Packages:

controlplane.antrea.io/v1beta2

Package v1beta2 is the v1beta2 version of the Antrea NetworkPolicy API messages.

Resource Types:

AddressGroup

AddressGroup is the message format of antrea/pkg/controller/types.AddressGroup in an API response.

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
AddressGroup
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
groupMembers
[]GroupMember

AppliedToGroup

AppliedToGroup is the message format of antrea/pkg/controller/types.AppliedToGroup in an API response.

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
AppliedToGroup
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
groupMembers
[]GroupMember

GroupMembers is the list of resources selected by this group.

ClusterGroupMembers

ClusterGroupMembers is a list of GroupMember objects or ipBlocks that are currently selected by a ClusterGroup.

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
ClusterGroupMembers
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
effectiveMembers
[]GroupMember
effectiveIPBlocks
[]IPNet
totalMembers
int64
totalPages
int64
currentPage
int64

EgressGroup

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
EgressGroup
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
groupMembers
[]GroupMember

GroupMembers is the list of resources selected by this group.

GroupAssociation

GroupAssociation is the message format in an API response for groupassociation queries.

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
GroupAssociation
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
associatedGroups
[]GroupReference

AssociatedGroups is a list of GroupReferences that are associated with the Pod/ExternalEntity being queried.

IPGroupAssociation

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
IPGroupAssociation
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
associatedGroups
[]GroupReference

AssociatedGroups is a list of GroupReferences that are associated with the IP address being queried.

NetworkPolicy

NetworkPolicy is the message format of antrea/pkg/controller/types.NetworkPolicy in an API response.

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
NetworkPolicy
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
rules
[]NetworkPolicyRule

Rules is a list of rules to be applied to the selected GroupMembers.

appliedToGroups
[]string

AppliedToGroups is a list of names of AppliedToGroups to which this policy applies. Cannot be set in conjunction with any NetworkPolicyRule.AppliedToGroups in Rules.

priority
float64

Priority represents the relative priority of this Network Policy as compared to other Network Policies. Priority will be unset (nil) for K8s NetworkPolicy.

tierPriority
int32

TierPriority represents the priority of the Tier associated with this Network Policy. The TierPriority will remain nil for K8s NetworkPolicy.

sourceRef
NetworkPolicyReference

Reference to the original NetworkPolicy that the internal NetworkPolicy is created for.

NodeStatsSummary

NodeStatsSummary contains stats produced on a Node. It is used by antrea-agents to report stats to the antrea-controller.

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
NodeStatsSummary
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
networkPolicies
[]NetworkPolicyStats

The TrafficStats of K8s NetworkPolicies collected from the Node.

antreaClusterNetworkPolicies
[]NetworkPolicyStats

The TrafficStats of Antrea ClusterNetworkPolicies collected from the Node.

antreaNetworkPolicies
[]NetworkPolicyStats

The TrafficStats of Antrea NetworkPolicies collected from the Node.

multicast
[]MulticastGroupInfo

Multicast group information collected from the Node.

SupportBundleCollection

SupportBundleCollection is the message format of antrea/pkg/controller/types.SupportBundleCollection in an API response.

FieldDescription
apiVersion
string
controlplane.antrea.io/v1beta2
kind
string
SupportBundleCollection
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
expiredAt
Kubernetes meta/v1.Time
sinceTime
string
fileServer
BundleFileServer
authentication
BundleServerAuthConfiguration

AddressGroupPatch

AddressGroupPatch describes the incremental update of an AddressGroup.

FieldDescription
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
addedGroupMembers
[]GroupMember
removedGroupMembers
[]GroupMember

AppliedToGroupPatch

AppliedToGroupPatch describes the incremental update of an AppliedToGroup.

FieldDescription
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
addedGroupMembers
[]GroupMember
removedGroupMembers
[]GroupMember

BasicAuthentication

(Appears on: BundleServerAuthConfiguration)

FieldDescription
username
string
password
string

BundleFileServer

(Appears on: SupportBundleCollection)

FieldDescription
url
string

BundleServerAuthConfiguration

(Appears on: SupportBundleCollection)

FieldDescription
bearerToken
string
apiKey
string
basicAuthentication
BasicAuthentication

Direction (string alias)

(Appears on: NetworkPolicyRule)

Direction defines traffic direction of NetworkPolicyRule.

EgressGroupPatch

EgressGroupPatch describes the incremental update of an EgressGroup.

FieldDescription
ObjectMeta
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
AddedGroupMembers
[]GroupMember
RemovedGroupMembers
[]GroupMember

ExternalEntityReference

(Appears on: GroupMember)

ExternalEntityReference represents an ExternalEntity reference.

FieldDescription
name
string

The name of this ExternalEntity.

namespace
string

The Namespace of this ExternalEntity.

GroupMember

(Appears on: AddressGroup, AppliedToGroup, ClusterGroupMembers, EgressGroup, AddressGroupPatch, AppliedToGroupPatch, EgressGroupPatch)

GroupMember represents a resource member to be populated in Groups.

FieldDescription
pod
PodReference

Pod maintains the reference to the Pod.

externalEntity
ExternalEntityReference

ExternalEntity maintains the reference to the ExternalEntity.

ips
[]IPAddress

IPs is the list of IP addresses of the Endpoints associated with the GroupMember.

ports
[]NamedPort

Ports is the list of NamedPorts of the GroupMember.

node
NodeReference

Node maintains the reference to the Node.

service
ServiceReference

Service is the reference to the Service. It can only be used in an AppliedTo Group, and only a NodePort type Service can be referenced by this field.

GroupMemberSet (map[antrea.io/antrea/pkg/apis/controlplane/v1beta2.groupMemberKey]*antrea.io/antrea/pkg/apis/controlplane/v1beta2.GroupMember alias)

GroupMemberSet is a set of GroupMembers.

GroupReference

(Appears on: GroupAssociation, IPGroupAssociation)

FieldDescription
namespace
string

Namespace of the Group. Empty for ClusterGroup.

name
string

Name of the Group.

uid
k8s.io/apimachinery/pkg/types.UID

UID of the Group.

HTTPProtocol

(Appears on: L7Protocol)

HTTPProtocol matches HTTP requests with a specific host, method, and path. The fields can be used alone or together. If none of the fields is provided, it matches all HTTP requests.

FieldDescription
host
string

Host represents the hostname present in the URI or the HTTP Host header to match. It does not contain the port associated with the host.

method
string

Method represents the HTTP method to match. It can be one of GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT or PATCH.

path
string

Path represents the URI path to match (Ex. “/index.html”, “/admin”).

IPAddress ([]byte alias)

(Appears on: GroupMember, IPNet)

IPAddress describes a single IP address. Either an IPv4 or IPv6 address must be set.

IPBlock

(Appears on: NetworkPolicyPeer)

IPBlock describes a particular CIDR (Ex. "192.168.1.1/24"). The except entries describe CIDRs that should not be included within this rule.

FieldDescription
cidr
IPNet

CIDR is the IPNet that represents the IP Block.

except
[]IPNet
(Optional)

Except is a slice of IPNets that should not be included within the IP Block. Except values are rejected if they are outside the CIDR range.
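The constraint above (except entries must fall inside cidr, and the block selects every address of cidr not covered by an except) as an added Go example; it is not Antrea's own code. It writes the networks as CIDR strings instead of the control plane's IPNet {ip, prefixLength} encoding, and the type and function names are made up for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IPBlock mirrors the cidr/except shape of the v1beta2 IPBlock. The networks
// are written here as CIDR strings for readability; the control plane encodes
// each one as an IPNet {ip, prefixLength}, and that conversion is not shown.
type IPBlock struct {
	CIDR   string
	Except []string
}

// parseNet parses a CIDR string and normalises it to its network address, so
// "192.168.1.1/24" (the page's own example) denotes 192.168.1.0/24.
func parseNet(s string) (netip.Prefix, error) {
	p, err := netip.ParsePrefix(s)
	if err != nil {
		return netip.Prefix{}, err
	}
	return p.Masked(), nil
}

// validateIPBlock enforces the documented rule that every except entry must
// lie inside the block's CIDR; an entry outside the range is rejected. A
// family mismatch (an IPv6 except under an IPv4 cidr) is rejected as well.
func validateIPBlock(b IPBlock) error {
	cidr, err := parseNet(b.CIDR)
	if err != nil {
		return fmt.Errorf("invalid cidr %q: %w", b.CIDR, err)
	}
	for _, e := range b.Except {
		ex, err := parseNet(e)
		if err != nil {
			return fmt.Errorf("invalid except %q: %w", e, err)
		}
		if ex.Addr().Is4() != cidr.Addr().Is4() {
			return fmt.Errorf("except %q and cidr %q are different IP families", e, b.CIDR)
		}
		// A network is inside cidr iff its first address is covered by cidr
		// and its prefix is at least as long (it cannot be wider than cidr).
		if ex.Bits() < cidr.Bits() || !cidr.Contains(ex.Addr()) {
			return fmt.Errorf("except %q is outside cidr %q", e, b.CIDR)
		}
	}
	return nil
}

// matchesIPBlock reports whether addr is selected by the block: inside cidr
// and not inside any except entry. It validates the block first.
func matchesIPBlock(b IPBlock, addr string) (bool, error) {
	if err := validateIPBlock(b); err != nil {
		return false, err
	}
	a, err := netip.ParseAddr(addr)
	if err != nil {
		return false, fmt.Errorf("invalid address %q: %w", addr, err)
	}
	cidr, _ := parseNet(b.CIDR) // already validated above
	if !cidr.Contains(a) {
		return false, nil
	}
	for _, e := range b.Except {
		ex, _ := parseNet(e) // already validated above
		if ex.Contains(a) {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	// Constructed sample: the page's example CIDR with one carved-out except,
	// and a second block whose except is outside the range and must be rejected.
	good := IPBlock{CIDR: "192.168.1.1/24", Except: []string{"192.168.1.0/28"}}
	bad := IPBlock{CIDR: "192.168.1.1/24", Except: []string{"10.0.0.0/8"}}

	fmt.Println("good block valid:", validateIPBlock(good) == nil) // true
	fmt.Println("bad block error:", validateIPBlock(bad))           // except outside cidr
	for _, ip := range []string{"192.168.1.5", "192.168.1.100", "10.1.1.1"} {
		ok, _ := matchesIPBlock(good, ip)
		fmt.Printf("%s selected: %v\n", ip, ok) // false, true, false
	}
}
```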

IPNet

(Appears on: ClusterGroupMembers, IPBlock)

IPNet describes an IP network.

FieldDescription
ip
IPAddress
prefixLength
int32

L7Protocol

(Appears on: NetworkPolicyRule)

L7Protocol defines application layer protocol to match.

FieldDescription
http
HTTPProtocol
tls
TLSProtocol

MulticastGroupInfo

(Appears on: NodeStatsSummary)

MulticastGroupInfo contains the list of Pods that have joined a multicast group, for a given Node.

FieldDescription
group
string

Group is the IP of the multicast group.

pods
[]PodReference

Pods is the list of Pods that have joined the multicast group.

NamedPort

(Appears on: GroupMember)

NamedPort represents a Port with a name on a Pod.

FieldDescription
port
int32

Port represents the Port number.

name
string

Name is the name associated with this Port number.

protocol
Protocol

Protocol for port. Must be UDP, TCP, or SCTP.

NetworkPolicyNodeStatus

(Appears on: NetworkPolicyStatus)

NetworkPolicyNodeStatus is the status of a NetworkPolicy on a Node.

FieldDescription
nodeName
string

The name of the Node that produces the status.

generation
int64

The generation realized by the Node.

realizationFailure
bool

Whether the NetworkPolicy realization has failed on the Node.

message
string

The error message describing why the NetworkPolicy realization failed on the Node.

NetworkPolicyPeer

(Appears on: NetworkPolicyRule)

NetworkPolicyPeer describes a peer of NetworkPolicyRules. It can be a list of AddressGroup names and/or a list of IPBlocks.

FieldDescription
addressGroups
[]string

A list of names of AddressGroups.

ipBlocks
[]IPBlock

A list of IPBlocks.

fqdns
[]string

A list of exact FQDN names or FQDN wildcard expressions. This field can only be set for the NetworkPolicyPeer of egress rules.

toServices
[]ServiceReference

A list of ServiceReferences. This field can only be set for the NetworkPolicyPeer of egress rules.

labelIdentities
[]uint32

A list of labelIdentities selected as ingress peers for a stretched policy. This field can only be set for the NetworkPolicyPeer of ingress rules.

NetworkPolicyReference

(Appears on: NetworkPolicy, NetworkPolicyStats)

FieldDescription
type
NetworkPolicyType

Type of the NetworkPolicy.

namespace
string

Namespace of the NetworkPolicy. It’s empty for Antrea ClusterNetworkPolicy.

name
string

Name of the NetworkPolicy.

uid
k8s.io/apimachinery/pkg/types.UID

UID of the NetworkPolicy.

NetworkPolicyRule

(Appears on: NetworkPolicy)

NetworkPolicyRule describes a particular set of traffic that is allowed.

FieldDescription
direction
Direction

The direction of this rule. If it’s set to In, From must be set and To must not be set. If it’s set to Out, To must be set and From must not be set.

from
NetworkPolicyPeer

From represents sources which should be able to access the GroupMembers selected by the policy.

to
NetworkPolicyPeer

To represents destinations which should be able to be accessed by the GroupMembers selected by the policy.

services
[]Service

Services is a list of services which should be matched.

priority
int32

Priority defines the priority of the Rule as compared to other rules in the NetworkPolicy.

action
RuleAction

Action specifies the action to be applied by the rule, i.e. Allow or Drop. An empty (nil) action defaults to Allow, which is the case for rules created for K8s NetworkPolicies.

enableLogging
bool

EnableLogging indicates whether or not to generate logs when rules are matched. Defaults to false.

appliedToGroups
[]string

AppliedToGroups is a list of names of AppliedToGroups to which this rule applies. Cannot be set in conjunction with NetworkPolicy.AppliedToGroups of the NetworkPolicy that this Rule belongs to.

name
string

Name describes the intention of this rule. Name should be unique within the policy.

l7Protocols
[]L7Protocol

L7Protocols is a list of application layer protocols which should be matched.

logLabel
string

LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs.

NetworkPolicyStats

(Appears on: NodeStatsSummary)

NetworkPolicyStats contains the information and traffic stats of a NetworkPolicy.

FieldDescription
networkPolicy
NetworkPolicyReference

The reference of the NetworkPolicy.

trafficStats
TrafficStats

The stats of the NetworkPolicy.

ruleTrafficStats
[]RuleTrafficStats

The stats of the NetworkPolicy rules. It is empty for K8s NetworkPolicies, as they do not have rule names to identify a rule.

NetworkPolicyStatus

NetworkPolicyStatus is the status of a NetworkPolicy.

FieldDescription
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
nodes
[]NetworkPolicyNodeStatus

Nodes contains statuses produced on a list of Nodes.

NetworkPolicyType (string alias)

(Appears on: NetworkPolicyReference)

NodeReference

(Appears on: GroupMember)

NodeReference represents a Node Reference.

FieldDescription
name
string

The name of this Node.

PaginationGetOptions

FieldDescription
page
int64
limit
int64

PodReference

(Appears on: GroupMember, MulticastGroupInfo)

PodReference represents a Pod Reference.

FieldDescription
name
string

The name of this Pod.

namespace
string

The Namespace of this Pod.

Protocol (string alias)

(Appears on: NamedPort, Service)

Protocol defines network protocols supported for things like container ports.

Service

(Appears on: NetworkPolicyRule)

Service describes a port to allow traffic on.

FieldDescription
protocol
Protocol
(Optional)

The protocol (TCP, UDP, SCTP, or ICMP) which traffic must match. If not specified, this field defaults to TCP.

port
k8s.io/apimachinery/pkg/util/intstr.IntOrString
(Optional)

Port and EndPort can only be specified when the Protocol is TCP, UDP, or SCTP. Port defines the port name or number on the given protocol. If not specified and the Protocol is TCP, UDP, or SCTP, this matches all port numbers.

endPort
int32
(Optional)

EndPort defines the end of the port range, with the end port included in the range. It can only be specified when a numerical port is specified.

icmpType
int32
(Optional)

ICMPType and ICMPCode can only be specified when the Protocol is ICMP. If neither is specified and the Protocol is ICMP, this matches all ICMP traffic.

icmpCode
int32
igmpType
int32
(Optional)

IGMPType and GroupAddress can only be specified when the Protocol is IGMP.

groupAddress
string
srcPort
int32
(Optional)

SrcPort and SrcEndPort can only be specified when the Protocol is TCP, UDP, or SCTP. They restrict the source port of the traffic.

srcEndPort
int32
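The field-combination rules documented for Service above (default protocol TCP; port/endPort/srcPort/srcEndPort only for TCP, UDP or SCTP; icmpType/icmpCode only for ICMP; igmpType/groupAddress only for IGMP; endPort only with a numerical port) as an added Go validator; it is not Antrea's own code. Optional fields are modelled as pointers, Port stands in for IntOrString, and the ordering checks on the two ranges are an assumption of the example.

```go
package main

import (
	"errors"
	"fmt"
	"strconv"
)

// Protocol mirrors the Protocol string alias.
type Protocol string

const (
	ProtocolTCP  Protocol = "TCP"
	ProtocolUDP  Protocol = "UDP"
	ProtocolSCTP Protocol = "SCTP"
	ProtocolICMP Protocol = "ICMP"
	ProtocolIGMP Protocol = "IGMP"
)

// Service mirrors the documented fields. Optional scalars are pointers so an
// unset field is distinguishable from zero; Port stands in for IntOrString
// and holds either a port number or a named port.
type Service struct {
	Protocol     *Protocol
	Port         *string
	EndPort      *int32
	ICMPType     *int32
	ICMPCode     *int32
	IGMPType     *int32
	GroupAddress *string
	SrcPort      *int32
	SrcEndPort   *int32
}

func i32p(v int32) *int32         { return &v }
func strp(v string) *string       { return &v }
func protop(p Protocol) *Protocol { return &p }

// validateService rejects the field combinations the API documentation forbids.
func validateService(s Service) error {
	proto := ProtocolTCP // documented default when protocol is unset
	if s.Protocol != nil {
		proto = *s.Protocol
	}
	isL4 := proto == ProtocolTCP || proto == ProtocolUDP || proto == ProtocolSCTP
	hasL4Fields := s.Port != nil || s.EndPort != nil || s.SrcPort != nil || s.SrcEndPort != nil
	switch {
	case !isL4 && proto != ProtocolICMP && proto != ProtocolIGMP:
		return fmt.Errorf("unsupported protocol %q", proto)
	case !isL4 && hasL4Fields:
		return fmt.Errorf("port, endPort, srcPort and srcEndPort require TCP, UDP or SCTP, got %s", proto)
	case proto != ProtocolICMP && (s.ICMPType != nil || s.ICMPCode != nil):
		return fmt.Errorf("icmpType and icmpCode require protocol ICMP, got %s", proto)
	case proto != ProtocolIGMP && (s.IGMPType != nil || s.GroupAddress != nil):
		return fmt.Errorf("igmpType and groupAddress require protocol IGMP, got %s", proto)
	}
	if s.EndPort != nil {
		// endPort is the inclusive end of a numeric range, so it needs a
		// numerical port to start from; a named port is rejected.
		if s.Port == nil {
			return errors.New("endPort requires port to be set")
		}
		start, err := strconv.Atoi(*s.Port)
		if err != nil {
			return fmt.Errorf("endPort requires a numerical port, got named port %q", *s.Port)
		}
		if int32(start) > *s.EndPort {
			return fmt.Errorf("endPort %d is below port %d", *s.EndPort, start)
		}
	}
	// Assumption of this example, by analogy with port/endPort: srcEndPort
	// needs srcPort and must not be below it.
	if s.SrcEndPort != nil && (s.SrcPort == nil || *s.SrcPort > *s.SrcEndPort) {
		return errors.New("srcEndPort requires srcPort and must not be below it")
	}
	return nil
}

func main() {
	// Constructed samples exercising each documented constraint.
	cases := []Service{
		{Port: strp("80"), EndPort: i32p(90)},               // ok: default TCP, numeric range
		{Port: strp("http"), EndPort: i32p(90)},             // rejected: endPort with a named port
		{Protocol: protop(ProtocolICMP), ICMPType: i32p(8)}, // ok: ICMP type under ICMP
		{ICMPType: i32p(8)},                                 // rejected: ICMP fields under default TCP
		{Protocol: protop(ProtocolIGMP), IGMPType: i32p(0x11), GroupAddress: strp("224.0.0.1")}, // ok
		{Protocol: protop(ProtocolICMP), Port: strp("53")},  // rejected: port under ICMP
	}
	for i, c := range cases {
		fmt.Printf("case %d: %v\n", i, validateService(c))
	}
}
```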

ServiceReference

(Appears on: GroupMember, NetworkPolicyPeer)

ServiceReference represents a reference to a v1.Service.

FieldDescription
name
string

The name of this Service.

namespace
string

The Namespace of this Service.

SupportBundleCollectionNodeStatus

(Appears on: SupportBundleCollectionStatus)

SupportBundleCollectionNodeStatus is the status of a SupportBundleCollection on a Node.

FieldDescription
nodeName
string

The name of the Node that produces the status.

nodeNamespace
string

The namespace of the Node that produces the status. It is set only when NodeType is ExternalNode.

nodeType
string

The type of the Node that produces the status. The values include Node and ExternalNode.

completed
bool

Whether the SupportBundleCollection has completed on the Node.

error
string

SupportBundleCollectionStatus

SupportBundleCollectionStatus is the status of a SupportBundleCollection.

FieldDescription
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
nodes
[]SupportBundleCollectionNodeStatus

Nodes contains statuses produced on a list of Nodes.

TLSProtocol

(Appears on: L7Protocol)

TLSProtocol matches TLS handshake packets with a specific SNI. If the field is not provided, this matches all TLS handshake packets.

FieldDescription
sni
string

SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message.


crd.antrea.io/v1alpha1

Resource Types:

ClusterNetworkPolicy

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha1
kind
string
ClusterNetworkPolicy
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ClusterNetworkPolicySpec

Specification of the desired behavior of ClusterNetworkPolicy.



tier
string

Tier specifies the tier to which this ClusterNetworkPolicy belongs. The ClusterNetworkPolicy order is determined by the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy is created in the Application Tier, right above the K8s NetworkPolicy tier, which resides at the bottom.

priority
float64

Priority specifies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select the workloads to which the rules are applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules, evaluated in the order in which they are listed. Currently an ingress Rule supports setting the From field but not the To field.

egress
[]Rule
(Optional)

Set of egress rules, evaluated in the order in which they are listed. Currently an egress Rule supports setting the To field but not the From field.

status
NetworkPolicyStatus

Most recently observed status of the NetworkPolicy.

ExternalNode

ExternalNode refers to a virtual machine or a bare-metal server which is not a K8s Node but has the Antrea agent running on it.

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha1
kind
string
ExternalNode
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ExternalNodeSpec


interfaces
[]NetworkInterface

Only one network interface is currently supported. If more than one interface is listed, all interfaces except interfaces[0] are ignored.

NetworkPolicy

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha1
kind
string
NetworkPolicy
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
NetworkPolicySpec

Specification of the desired behavior of NetworkPolicy.



tier
string

Tier specifies the tier to which this NetworkPolicy belongs. The NetworkPolicy order is determined by the combination of the Tier's Priority and the NetworkPolicy's own Priority. If not specified, this policy is created in the Application Tier, right above the K8s NetworkPolicy tier, which resides at the bottom.

priority
float64

Priority specifies the order of the NetworkPolicy relative to other NetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select the workloads to which the rules are applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules, evaluated in the order in which they are listed. Currently an ingress Rule supports setting the From field but not the To field.

egress
[]Rule
(Optional)

Set of egress rules, evaluated in the order in which they are listed. Currently an egress Rule supports setting the To field but not the From field.

status
NetworkPolicyStatus

Most recently observed status of the NetworkPolicy.

SupportBundleCollection

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha1
kind
string
SupportBundleCollection
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
SupportBundleCollectionSpec

Specification of the desired behavior of SupportBundleCollection.



nodes
BundleNodes
externalNodes
BundleExternalNodes
expirationMinutes
int32

ExpirationMinutes is the requested duration of validity of the SupportBundleCollection. A SupportBundleCollection will be marked as Failed if it does not finish before expiration. Default is 60.

sinceTime
string

SinceTime specifies a relative time before the current time from which to collect logs. Valid values look like 1d, 2h or 30m.

fileServer
BundleFileServer
authentication
BundleServerAuthConfiguration
status
SupportBundleCollectionStatus

Most recently observed status of the SupportBundleCollection.

Tier

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha1
kind
string
Tier
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TierSpec

Specification of the desired behavior of Tier.



priority
int32

Priority specifies the order of the Tier relative to other Tiers.

description
string

Description is an optional field to add more information regarding the purpose of this Tier.

Traceflow

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha1
kind
string
Traceflow
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TraceflowSpec


source
Source
destination
Destination
packet
Packet
liveTraffic
bool

LiveTraffic, when set to true, indicates that the Traceflow traces live traffic rather than an injected packet. The first packet of the first connection that matches the packet spec is traced.

droppedOnly
bool

DroppedOnly indicates that only a dropped packet should be captured in a live-traffic Traceflow.

timeout
uint16

Timeout specifies the timeout of the Traceflow in seconds. Defaults to 20 seconds if not set.

status
TraceflowStatus

AppliedTo

(Appears on: ClusterNetworkPolicySpec, NetworkPolicySpec, Rule)

AppliedTo describes the grouping selector of workloads in AppliedTo field.

FieldDescription
podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods from NetworkPolicy’s Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from NetworkPolicy’s Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

group
string
(Optional)

Group is the name of the ClusterGroup which can be set as an AppliedTo in place of a stand-alone selector. A Group cannot be set with any other selector.

serviceAccount
NamespacedName
(Optional)

Select all Pods with the ServiceAccount matched by this field, as workloads in AppliedTo fields. Cannot be set with any other selector.

service
NamespacedName
(Optional)

Select the Service that matches the NamespacedName. A Service can only be set either in the policy-level AppliedTo field of a policy that has only ingress rules, or in the rule-level AppliedTo field of an ingress rule. Only a NodePort Service can be referenced by this field. Cannot be set with any other selector.

BundleExternalNodes

(Appears on: SupportBundleCollectionSpec)

FieldDescription
namespace
string
nodeNames
[]string
(Optional)

List the names of certain ExternalNodes which are expected to collect and upload bundle files.

nodeSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select certain ExternalNodes which match the label selector.

BundleFileServer

(Appears on: SupportBundleCollectionSpec)

BundleFileServer specifies the bundle file server information.

FieldDescription
url
string

The URL of the bundle file server. It is set with the format scheme://host[:port][/path], e.g. https://api.example.com:8443/v1/supportbundles/. If the scheme is not set, https is used by default.

BundleNodes

(Appears on: SupportBundleCollectionSpec)

FieldDescription
nodeNames
[]string
(Optional)

List the names of certain Nodes which are expected to collect and upload bundle files.

nodeSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select certain Nodes which match the label selector.

BundleServerAuthConfiguration

(Appears on: SupportBundleCollectionSpec)

BundleServerAuthConfiguration defines the authentication parameters that Antrea uses to access the BundleFileServer.

FieldDescription
authType
BundleServerAuthType
authSecret
Kubernetes core/v1.SecretReference

AuthSecret is a Secret reference which stores the authentication value.

BundleServerAuthType (string alias)

(Appears on: BundleServerAuthConfiguration)

BundleServerAuthType defines the authentication type to access the BundleFileServer.

ClusterNetworkPolicySpec

(Appears on: ClusterNetworkPolicy)

ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy.

FieldDescription
tier
string

Tier specifies the tier to which this ClusterNetworkPolicy belongs. The ClusterNetworkPolicy order is determined by the combination of the Tier's Priority and the ClusterNetworkPolicy's own Priority. If not specified, this policy is created in the Application Tier, right above the K8s NetworkPolicy tier, which resides at the bottom.

priority
float64

Priority specifies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select the workloads to which the rules are applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules, evaluated in the order in which they are listed. Currently an ingress Rule supports setting the From field but not the To field.

egress
[]Rule
(Optional)

Set of egress rules, evaluated in the order in which they are listed. Currently an egress Rule supports setting the To field but not the From field.

Destination

(Appears on: TraceflowSpec)

Destination describes the destination spec of the traceflow.

FieldDescription
namespace
string

Namespace is the destination namespace.

pod
string

Pod is the destination Pod, mutually exclusive with the destination Service.

service
string

Service is the destination Service, mutually exclusive with the destination Pod.

ip
string

IP is the destination IPv4 or IPv6 address.

ExternalNodeSpec

(Appears on: ExternalNode)

ExternalNodeSpec defines the desired state for ExternalNode.

FieldDescription
interfaces
[]NetworkInterface

Only one network interface is currently supported. If more than one interface is listed, all interfaces except interfaces[0] are ignored.

HTTPProtocol

(Appears on: L7Protocol)

HTTPProtocol matches HTTP requests with a specific host, method, and path. The fields can be used alone or together. If none of the fields is provided, it matches all HTTP requests.

FieldDescription
host
string

Host represents the hostname present in the URI or the HTTP Host header to match. It does not contain the port associated with the host.

method
string

Method represents the HTTP method to match. It can be one of GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT or PATCH.

path
string

Path represents the URI path to match (Ex. “/index.html”, “/admin”).

ICMPEchoRequestHeader

(Appears on: TransportHeader)

ICMPEchoRequestHeader describes spec of an ICMP echo request header.

FieldDescription
id
int32

ID is the ICMPEchoRequestHeader ID.

sequence
int32

Sequence is the ICMPEchoRequestHeader sequence.

ICMPProtocol

(Appears on: NetworkPolicyProtocol)

ICMPProtocol matches ICMP traffic with a specific ICMPType and/or ICMPCode. The fields can be used alone or together. If neither is provided, this matches all ICMP traffic.

FieldDescription
icmpType
int32
icmpCode
int32

IGMPProtocol

(Appears on: NetworkPolicyProtocol)

IGMPProtocol matches IGMP traffic with IGMPType and GroupAddress. IGMPType must be set to one of: IGMPQuery (0x11), IGMPReportV1 (0x12), IGMPReportV2 (0x16) or IGMPReportV3 (0x22). If groupAddress is empty, all group addresses are matched.

FieldDescription
igmpType
int32
groupAddress
string

IPBlock

(Appears on: NetworkPolicyPeer, GroupSpec, GroupSpec)

IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed or denied to/from the workloads matched by a Spec.AppliedTo.

FieldDescription
cidr
string

CIDR is a string representing the IP Block. A valid example is "192.168.1.1/24".

IPHeader

(Appears on: Packet)

IPHeader describes spec of an IPv4 header.

FieldDescription
srcIP
string

SrcIP is the source IP.

protocol
int32

Protocol is the IP protocol.

ttl
int32

TTL is the IP TTL.

flags
int32

Flags is the IP flags field.

IPv6Header

(Appears on: Packet)

IPv6Header describes spec of an IPv6 header.

FieldDescription
srcIP
string

SrcIP is the source IPv6 address.

nextHeader
int32

NextHeader is the IPv6 protocol.

hopLimit
int32

HopLimit is the IPv6 Hop Limit.

L7Protocol

(Appears on: Rule)

FieldDescription
http
HTTPProtocol
tls
TLSProtocol

NamespaceMatchType (string alias)

(Appears on: PeerNamespaces)

NamespaceMatchType describes Namespace matching strategy.

NamespacedName

(Appears on: AppliedTo, NetworkPolicyPeer, GroupSpec, GroupSpec)

NamespacedName refers to a Namespace scoped resource. All fields must be used together.

FieldDescription
name
string
namespace
string

NetworkInterface

(Appears on: ExternalNodeSpec)

FieldDescription
name
string
ips
[]string

NetworkPolicyCondition

(Appears on: NetworkPolicyStatus)

NetworkPolicyCondition describes the state of a NetworkPolicy at a certain point.

FieldDescription
type
NetworkPolicyConditionType

Type of NetworkPolicy condition.

status
Kubernetes meta/v1.ConditionStatus

Status of the condition, one of True, False, Unknown.

lastTransitionTime
Kubernetes meta/v1.Time
(Optional)

Last time the condition transitioned from one status to another.

reason
string
(Optional)

The reason for the condition’s last transition.

message
string
(Optional)

A human-readable message indicating details about the transition.

NetworkPolicyConditionType (string alias)

(Appears on: NetworkPolicyCondition)

NetworkPolicyConditionType describes the condition types of NetworkPolicies.

NetworkPolicyPeer

(Appears on: Rule)

NetworkPolicyPeer describes the grouping selector of workloads.

FieldDescription
ipBlock
IPBlock
(Optional)

IPBlock describes the IP addresses/IP blocks that are matched in To/From. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.

podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods from NetworkPolicy’s Namespace as workloads in To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.

namespaces
PeerNamespaces
(Optional)

Select Pods/ExternalEntities from Namespaces matched by specific criteria. The currently supported criterion is match: Self, which selects from the same Namespace as the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when the NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from NetworkPolicy’s Namespace as workloads in To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

group
string

Group is the name of a ClusterGroup, which can be set within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector.

fqdn
string

Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for the NetworkPolicyPeer of egress rules. Supported formats are exact FQDNs, e.g. “google.com” or “db-svc.default.svc.cluster.local”, and wildcard expressions, e.g. “*wayfair.com”.

serviceAccount
NamespacedName
(Optional)

Select all Pods with the ServiceAccount matched by this field, as workloads in To/From fields. Cannot be set with any other selector.

nodeSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select certain Nodes which match the label selector. A NodeSelector cannot be set in AppliedTo field or set with any other selector.

scope
PeerScope
(Optional)

Defines the scope of the Pod/NamespaceSelector(s) of this peer. Can only be used in ingress NetworkPolicyPeers. Defaults to “Cluster”.

NetworkPolicyPhase (string alias)

(Appears on: NetworkPolicyStatus)

NetworkPolicyPhase defines the phase in which a NetworkPolicy is.

NetworkPolicyPort

(Appears on: Rule)

NetworkPolicyPort describes the port and protocol to match in a rule.

FieldDescription
protocol
Kubernetes core/v1.Protocol
(Optional)

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

port
k8s.io/apimachinery/pkg/util/intstr.IntOrString
(Optional)

The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.

endPort
int32
(Optional)

EndPort defines the end of the port range, inclusive. It can only be specified when a numerical port is specified.

sourcePort
int32
(Optional)

The source port on the given protocol. This can only be a numerical port. If this field is not provided, rule matches all source ports.

sourceEndPort
int32
(Optional)

SourceEndPort defines the end of the source port range, inclusive. It can only be specified when sourcePort is specified.
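How the NetworkPolicyPort constraints above combine when an entry is validated and then matched against a flow, as an added Go example that is not Antrea's own code: the IntOrString type stands in for k8s.io/apimachinery's intstr.IntOrString so the block runs without the Kubernetes module, and the namedPorts map models the Pod port names an agent would resolve from the Pod spec (both are assumptions of this example).

```go
package main

import (
	"errors"
	"fmt"
)

// IntOrString stands in for k8s.io/apimachinery/pkg/util/intstr.IntOrString
// (assumption made for this example so it runs without the Kubernetes module).
type IntOrString struct {
	IsString bool
	IntVal   int32
	StrVal   string
}

// NetworkPolicyPort mirrors the documented fields; nil pointers model "(Optional)".
type NetworkPolicyPort struct {
	Protocol      string // TCP, UDP or SCTP; empty defaults to TCP
	Port          *IntOrString
	EndPort       *int32
	SourcePort    *int32
	SourceEndPort *int32
}

// effectiveProtocol applies the documented default of TCP.
func (p NetworkPolicyPort) effectiveProtocol() string {
	if p.Protocol == "" {
		return "TCP"
	}
	return p.Protocol
}

// Validate enforces the constraints stated in the field descriptions: endPort
// requires a numerical port, sourceEndPort requires sourcePort, and the protocol
// must be TCP, UDP or SCTP. Requiring the end of a range not to precede its
// start is an extra check assumed here, not stated on the page.
func (p NetworkPolicyPort) Validate() error {
	switch p.effectiveProtocol() {
	case "TCP", "UDP", "SCTP":
	default:
		return fmt.Errorf("unsupported protocol %q", p.Protocol)
	}
	if p.EndPort != nil {
		if p.Port == nil || p.Port.IsString {
			return errors.New("endPort can only be set with a numerical port")
		}
		if *p.EndPort < p.Port.IntVal {
			return errors.New("endPort must not be smaller than port")
		}
	}
	if p.SourceEndPort != nil {
		if p.SourcePort == nil {
			return errors.New("sourceEndPort can only be set with sourcePort")
		}
		if *p.SourceEndPort < *p.SourcePort {
			return errors.New("sourceEndPort must not be smaller than sourcePort")
		}
	}
	return nil
}

// inRange reports whether v lies in [start, end]; a nil end means a single port.
func inRange(v, start int32, end *int32) bool {
	if end == nil {
		return v == start
	}
	return v >= start && v <= *end
}

// Matches reports whether a flow with the given protocol, source port and
// destination port matches this entry. namedPorts maps the destination Pod's
// named ports to numbers (constructed input for the example). An unset port
// matches every destination port; an unset sourcePort matches every source
// port; a named port that cannot be resolved on the Pod matches nothing.
func (p NetworkPolicyPort) Matches(protocol string, srcPort, dstPort int32, namedPorts map[string]int32) bool {
	if protocol != p.effectiveProtocol() {
		return false
	}
	if p.Port != nil {
		if p.Port.IsString {
			num, ok := namedPorts[p.Port.StrVal]
			if !ok || num != dstPort {
				return false
			}
		} else if !inRange(dstPort, p.Port.IntVal, p.EndPort) {
			return false
		}
	}
	if p.SourcePort != nil && !inRange(srcPort, *p.SourcePort, p.SourceEndPort) {
		return false
	}
	return true
}

// int32Ptr is a small helper for building optional fields.
func int32Ptr(v int32) *int32 { return &v }
```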

NetworkPolicyProtocol

(Appears on: Rule)

NetworkPolicyProtocol defines additional protocols that are not supported by ports. All fields should be used as a standalone field.

FieldDescription
icmp
ICMPProtocol
igmp
IGMPProtocol

NetworkPolicySpec

(Appears on: NetworkPolicy)

NetworkPolicySpec defines the desired state for NetworkPolicy.

FieldDescription
tier
string

Tier specifies the tier to which this NetworkPolicy belongs. The NetworkPolicy order will be determined based on the combination of the Tier’s Priority and the NetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier, right above the K8s NetworkPolicies, which reside at the bottom.

priority
float64

Priority specifies the order of the NetworkPolicy relative to other NetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select workloads to which the rules will be applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules evaluated in the order in which they are set. Currently an Ingress rule supports setting the From field but not the To field within a Rule.

egress
[]Rule
(Optional)

Set of egress rules evaluated in the order in which they are set. Currently an Egress rule supports setting the To field but not the From field within a Rule.

NetworkPolicyStatus

(Appears on: ClusterNetworkPolicy, NetworkPolicy)

NetworkPolicyStatus represents information about the status of a NetworkPolicy.

FieldDescription
phase
NetworkPolicyPhase

The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy’s status.

observedGeneration
int64

The generation observed by Antrea.

currentNodesRealized
int32

The number of nodes that have realized the NetworkPolicy.

desiredNodesRealized
int32

The total number of nodes that should realize the NetworkPolicy.

conditions
[]NetworkPolicyCondition

Represents the latest available observations of a NetworkPolicy’s current state.

NodeResult

(Appears on: TraceflowStatus)

FieldDescription
node
string

Node is the node of the observation.

role
string

Role of the node, e.g. sender or receiver.

timestamp
int64

Timestamp is the timestamp of the observations on the node.

observations
[]Observation

Observations includes all observations from sender nodes, receiver nodes, etc.

Observation

(Appears on: NodeResult)

Observation describes an observation made on a sender node or a receiver node.

FieldDescription
component
TraceflowComponent

Component is the observation component.

componentInfo
string

ComponentInfo is the extension of Component field.

action
TraceflowAction

Action is the action associated with the observation.

pod
string

Pod is the combination of Pod name and Pod Namespace.

dstMAC
string

DstMAC is the destination MAC.

networkPolicy
string

NetworkPolicy is the combination of Namespace and NetworkPolicyName.

egress
string

Egress is the name of the Egress.

ttl
int32

TTL is the observation TTL.

translatedSrcIP
string

TranslatedSrcIP is the translated source IP.

translatedDstIP
string

TranslatedDstIP is the translated destination IP.

tunnelDstIP
string

TunnelDstIP is the tunnel destination IP.

egressIP
string

Packet

(Appears on: TraceflowSpec, TraceflowStatus)

Packet includes header info.

FieldDescription
srcIP
string
dstIP
string
length
uint16

Length is the IP packet length (includes the IPv4 or IPv6 header length).

ipHeader
IPHeader

TODO: change type IPHeader to *IPHeader and correct all internal references

ipv6Header
IPv6Header
transportHeader
TransportHeader

PeerNamespaces

(Appears on: NetworkPolicyPeer)

FieldDescription
match
NamespaceMatchType

PeerScope (string alias)

(Appears on: NetworkPolicyPeer, PeerService)

PeerService

(Appears on: Rule)

PeerService refers to a Service, which can be an in-cluster Service or an imported multi-cluster Service.

FieldDescription
name
string
namespace
string
scope
PeerScope

Rule

(Appears on: ClusterNetworkPolicySpec, NetworkPolicySpec)

Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic that exactly matches the specified ports and protocol is either allowed or denied.

FieldDescription
action
RuleAction

Action specifies the action to be applied on the rule.

ports
[]NetworkPolicyPort
(Optional)

Set of ports and protocols matched by the rule. If this field and Protocols are unset or empty, this rule matches all ports.

protocols
[]NetworkPolicyProtocol
(Optional)

Set of protocols matched by the rule. If this field and Ports are unset or empty, this rule matches all protocols supported.

l7Protocols
[]L7Protocol

Set of layer 7 protocols matched by the rule. If this field is set, action can only be Allow. When this field is used in a rule, any traffic matching the other layer 3/4 criteria of the rule (typically the 5-tuple) will be forwarded to an application-aware engine for protocol detection and rule enforcement, and the traffic will be allowed if the layer 7 criteria are also matched, otherwise it will be dropped. Therefore, any rules after a layer 7 rule will not be enforced for the traffic.

from
[]NetworkPolicyPeer
(Optional)

Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.

to
[]NetworkPolicyPeer
(Optional)

Rule is matched if traffic is intended for workloads selected by this field. This field can’t be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations.

toServices
[]PeerService
(Optional)

Rule is matched if traffic is intended for a Service listed in this field. Currently, only ClusterIP type Services are supported in this field. When scope is set to ClusterSet, it matches traffic intended for a multi-cluster Service listed in this field. The Service name and Namespace provided should match the original exported Service. This field can only be used when AntreaProxy is enabled. This field can’t be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations.

name
string
(Optional)

Name describes the intention of this rule. Name should be unique within the policy.

enableLogging
bool
(Optional)

EnableLogging indicates whether the agent should generate logs when rules are matched. Defaults to false.

logLabel
string
(Optional)

LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs.

appliedTo
[]AppliedTo
(Optional)

Select workloads to which this rule will be applied. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.

RuleAction (string alias)

(Appears on: Rule)

RuleAction describes the action to be applied on traffic matching a rule.

Source

(Appears on: TraceflowSpec)

Source describes the source spec of the traceflow.

FieldDescription
namespace
string

Namespace is the source namespace.

pod
string

Pod is the source pod.

ip
string

IP is the source IPv4 or IPv6 address. IP as the source is supported only for live-traffic Traceflow.

SupportBundleCollectionCondition

(Appears on: SupportBundleCollectionStatus)

SupportBundleCollectionCondition describes the state of a SupportBundleCollection at a certain point.

FieldDescription
type
SupportBundleCollectionConditionType

Type of SupportBundleCollection condition.

status
Kubernetes meta/v1.ConditionStatus

Status of the condition, one of True, False, Unknown.

lastTransitionTime
Kubernetes meta/v1.Time
(Optional)

Last time the condition transitioned from one status to another.

reason
string
(Optional)

The reason for the condition’s last transition.

message
string
(Optional)

A human-readable message indicating details about the transition.

SupportBundleCollectionConditionType (string alias)

(Appears on: SupportBundleCollectionCondition)

SupportBundleCollectionSpec

(Appears on: SupportBundleCollection)

FieldDescription
nodes
BundleNodes
externalNodes
BundleExternalNodes
expirationMinutes
int32

ExpirationMinutes is the requested duration of validity of the SupportBundleCollection. A SupportBundleCollection will be marked as Failed if it does not finish before expiration. Default is 60.

sinceTime
string

SinceTime specifies a relative time before the current time from which to collect logs. Valid values look like: 1d, 2h, 30m.

fileServer
BundleFileServer
authentication
BundleServerAuthConfiguration

SupportBundleCollectionStatus

(Appears on: SupportBundleCollection)

FieldDescription
collectedNodes
int32

The number of Nodes and ExternalNodes that have completed the SupportBundleCollection.

desiredNodes
int32

The total number of Nodes and ExternalNodes that should process the SupportBundleCollection.

conditions
[]SupportBundleCollectionCondition

Represents the latest available observations of a SupportBundleCollection’s current state.

TCPHeader

(Appears on: TransportHeader)

TCPHeader describes spec of a TCP header.

FieldDescription
srcPort
int32

SrcPort is the source port.

dstPort
int32

DstPort is the destination port.

flags
int32

Flags are flags in the header.

TLSProtocol

(Appears on: L7Protocol)

TLSProtocol matches TLS handshake packets with specific SNI. If the field is not provided, this matches all TLS handshake packets.

FieldDescription
sni
string

SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message.

TierSpec

(Appears on: Tier)

TierSpec defines the desired state for Tier.

FieldDescription
priority
int32

Priority specifies the order of the Tier relative to other Tiers.

description
string

Description is an optional field to add more information regarding the purpose of this Tier.

TraceflowAction (string alias)

(Appears on: Observation)

TraceflowComponent (string alias)

(Appears on: Observation)

TraceflowPhase (string alias)

(Appears on: TraceflowStatus)

TraceflowSpec

(Appears on: Traceflow)

TraceflowSpec describes the spec of the traceflow.

FieldDescription
source
Source
destination
Destination
packet
Packet
liveTraffic
bool

LiveTraffic, when set to true, indicates that the Traceflow traces live traffic rather than an injected packet. The first packet of the first connection that matches the packet spec will be traced.

droppedOnly
bool

DroppedOnly indicates that only dropped packets should be captured in a live-traffic Traceflow.

timeout
uint16

Timeout specifies the timeout of the Traceflow in seconds. Defaults to 20 seconds if not set.

TraceflowStatus

(Appears on: Traceflow)

TraceflowStatus describes current status of the traceflow.

FieldDescription
phase
TraceflowPhase

Phase is the Traceflow phase.

reason
string

Reason is a message indicating the reason of the traceflow’s current phase.

startTime
Kubernetes meta/v1.Time

StartTime is the time at which the Traceflow was started by the Antrea Controller. Before K8s v1.20, null values (field not set) are not pruned, and a CR where a metav1.Time field is not set would fail OpenAPI validation (type string). The recommendation seems to be to use a pointer instead, and the field will be omitted when serializing. See https://github.com/kubernetes/kubernetes/issues/86811

dataplaneTag
byte

DataplaneTag is a tag to identify a traceflow session across Nodes.

results
[]NodeResult

Results is the collection of all observations on different nodes.

capturedPacket
Packet

CapturedPacket is the captured packet in live-traffic Traceflow.

TransportHeader

(Appears on: Packet)

TransportHeader describes spec of a TransportHeader.

FieldDescription
icmp
ICMPEchoRequestHeader
udp
UDPHeader
tcp
TCPHeader

UDPHeader

(Appears on: TransportHeader)

UDPHeader describes spec of a UDP header.

FieldDescription
srcPort
int32

SrcPort is the source port.

dstPort
int32

DstPort is the destination port.


crd.antrea.io/v1alpha2

Resource Types:

ClusterGroup

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha2
kind
string
ClusterGroup
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GroupSpec

Desired state of the group.



podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlock
IPBlock
(Optional)

IPBlock describes the IPAddresses/IPBlocks that are matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference. Cannot be set with IPBlocks.

ipBlocks
[]IPBlock
(Optional)

IPBlocks is a list of IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference. Cannot be set with IPBlock.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

status
GroupStatus

Most recently observed status of the group.

Egress

Egress defines which egress (SNAT) IP the traffic from the selected Pods to the external network should use.

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha2
kind
string
Egress
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
EgressSpec

Specification of the desired behavior of Egress.



appliedTo
AppliedTo

AppliedTo selects Pods to which the Egress will be applied.

egressIP
string

EgressIP specifies the SNAT IP address for the selected workloads. If ExternalIPPool is empty, it must be specified manually. If ExternalIPPool is non-empty, it can be empty and will be assigned by Antrea automatically. If both ExternalIPPool and EgressIP are non-empty, the IP must be in the pool.

egressIPs
[]string

EgressIPs specifies multiple SNAT IP addresses for the selected workloads. Cannot be set with EgressIP.

externalIPPool
string

ExternalIPPool specifies the IP Pool that the EgressIP should be allocated from. If it is empty, the specified EgressIP must be assigned to a Node manually. If it is non-empty, the EgressIP will be assigned to a Node specified by the pool automatically and will fail over to a different Node when the Node becomes unreachable.

externalIPPools
[]string

ExternalIPPools specifies multiple unique IP Pools that the EgressIPs should be allocated from. Entries with the same index in EgressIPs and ExternalIPPools are correlated. Cannot be set with ExternalIPPool.

status
EgressStatus

EgressStatus represents the current status of an Egress.

ExternalEntity

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha2
kind
string
ExternalEntity
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ExternalEntitySpec

Desired state of the external entity.



endpoints
[]Endpoint

Endpoints is a list of external endpoints associated with this entity.

ports
[]NamedPort

Ports maintain the list of named ports.

externalNode
string

ExternalNode is the opaque identifier of the agent/controller responsible for additional processing or handling of this external entity.

ExternalIPPool

ExternalIPPool defines one or multiple IP sets that can be used in the external network. For instance, the IPs can be allocated to the Egress resources as the Egress IPs.

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha2
kind
string
ExternalIPPool
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ExternalIPPoolSpec

Specification of the ExternalIPPool.



ipRanges
[]IPRange

The IP ranges of this IP pool, e.g. 10.10.0.0/24, 10.10.10.2-10.10.10.20, 10.10.10.30-10.10.10.30.

nodeSelector
Kubernetes meta/v1.LabelSelector

The Nodes that the external IPs can be assigned to. If empty, it means all Nodes.

status
ExternalIPPoolStatus

The current status of the ExternalIPPool.

IPPool

IPPool defines one or multiple IP sets that can be used for flexible IPAM feature. For instance, the IPs can be allocated to Pods according to IP pool specified in Deployment annotation.

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha2
kind
string
IPPool
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
IPPoolSpec

Specification of the IPPool.



ipVersion
IPVersion

IP version for this IP pool: either 4 or 6.

ipRanges
[]SubnetIPRange

List IP ranges, along with subnet definition.

status
IPPoolStatus

Most recently observed status of the pool.

TrafficControl

TrafficControl allows mirroring or redirecting the traffic Pods send or receive. It enables users to monitor and analyze Pod traffic, and to enforce custom network protections for Pods with fine-grained control over network traffic.

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha2
kind
string
TrafficControl
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TrafficControlSpec

Specification of the desired behavior of TrafficControl.



appliedTo
AppliedTo

AppliedTo selects Pods to which the traffic control configuration will be applied.

direction
Direction

The direction of traffic that should be matched. It can be Ingress, Egress, or Both.

action
TrafficControlAction

The action that should be taken for the traffic. It can be Redirect or Mirror.

targetPort
TrafficControlPort

The port to which the traffic should be redirected or mirrored.

returnPort
TrafficControlPort

The port from which the traffic will be sent back to OVS. It should only be set for Redirect action.

AppliedTo

(Appears on: EgressSpec, TrafficControlSpec)

AppliedTo selects the entities to which a policy is applied.

FieldDescription
podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matched by this selector. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector; otherwise, Pods are matched from all Namespaces.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector.

groups
[]string
(Optional)

Groups is the set of ClusterGroup names.

ClusterGroupReference (string alias)

(Appears on: GroupSpec)

ClusterGroupReference represents a reference to a ClusterGroup.

Direction (string alias)

(Appears on: TrafficControlSpec)

ERSPANTunnel

(Appears on: TrafficControlPort)

ERSPANTunnel represents an ERSPAN tunnel. Antrea will create a port on the OVS bridge for the tunnel.

FieldDescription
remoteIP
string

The remote IP of the tunnel.

sessionID
int32

ERSPAN session ID.

version
int32

ERSPAN version.

index
int32

ERSPAN Index.

dir
int32

ERSPAN v2 mirrored traffic’s direction.

hardwareID
int32

ERSPAN hardware ID.

EgressSpec

(Appears on: Egress)

EgressSpec defines the desired state for Egress.

FieldDescription
appliedTo
AppliedTo

AppliedTo selects Pods to which the Egress will be applied.

egressIP
string

EgressIP specifies the SNAT IP address for the selected workloads. If ExternalIPPool is empty, it must be specified manually. If ExternalIPPool is non-empty, it can be empty and will be assigned by Antrea automatically. If both ExternalIPPool and EgressIP are non-empty, the IP must be in the pool.

egressIPs
[]string

EgressIPs specifies multiple SNAT IP addresses for the selected workloads. Cannot be set with EgressIP.

externalIPPool
string

ExternalIPPool specifies the IP Pool that the EgressIP should be allocated from. If it is empty, the specified EgressIP must be assigned to a Node manually. If it is non-empty, the EgressIP will be assigned to a Node specified by the pool automatically and will fail over to a different Node when the Node becomes unreachable.

externalIPPools
[]string

ExternalIPPools specifies multiple unique IP Pools that the EgressIPs should be allocated from. Entries with the same index in EgressIPs and ExternalIPPools are correlated. Cannot be set with ExternalIPPool.

EgressStatus

(Appears on: Egress)

EgressStatus represents the current status of an Egress.

FieldDescription
egressNode
string

The name of the Node that holds the Egress IP.

egressIP
string

EgressIP indicates the effective Egress IP for the selected workloads. It could be empty if the Egress IP in spec is not assigned to any Node. It is also useful when more than one Egress IP is specified in spec.

Endpoint

(Appears on: ExternalEntitySpec)

Endpoint refers to an endpoint associated with the ExternalEntity.

FieldDescription
ip
string

IP associated with this endpoint.

name
string
(Optional)

Name identifies this endpoint. Could be the network interface name in case of VMs.

ExternalEntitySpec

(Appears on: ExternalEntity)

ExternalEntitySpec defines the desired state for ExternalEntity.

FieldDescription
endpoints
[]Endpoint

Endpoints is a list of external endpoints associated with this entity.

ports
[]NamedPort

Ports maintain the list of named ports.

externalNode
string

ExternalNode is the opaque identifier of the agent/controller responsible for additional processing or handling of this external entity.

ExternalIPPoolSpec

(Appears on: ExternalIPPool)

FieldDescription
ipRanges
[]IPRange

The IP ranges of this IP pool, e.g. 10.10.0.0/24, 10.10.10.2-10.10.10.20, 10.10.10.30-10.10.10.30.

nodeSelector
Kubernetes meta/v1.LabelSelector

The Nodes that the external IPs can be assigned to. If empty, it means all Nodes.

ExternalIPPoolStatus

(Appears on: ExternalIPPool)

FieldDescription
usage
IPPoolUsage

GRETunnel

(Appears on: TrafficControlPort)

GRETunnel represents a GRE tunnel. Antrea will create a port on the OVS bridge for the tunnel.

FieldDescription
remoteIP
string

The remote IP of the tunnel.

key
int32

GRE key.

GroupCondition

(Appears on: GroupStatus)

FieldDescription
type
GroupConditionType
status
Kubernetes core/v1.ConditionStatus
lastTransitionTime
Kubernetes meta/v1.Time

GroupConditionType (string alias)

(Appears on: GroupCondition)

GroupSpec

(Appears on: ClusterGroup)

FieldDescription
podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlock
IPBlock
(Optional)

IPBlock describes the IPAddresses/IPBlocks that are matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference. Cannot be set with IPBlocks.

ipBlocks
[]IPBlock
(Optional)

IPBlocks is a list of IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference. Cannot be set with IPBlock.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

GroupStatus

(Appears on: ClusterGroup)

GroupStatus represents information about the status of a Group.

FieldDescription
conditions
[]GroupCondition

IPAddressOwner

(Appears on: IPAddressState)

FieldDescription
pod
PodOwner
statefulSet
StatefulSetOwner

IPAddressPhase (string alias)

(Appears on: IPAddressState)

IPAddressState

(Appears on: IPPoolStatus)

FieldDescription
ipAddress
string

IP address this entry is tracking.

phase
IPAddressPhase

Allocation state: either Allocated or Preallocated.

owner
IPAddressOwner

Owner this IP address is allocated to.

IPPoolSpec

(Appears on: IPPool)

FieldDescription
ipVersion
IPVersion

IP version for this IP pool: either 4 or 6.

ipRanges
[]SubnetIPRange

List IP ranges, along with subnet definition.

IPPoolStatus

(Appears on: IPPool)

FieldDescription
ipAddresses
[]IPAddressState
usage
IPPoolUsage

IPPoolUsage

(Appears on: ExternalIPPoolStatus, IPPoolStatus)

FieldDescription
total
int

Total number of IPs.

used
int

Number of allocated IPs.

IPRange

(Appears on: ExternalIPPoolSpec, SubnetIPRange)

IPRange is a set of contiguous IP addresses, represented by a CIDR or a pair of start and end IPs.

FieldDescription
cidr
string

The CIDR of this range, e.g. 10.10.10.0/24.

start
string

The start IP of the range, e.g. 10.10.20.5, inclusive.

end
string

The end IP of the range, e.g. 10.10.20.20, inclusive.
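An added Go example, not Antrea's own code, that validates an IPRange as documented here (a CIDR, or an inclusive start/end pair of one IP family, never both) and sums range sizes the way an IPPoolUsage total would; the three ranges quoted in the ExternalIPPoolSpec ipRanges description are the constructed input, and the IPRange struct is defined locally rather than imported from the project.

```go
package main

import (
	"errors"
	"fmt"
	"math/big"
	"net/netip"
)

// IPRange mirrors the documented fields (defined here for the example).
type IPRange struct {
	CIDR  string
	Start string
	End   string
}

// addrToBig and bigToAddr route addresses through math/big so the same
// arithmetic covers IPv4 and IPv6 without overflow. IPv4 addresses travel
// in their 16-byte mapped form and are unmapped on the way back.
func addrToBig(a netip.Addr) *big.Int {
	b := a.As16()
	return new(big.Int).SetBytes(b[:])
}

func bigToAddr(n *big.Int, is4 bool) netip.Addr {
	var b [16]byte
	n.FillBytes(b[:])
	a := netip.AddrFrom16(b)
	if is4 {
		return a.Unmap()
	}
	return a
}

// Bounds validates the range and returns its first and last address, inclusive.
// cidr and start/end are mutually exclusive, start and end must share an IP
// family, and end must not precede start (the last check is assumed here).
func (r IPRange) Bounds() (first, last netip.Addr, err error) {
	if r.CIDR != "" {
		if r.Start != "" || r.End != "" {
			return first, last, errors.New("cidr cannot be combined with start/end")
		}
		p, perr := netip.ParsePrefix(r.CIDR)
		if perr != nil {
			return first, last, perr
		}
		p = p.Masked() // a CIDR with host bits set still denotes the whole block
		first = p.Addr()
		span := new(big.Int).Lsh(big.NewInt(1), uint(first.BitLen()-p.Bits())) // 2^hostBits
		n := new(big.Int).Add(addrToBig(first), span)
		return first, bigToAddr(n.Sub(n, big.NewInt(1)), first.Is4()), nil
	}
	if r.Start == "" || r.End == "" {
		return first, last, errors.New("both start and end are required")
	}
	if first, err = netip.ParseAddr(r.Start); err != nil {
		return first, last, err
	}
	if last, err = netip.ParseAddr(r.End); err != nil {
		return first, last, err
	}
	if first.Is4() != last.Is4() {
		return first, last, errors.New("start and end must be of the same IP family")
	}
	if first.Compare(last) > 0 {
		return first, last, fmt.Errorf("start %s is after end %s", first, last)
	}
	return first, last, nil
}

// Size returns the number of addresses in the range.
func (r IPRange) Size() (*big.Int, error) {
	first, last, err := r.Bounds()
	if err != nil {
		return nil, err
	}
	n := new(big.Int).Sub(addrToBig(last), addrToBig(first))
	return n.Add(n, big.NewInt(1)), nil
}

// PoolTotal sums the sizes of an ipRanges list, i.e. the pool's total IPs.
func PoolTotal(ranges []IPRange) (*big.Int, error) {
	total := new(big.Int)
	for i, r := range ranges {
		n, err := r.Size()
		if err != nil {
			return nil, fmt.Errorf("ipRanges[%d]: %w", i, err)
		}
		total.Add(total, n)
	}
	return total, nil
}
```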

IPVersion (int alias)

(Appears on: IPPoolSpec)

NamedPort

(Appears on: ExternalEntitySpec)

NamedPort describes the port and protocol to match in a rule.

FieldDescription
protocol
Kubernetes core/v1.Protocol
(Optional)

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

port
int32
(Optional)

The port on the given protocol.

name
string
(Optional)

Name associated with the Port.

NetworkDevice

(Appears on: TrafficControlPort)

NetworkDevice represents a network device. It must exist on all Nodes. Antrea will attach it to the OVS bridge if it is not attached.

FieldDescription
name
string

The name of the network device.

OVSInternalPort

(Appears on: TrafficControlPort)

OVSInternalPort represents an OVS internal port. Antrea will create the port if it doesn’t exist.

FieldDescription
name
string

The name of the OVS internal port.

PodOwner

(Appears on: IPAddressOwner)

Pod owner

FieldDescription
name
string
namespace
string
containerID
string
ifName
string

Network interface name. Used when the IP is allocated for a secondary network interface of the Pod.

StatefulSetOwner

(Appears on: IPAddressOwner)

StatefulSet owner

FieldDescription
name
string
namespace
string
index
int

SubnetIPRange

(Appears on: IPPoolSpec)

SubnetIPRange is a set of contiguous IP addresses, represented by a CIDR or a pair of start and end IPs, along with subnet definition.

FieldDescription
IPRange
IPRange

(Members of IPRange are embedded into this type.)

SubnetInfo
SubnetInfo

(Members of SubnetInfo are embedded into this type.)

SubnetInfo

(Appears on: SubnetIPRange)

SubnetInfo specifies subnet attributes for an IP range.

FieldDescription
gateway
string

Gateway IP for this subnet, e.g. 10.10.1.1.

prefixLength
int32

Prefix length for the subnet, e.g. 24.

vlan
uint16

VLAN ID for this subnet. Default is 0. Valid values are 0 to 4094.

TrafficControlAction (string alias)

(Appears on: TrafficControlSpec)

TrafficControlPort

(Appears on: TrafficControlSpec)

TrafficControlPort represents a port that can be used as the target of traffic mirroring or redirecting, and the return port of traffic redirecting.

FieldDescription
ovsInternal
OVSInternalPort

OVSInternal represents an OVS internal port.

device
NetworkDevice

Device represents a network device.

geneve
UDPTunnel

GENEVE represents a GENEVE tunnel.

vxlan
UDPTunnel

VXLAN represents a VXLAN tunnel.

gre
GRETunnel

GRE represents a GRE tunnel.

erspan
ERSPANTunnel

ERSPAN represents an ERSPAN tunnel.

TrafficControlSpec

(Appears on: TrafficControl)

FieldDescription
appliedTo
AppliedTo

AppliedTo selects Pods to which the traffic control configuration will be applied.

direction
Direction

The direction of traffic that should be matched. It can be Ingress, Egress, or Both.

action
TrafficControlAction

The action that should be taken for the traffic. It can be Redirect or Mirror.

targetPort
TrafficControlPort

The port to which the traffic should be redirected or mirrored.

returnPort
TrafficControlPort

The port from which the traffic will be sent back to OVS. It should only be set for Redirect action.

UDPTunnel

(Appears on: TrafficControlPort)

UDPTunnel represents a UDP-based tunnel. Antrea will create a port on the OVS bridge for the tunnel.

FieldDescription
remoteIP
string

The remote IP of the tunnel.

vni
int32

The ID of the tunnel.

destinationPort
int32

The transport layer destination port of the tunnel. If not specified, the IANA-assigned port will be used, i.e. 4789 for VXLAN and 6081 for GENEVE.

WebhookImpl

WebhookImpl implements the webhook validator for a resource.


crd.antrea.io/v1alpha3

Resource Types:

ClusterGroup

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha3
kind
string
ClusterGroup
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GroupSpec

Desired state of the group.



podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlocks
[]IPBlock
(Optional)

IPBlocks describe the IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

status
GroupStatus

Most recently observed status of the group.

Group

Group can be used in AntreaNetworkPolicies. When used with AppliedTo, it cannot include NamespaceSelector; otherwise Antrea will not realize the NetworkPolicy or rule and will only update the NetworkPolicy Status as “Unrealizable”.

FieldDescription
apiVersion
string
crd.antrea.io/v1alpha3
kind
string
Group
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GroupSpec

Desired state of the group.



podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlocks
[]IPBlock
(Optional)

IPBlocks describe the IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

status
GroupStatus

Most recently observed status of the group.

ClusterGroupReference (string alias)

(Appears on: GroupSpec)

ClusterGroupReference represents a reference to a ClusterGroup.

GroupCondition

(Appears on: GroupStatus)

FieldDescription
type
GroupConditionType
status
Kubernetes core/v1.ConditionStatus
lastTransitionTime
Kubernetes meta/v1.Time

GroupConditionType (string alias)

(Appears on: GroupCondition)

GroupSpec

(Appears on: ClusterGroup, Group)

FieldDescription
podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlocks
[]IPBlock
(Optional)

IPBlocks describe the IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

GroupStatus

(Appears on: ClusterGroup, Group)

GroupStatus represents information about the status of a Group.

FieldDescription
conditions
[]GroupCondition

crd.antrea.io/v1beta1

Resource Types:

AntreaAgentInfo

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
AntreaAgentInfo
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
version
string

Antrea binary version

podRef
Kubernetes core/v1.ObjectReference

The Pod that Antrea Agent is running in

nodeRef
Kubernetes core/v1.ObjectReference

The Node that Antrea Agent is running in

nodeSubnets
[]string

Node subnets

ovsInfo
OVSInfo

OVS Information

networkPolicyControllerInfo
NetworkPolicyControllerInfo

Antrea Agent NetworkPolicy information

localPodNum
int32

The number of Pods which the agent is in charge of

agentConditions
[]AgentCondition

Agent condition contains types like AgentHealthy

apiPort
int

The port of Antrea Agent API Server

apiCABundle
[]byte

APICABundle is a PEM encoded CA bundle which can be used to validate the Antrea Agent API server’s certificate.

nodePortLocalPortRange
string

The port range used by NodePortLocal

AntreaControllerInfo

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
AntreaControllerInfo
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
version
string

Antrea binary version

podRef
Kubernetes core/v1.ObjectReference

The Pod that Antrea Controller is running in

nodeRef
Kubernetes core/v1.ObjectReference

The Node that Antrea Controller is running in

serviceRef
Kubernetes core/v1.ObjectReference

Antrea Controller Service

networkPolicyControllerInfo
NetworkPolicyControllerInfo

Antrea Controller NetworkPolicy information

connectedAgentNum
int32

Number of agents which are connected to this controller

controllerConditions
[]ControllerCondition

Controller condition contains types like ControllerHealthy

apiPort
int

The port of the Antrea Controller API server

ClusterGroup

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
ClusterGroup
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GroupSpec

Desired state of the group.



podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlocks
[]IPBlock
(Optional)

IPBlocks describe the IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

status
GroupStatus

Most recently observed status of the group.

ClusterNetworkPolicy

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
ClusterNetworkPolicy
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ClusterNetworkPolicySpec

Specification of the desired behavior of ClusterNetworkPolicy.



tier
string

Tier specifies the tier to which this ClusterNetworkPolicy belongs. The ClusterNetworkPolicy order will be determined based on the combination of the Tier’s Priority and the ClusterNetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier, right above the K8s NetworkPolicy which resides at the bottom.

priority
float64

Priority specifies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select workloads to which the rules will be applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

egress
[]Rule
(Optional)

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

status
NetworkPolicyStatus

Most recently observed status of the NetworkPolicy.

Egress

Egress defines which egress (SNAT) IP the traffic from the selected Pods to the external network should use.

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
Egress
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
EgressSpec

Specification of the desired behavior of Egress.



appliedTo
AppliedTo

AppliedTo selects Pods to which the Egress will be applied.

egressIP
string

EgressIP specifies the SNAT IP address for the selected workloads. If ExternalIPPool is empty, it must be specified manually. If ExternalIPPool is non-empty, it can be empty and will be assigned by Antrea automatically. If both ExternalIPPool and EgressIP are non-empty, the IP must be in the pool.

egressIPs
[]string

EgressIPs specifies multiple SNAT IP addresses for the selected workloads. Cannot be set with EgressIP.

externalIPPool
string

ExternalIPPool specifies the IP Pool that the EgressIP should be allocated from. If it is empty, the specified EgressIP must be assigned to a Node manually. If it is non-empty, the EgressIP will be assigned automatically to a Node selected by the pool and will fail over to a different Node when that Node becomes unreachable.

externalIPPools
[]string

ExternalIPPools specifies multiple unique IP Pools that the EgressIPs should be allocated from. Entries with the same index in EgressIPs and ExternalIPPools are correlated. Cannot be set with ExternalIPPool.

status
EgressStatus

EgressStatus represents the current status of an Egress.

ExternalIPPool

ExternalIPPool defines one or multiple IP sets that can be used in the external network. For instance, the IPs can be allocated to the Egress resources as the Egress IPs.

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
ExternalIPPool
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
ExternalIPPoolSpec

Specification of the ExternalIPPool.



ipRanges
[]IPRange

The IP ranges of this IP pool, e.g. 10.10.0.0/24, 10.10.10.2-10.10.10.20, 10.10.10.30-10.10.10.30.

nodeSelector
Kubernetes meta/v1.LabelSelector

The Nodes that the external IPs can be assigned to. If empty, it means all Nodes.

status
ExternalIPPoolStatus

The current status of the ExternalIPPool.

Group

Group can be used in AntreaNetworkPolicies. When used with AppliedTo, it cannot include NamespaceSelector; otherwise Antrea will not realize the NetworkPolicy or rule and will only update the NetworkPolicy Status as “Unrealizable”.

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
Group
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
GroupSpec

Desired state of the group.



podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlocks
[]IPBlock
(Optional)

IPBlocks describe the IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

status
GroupStatus

Most recently observed status of the group.

NetworkPolicy

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
NetworkPolicy
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
NetworkPolicySpec

Specification of the desired behavior of NetworkPolicy.



tier
string

Tier specifies the tier to which this NetworkPolicy belongs. The NetworkPolicy order will be determined based on the combination of the Tier’s Priority and the NetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier, right above the K8s NetworkPolicy which resides at the bottom.

priority
float64

Priority specifies the order of the NetworkPolicy relative to other NetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select workloads to which the rules will be applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

egress
[]Rule
(Optional)

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

status
NetworkPolicyStatus

Most recently observed status of the NetworkPolicy.

Tier

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
Tier
metadata
Kubernetes meta/v1.ObjectMeta

Standard metadata of the object.

Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TierSpec

Specification of the desired behavior of Tier.



priority
int32

Priority specifies the order of the Tier relative to other Tiers.

description
string

Description is an optional field to add more information regarding the purpose of this Tier.

Traceflow

FieldDescription
apiVersion
string
crd.antrea.io/v1beta1
kind
string
Traceflow
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
spec
TraceflowSpec


source
Source
destination
Destination
packet
Packet
liveTraffic
bool

When set to true, LiveTraffic indicates that the Traceflow traces live traffic rather than an injected packet. The first packet of the first connection that matches the packet spec will be traced.

droppedOnly
bool

DroppedOnly indicates only the dropped packet should be captured in a live-traffic Traceflow.

timeout
int32

Timeout specifies the timeout of the Traceflow in seconds. Defaults to 20 seconds if not set.

status
TraceflowStatus

AgentCondition

(Appears on: AntreaAgentInfo)

FieldDescription
type
AgentConditionType

One of the AgentConditionType listed above

status
Kubernetes core/v1.ConditionStatus

Status of the condition, one of True, False, Unknown

lastHeartbeatTime
Kubernetes meta/v1.Time

The timestamp when AntreaAgentInfo was created or updated; the heartbeat interval is ideally 60s

reason
string

Brief reason

message
string

Human-readable message indicating details

AgentConditionType (string alias)

(Appears on: AgentCondition)

AppliedTo

(Appears on: ClusterNetworkPolicySpec, EgressSpec, NetworkPolicySpec, Rule)

AppliedTo describes the grouping selector of workloads in the AppliedTo field.

FieldDescription
podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods from NetworkPolicy’s Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from NetworkPolicy’s Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

group
string
(Optional)

Group is the name of the ClusterGroup which can be set as an AppliedTo in place of a stand-alone selector. A Group cannot be set with any other selector.

serviceAccount
NamespacedName
(Optional)

Select all Pods with the ServiceAccount matched by this field, as workloads in AppliedTo fields. Cannot be set with any other selector.

service
NamespacedName
(Optional)

Select the Service matching the NamespacedName. A Service can only be set either in the policy-level AppliedTo field of a policy that has only ingress rules, or in the rule-level AppliedTo field of an ingress rule. Only a NodePort Service can be referred to by this field. Cannot be set with any other selector.

ClusterGroupReference (string alias)

(Appears on: GroupSpec)

ClusterGroupReference represents a reference to a ClusterGroup.

ClusterNetworkPolicySpec

(Appears on: ClusterNetworkPolicy)

ClusterNetworkPolicySpec defines the desired state for ClusterNetworkPolicy.

FieldDescription
tier
string

Tier specifies the tier to which this ClusterNetworkPolicy belongs. The ClusterNetworkPolicy order will be determined based on the combination of the Tier’s Priority and the ClusterNetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier, right above the K8s NetworkPolicy which resides at the bottom.

priority
float64

Priority specifies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select workloads to which the rules will be applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

egress
[]Rule
(Optional)

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

ControllerCondition

(Appears on: AntreaControllerInfo)

FieldDescription
type
ControllerConditionType

One of the ControllerConditionType values listed above, e.g. ControllerHealthy

status
Kubernetes core/v1.ConditionStatus

Status of the condition, one of True, False, Unknown

lastHeartbeatTime
Kubernetes meta/v1.Time

The timestamp when AntreaControllerInfo was created or updated; the heartbeat interval is ideally 60s

reason
string

Brief reason

message
string

Human-readable message indicating details

ControllerConditionType (string alias)

(Appears on: ControllerCondition)

Destination

(Appears on: TraceflowSpec)

Destination describes the destination spec of the traceflow.

FieldDescription
namespace
string

Namespace is the destination namespace.

pod
string

Pod is the destination Pod, mutually exclusive with the destination Service.

service
string

Service is the destination Service, mutually exclusive with the destination Pod.

ip
string

IP is the destination IPv4 or IPv6 address.

EgressSpec

(Appears on: Egress)

EgressSpec defines the desired state for Egress.

FieldDescription
appliedTo
AppliedTo

AppliedTo selects Pods to which the Egress will be applied.

egressIP
string

EgressIP specifies the SNAT IP address for the selected workloads. If ExternalIPPool is empty, it must be specified manually. If ExternalIPPool is non-empty, it can be empty and will be assigned by Antrea automatically. If both ExternalIPPool and EgressIP are non-empty, the IP must be in the pool.

egressIPs
[]string

EgressIPs specifies multiple SNAT IP addresses for the selected workloads. Cannot be set with EgressIP.

externalIPPool
string

ExternalIPPool specifies the IP Pool that the EgressIP should be allocated from. If it is empty, the specified EgressIP must be assigned to a Node manually. If it is non-empty, the EgressIP will be assigned automatically to a Node selected by the pool and will fail over to a different Node when that Node becomes unreachable.

externalIPPools
[]string

ExternalIPPools specifies multiple unique IP Pools that the EgressIPs should be allocated from. Entries with the same index in EgressIPs and ExternalIPPools are correlated. Cannot be set with ExternalIPPool.

EgressStatus

(Appears on: Egress)

EgressStatus represents the current status of an Egress.

FieldDescription
egressNode
string

The name of the Node that holds the Egress IP.

egressIP
string

EgressIP indicates the effective Egress IP for the selected workloads. It could be empty if the Egress IP in spec is not assigned to any Node. It is also useful when more than one Egress IP is specified in spec.

ExternalIPPoolSpec

(Appears on: ExternalIPPool)

FieldDescription
ipRanges
[]IPRange

The IP ranges of this IP pool, e.g. 10.10.0.0/24, 10.10.10.2-10.10.10.20, 10.10.10.30-10.10.10.30.

nodeSelector
Kubernetes meta/v1.LabelSelector

The Nodes that the external IPs can be assigned to. If empty, it means all Nodes.

ExternalIPPoolStatus

(Appears on: ExternalIPPool)

FieldDescription
usage
IPPoolUsage

GroupCondition

(Appears on: GroupStatus)

FieldDescription
type
GroupConditionType
status
Kubernetes core/v1.ConditionStatus
lastTransitionTime
Kubernetes meta/v1.Time

GroupConditionType (string alias)

(Appears on: GroupCondition)

GroupSpec

(Appears on: ClusterGroup, Group)

FieldDescription
podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

ipBlocks
[]IPBlock
(Optional)

IPBlocks describe the IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

serviceReference
NamespacedName
(Optional)

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

childGroups
[]ClusterGroupReference
(Optional)

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.
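The mutual-exclusion rules that the podSelector, namespaceSelector, ipBlocks, serviceReference, externalEntitySelector and childGroups descriptions state for GroupSpec (in both the v1alpha3 and v1beta1 sections, and where it is embedded in ClusterGroup and Group), written out as one validation function. This is an added example, not Antrea's own webhook code; the minimal LabelSelector stand-in and the `existing` lookup map that stands in for an API read of ClusterGroups are constructed for it.

```go
package main

import (
	"errors"
	"fmt"
)

// LabelSelector is a minimal stand-in for Kubernetes meta/v1.LabelSelector;
// only whether a selector is set matters for the exclusivity rules.
type LabelSelector struct {
	MatchLabels map[string]string
}

// IPBlock, NamespacedName and ClusterGroupReference mirror the crd.antrea.io
// types described on this page, reduced to the fields used here.
type IPBlock struct{ CIDR string }
type NamespacedName struct{ Name, Namespace string }
type ClusterGroupReference string

// GroupSpec mirrors the crd.antrea.io GroupSpec field set.
type GroupSpec struct {
	PodSelector            *LabelSelector
	NamespaceSelector      *LabelSelector
	IPBlocks               []IPBlock
	ServiceReference       *NamespacedName
	ExternalEntitySelector *LabelSelector
	ChildGroups            []ClusterGroupReference
}

// ValidateGroupSpec applies the exclusivity rules from the GroupSpec field
// descriptions. existing maps ClusterGroup names to their specs and stands in
// for an API lookup (constructed for this example) so that childGroups
// references can be checked for existence and for nesting.
func ValidateGroupSpec(spec GroupSpec, existing map[string]GroupSpec) error {
	hasPod := spec.PodSelector != nil
	hasNS := spec.NamespaceSelector != nil
	hasEE := spec.ExternalEntitySelector != nil
	hasSelector := hasPod || hasNS || hasEE
	hasIPBlocks := len(spec.IPBlocks) > 0
	hasService := spec.ServiceReference != nil
	hasChildren := len(spec.ChildGroups) > 0

	// ipBlocks, serviceReference and childGroups are each exclusive with every
	// other way of selecting members; the label selectors form the fourth family.
	families := 0
	for _, set := range []bool{hasSelector, hasIPBlocks, hasService, hasChildren} {
		if set {
			families++
		}
	}
	if families > 1 {
		return errors.New("label selectors, ipBlocks, serviceReference and childGroups are mutually exclusive")
	}

	// podSelector and externalEntitySelector may each be combined only with
	// namespaceSelector, never with each other.
	if hasPod && hasEE {
		return errors.New("podSelector cannot be set together with externalEntitySelector")
	}

	// Referenced ClusterGroups must already exist and must not themselves
	// contain childGroups (no nesting beyond one level).
	for _, ref := range spec.ChildGroups {
		child, ok := existing[string(ref)]
		if !ok {
			return fmt.Errorf("childGroup %q does not exist", ref)
		}
		if len(child.ChildGroups) > 0 {
			return fmt.Errorf("childGroup %q itself contains childGroups", ref)
		}
	}
	return nil
}

func main() {
	// Constructed sample data: a flat "db-pods" ClusterGroup and a group nesting it.
	db := &LabelSelector{MatchLabels: map[string]string{"app": "db"}}
	existing := map[string]GroupSpec{
		"db-pods":  {PodSelector: db},
		"backends": {ChildGroups: []ClusterGroupReference{"db-pods"}},
	}
	cases := map[string]GroupSpec{
		"pods-in-namespaces": {PodSelector: db, NamespaceSelector: db},
		"pods-plus-ipblocks": {PodSelector: db, IPBlocks: []IPBlock{{CIDR: "10.0.0.0/8"}}},
		"nested-children":    {ChildGroups: []ClusterGroupReference{"backends"}},
	}
	for name, spec := range cases {
		fmt.Printf("%s: %v\n", name, ValidateGroupSpec(spec, existing))
	}
}
```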

GroupStatus

(Appears on: ClusterGroup, Group)

GroupStatus represents information about the status of a Group.

FieldDescription
conditions
[]GroupCondition

HTTPProtocol

(Appears on: L7Protocol)

HTTPProtocol matches HTTP requests with a specific host, method, and path. Each field may be used alone or in combination. If no field is provided, it matches all HTTP requests.

FieldDescription
host
string

Host represents the hostname present in the URI or the HTTP Host header to match. It does not contain the port associated with the host.

method
string

Method represents the HTTP method to match. It can be one of GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.

path
string

Path represents the URI path to match (Ex. “/index.html”, “/admin”).

ICMPEchoRequestHeader

(Appears on: TransportHeader)

ICMPEchoRequestHeader describes spec of an ICMP echo request header.

FieldDescription
id
int32

ID is the ICMPEchoRequestHeader ID.

sequence
int32

Sequence is the ICMPEchoRequestHeader sequence.

ICMPProtocol

(Appears on: NetworkPolicyProtocol)

ICMPProtocol matches ICMP traffic with a specific ICMPType and/or ICMPCode. Each field may be used alone or in combination. If no field is provided, this matches all ICMP traffic.

FieldDescription
icmpType
int32
icmpCode
int32

IGMPProtocol

(Appears on: NetworkPolicyProtocol)

IGMPProtocol matches IGMP traffic with IGMPType and GroupAddress. IGMPType must be one of:
IGMPQuery int32 = 0x11
IGMPReportV1 int32 = 0x12
IGMPReportV2 int32 = 0x16
IGMPReportV3 int32 = 0x22
If groupAddress is empty, all group addresses will be matched.

FieldDescription
igmpType
int32
groupAddress
string

IPBlock

(Appears on: GroupSpec, NetworkPolicyPeer)

IPBlock describes a particular CIDR (Ex. “192.168.1.1/24”) that is allowed or denied to/from the workloads matched by a Spec.AppliedTo.

FieldDescription
cidr
string

CIDR is a string representing the IP block. Valid examples are “192.168.1.1/24”.

IPHeader

(Appears on: Packet)

IPHeader describes spec of an IPv4 header.

FieldDescription
protocol
int32

Protocol is the IP protocol.

ttl
int32

TTL is the IP TTL.

flags
int32

Flags is the IP flags field.

IPPoolUsage

(Appears on: ExternalIPPoolStatus)

FieldDescription
total
int

Total number of IPs.

used
int

Number of allocated IPs.

IPRange

(Appears on: ExternalIPPoolSpec)

IPRange is a set of contiguous IP addresses, represented by a CIDR or a pair of start and end IPs.

FieldDescription
cidr
string

The CIDR of this range, e.g. 10.10.10.0/24.

start
string

The start IP of the range, e.g. 10.10.20.5, inclusive.

end
string

The end IP of the range, e.g. 10.10.20.20, inclusive.
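The two IPRange forms above (a CIDR, or an inclusive start and end pair) normalized into one interval, then used to apply the EgressSpec rule that an egressIP set alongside an externalIPPool must lie inside that pool's ipRanges, while an egressIP without a pool only needs to be a valid address. This is an added example, not Antrea's own code; the Go types mirror only the fields named on this page, treating a range that sets both forms as invalid is this example's assumption, and the constructed pool reuses the ranges quoted in the ipRanges description.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// IPRange mirrors the crd.antrea.io IPRange: a CIDR, or a Start/End pair.
type IPRange struct{ CIDR, Start, End string }

// addrRange is the normalized form of an IPRange: an inclusive [First, Last].
type addrRange struct{ First, Last netip.Addr }

// lastAddr returns the highest address in a prefix (10.10.0.255 for 10.10.0.0/24).
func lastAddr(p netip.Prefix) netip.Addr {
	b := p.Masked().Addr().AsSlice()
	for i := p.Bits(); i < len(b)*8; i++ {
		b[i/8] |= 1 << (7 - uint(i%8)) // set every host bit
	}
	last, _ := netip.AddrFromSlice(b)
	return last
}

// ParseIPRange normalizes an IPRange. The page describes a range as "a CIDR or
// a pair of start and end IPs"; rejecting one that sets both forms is this
// example's assumption, not a rule stated on the page.
func ParseIPRange(r IPRange) (addrRange, error) {
	switch {
	case r.CIDR != "" && (r.Start != "" || r.End != ""):
		return addrRange{}, errors.New("cidr and start/end are mutually exclusive")
	case r.CIDR != "":
		p, err := netip.ParsePrefix(r.CIDR)
		if err != nil {
			return addrRange{}, err
		}
		return addrRange{First: p.Masked().Addr(), Last: lastAddr(p)}, nil
	case r.Start != "" && r.End != "":
		first, err := netip.ParseAddr(r.Start)
		if err != nil {
			return addrRange{}, err
		}
		last, err := netip.ParseAddr(r.End)
		if err != nil {
			return addrRange{}, err
		}
		if first.Is4() != last.Is4() || last.Less(first) {
			return addrRange{}, fmt.Errorf("invalid range %s-%s", r.Start, r.End)
		}
		return addrRange{First: first, Last: last}, nil
	default:
		return addrRange{}, errors.New("either cidr or both start and end must be set")
	}
}

// Contains reports whether ip lies within the range, both ends inclusive.
func (r addrRange) Contains(ip netip.Addr) bool {
	return ip.Is4() == r.First.Is4() && !ip.Less(r.First) && !r.Last.Less(ip)
}

// ValidateEgressIP applies the EgressSpec rule for egressIP and externalIPPool.
// ranges is the referenced ExternalIPPool's ipRanges, nil when externalIPPool is empty.
func ValidateEgressIP(egressIP string, ranges []IPRange) error {
	if len(ranges) == 0 {
		if egressIP == "" {
			return errors.New("egressIP must be set when externalIPPool is empty")
		}
		_, err := netip.ParseAddr(egressIP) // assigned manually; only syntax to check
		return err
	}
	if egressIP == "" {
		return nil // Antrea allocates the IP from the pool
	}
	ip, err := netip.ParseAddr(egressIP)
	if err != nil {
		return err
	}
	for _, r := range ranges {
		ar, err := ParseIPRange(r)
		if err != nil {
			return err
		}
		if ar.Contains(ip) {
			return nil // both set: the IP is inside the pool
		}
	}
	return fmt.Errorf("egressIP %s is not within the ExternalIPPool ranges", egressIP)
}

func main() {
	// Constructed pool built from the ranges quoted in the ipRanges description.
	pool := []IPRange{{CIDR: "10.10.0.0/24"}, {Start: "10.10.10.2", End: "10.10.10.20"}, {Start: "10.10.10.30", End: "10.10.10.30"}}
	fmt.Println("in pool:", ValidateEgressIP("10.10.10.20", pool))
	fmt.Println("outside pool:", ValidateEgressIP("10.10.10.21", pool))
}
```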

IPv6Header

(Appears on: Packet)

IPv6Header describes spec of an IPv6 header.

FieldDescription
nextHeader
int32

NextHeader is the IPv6 protocol.

hopLimit
int32

HopLimit is the IPv6 Hop Limit.

L7Protocol

(Appears on: Rule)

FieldDescription
http
HTTPProtocol
tls
TLSProtocol

NamespaceMatchType (string alias)

(Appears on: PeerNamespaces)

NamespaceMatchType describes Namespace matching strategy.

NamespacedName

(Appears on: AppliedTo, GroupSpec, NetworkPolicyPeer)

NamespacedName refers to a Namespace scoped resource. All fields must be used together.

FieldDescription
name
string
namespace
string

NetworkPolicyCondition

(Appears on: NetworkPolicyStatus)

NetworkPolicyCondition describes the state of a NetworkPolicy at a certain point.

FieldDescription
type
NetworkPolicyConditionType

Type of NetworkPolicy condition.

status
Kubernetes meta/v1.ConditionStatus

Status of the condition, one of True, False, Unknown.

lastTransitionTime
Kubernetes meta/v1.Time
(Optional)

Last time the condition transitioned from one status to another.

reason
string
(Optional)

The reason for the condition’s last transition.

message
string
(Optional)

A human-readable message indicating details about the transition.

NetworkPolicyConditionType (string alias)

(Appears on: NetworkPolicyCondition)

NetworkPolicyConditionType describes the condition types of NetworkPolicies.

NetworkPolicyControllerInfo

(Appears on: AntreaAgentInfo, AntreaControllerInfo)

FieldDescription
networkPolicyNum
int32
addressGroupNum
int32
appliedToGroupNum
int32

NetworkPolicyPeer

(Appears on: Rule)

NetworkPolicyPeer describes the grouping selector of workloads.

FieldDescription
ipBlock
IPBlock
(Optional)

IPBlock describes the IP addresses/IP blocks that are matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.

podSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select Pods from NetworkPolicy’s Namespace as workloads in To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

namespaceSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.

namespaces
PeerNamespaces
(Optional)

Select Pods/ExternalEntities from Namespaces matched by specific criteria. The currently supported criterion is match: Self, which selects from the same Namespace as the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.

externalEntitySelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select ExternalEntities from NetworkPolicy’s Namespace as workloads in To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

group
string

Group is the name of the ClusterGroup which can be set within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector.

fqdn
string

Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: exact FQDNs, e.g. “google.com”, “db-svc.default.svc.cluster.local”; wildcard expressions, e.g. “*wayfair.com”.

serviceAccount
NamespacedName
(Optional)

Select all Pods with the ServiceAccount matched by this field, as workloads in To/From fields. Cannot be set with any other selector.

nodeSelector
Kubernetes meta/v1.LabelSelector
(Optional)

Select certain Nodes which match the label selector. A NodeSelector cannot be set in AppliedTo field or set with any other selector.

scope
PeerScope
(Optional)

Defines the scope of the Pod/NamespaceSelector(s) of this peer. Can only be used in ingress NetworkPolicyPeers. Defaults to “Cluster”.

NetworkPolicyPhase (string alias)

(Appears on: NetworkPolicyStatus)

NetworkPolicyPhase defines the phase in which a NetworkPolicy is.

NetworkPolicyPort

(Appears on: Rule)

NetworkPolicyPort describes the port and protocol to match in a rule.

FieldDescription
protocol
Kubernetes core/v1.Protocol
(Optional)

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

port
k8s.io/apimachinery/pkg/util/intstr.IntOrString
(Optional)

The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.

endPort
int32
(Optional)

EndPort defines the end of the port range, inclusive. It can only be specified when a numerical port is specified.

sourcePort
int32
(Optional)

The source port on the given protocol. This can only be a numerical port. If this field is not provided, the rule matches all source ports.

sourceEndPort
int32
(Optional)

SourceEndPort defines the end of the source port range, inclusive. It can only be specified when sourcePort is specified.

NetworkPolicyProtocol

(Appears on: Rule)

NetworkPolicyProtocol defines additional protocols that are not supported by ports. Each field is standalone: only one of them should be set in a given NetworkPolicyProtocol.

FieldDescription
icmp
ICMPProtocol
igmp
IGMPProtocol

NetworkPolicySpec

(Appears on: NetworkPolicy)

NetworkPolicySpec defines the desired state for NetworkPolicy.

FieldDescription
tier
string

Tier specifies the tier to which this NetworkPolicy belongs. The NetworkPolicy order will be determined based on the combination of the Tier’s Priority and the NetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier, right above the K8s NetworkPolicy tier which resides at the bottom.

priority
float64

Priority specifies the order of the NetworkPolicy relative to other NetworkPolicies.

appliedTo
[]AppliedTo
(Optional)

Select workloads to which the rules will be applied. Cannot be set in conjunction with AppliedTo in each rule.

ingress
[]Rule
(Optional)

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

egress
[]Rule
(Optional)

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

NetworkPolicyStatus

(Appears on: ClusterNetworkPolicy, NetworkPolicy)

NetworkPolicyStatus represents information about the status of a NetworkPolicy.

FieldDescription
phase
NetworkPolicyPhase

The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy’s status.

observedGeneration
int64

The generation observed by Antrea.

currentNodesRealized
int32

The number of nodes that have realized the NetworkPolicy.

desiredNodesRealized
int32

The total number of nodes that should realize the NetworkPolicy.

conditions
[]NetworkPolicyCondition

Represents the latest available observations of a NetworkPolicy’s current state.

NodeResult

(Appears on: TraceflowStatus)

FieldDescription
node
string

Node is the node of the observation.

role
string

Role of the node, e.g. sender or receiver.

timestamp
int64

Timestamp is the timestamp of the observations on the node.

observations
[]Observation

Observations includes all observations from sender nodes, receiver ones, etc.

OVSInfo

(Appears on: AntreaAgentInfo)

FieldDescription
version
string
bridgeName
string
flowTable
map[string]int32

Key: flow table name, Value: flow number

Observation

(Appears on: NodeResult)

Observation describes an observation made on a sender node or a receiver node.

FieldDescription
component
TraceflowComponent

Component is the observation component.

componentInfo
string

ComponentInfo is the extension of the Component field.

action
TraceflowAction

Action is the action associated with the observation.

pod
string

Pod is the combination of Pod name and Pod Namespace.

dstMAC
string

DstMAC is the destination MAC.

networkPolicy
string

NetworkPolicy is the combination of Namespace and NetworkPolicyName.

egress
string

Egress is the name of the Egress.

ttl
int32

TTL is the observation TTL.

translatedSrcIP
string

TranslatedSrcIP is the translated source IP.

translatedDstIP
string

TranslatedDstIP is the translated destination IP.

tunnelDstIP
string

TunnelDstIP is the tunnel destination IP.

egressIP
string

Packet

(Appears on: TraceflowSpec, TraceflowStatus)

Packet includes header info.

FieldDescription
srcIP
string
dstIP
string
length
int32

Length is the IP packet length (includes the IPv4 or IPv6 header length).

ipHeader
IPHeader
ipv6Header
IPv6Header
transportHeader
TransportHeader

PeerNamespaces

(Appears on: NetworkPolicyPeer)

FieldDescription
match
NamespaceMatchType

PeerScope (string alias)

(Appears on: NetworkPolicyPeer, PeerService)

PeerService

(Appears on: Rule)

PeerService refers to a Service, which can be an in-cluster Service or an imported multi-cluster Service.

FieldDescription
name
string
namespace
string
scope
PeerScope

Rule

(Appears on: ClusterNetworkPolicySpec, NetworkPolicySpec)

Rule describes the traffic allowed to/from the workloads selected by Spec.AppliedTo. Based on the action specified in the rule, traffic that exactly matches the specified ports and protocol is either allowed or denied.

FieldDescription
action
RuleAction

Action specifies the action to be applied on the rule.

ports
[]NetworkPolicyPort
(Optional)

Set of ports and protocols matched by the rule. If this field and Protocols are unset or empty, this rule matches all ports.

protocols
[]NetworkPolicyProtocol
(Optional)

Set of protocols matched by the rule. If this field and Ports are unset or empty, this rule matches all protocols supported.

l7Protocols
[]L7Protocol

Set of layer 7 protocols matched by the rule. If this field is set, action can only be Allow. When this field is used in a rule, any traffic matching the other layer 3/4 criteria of the rule (typically the 5-tuple) will be forwarded to an application-aware engine for protocol detection and rule enforcement, and the traffic will be allowed if the layer 7 criteria are also matched, otherwise it will be dropped. Therefore, any rules after a layer 7 rule will not be enforced for the traffic.

from
[]NetworkPolicyPeer
(Optional)

Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.

to
[]NetworkPolicyPeer
(Optional)

Rule is matched if traffic is intended for workloads selected by this field. This field can’t be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations.

toServices
[]PeerService
(Optional)

Rule is matched if traffic is intended for a Service listed in this field. Currently, only ClusterIP type Services are supported in this field. When scope is set to ClusterSet, it matches traffic intended for a multi-cluster Service listed in this field. The Service name and Namespace provided should match the original exported Service. This field can only be used when AntreaProxy is enabled. This field can’t be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations.

name
string
(Optional)

Name describes the intention of this rule. Name should be unique within the policy.

enableLogging
bool
(Optional)

EnableLogging is used to indicate if the agent should generate logs when rules are matched. Defaults to false.

logLabel
string
(Optional)

LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs.

appliedTo
[]AppliedTo
(Optional)

Select workloads to which this rule will be applied. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.

RuleAction (string alias)

(Appears on: NetworkPolicyRule, Rule)

RuleAction describes the action to be applied on traffic matching a rule.

Source

(Appears on: TraceflowSpec)

Source describes the source spec of the traceflow.

FieldDescription
namespace
string

Namespace is the source namespace.

pod
string

Pod is the source pod.

ip
string

IP is the source IPv4 or IPv6 address. IP as the source is supported only for live-traffic Traceflow.

TCPHeader

(Appears on: TransportHeader)

TCPHeader describes spec of a TCP header.

FieldDescription
srcPort
int32

SrcPort is the source port.

dstPort
int32

DstPort is the destination port.

flags
int32

Flags are flags in the header.

TLSProtocol

(Appears on: L7Protocol)

TLSProtocol matches TLS handshake packets with specific SNI. If the field is not provided, this matches all TLS handshake packets.

FieldDescription
sni
string

SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message.

TierSpec

(Appears on: Tier)

TierSpec defines the desired state for Tier.

FieldDescription
priority
int32

Priority specifies the order of the Tier relative to other Tiers.

description
string

Description is an optional field to add more information regarding the purpose of this Tier.

TraceflowAction (string alias)

(Appears on: Observation)

TraceflowComponent (string alias)

(Appears on: Observation)

TraceflowPhase (string alias)

(Appears on: TraceflowStatus)

TraceflowSpec

(Appears on: Traceflow)

TraceflowSpec describes the spec of the traceflow.

FieldDescription
source
Source
destination
Destination
packet
Packet
liveTraffic
bool

LiveTraffic indicates the Traceflow is to trace the live traffic rather than an injected packet, when set to true. The first packet of the first connection that matches the packet spec will be traced.

droppedOnly
bool

DroppedOnly indicates only the dropped packet should be captured in a live-traffic Traceflow.

timeout
int32

Timeout specifies the timeout of the Traceflow in seconds. Defaults to 20 seconds if not set.

TraceflowStatus

(Appears on: Traceflow)

TraceflowStatus describes current status of the traceflow.

FieldDescription
phase
TraceflowPhase

Phase is the Traceflow phase.

reason
string

Reason is a message indicating the reason for the traceflow’s current phase.

startTime
Kubernetes meta/v1.Time

StartTime is the time at which the Traceflow was started by the Antrea Controller. Before K8s v1.20, null values (field not set) are not pruned, and a CR where a metav1.Time field is not set would fail OpenAPI validation (type string). The recommendation seems to be to use a pointer instead, so that the field is omitted when serializing. See https://github.com/kubernetes/kubernetes/issues/86811

dataplaneTag
byte

DataplaneTag is a tag to identify a traceflow session across Nodes.

results
[]NodeResult

Results is the collection of all observations on different nodes.

capturedPacket
Packet

CapturedPacket is the captured packet in live-traffic Traceflow.

TransportHeader

(Appears on: Packet)

TransportHeader describes spec of a TransportHeader.

FieldDescription
icmp
ICMPEchoRequestHeader
udp
UDPHeader
tcp
TCPHeader

UDPHeader

(Appears on: TransportHeader)

UDPHeader describes spec of a UDP header.

FieldDescription
srcPort
int32

SrcPort is the source port.

dstPort
int32

DstPort is the destination port.


stats.antrea.io/v1alpha1

Package v1alpha1 is the v1alpha1 version of the Antrea Stats API.

Resource Types:

AntreaClusterNetworkPolicyStats

AntreaClusterNetworkPolicyStats is the statistics of an Antrea ClusterNetworkPolicy.

FieldDescription
apiVersion
string
stats.antrea.io/v1alpha1
kind
string
AntreaClusterNetworkPolicyStats
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
trafficStats
TrafficStats

The traffic stats of the Antrea ClusterNetworkPolicy.

ruleTrafficStats
[]RuleTrafficStats

The traffic stats of the Antrea ClusterNetworkPolicy, from a per-rule perspective.

AntreaNetworkPolicyStats

AntreaNetworkPolicyStats is the statistics of an Antrea NetworkPolicy.

FieldDescription
apiVersion
string
stats.antrea.io/v1alpha1
kind
string
AntreaNetworkPolicyStats
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
trafficStats
TrafficStats

The traffic stats of the Antrea NetworkPolicy.

ruleTrafficStats
[]RuleTrafficStats

The traffic stats of the Antrea NetworkPolicy, from a per-rule perspective.

MulticastGroup

MulticastGroup contains the mapping between multicast group and Pods.

FieldDescription
apiVersion
string
stats.antrea.io/v1alpha1
kind
string
MulticastGroup
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
group
string

Group is the IP of the multicast group.

pods
[]PodReference

Pods is the list of Pods that have joined the multicast group.

NetworkPolicyStats

NetworkPolicyStats is the statistics of a K8s NetworkPolicy.

FieldDescription
apiVersion
string
stats.antrea.io/v1alpha1
kind
string
NetworkPolicyStats
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
trafficStats
TrafficStats

The traffic stats of the K8s NetworkPolicy.

PodReference

(Appears on: MulticastGroup)

PodReference represents a Pod Reference.

FieldDescription
name
string

The name of this Pod.

namespace
string

The namespace of this Pod.

RuleTrafficStats

(Appears on: AntreaClusterNetworkPolicyStats, AntreaNetworkPolicyStats, NetworkPolicyStats)

RuleTrafficStats contains the TrafficStats of a single rule inside a NetworkPolicy.

FieldDescription
name
string
trafficStats
TrafficStats

TrafficStats

(Appears on: AntreaClusterNetworkPolicyStats, AntreaNetworkPolicyStats, NetworkPolicