: String,
    /// Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., "default").
    #[serde(default)]
    pub namespace: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItemTerminatingTLS {
    /// Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub certificate: Option<String>,
    /// PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub private_key: Option<String>,
    /// Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.
    pub secret: CiliumNetworkPolicyIngressItemToPortsItemTerminatingTLSSecret,
    /// TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.
    #[serde(default)]
    pub trusted_c_a: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItemToPortsItem {
    /// listener specifies the name of a custom Envoy listener to which this traffic should be redirected to.
    #[serde(default)]
    pub listener: Option<CiliumNetworkPolicyIngressItemToPortsItemListener>,
    /// OriginatingTLS is the TLS context for the connections originated by the L7 proxy.  For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.
    #[serde(default)]
    pub originating_t_l_s: Option<CiliumNetworkPolicyIngressItemToPortsItemOriginatingTLS>,
    /// Ports is a list of L4 port/protocol
    #[serde(default)]
    pub ports: Option<Vec<CiliumNetworkPolicyIngressItemToPortsItemPortsItem>>,
    /// Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.
    #[serde(default)]
    pub rules: Option<CiliumNetworkPolicyIngressItemToPortsItemRules>,
    /// ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.
    #[serde(default)]
    pub server_names: Option<Vec<String>>,
    /// TerminatingTLS is the TLS context for the connection terminated by the L7 proxy.  For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.
    #[serde(default)]
    pub terminating_t_l_s: Option<CiliumNetworkPolicyIngressItemToPortsItemTerminatingTLS>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressItem {
    /// Authentication is the required authentication type for the allowed traffic, if any.
    #[serde(default)]
    pub authentication: Option<CiliumNetworkPolicyIngressItemAuthentication>,
    /// FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field.  This will match on the source IP address of incoming connections. Adding  a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is  equivalent.  Overlaps are allowed between FromCIDR and FromCIDRSet.
    /// Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.3.9.1
    #[serde(default)]
    pub from_c_i_d_r: Option<Vec<String>>,
    /// FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.
    /// Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.
    #[serde(default)]
    pub from_c_i_d_r_set: Option<Vec<CiliumNetworkPolicyIngressItemFromCIDRSetItem>>,
    /// FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.
    /// Example: Any endpoint with the label "role=backend" can be consumed by any endpoint carrying the label "role=frontend".
    #[serde(default)]
    pub from_endpoints: Option<Vec<CiliumNetworkPolicyIngressItemFromEndpointsItem>>,
    /// FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`
    #[serde(default)]
    pub from_entities: Option<Vec<CiliumNetworkPolicyIngressItemFromEntitiesItemKind>>,
    /// FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives:
    /// Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'
    #[serde(default)]
    pub from_groups: Option<Vec<CiliumNetworkPolicyIngressItemFromGroupsItem>>,
    /// FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.
    #[serde(default)]
    pub from_nodes: Option<Vec<CiliumNetworkPolicyIngressItemFromNodesItem>>,
    /// FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints.
    /// Example: Any Endpoint with the label "team=A" requires consuming endpoint to also carry the label "team=A".
    #[serde(default)]
    pub from_requires: Option<Vec<CiliumNetworkPolicyIngressItemFromRequiresItem>>,
    /// ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on.
    /// Example: Any endpoint with the label "app=httpd" can only accept incoming type 8 ICMP connections.
    #[serde(default)]
    pub icmps: Option<Vec<CiliumNetworkPolicyIngressItemIcmpsItem>>,
    /// ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on.
    /// Example: Any endpoint with the label "app=httpd" can only accept incoming connections on port 80/tcp.
    #[serde(default)]
    pub to_ports: Option<Vec<CiliumNetworkPolicyIngressItemToPortsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromCIDRSetItem {
    /// CIDR is a CIDR prefix / IP Block.
    #[serde(default)]
    pub cidr: Option<String>,
    /// CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.
    #[serde(default)]
    pub cidr_group_ref: Option<String>,
    /// ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.
    #[serde(default)]
    pub except: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressDenyItemFromEndpointsItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromEndpointsItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyIngressDenyItemFromEndpointsItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromEndpointsItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromEndpointsItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressDenyItemFromEntitiesItemKind {
    #[serde(rename = "all")]
    All,
    #[serde(rename = "world")]
    World,
    #[serde(rename = "cluster")]
    Cluster,
    #[serde(rename = "host")]
    Host,
    #[serde(rename = "init")]
    Init,
    #[serde(rename = "ingress")]
    Ingress,
    #[serde(rename = "unmanaged")]
    Unmanaged,
    #[serde(rename = "remote-node")]
    RemoteNode,
    #[serde(rename = "health")]
    Health,
    #[serde(rename = "none")]
    None,
    #[serde(rename = "kube-apiserver")]
    KubeApiserver,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromGroupsItemAws {
    #[serde(default)]
    pub labels: Option<std::collections::HashMap<String, String>>,
    #[serde(default)]
    pub region: Option<String>,
    #[serde(default)]
    pub security_groups_ids: Option<Vec<String>>,
    #[serde(default)]
    pub security_groups_names: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromGroupsItem {
    /// AWSGroup is an structure that can be used to whitelisting information from AWS integration
    #[serde(default)]
    pub aws: Option<CiliumNetworkPolicyIngressDenyItemFromGroupsItemAws>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressDenyItemFromNodesItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromNodesItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyIngressDenyItemFromNodesItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromNodesItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromNodesItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressDenyItemFromRequiresItemMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromRequiresItemMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyIngressDenyItemFromRequiresItemMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemFromRequiresItem {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromRequiresItemMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressDenyItemIcmpsItemFieldsItemFamilyKind {
    #[serde(rename = "IPv4")]
    IPv4,
    #[serde(rename = "IPv6")]
    IPv6,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemIcmpsItemFieldsItem {
    /// Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.
    #[serde(default)]
    pub family: Option<CiliumNetworkPolicyIngressDenyItemIcmpsItemFieldsItemFamilyKind>,
    /// Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, "EchoReply"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply
    pub r#type: serde_json::Value,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemIcmpsItem {
    /// Fields is a list of ICMP fields.
    #[serde(default)]
    pub fields: Option<Vec<CiliumNetworkPolicyIngressDenyItemIcmpsItemFieldsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyIngressDenyItemToPortsItemPortsItemProtocolKind {
    #[serde(rename = "TCP")]
    TCP,
    #[serde(rename = "UDP")]
    UDP,
    #[serde(rename = "SCTP")]
    SCTP,
    #[serde(rename = "ANY")]
    ANY,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemToPortsItemPortsItem {
    /// EndPort can only be an L4 port number.
    #[serde(default)]
    pub end_port: Option<i64>,
    /// Port can be an L4 port number, or a name in the form of "http" or "http-8080".
    pub port: String,
    /// Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: "TCP", "UDP", "SCTP", "ANY"
    /// Matching on ICMP is not supported.
    /// Named port specified for a container may narrow this down, but may not contradict this.
    #[serde(default)]
    pub protocol: Option<CiliumNetworkPolicyIngressDenyItemToPortsItemPortsItemProtocolKind>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItemToPortsItem {
    /// Ports is a list of L4 port/protocol
    #[serde(default)]
    pub ports: Option<Vec<CiliumNetworkPolicyIngressDenyItemToPortsItemPortsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyIngressDenyItem {
    /// FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field.  This will match on the source IP address of incoming connections. Adding  a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is  equivalent.  Overlaps are allowed between FromCIDR and FromCIDRSet.
    /// Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.3.9.1
    #[serde(default)]
    pub from_c_i_d_r: Option<Vec<String>>,
    /// FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.
    /// Example: Any endpoint with the label "app=my-legacy-pet" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.
    #[serde(default)]
    pub from_c_i_d_r_set: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromCIDRSetItem>>,
    /// FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.
    /// Example: Any endpoint with the label "role=backend" can be consumed by any endpoint carrying the label "role=frontend".
    #[serde(default)]
    pub from_endpoints: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromEndpointsItem>>,
    /// FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`
    #[serde(default)]
    pub from_entities: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromEntitiesItemKind>>,
    /// FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives:
    /// Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'
    #[serde(default)]
    pub from_groups: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromGroupsItem>>,
    /// FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.
    #[serde(default)]
    pub from_nodes: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromNodesItem>>,
    /// FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints.
    /// Example: Any Endpoint with the label "team=A" requires consuming endpoint to also carry the label "team=A".
    #[serde(default)]
    pub from_requires: Option<Vec<CiliumNetworkPolicyIngressDenyItemFromRequiresItem>>,
    /// ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on.
    /// Example: Any endpoint with the label "app=httpd" can not accept incoming type 8 ICMP connections.
    #[serde(default)]
    pub icmps: Option<Vec<CiliumNetworkPolicyIngressDenyItemIcmpsItem>>,
    /// ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on.
    /// Example: Any endpoint with the label "app=httpd" can not accept incoming connections on port 80/tcp.
    #[serde(default)]
    pub to_ports: Option<Vec<CiliumNetworkPolicyIngressDenyItemToPortsItem>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyLabelsItem {
    pub key: String,
    /// Source can be one of the above values (e.g.: LabelSourceContainer).
    #[serde(default)]
    pub source: Option<String>,
    #[serde(default)]
    pub value: Option<String>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum CiliumNetworkPolicyNodeSelectorMatchExpressionsItemOperatorKind {
    #[serde(rename = "In")]
    In,
    #[serde(rename = "NotIn")]
    NotIn,
    #[serde(rename = "Exists")]
    Exists,
    #[serde(rename = "DoesNotExist")]
    DoesNotExist,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyNodeSelectorMatchExpressionsItem {
    /// key is the label key that the selector applies to.
    pub key: String,
    /// operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.
    pub operator: CiliumNetworkPolicyNodeSelectorMatchExpressionsItemOperatorKind,
    /// values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.
    #[serde(default)]
    pub values: Option<Vec<String>>,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CiliumNetworkPolicyNodeSelector {
    /// matchExpressions is a list of label selector requirements. The requirements are ANDed.
    #[serde(default)]
    pub match_expressions: Option<Vec<CiliumNetworkPolicyNodeSelectorMatchExpressionsItem>>,
    /// matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is "key", the operator is "In", and the values array contains only "value". The requirements are ANDed.
    #[serde(default)]
    pub match_labels: Option<std::collections::HashMap<String, String>>,
}


// ── Render metadata (consumed by tatara-render) ──────────

impl tatara_lisp::RenderableDomain for CiliumNetworkPolicySpec {
    const API_VERSION: &'static str = "cilium.io/v2";
    const KIND: &'static str = "CiliumNetworkPolicy";
    const NAME_FIELD: &'static str = "name";
}

// ── Documentation metadata (consumed by tatara-doc / IDE) ──

impl tatara_lisp::DocumentedDomain for CiliumNetworkPolicySpec {
    const DOCSTRING: &'static str = "CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy.";
    const FIELD_DOCS: &'static [(&'static str, &'static str)] = &[
        ("description", "Description is a free form string, it can be used by the creator of the rule to store human readable explanation of the purpose of this rule. Rules cannot be identified by comment."),
        ("egress", "Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress."),
        ("egress_deny", "EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will be denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress."),
        ("enable_default_deny", "EnableDefaultDeny determines whether this policy configures the subject endpoint(s) to have a default deny mode. If enabled, this causes all traffic not explicitly allowed by a network policy to be dropped. If not specified, the default is true for each traffic direction that has rules, and false otherwise. For example, if a policy only has Ingress or IngressDeny rules, then the default for ingress is true and egress is false. If multiple policies apply to an endpoint, that endpoint's default deny will be enabled if any policy requests it. This is useful for creating broad-based network policies that will not cause endpoints to enter default-deny mode."),
        ("endpoint_selector", "EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive."),
        ("ingress", "Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress."),
        ("ingress_deny", "IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will be denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress."),
        ("labels", "Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels."),
        ("node_selector", "NodeSelector selects all nodes which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies."),
    ];
}

// ── Default capabilities (Layers 3/4/7/8/9/10/11/12) ──

tatara_lisp::impl_default_capabilities!(CiliumNetworkPolicySpec);

// ── Attestation metadata (consumed by tameshi BLAKE3 chain) ──

impl tatara_lisp::AttestableDomain for CiliumNetworkPolicySpec {
    const ATTESTATION_NAMESPACE: &'static str = "cilium.io";
}

// ── Schema metadata (consumed by IDEs / openapi exporters) ──

impl tatara_lisp::SchematicDomain for CiliumNetworkPolicySpec {
    const SCHEMA_JSON: &'static str = "{\"description\":\"CiliumNetworkPolicy is a Kubernetes third-party resource with an extended version of NetworkPolicy.\",\"properties\":{\"apiVersion\":{\"description\":\"APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources\",\"type\":\"string\"},\"kind\":{\"description\":\"Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds\",\"type\":\"string\"},\"metadata\":{\"type\":\"object\"},\"spec\":{\"description\":\"Spec is the desired Cilium specific rule specification.\",\"oneOf\":[{\"properties\":{\"endpointSelector\":{}},\"required\":[\"endpointSelector\"]},{\"properties\":{\"nodeSelector\":{}},\"required\":[\"nodeSelector\"]}],\"properties\":{\"description\":{\"description\":\"Description is a free form string, it can be used by the creator of the rule to store human readable explanation of the purpose of this rule. Rules cannot be identified by comment.\",\"type\":\"string\"},\"egress\":{\"description\":\"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress.\",\"items\":{\"description\":\"EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well. \\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"authentication\":{\"description\":\"Authentication is the required authentication type for the allowed traffic, if any.\",\"properties\":{\"mode\":{\"description\":\"Mode is the required authentication mode for the allowed traffic, if any.\",\"enum\":[\"disabled\",\"required\",\"test-always-fail\"],\"type\":\"string\"}},\"required\":[\"mode\"],\"type\":\"object\"},\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \\n Example: Any endpoint with the label \\\"app=httpd\\\" is allowed to initiate type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toCIDR\":{\"description\":\"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules.  This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"toCIDRSet\":{\"description\":\"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEndpoints\":{\"description\":\"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \\n Example: Any endpoint with the label \\\"role=frontend\\\" can communicate with any endpoint carrying the label \\\"role=backend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEntities\":{\"description\":\"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, `health`,`unmanaged` and `all`.\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"toFQDNs\":{\"description\":\"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules.\",\"items\":{\"oneOf\":[{\"properties\":{\"matchName\":{}},\"required\":[\"matchName\"]},{\"properties\":{\"matchPattern\":{}},\"required\":[\"matchPattern\"]}],\"properties\":{\"matchName\":{\"description\":\"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added when missing.\",\"pattern\":\"^([-a-zA-Z0-9_]+[.]?)+$\",\"type\":\"string\"},\"matchPattern\":{\"description\":\"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \\\"*\\\" as the leftmost character, without a following \\\".\\\" matches all subdomains as well as the name to the right. A trailing \\\".\\\" is automatically added when missing. \\n Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\" except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \\\"sub\\\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not\",\"pattern\":\"^([-a-zA-Z0-9_*]+[.]?)+$\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"toGroups\":{\"description\":\"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toNodes\":{\"description\":\"ToNodes is a list of nodes identified by an EndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \\n Example: Any endpoint with the label \\\"role=frontend\\\" is allowed to initiate connections to destination port 8080/tcp\",\"items\":{\"description\":\"PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.\",\"properties\":{\"listener\":{\"description\":\"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to.\",\"properties\":{\"envoyConfig\":{\"description\":\"EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.\",\"properties\":{\"kind\":{\"description\":\"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.\",\"enum\":[\"CiliumEnvoyConfig\",\"CiliumClusterwideEnvoyConfig\"],\"type\":\"string\"},\"name\":{\"description\":\"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in.\",\"minLength\":1,\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"name\":{\"description\":\"Name is the name of the listener.\",\"minLength\":1,\"type\":\"string\"},\"priority\":{\"description\":\"Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.\",\"maximum\":100,\"minimum\":1,\"type\":\"integer\"}},\"required\":[\"envoyConfig\",\"name\"],\"type\":\"object\"},\"originatingTLS\":{\"description\":\"OriginatingTLS is the TLS context for the connections originated by the L7 proxy.  For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"},\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"},\"rules\":{\"description\":\"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.\",\"oneOf\":[{\"properties\":{\"http\":{}},\"required\":[\"http\"]},{\"properties\":{\"kafka\":{}},\"required\":[\"kafka\"]},{\"properties\":{\"dns\":{}},\"required\":[\"dns\"]},{\"properties\":{\"l7proto\":{}},\"required\":[\"l7proto\"]}],\"properties\":{\"dns\":{\"description\":\"DNS-specific rules.\",\"items\":{\"description\":\"PortRuleDNS is a list of allowed DNS lookups.\",\"oneOf\":[{\"properties\":{\"matchName\":{}},\"required\":[\"matchName\"]},{\"properties\":{\"matchPattern\":{}},\"required\":[\"matchPattern\"]}],\"properties\":{\"matchName\":{\"description\":\"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added when missing.\",\"pattern\":\"^([-a-zA-Z0-9_]+[.]?)+$\",\"type\":\"string\"},\"matchPattern\":{\"description\":\"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \\\"*\\\" as the leftmost character, without a following \\\".\\\" matches all subdomains as well as the name to the right. A trailing \\\".\\\" is automatically added when missing. \\n Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\" except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \\\"sub\\\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not\",\"pattern\":\"^([-a-zA-Z0-9_*]+[.]?)+$\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"http\":{\"description\":\"HTTP specific rules.\",\"items\":{\"description\":\"PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. \\n All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986.\",\"properties\":{\"headerMatches\":{\"description\":\"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.\",\"items\":{\"description\":\"HeaderMatch extends the HeaderValue for matching requirement of a named header field against an immediate string, a secret value, or a regex.  If none of the optional fields is present, then the header value is not matched, only presence of the header is enough.\",\"properties\":{\"mismatch\":{\"description\":\"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.\",\"enum\":[\"LOG\",\"ADD\",\"DELETE\",\"REPLACE\"],\"type\":\"string\"},\"name\":{\"description\":\"Name identifies the header.\",\"minLength\":1,\"type\":\"string\"},\"secret\":{\"description\":\"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \\\"Value\\\" specified, the match will fail.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"value\":{\"description\":\"Value matches the exact value of the header. Can be specified either alone or together with \\\"Secret\\\"; will be used as the header value if the secret can not be found in the latter case.\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"type\":\"array\"},\"headers\":{\"description\":\"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"host\":{\"description\":\"Host is an extended POSIX regex matched against the host header of a request. Examples: \\n - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\\\\.bar\\\\.com will only match the host foo.bar.com \\n If omitted or empty, the value of the host header is ignored.\",\"format\":\"idn-hostname\",\"type\":\"string\"},\"method\":{\"description\":\"Method is an extended POSIX regex matched against the method of a request, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ... \\n If omitted or empty, all methods are allowed.\",\"type\":\"string\"},\"path\":{\"description\":\"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986. \\n If omitted or empty, all paths are all allowed.\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"kafka\":{\"description\":\"Kafka-specific rules.\",\"items\":{\"description\":\"PortRule is a list of Kafka protocol constraints. All fields are optional, if all fields are empty or missing, the rule will match all Kafka messages.\",\"properties\":{\"apiKey\":{\"description\":\"APIKey is a case-insensitive string matched against the key of a request, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \\n If omitted or empty, and if Role is not specified, then all keys are allowed.\",\"type\":\"string\"},\"apiVersion\":{\"description\":\"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \\n If omitted or empty, all versions are allowed.\",\"type\":\"string\"},\"clientID\":{\"description\":\"ClientID is the client identifier as provided in the request. \\n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \\n If omitted or empty, all client identifiers are allowed.\",\"type\":\"string\"},\"role\":{\"description\":\"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \\\"produce\\\" or \\\"consume\\\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \\n The following values are supported: - \\\"produce\\\": Allow producing to the topics specified in the rule - \\\"consume\\\": Allow consuming from the topics specified in the rule \\n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \\n If omitted or empty, and if APIKey is not specified, then all keys are allowed.\",\"enum\":[\"produce\",\"consume\"],\"type\":\"string\"},\"topic\":{\"description\":\"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \\n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \\n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \\n If omitted or empty, all topics are allowed.\",\"maxLength\":255,\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"l7\":{\"description\":\"Key-value pair rules.\",\"items\":{\"additionalProperties\":{\"type\":\"string\"},\"description\":\"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.\",\"type\":\"object\"},\"type\":\"array\"},\"l7proto\":{\"description\":\"Name of the L7 protocol for which the Key-value pair rules apply.\",\"type\":\"string\"}},\"type\":\"object\"},\"serverNames\":{\"description\":\"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"terminatingTLS\":{\"description\":\"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy.  For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toRequires\":{\"description\":\"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires any endpoint to which it communicates to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toServices\":{\"description\":\"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \\n Example: Any endpoint with the label \\\"app=backend-app\\\" is allowed to initiate connections to all cidrs backing the \\\"external-service\\\" service\",\"items\":{\"description\":\"Service wraps around selectors for services\",\"properties\":{\"k8sService\":{\"description\":\"K8sService selects service by name and namespace pair\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"serviceName\":{\"type\":\"string\"}},\"type\":\"object\"},\"k8sServiceSelector\":{\"description\":\"K8sServiceSelector selects services by k8s labels and namespace\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"selector\":{\"description\":\"ServiceSelector is a label selector for k8s services\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"}},\"required\":[\"selector\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"egressDeny\":{\"description\":\"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will be denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress.\",\"items\":{\"description\":\"EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well. \\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \\n Example: Any endpoint with the label \\\"app=httpd\\\" is not allowed to initiate type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toCIDR\":{\"description\":\"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules.  This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"toCIDRSet\":{\"description\":\"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEndpoints\":{\"description\":\"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \\n Example: Any endpoint with the label \\\"role=frontend\\\" can communicate with any endpoint carrying the label \\\"role=backend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEntities\":{\"description\":\"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, `health`,`unmanaged` and `all`.\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"toGroups\":{\"description\":\"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toNodes\":{\"description\":\"ToNodes is a list of nodes identified by an EndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \\n Example: Any endpoint with the label \\\"role=frontend\\\" is not allowed to initiate connections to destination port 8080/tcp\",\"items\":{\"description\":\"PortDenyRule is a list of ports/protocol that should be used for deny policies. This structure lacks the L7Rules since it's not supported in deny policies.\",\"properties\":{\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toRequires\":{\"description\":\"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires any endpoint to which it communicates to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toServices\":{\"description\":\"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \\n Example: Any endpoint with the label \\\"app=backend-app\\\" is allowed to initiate connections to all cidrs backing the \\\"external-service\\\" service\",\"items\":{\"description\":\"Service wraps around selectors for services\",\"properties\":{\"k8sService\":{\"description\":\"K8sService selects service by name and namespace pair\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"serviceName\":{\"type\":\"string\"}},\"type\":\"object\"},\"k8sServiceSelector\":{\"description\":\"K8sServiceSelector selects services by k8s labels and namespace\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"selector\":{\"description\":\"ServiceSelector is a label selector for k8s services\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"}},\"required\":[\"selector\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"enableDefaultDeny\":{\"description\":\"EnableDefaultDeny determines whether this policy configures the subject endpoint(s) to have a default deny mode. If enabled, this causes all traffic not explicitly allowed by a network policy to be dropped. \\n If not specified, the default is true for each traffic direction that has rules, and false otherwise. For example, if a policy only has Ingress or IngressDeny rules, then the default for ingress is true and egress is false. \\n If multiple policies apply to an endpoint, that endpoint's default deny will be enabled if any policy requests it. \\n This is useful for creating broad-based network policies that will not cause endpoints to enter default-deny mode.\",\"properties\":{\"egress\":{\"description\":\"Whether or not the endpoint should have a default-deny rule applied to egress traffic.\",\"type\":\"boolean\"},\"ingress\":{\"description\":\"Whether or not the endpoint should have a default-deny rule applied to ingress traffic.\",\"type\":\"boolean\"}},\"type\":\"object\"},\"endpointSelector\":{\"description\":\"EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"ingress\":{\"description\":\"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress.\",\"items\":{\"description\":\"IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members are set, all of them need to match in order for the rule to take effect. The exception to this rule is FromRequires field; the effects of any Requires field in any rule will apply to all other rules as well. \\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"authentication\":{\"description\":\"Authentication is the required authentication type for the allowed traffic, if any.\",\"properties\":{\"mode\":{\"description\":\"Mode is the required authentication mode for the allowed traffic, if any.\",\"enum\":[\"disabled\",\"required\",\"test-always-fail\"],\"type\":\"string\"}},\"required\":[\"mode\"],\"type\":\"object\"},\"fromCIDR\":{\"description\":\"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field.  This will match on the source IP address of incoming connections. Adding  a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is  equivalent.  Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.3.9.1\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"fromCIDRSet\":{\"description\":\"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEndpoints\":{\"description\":\"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \\n Example: Any endpoint with the label \\\"role=backend\\\" can be consumed by any endpoint carrying the label \\\"role=frontend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEntities\":{\"description\":\"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"fromGroups\":{\"description\":\"FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromNodes\":{\"description\":\"FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromRequires\":{\"description\":\"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires consuming endpoint to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can only accept incoming type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can only accept incoming connections on port 80/tcp.\",\"items\":{\"description\":\"PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.\",\"properties\":{\"listener\":{\"description\":\"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to.\",\"properties\":{\"envoyConfig\":{\"description\":\"EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.\",\"properties\":{\"kind\":{\"description\":\"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.\",\"enum\":[\"CiliumEnvoyConfig\",\"CiliumClusterwideEnvoyConfig\"],\"type\":\"string\"},\"name\":{\"description\":\"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in.\",\"minLength\":1,\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"name\":{\"description\":\"Name is the name of the listener.\",\"minLength\":1,\"type\":\"string\"},\"priority\":{\"description\":\"Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.\",\"maximum\":100,\"minimum\":1,\"type\":\"integer\"}},\"required\":[\"envoyConfig\",\"name\"],\"type\":\"object\"},\"originatingTLS\":{\"description\":\"OriginatingTLS is the TLS context for the connections originated by the L7 proxy.  For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"},\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"},\"rules\":{\"description\":\"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.\",\"oneOf\":[{\"properties\":{\"http\":{}},\"required\":[\"http\"]},{\"properties\":{\"kafka\":{}},\"required\":[\"kafka\"]},{\"properties\":{\"dns\":{}},\"required\":[\"dns\"]},{\"properties\":{\"l7proto\":{}},\"required\":[\"l7proto\"]}],\"properties\":{\"dns\":{\"description\":\"DNS-specific rules.\",\"items\":{\"description\":\"PortRuleDNS is a list of allowed DNS lookups.\",\"oneOf\":[{\"properties\":{\"matchName\":{}},\"required\":[\"matchName\"]},{\"properties\":{\"matchPattern\":{}},\"required\":[\"matchPattern\"]}],\"properties\":{\"matchName\":{\"description\":\"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added when missing.\",\"pattern\":\"^([-a-zA-Z0-9_]+[.]?)+$\",\"type\":\"string\"},\"matchPattern\":{\"description\":\"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \\\"*\\\" as the leftmost character, without a following \\\".\\\" matches all subdomains as well as the name to the right. A trailing \\\".\\\" is automatically added when missing. \\n Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\" except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \\\"sub\\\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not\",\"pattern\":\"^([-a-zA-Z0-9_*]+[.]?)+$\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"http\":{\"description\":\"HTTP specific rules.\",\"items\":{\"description\":\"PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. \\n All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986.\",\"properties\":{\"headerMatches\":{\"description\":\"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.\",\"items\":{\"description\":\"HeaderMatch extends the HeaderValue for matching requirement of a named header field against an immediate string, a secret value, or a regex.  If none of the optional fields is present, then the header value is not matched, only presence of the header is enough.\",\"properties\":{\"mismatch\":{\"description\":\"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.\",\"enum\":[\"LOG\",\"ADD\",\"DELETE\",\"REPLACE\"],\"type\":\"string\"},\"name\":{\"description\":\"Name identifies the header.\",\"minLength\":1,\"type\":\"string\"},\"secret\":{\"description\":\"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \\\"Value\\\" specified, the match will fail.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"value\":{\"description\":\"Value matches the exact value of the header. Can be specified either alone or together with \\\"Secret\\\"; will be used as the header value if the secret can not be found in the latter case.\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"type\":\"array\"},\"headers\":{\"description\":\"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"host\":{\"description\":\"Host is an extended POSIX regex matched against the host header of a request. Examples: \\n - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\\\\.bar\\\\.com will only match the host foo.bar.com \\n If omitted or empty, the value of the host header is ignored.\",\"format\":\"idn-hostname\",\"type\":\"string\"},\"method\":{\"description\":\"Method is an extended POSIX regex matched against the method of a request, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ... \\n If omitted or empty, all methods are allowed.\",\"type\":\"string\"},\"path\":{\"description\":\"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986. \\n If omitted or empty, all paths are all allowed.\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"kafka\":{\"description\":\"Kafka-specific rules.\",\"items\":{\"description\":\"PortRule is a list of Kafka protocol constraints. All fields are optional, if all fields are empty or missing, the rule will match all Kafka messages.\",\"properties\":{\"apiKey\":{\"description\":\"APIKey is a case-insensitive string matched against the key of a request, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \\n If omitted or empty, and if Role is not specified, then all keys are allowed.\",\"type\":\"string\"},\"apiVersion\":{\"description\":\"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \\n If omitted or empty, all versions are allowed.\",\"type\":\"string\"},\"clientID\":{\"description\":\"ClientID is the client identifier as provided in the request. \\n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \\n If omitted or empty, all client identifiers are allowed.\",\"type\":\"string\"},\"role\":{\"description\":\"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \\\"produce\\\" or \\\"consume\\\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \\n The following values are supported: - \\\"produce\\\": Allow producing to the topics specified in the rule - \\\"consume\\\": Allow consuming from the topics specified in the rule \\n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \\n If omitted or empty, and if APIKey is not specified, then all keys are allowed.\",\"enum\":[\"produce\",\"consume\"],\"type\":\"string\"},\"topic\":{\"description\":\"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \\n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \\n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \\n If omitted or empty, all topics are allowed.\",\"maxLength\":255,\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"l7\":{\"description\":\"Key-value pair rules.\",\"items\":{\"additionalProperties\":{\"type\":\"string\"},\"description\":\"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.\",\"type\":\"object\"},\"type\":\"array\"},\"l7proto\":{\"description\":\"Name of the L7 protocol for which the Key-value pair rules apply.\",\"type\":\"string\"}},\"type\":\"object\"},\"serverNames\":{\"description\":\"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"terminatingTLS\":{\"description\":\"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy.  For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"ingressDeny\":{\"description\":\"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will be denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress.\",\"items\":{\"description\":\"IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members are set, all of them need to match in order for the rule to take effect. The exception to this rule is FromRequires field; the effects of any Requires field in any rule will apply to all other rules as well. \\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"fromCIDR\":{\"description\":\"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field.  This will match on the source IP address of incoming connections. Adding  a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is  equivalent.  Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.3.9.1\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"fromCIDRSet\":{\"description\":\"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEndpoints\":{\"description\":\"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \\n Example: Any endpoint with the label \\\"role=backend\\\" can be consumed by any endpoint carrying the label \\\"role=frontend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEntities\":{\"description\":\"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"fromGroups\":{\"description\":\"FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromNodes\":{\"description\":\"FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromRequires\":{\"description\":\"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires consuming endpoint to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can not accept incoming type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can not accept incoming connections on port 80/tcp.\",\"items\":{\"description\":\"PortDenyRule is a list of ports/protocol that should be used for deny policies. This structure lacks the L7Rules since it's not supported in deny policies.\",\"properties\":{\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"labels\":{\"description\":\"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels.\",\"items\":{\"description\":\"Label is the Cilium's representation of a container label.\",\"properties\":{\"key\":{\"type\":\"string\"},\"source\":{\"description\":\"Source can be one of the above values (e.g.: LabelSourceContainer).\",\"type\":\"string\"},\"value\":{\"type\":\"string\"}},\"required\":[\"key\"],\"type\":\"object\"},\"type\":\"array\"},\"nodeSelector\":{\"description\":\"NodeSelector selects all nodes which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"}},\"type\":\"object\"},\"specs\":{\"description\":\"Specs is a list of desired Cilium specific rule specification.\",\"items\":{\"description\":\"Rule is a policy rule which must be applied to all endpoints which match the labels contained in the endpointSelector \\n Each rule is split into an ingress section which contains all rules applicable at ingress, and an egress section applicable at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both ingress and egress, both ingress and egress side have to either specifically allow the connection or one side has to be omitted. \\n Either ingress, egress, or both can be provided. If both ingress and egress are omitted, the rule has no effect.\",\"oneOf\":[{\"properties\":{\"endpointSelector\":{}},\"required\":[\"endpointSelector\"]},{\"properties\":{\"nodeSelector\":{}},\"required\":[\"nodeSelector\"]}],\"properties\":{\"description\":{\"description\":\"Description is a free form string, it can be used by the creator of the rule to store human readable explanation of the purpose of this rule. Rules cannot be identified by comment.\",\"type\":\"string\"},\"egress\":{\"description\":\"Egress is a list of EgressRule which are enforced at egress. If omitted or empty, this rule does not apply at egress.\",\"items\":{\"description\":\"EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well. \\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"authentication\":{\"description\":\"Authentication is the required authentication type for the allowed traffic, if any.\",\"properties\":{\"mode\":{\"description\":\"Mode is the required authentication mode for the allowed traffic, if any.\",\"enum\":[\"disabled\",\"required\",\"test-always-fail\"],\"type\":\"string\"}},\"required\":[\"mode\"],\"type\":\"object\"},\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to connect to. \\n Example: Any endpoint with the label \\\"app=httpd\\\" is allowed to initiate type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toCIDR\":{\"description\":\"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules.  This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"toCIDRSet\":{\"description\":\"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEndpoints\":{\"description\":\"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \\n Example: Any endpoint with the label \\\"role=frontend\\\" can communicate with any endpoint carrying the label \\\"role=backend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEntities\":{\"description\":\"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, `health`,`unmanaged` and `all`.\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"toFQDNs\":{\"description\":\"ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result from DNS resolution of `ToFQDN.MatchName`s are added to the same EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and L7 rules within this EgressRule will also apply to these IPs. The DNS -> IP mapping is re-resolved periodically from within the cilium-agent, and the IPs in the DNS response are effected in the policy for selected pods as-is (i.e. the list of IPs is not modified in any way). Note: An explicit rule to allow for DNS traffic is needed for the pods, as ToFQDN counts as an egress rule and will enforce egress policy when PolicyEnforcment=default. Note: If the resolved IPs are IPs within the kubernetes cluster, the ToFQDN rule will not apply to that IP. Note: ToFQDN cannot occur in the same policy as other To* rules.\",\"items\":{\"oneOf\":[{\"properties\":{\"matchName\":{}},\"required\":[\"matchName\"]},{\"properties\":{\"matchPattern\":{}},\"required\":[\"matchPattern\"]}],\"properties\":{\"matchName\":{\"description\":\"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added when missing.\",\"pattern\":\"^([-a-zA-Z0-9_]+[.]?)+$\",\"type\":\"string\"},\"matchPattern\":{\"description\":\"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \\\"*\\\" as the leftmost character, without a following \\\".\\\" matches all subdomains as well as the name to the right. A trailing \\\".\\\" is automatically added when missing. \\n Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\" except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \\\"sub\\\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not\",\"pattern\":\"^([-a-zA-Z0-9_*]+[.]?)+$\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"toGroups\":{\"description\":\"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toNodes\":{\"description\":\"ToNodes is a list of nodes identified by an EndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to connect to. \\n Example: Any endpoint with the label \\\"role=frontend\\\" is allowed to initiate connections to destination port 8080/tcp\",\"items\":{\"description\":\"PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.\",\"properties\":{\"listener\":{\"description\":\"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to.\",\"properties\":{\"envoyConfig\":{\"description\":\"EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.\",\"properties\":{\"kind\":{\"description\":\"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.\",\"enum\":[\"CiliumEnvoyConfig\",\"CiliumClusterwideEnvoyConfig\"],\"type\":\"string\"},\"name\":{\"description\":\"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in.\",\"minLength\":1,\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"name\":{\"description\":\"Name is the name of the listener.\",\"minLength\":1,\"type\":\"string\"},\"priority\":{\"description\":\"Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.\",\"maximum\":100,\"minimum\":1,\"type\":\"integer\"}},\"required\":[\"envoyConfig\",\"name\"],\"type\":\"object\"},\"originatingTLS\":{\"description\":\"OriginatingTLS is the TLS context for the connections originated by the L7 proxy.  For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"},\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"},\"rules\":{\"description\":\"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.\",\"oneOf\":[{\"properties\":{\"http\":{}},\"required\":[\"http\"]},{\"properties\":{\"kafka\":{}},\"required\":[\"kafka\"]},{\"properties\":{\"dns\":{}},\"required\":[\"dns\"]},{\"properties\":{\"l7proto\":{}},\"required\":[\"l7proto\"]}],\"properties\":{\"dns\":{\"description\":\"DNS-specific rules.\",\"items\":{\"description\":\"PortRuleDNS is a list of allowed DNS lookups.\",\"oneOf\":[{\"properties\":{\"matchName\":{}},\"required\":[\"matchName\"]},{\"properties\":{\"matchPattern\":{}},\"required\":[\"matchPattern\"]}],\"properties\":{\"matchName\":{\"description\":\"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added when missing.\",\"pattern\":\"^([-a-zA-Z0-9_]+[.]?)+$\",\"type\":\"string\"},\"matchPattern\":{\"description\":\"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \\\"*\\\" as the leftmost character, without a following \\\".\\\" matches all subdomains as well as the name to the right. A trailing \\\".\\\" is automatically added when missing. \\n Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\" except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \\\"sub\\\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not\",\"pattern\":\"^([-a-zA-Z0-9_*]+[.]?)+$\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"http\":{\"description\":\"HTTP specific rules.\",\"items\":{\"description\":\"PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. \\n All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986.\",\"properties\":{\"headerMatches\":{\"description\":\"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.\",\"items\":{\"description\":\"HeaderMatch extends the HeaderValue for matching requirement of a named header field against an immediate string, a secret value, or a regex.  If none of the optional fields is present, then the header value is not matched, only presence of the header is enough.\",\"properties\":{\"mismatch\":{\"description\":\"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.\",\"enum\":[\"LOG\",\"ADD\",\"DELETE\",\"REPLACE\"],\"type\":\"string\"},\"name\":{\"description\":\"Name identifies the header.\",\"minLength\":1,\"type\":\"string\"},\"secret\":{\"description\":\"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \\\"Value\\\" specified, the match will fail.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"value\":{\"description\":\"Value matches the exact value of the header. Can be specified either alone or together with \\\"Secret\\\"; will be used as the header value if the secret can not be found in the latter case.\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"type\":\"array\"},\"headers\":{\"description\":\"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"host\":{\"description\":\"Host is an extended POSIX regex matched against the host header of a request. Examples: \\n - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\\\\.bar\\\\.com will only match the host foo.bar.com \\n If omitted or empty, the value of the host header is ignored.\",\"format\":\"idn-hostname\",\"type\":\"string\"},\"method\":{\"description\":\"Method is an extended POSIX regex matched against the method of a request, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ... \\n If omitted or empty, all methods are allowed.\",\"type\":\"string\"},\"path\":{\"description\":\"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986. \\n If omitted or empty, all paths are all allowed.\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"kafka\":{\"description\":\"Kafka-specific rules.\",\"items\":{\"description\":\"PortRule is a list of Kafka protocol constraints. All fields are optional, if all fields are empty or missing, the rule will match all Kafka messages.\",\"properties\":{\"apiKey\":{\"description\":\"APIKey is a case-insensitive string matched against the key of a request, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \\n If omitted or empty, and if Role is not specified, then all keys are allowed.\",\"type\":\"string\"},\"apiVersion\":{\"description\":\"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \\n If omitted or empty, all versions are allowed.\",\"type\":\"string\"},\"clientID\":{\"description\":\"ClientID is the client identifier as provided in the request. \\n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \\n If omitted or empty, all client identifiers are allowed.\",\"type\":\"string\"},\"role\":{\"description\":\"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \\\"produce\\\" or \\\"consume\\\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \\n The following values are supported: - \\\"produce\\\": Allow producing to the topics specified in the rule - \\\"consume\\\": Allow consuming from the topics specified in the rule \\n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \\n If omitted or empty, and if APIKey is not specified, then all keys are allowed.\",\"enum\":[\"produce\",\"consume\"],\"type\":\"string\"},\"topic\":{\"description\":\"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \\n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \\n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \\n If omitted or empty, all topics are allowed.\",\"maxLength\":255,\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"l7\":{\"description\":\"Key-value pair rules.\",\"items\":{\"additionalProperties\":{\"type\":\"string\"},\"description\":\"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.\",\"type\":\"object\"},\"type\":\"array\"},\"l7proto\":{\"description\":\"Name of the L7 protocol for which the Key-value pair rules apply.\",\"type\":\"string\"}},\"type\":\"object\"},\"serverNames\":{\"description\":\"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"terminatingTLS\":{\"description\":\"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy.  For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toRequires\":{\"description\":\"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires any endpoint to which it communicates to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toServices\":{\"description\":\"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \\n Example: Any endpoint with the label \\\"app=backend-app\\\" is allowed to initiate connections to all cidrs backing the \\\"external-service\\\" service\",\"items\":{\"description\":\"Service wraps around selectors for services\",\"properties\":{\"k8sService\":{\"description\":\"K8sService selects service by name and namespace pair\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"serviceName\":{\"type\":\"string\"}},\"type\":\"object\"},\"k8sServiceSelector\":{\"description\":\"K8sServiceSelector selects services by k8s labels and namespace\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"selector\":{\"description\":\"ServiceSelector is a label selector for k8s services\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"}},\"required\":[\"selector\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"egressDeny\":{\"description\":\"EgressDeny is a list of EgressDenyRule which are enforced at egress. Any rule inserted here will be denied regardless of the allowed egress rules in the 'egress' field. If omitted or empty, this rule does not apply at egress.\",\"items\":{\"description\":\"EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well. \\n - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to connect to. \\n Example: Any endpoint with the label \\\"app=httpd\\\" is not allowed to initiate type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toCIDR\":{\"description\":\"ToCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections. Only connections destined for outside of the cluster and not targeting the host will be subject to CIDR rules.  This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"toCIDRSet\":{\"description\":\"ToCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to initiate connections to in addition to connections which are allowed via ToEndpoints, along with a list of subnets contained within their corresponding IP block to which traffic should not be allowed. This will match on the destination IP address of outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and ToCIDRSet. \\n Example: Any endpoint with the label \\\"app=database-proxy\\\" is allowed to initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEndpoints\":{\"description\":\"ToEndpoints is a list of endpoints identified by an EndpointSelector to which the endpoints subject to the rule are allowed to communicate. \\n Example: Any endpoint with the label \\\"role=frontend\\\" can communicate with any endpoint carrying the label \\\"role=backend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toEntities\":{\"description\":\"ToEntities is a list of special entities to which the endpoint subject to the rule is allowed to initiate connections. Supported entities are `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`, `health`,`unmanaged` and `all`.\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"toGroups\":{\"description\":\"ToGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: toGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toNodes\":{\"description\":\"ToNodes is a list of nodes identified by an EndpointSelector to which endpoints subject to the rule is allowed to communicate.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to connect to. \\n Example: Any endpoint with the label \\\"role=frontend\\\" is not allowed to initiate connections to destination port 8080/tcp\",\"items\":{\"description\":\"PortDenyRule is a list of ports/protocol that should be used for deny policies. This structure lacks the L7Rules since it's not supported in deny policies.\",\"properties\":{\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toRequires\":{\"description\":\"ToRequires is a list of additional constraints which must be met in order for the selected endpoints to be able to connect to other endpoints. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching ToEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires any endpoint to which it communicates to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"toServices\":{\"description\":\"ToServices is a list of services to which the endpoint subject to the rule is allowed to initiate connections. Currently Cilium only supports toServices for K8s services without selectors. \\n Example: Any endpoint with the label \\\"app=backend-app\\\" is allowed to initiate connections to all cidrs backing the \\\"external-service\\\" service\",\"items\":{\"description\":\"Service wraps around selectors for services\",\"properties\":{\"k8sService\":{\"description\":\"K8sService selects service by name and namespace pair\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"serviceName\":{\"type\":\"string\"}},\"type\":\"object\"},\"k8sServiceSelector\":{\"description\":\"K8sServiceSelector selects services by k8s labels and namespace\",\"properties\":{\"namespace\":{\"type\":\"string\"},\"selector\":{\"description\":\"ServiceSelector is a label selector for k8s services\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"}},\"required\":[\"selector\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"enableDefaultDeny\":{\"description\":\"EnableDefaultDeny determines whether this policy configures the subject endpoint(s) to have a default deny mode. If enabled, this causes all traffic not explicitly allowed by a network policy to be dropped. \\n If not specified, the default is true for each traffic direction that has rules, and false otherwise. For example, if a policy only has Ingress or IngressDeny rules, then the default for ingress is true and egress is false. \\n If multiple policies apply to an endpoint, that endpoint's default deny will be enabled if any policy requests it. \\n This is useful for creating broad-based network policies that will not cause endpoints to enter default-deny mode.\",\"properties\":{\"egress\":{\"description\":\"Whether or not the endpoint should have a default-deny rule applied to egress traffic.\",\"type\":\"boolean\"},\"ingress\":{\"description\":\"Whether or not the endpoint should have a default-deny rule applied to ingress traffic.\",\"type\":\"boolean\"}},\"type\":\"object\"},\"endpointSelector\":{\"description\":\"EndpointSelector selects all endpoints which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"ingress\":{\"description\":\"Ingress is a list of IngressRule which are enforced at ingress. If omitted or empty, this rule does not apply at ingress.\",\"items\":{\"description\":\"IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members are set, all of them need to match in order for the rule to take effect. The exception to this rule is FromRequires field; the effects of any Requires field in any rule will apply to all other rules as well. \\n - FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"authentication\":{\"description\":\"Authentication is the required authentication type for the allowed traffic, if any.\",\"properties\":{\"mode\":{\"description\":\"Mode is the required authentication mode for the allowed traffic, if any.\",\"enum\":[\"disabled\",\"required\",\"test-always-fail\"],\"type\":\"string\"}},\"required\":[\"mode\"],\"type\":\"object\"},\"fromCIDR\":{\"description\":\"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field.  This will match on the source IP address of incoming connections. Adding  a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is  equivalent.  Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.3.9.1\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"fromCIDRSet\":{\"description\":\"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEndpoints\":{\"description\":\"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \\n Example: Any endpoint with the label \\\"role=backend\\\" can be consumed by any endpoint carrying the label \\\"role=frontend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEntities\":{\"description\":\"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"fromGroups\":{\"description\":\"FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromNodes\":{\"description\":\"FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromRequires\":{\"description\":\"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires consuming endpoint to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can only accept incoming type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can only accept incoming connections on port 80/tcp.\",\"items\":{\"description\":\"PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.\",\"properties\":{\"listener\":{\"description\":\"listener specifies the name of a custom Envoy listener to which this traffic should be redirected to.\",\"properties\":{\"envoyConfig\":{\"description\":\"EnvoyConfig is a reference to the CEC or CCEC resource in which the listener is defined.\",\"properties\":{\"kind\":{\"description\":\"Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy, respectively. The only case this is currently explicitly needed is when referring to a CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener from a cluster scoped policy is not allowed.\",\"enum\":[\"CiliumEnvoyConfig\",\"CiliumClusterwideEnvoyConfig\"],\"type\":\"string\"},\"name\":{\"description\":\"Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where the listener is defined in.\",\"minLength\":1,\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"name\":{\"description\":\"Name is the name of the listener.\",\"minLength\":1,\"type\":\"string\"},\"priority\":{\"description\":\"Priority for this Listener that is used when multiple rules would apply different listeners to a policy map entry. Behavior of this is implementation dependent.\",\"maximum\":100,\"minimum\":1,\"type\":\"integer\"}},\"required\":[\"envoyConfig\",\"name\"],\"type\":\"object\"},\"originatingTLS\":{\"description\":\"OriginatingTLS is the TLS context for the connections originated by the L7 proxy.  For egress policy this specifies the client-side TLS parameters for the upstream connection originating from the L7 proxy to the remote destination. For ingress policy this specifies the client-side TLS parameters for the connection from the L7 proxy to the local endpoint.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"},\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"},\"rules\":{\"description\":\"Rules is a list of additional port level rules which must be met in order for the PortRule to allow the traffic. If omitted or empty, no layer 7 rules are enforced.\",\"oneOf\":[{\"properties\":{\"http\":{}},\"required\":[\"http\"]},{\"properties\":{\"kafka\":{}},\"required\":[\"kafka\"]},{\"properties\":{\"dns\":{}},\"required\":[\"dns\"]},{\"properties\":{\"l7proto\":{}},\"required\":[\"l7proto\"]}],\"properties\":{\"dns\":{\"description\":\"DNS-specific rules.\",\"items\":{\"description\":\"PortRuleDNS is a list of allowed DNS lookups.\",\"oneOf\":[{\"properties\":{\"matchName\":{}},\"required\":[\"matchName\"]},{\"properties\":{\"matchPattern\":{}},\"required\":[\"matchPattern\"]}],\"properties\":{\"matchName\":{\"description\":\"MatchName matches literal DNS names. A trailing \\\".\\\" is automatically added when missing.\",\"pattern\":\"^([-a-zA-Z0-9_]+[.]?)+$\",\"type\":\"string\"},\"matchPattern\":{\"description\":\"MatchPattern allows using wildcards to match DNS names. All wildcards are case insensitive. The wildcards are: - \\\"*\\\" matches 0 or more DNS valid characters, and may occur anywhere in the pattern. As a special case a \\\"*\\\" as the leftmost character, without a following \\\".\\\" matches all subdomains as well as the name to the right. A trailing \\\".\\\" is automatically added when missing. \\n Examples: `*.cilium.io` matches subomains of cilium at that level www.cilium.io and blog.cilium.io match, cilium.io and google.com do not `*cilium.io` matches cilium.io and all subdomains ends with \\\"cilium.io\\\" except those containing \\\".\\\" separator, subcilium.io and sub-cilium.io match, www.cilium.io and blog.cilium.io does not sub*.cilium.io matches subdomains of cilium where the subdomain component begins with \\\"sub\\\" sub.cilium.io and subdomain.cilium.io match, www.cilium.io, blog.cilium.io, cilium.io and google.com do not\",\"pattern\":\"^([-a-zA-Z0-9_*]+[.]?)+$\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"http\":{\"description\":\"HTTP specific rules.\",\"items\":{\"description\":\"PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect. \\n All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986.\",\"properties\":{\"headerMatches\":{\"description\":\"HeaderMatches is a list of HTTP headers which must be present and match against the given values. Mismatch field can be used to specify what to do when there is no match.\",\"items\":{\"description\":\"HeaderMatch extends the HeaderValue for matching requirement of a named header field against an immediate string, a secret value, or a regex.  If none of the optional fields is present, then the header value is not matched, only presence of the header is enough.\",\"properties\":{\"mismatch\":{\"description\":\"Mismatch identifies what to do in case there is no match. The default is to drop the request. Otherwise the overall rule is still considered as matching, but the mismatches are logged in the access log.\",\"enum\":[\"LOG\",\"ADD\",\"DELETE\",\"REPLACE\"],\"type\":\"string\"},\"name\":{\"description\":\"Name identifies the header.\",\"minLength\":1,\"type\":\"string\"},\"secret\":{\"description\":\"Secret refers to a secret that contains the value to be matched against. The secret must only contain one entry. If the referred secret does not exist, and there is no \\\"Value\\\" specified, the match will fail.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"value\":{\"description\":\"Value matches the exact value of the header. Can be specified either alone or together with \\\"Secret\\\"; will be used as the header value if the secret can not be found in the latter case.\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"type\":\"array\"},\"headers\":{\"description\":\"Headers is a list of HTTP headers which must be present in the request. If omitted or empty, requests are allowed regardless of headers present.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"host\":{\"description\":\"Host is an extended POSIX regex matched against the host header of a request. Examples: \\n - foo.bar.com will match the host fooXbar.com or foo-bar.com - foo\\\\.bar\\\\.com will only match the host foo.bar.com \\n If omitted or empty, the value of the host header is ignored.\",\"format\":\"idn-hostname\",\"type\":\"string\"},\"method\":{\"description\":\"Method is an extended POSIX regex matched against the method of a request, e.g. \\\"GET\\\", \\\"POST\\\", \\\"PUT\\\", \\\"PATCH\\\", \\\"DELETE\\\", ... \\n If omitted or empty, all methods are allowed.\",\"type\":\"string\"},\"path\":{\"description\":\"Path is an extended POSIX regex matched against the path of a request. Currently it can contain characters disallowed from the conventional \\\"path\\\" part of a URL as defined by RFC 3986. \\n If omitted or empty, all paths are all allowed.\",\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"kafka\":{\"description\":\"Kafka-specific rules.\",\"items\":{\"description\":\"PortRule is a list of Kafka protocol constraints. All fields are optional, if all fields are empty or missing, the rule will match all Kafka messages.\",\"properties\":{\"apiKey\":{\"description\":\"APIKey is a case-insensitive string matched against the key of a request, e.g. \\\"produce\\\", \\\"fetch\\\", \\\"createtopic\\\", \\\"deletetopic\\\", et al Reference: https://kafka.apache.org/protocol#protocol_api_keys \\n If omitted or empty, and if Role is not specified, then all keys are allowed.\",\"type\":\"string\"},\"apiVersion\":{\"description\":\"APIVersion is the version matched against the api version of the Kafka message. If set, it has to be a string representing a positive integer. \\n If omitted or empty, all versions are allowed.\",\"type\":\"string\"},\"clientID\":{\"description\":\"ClientID is the client identifier as provided in the request. \\n From Kafka protocol documentation: This is a user supplied identifier for the client application. The user can use any identifier they like and it will be used when logging errors, monitoring aggregates, etc. For example, one might want to monitor not just the requests per second overall, but the number coming from each client application (each of which could reside on multiple servers). This id acts as a logical grouping across all requests from a particular client. \\n If omitted or empty, all client identifiers are allowed.\",\"type\":\"string\"},\"role\":{\"description\":\"Role is a case-insensitive string and describes a group of API keys necessary to perform certain higher-level Kafka operations such as \\\"produce\\\" or \\\"consume\\\". A Role automatically expands into all APIKeys required to perform the specified higher-level operation. \\n The following values are supported: - \\\"produce\\\": Allow producing to the topics specified in the rule - \\\"consume\\\": Allow consuming from the topics specified in the rule \\n This field is incompatible with the APIKey field, i.e APIKey and Role cannot both be specified in the same rule. \\n If omitted or empty, and if APIKey is not specified, then all keys are allowed.\",\"enum\":[\"produce\",\"consume\"],\"type\":\"string\"},\"topic\":{\"description\":\"Topic is the topic name contained in the message. If a Kafka request contains multiple topics, then all topics must be allowed or the message will be rejected. \\n This constraint is ignored if the matched request message type doesn't contain any topic. Maximum size of Topic can be 249 characters as per recent Kafka spec and allowed characters are a-z, A-Z, 0-9, -, . and _. \\n Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10 version the length was changed from 255 to 249. For compatibility reasons we are using 255. \\n If omitted or empty, all topics are allowed.\",\"maxLength\":255,\"type\":\"string\"}},\"type\":\"object\"},\"type\":\"array\"},\"l7\":{\"description\":\"Key-value pair rules.\",\"items\":{\"additionalProperties\":{\"type\":\"string\"},\"description\":\"PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.\",\"type\":\"object\"},\"type\":\"array\"},\"l7proto\":{\"description\":\"Name of the L7 protocol for which the Key-value pair rules apply.\",\"type\":\"string\"}},\"type\":\"object\"},\"serverNames\":{\"description\":\"ServerNames is a list of allowed TLS SNI values. If not empty, then TLS must be present and one of the provided SNIs must be indicated in the TLS handshake.\",\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"terminatingTLS\":{\"description\":\"TerminatingTLS is the TLS context for the connection terminated by the L7 proxy.  For egress policy this specifies the server-side TLS parameters to be applied on the connections originated from the local endpoint and terminated by the L7 proxy. For ingress policy this specifies the server-side TLS parameters to be applied on the connections originated from a remote source and terminated by the L7 proxy.\",\"properties\":{\"certificate\":{\"description\":\"Certificate is the file name or k8s secret item name for the certificate chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"privateKey\":{\"description\":\"PrivateKey is the file name or k8s secret item name for the private key matching the certificate chain. If omitted, 'tls.key' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"},\"secret\":{\"description\":\"Secret is the secret that contains the certificates and private key for the TLS context. By default, Cilium will search in this secret for the following items: - 'ca.crt'  - Which represents the trusted CA to verify remote source. - 'tls.crt' - Which represents the public key certificate. - 'tls.key' - Which represents the private key matching the public key certificate.\",\"properties\":{\"name\":{\"description\":\"Name is the name of the secret.\",\"type\":\"string\"},\"namespace\":{\"description\":\"Namespace is the namespace in which the secret exists. Context of use determines the default value if left out (e.g., \\\"default\\\").\",\"type\":\"string\"}},\"required\":[\"name\"],\"type\":\"object\"},\"trustedCA\":{\"description\":\"TrustedCA is the file name or k8s secret item name for the trusted CA. If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.\",\"type\":\"string\"}},\"required\":[\"secret\"],\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"ingressDeny\":{\"description\":\"IngressDeny is a list of IngressDenyRule which are enforced at ingress. Any rule inserted here will be denied regardless of the allowed ingress rules in the 'ingress' field. If omitted or empty, this rule does not apply at ingress.\",\"items\":{\"description\":\"IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector. \\n - All members of this structure are optional. If omitted or empty, the member will have no effect on the rule. \\n - If multiple members are set, all of them need to match in order for the rule to take effect. The exception to this rule is FromRequires field; the effects of any Requires field in any rule will apply to all other rules as well. \\n - FromEndpoints, FromCIDR, FromCIDRSet, FromGroups and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule.\",\"properties\":{\"fromCIDR\":{\"description\":\"FromCIDR is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from. Only connections which do *not* originate from the cluster or from the local host are subject to CIDR rules. In order to allow in-cluster connectivity, use the FromEndpoints field.  This will match on the source IP address of incoming connections. Adding  a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is  equivalent.  Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.3.9.1\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"},\"fromCIDRSet\":{\"description\":\"FromCIDRSet is a list of IP blocks which the endpoint subject to the rule is allowed to receive connections from in addition to FromEndpoints, along with a list of subnets contained within their corresponding IP block from which traffic should not be allowed. This will match on the source IP address of incoming connections. Adding a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet. \\n Example: Any endpoint with the label \\\"app=my-legacy-pet\\\" is allowed to receive connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.\",\"items\":{\"description\":\"CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication  is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.\",\"oneOf\":[{\"properties\":{\"cidr\":{}},\"required\":[\"cidr\"]},{\"properties\":{\"cidrGroupRef\":{}},\"required\":[\"cidrGroupRef\"]}],\"properties\":{\"cidr\":{\"description\":\"CIDR is a CIDR prefix / IP Block.\",\"format\":\"cidr\",\"type\":\"string\"},\"cidrGroupRef\":{\"description\":\"CIDRGroupRef is a reference to a CiliumCIDRGroup object. A CiliumCIDRGroup contains a list of CIDRs that the endpoint, subject to the rule, can (Ingress/Egress) or cannot (IngressDeny/EgressDeny) receive connections from.\",\"maxLength\":253,\"pattern\":\"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\\\\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$\",\"type\":\"string\"},\"except\":{\"description\":\"ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule is not allowed to initiate connections to. These CIDR prefixes should be contained within Cidr, using ExceptCIDRs together with CIDRGroupRef is not supported yet. These exceptions are only applied to the Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any other CIDRRules.\",\"items\":{\"description\":\"CIDR specifies a block of IP addresses. Example: 192.0.2.1/32\",\"format\":\"cidr\",\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEndpoints\":{\"description\":\"FromEndpoints is a list of endpoints identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule. \\n Example: Any endpoint with the label \\\"role=backend\\\" can be consumed by any endpoint carrying the label \\\"role=frontend\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromEntities\":{\"description\":\"FromEntities is a list of special entities which the endpoint subject to the rule is allowed to receive connections from. Supported entities are `world`, `cluster` and `host`\",\"items\":{\"description\":\"Entity specifies the class of receiver/sender endpoints that do not have individual identities.  Entities are used to describe \\\"outside of cluster\\\", \\\"host\\\", etc.\",\"enum\":[\"all\",\"world\",\"cluster\",\"host\",\"init\",\"ingress\",\"unmanaged\",\"remote-node\",\"health\",\"none\",\"kube-apiserver\"],\"type\":\"string\"},\"type\":\"array\"},\"fromGroups\":{\"description\":\"FromGroups is a directive that allows the integration with multiple outside providers. Currently, only AWS is supported, and the rule can select by multiple sub directives: \\n Example: FromGroups: - aws: securityGroupsIds: - 'sg-XXXXXXXXXXXXX'\",\"items\":{\"description\":\"Groups structure to store all kinds of new integrations that needs a new derivative policy.\",\"properties\":{\"aws\":{\"description\":\"AWSGroup is an structure that can be used to whitelisting information from AWS integration\",\"properties\":{\"labels\":{\"additionalProperties\":{\"type\":\"string\"},\"type\":\"object\"},\"region\":{\"type\":\"string\"},\"securityGroupsIds\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"},\"securityGroupsNames\":{\"items\":{\"type\":\"string\"},\"type\":\"array\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromNodes\":{\"description\":\"FromNodes is a list of nodes identified by an EndpointSelector which are allowed to communicate with the endpoint subject to the rule.\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"fromRequires\":{\"description\":\"FromRequires is a list of additional constraints which must be met in order for the selected endpoints to be reachable. These additional constraints do no by itself grant access privileges and must always be accompanied with at least one matching FromEndpoints. \\n Example: Any Endpoint with the label \\\"team=A\\\" requires consuming endpoint to also carry the label \\\"team=A\\\".\",\"items\":{\"description\":\"EndpointSelector is a wrapper for k8s LabelSelector.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"icmps\":{\"description\":\"ICMPs is a list of ICMP rule identified by type number which the endpoint subject to the rule is not allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can not accept incoming type 8 ICMP connections.\",\"items\":{\"description\":\"ICMPRule is a list of ICMP fields.\",\"properties\":{\"fields\":{\"description\":\"Fields is a list of ICMP fields.\",\"items\":{\"description\":\"ICMPField is a ICMP field.\",\"properties\":{\"family\":{\"default\":\"IPv4\",\"description\":\"Family is a IP address version. Currently, we support `IPv4` and `IPv6`. `IPv4` is set as default.\",\"enum\":[\"IPv4\",\"IPv6\"],\"type\":\"string\"},\"type\":{\"anyOf\":[{\"type\":\"integer\"},{\"type\":\"string\"}],\"description\":\"Type is a ICMP-type. It should be an 8bit code (0-255), or it's CamelCase name (for example, \\\"EchoReply\\\"). Allowed ICMP types are: Ipv4: EchoReply | DestinationUnreachable | Redirect | Echo | EchoRequest | RouterAdvertisement | RouterSelection | TimeExceeded | ParameterProblem | Timestamp | TimestampReply | Photuris | ExtendedEcho Request | ExtendedEcho Reply Ipv6: DestinationUnreachable | PacketTooBig | TimeExceeded | ParameterProblem | EchoRequest | EchoReply | MulticastListenerQuery| MulticastListenerReport | MulticastListenerDone | RouterSolicitation | RouterAdvertisement | NeighborSolicitation | NeighborAdvertisement | RedirectMessage | RouterRenumbering | ICMPNodeInformationQuery | ICMPNodeInformationResponse | InverseNeighborDiscoverySolicitation | InverseNeighborDiscoveryAdvertisement | HomeAgentAddressDiscoveryRequest | HomeAgentAddressDiscoveryReply | MobilePrefixSolicitation | MobilePrefixAdvertisement | DuplicateAddressRequestCodeSuffix | DuplicateAddressConfirmationCodeSuffix | ExtendedEchoRequest | ExtendedEchoReply\",\"pattern\":\"^([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5]|EchoReply|DestinationUnreachable|Redirect|Echo|RouterAdvertisement|RouterSelection|TimeExceeded|ParameterProblem|Timestamp|TimestampReply|Photuris|ExtendedEchoRequest|ExtendedEcho Reply|PacketTooBig|ParameterProblem|EchoRequest|MulticastListenerQuery|MulticastListenerReport|MulticastListenerDone|RouterSolicitation|RouterAdvertisement|NeighborSolicitation|NeighborAdvertisement|RedirectMessage|RouterRenumbering|ICMPNodeInformationQuery|ICMPNodeInformationResponse|InverseNeighborDiscoverySolicitation|InverseNeighborDiscoveryAdvertisement|HomeAgentAddressDiscoveryRequest|HomeAgentAddressDiscoveryReply|MobilePrefixSolicitation|MobilePrefixAdvertisement|DuplicateAddressRequestCodeSuffix|DuplicateAddressConfirmationCodeSuffix)$\",\"x-kubernetes-int-or-string\":true}},\"required\":[\"type\"],\"type\":\"object\"},\"maxItems\":40,\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"toPorts\":{\"description\":\"ToPorts is a list of destination ports identified by port number and protocol which the endpoint subject to the rule is not allowed to receive connections on. \\n Example: Any endpoint with the label \\\"app=httpd\\\" can not accept incoming connections on port 80/tcp.\",\"items\":{\"description\":\"PortDenyRule is a list of ports/protocol that should be used for deny policies. This structure lacks the L7Rules since it's not supported in deny policies.\",\"properties\":{\"ports\":{\"description\":\"Ports is a list of L4 port/protocol\",\"items\":{\"description\":\"PortProtocol specifies an L4 port with an optional transport protocol\",\"properties\":{\"endPort\":{\"description\":\"EndPort can only be an L4 port number.\",\"format\":\"int32\",\"maximum\":65535,\"minimum\":0,\"type\":\"integer\"},\"port\":{\"description\":\"Port can be an L4 port number, or a name in the form of \\\"http\\\" or \\\"http-8080\\\".\",\"pattern\":\"^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$\",\"type\":\"string\"},\"protocol\":{\"description\":\"Protocol is the L4 protocol. If omitted or empty, any protocol matches. Accepted values: \\\"TCP\\\", \\\"UDP\\\", \\\"SCTP\\\", \\\"ANY\\\" \\n Matching on ICMP is not supported. \\n Named port specified for a container may narrow this down, but may not contradict this.\",\"enum\":[\"TCP\",\"UDP\",\"SCTP\",\"ANY\"],\"type\":\"string\"}},\"required\":[\"port\"],\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"}},\"type\":\"object\"},\"type\":\"array\"},\"labels\":{\"description\":\"Labels is a list of optional strings which can be used to re-identify the rule or to store metadata. It is possible to lookup or delete strings based on labels. Labels are not required to be unique, multiple rules can have overlapping or identical labels.\",\"items\":{\"description\":\"Label is the Cilium's representation of a container label.\",\"properties\":{\"key\":{\"type\":\"string\"},\"source\":{\"description\":\"Source can be one of the above values (e.g.: LabelSourceContainer).\",\"type\":\"string\"},\"value\":{\"type\":\"string\"}},\"required\":[\"key\"],\"type\":\"object\"},\"type\":\"array\"},\"nodeSelector\":{\"description\":\"NodeSelector selects all nodes which should be subject to this rule. EndpointSelector and NodeSelector cannot be both empty and are mutually exclusive. Can only be used in CiliumClusterwideNetworkPolicies.\",\"properties\":{\"matchExpressions\":{\"description\":\"matchExpressions is a list of label selector requirements. The requirements are ANDed.\",\"items\":{\"description\":\"A label selector requirement is a selector that contains values, a key, and an operator that relates the key and values.\",\"properties\":{\"key\":{\"description\":\"key is the label key that the selector applies to.\",\"type\":\"string\"},\"operator\":{\"description\":\"operator represents a key's relationship to a set of values. Valid operators are In, NotIn, Exists and DoesNotExist.\",\"enum\":[\"In\",\"NotIn\",\"Exists\",\"DoesNotExist\"],\"type\":\"string\"},\"values\":{\"description\":\"values is an array of string values. If the operator is In or NotIn, the values array must be non-empty. If the operator is Exists or DoesNotExist, the values array must be empty. This array is replaced during a strategic merge patch.\",\"items\":{\"type\":\"string\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"}},\"required\":[\"key\",\"operator\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-type\":\"atomic\"},\"matchLabels\":{\"additionalProperties\":{\"description\":\"MatchLabelsValue represents the value from the MatchLabels {key,value} pair.\",\"maxLength\":63,\"pattern\":\"^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$\",\"type\":\"string\"},\"description\":\"matchLabels is a map of {key,value} pairs. A single {key,value} in the matchLabels map is equivalent to an element of matchExpressions, whose key field is \\\"key\\\", the operator is \\\"In\\\", and the values array contains only \\\"value\\\". The requirements are ANDed.\",\"type\":\"object\"}},\"type\":\"object\"}},\"type\":\"object\"},\"type\":\"array\"},\"status\":{\"description\":\"Status is the status of the Cilium policy rule\",\"properties\":{\"conditions\":{\"items\":{\"properties\":{\"lastTransitionTime\":{\"description\":\"The last time the condition transitioned from one status to another.\",\"format\":\"date-time\",\"type\":\"string\"},\"message\":{\"description\":\"A human readable message indicating details about the transition.\",\"type\":\"string\"},\"reason\":{\"description\":\"The reason for the condition's last transition.\",\"type\":\"string\"},\"status\":{\"description\":\"The status of the condition, one of True, False, or Unknown\",\"type\":\"string\"},\"type\":{\"description\":\"The type of the policy condition\",\"type\":\"string\"}},\"required\":[\"status\",\"type\"],\"type\":\"object\"},\"type\":\"array\",\"x-kubernetes-list-map-keys\":[\"type\"],\"x-kubernetes-list-type\":\"map\"},\"derivativePolicies\":{\"additionalProperties\":{\"description\":\"CiliumNetworkPolicyNodeStatus is the status of a Cilium policy rule for a specific node.\",\"properties\":{\"annotations\":{\"additionalProperties\":{\"type\":\"string\"},\"description\":\"Annotations corresponds to the Annotations in the ObjectMeta of the CNP that have been realized on the node for CNP. That is, if a CNP has been imported and has been assigned annotation X=Y by the user, Annotations in CiliumNetworkPolicyNodeStatus will be X=Y once the CNP that was imported corresponding to Annotation X=Y has been realized on the node.\",\"type\":\"object\"},\"enforcing\":{\"description\":\"Enforcing is set to true once all endpoints present at the time the policy has been imported are enforcing this policy.\",\"type\":\"boolean\"},\"error\":{\"description\":\"Error describes any error that occurred when parsing or importing the policy, or realizing the policy for the endpoints to which it applies on the node.\",\"type\":\"string\"},\"lastUpdated\":{\"description\":\"LastUpdated contains the last time this status was updated\",\"format\":\"date-time\",\"type\":\"string\"},\"localPolicyRevision\":{\"description\":\"Revision is the policy revision of the repository which first implemented this policy.\",\"format\":\"int64\",\"type\":\"integer\"},\"ok\":{\"description\":\"OK is true when the policy has been parsed and imported successfully into the in-memory policy repository on the node.\",\"type\":\"boolean\"}},\"type\":\"object\"},\"description\":\"DerivativePolicies is the status of all policies derived from the Cilium policy\",\"type\":\"object\"}},\"type\":\"object\"}},\"required\":[\"metadata\"],\"type\":\"object\"}";
}

/// Register every keyword form this domain exposes onto the host
/// interpreter. Embedders call this once during boot.
pub fn register() {
    tatara_lisp::register_all_capabilities!(CiliumNetworkPolicySpec);
    tatara_lisp::domain::register_render::<CiliumNetworkPolicySpec>();
    tatara_lisp::domain::register_schema::<CiliumNetworkPolicySpec>();
    tatara_lisp::domain::register_attest::<CiliumNetworkPolicySpec>();
}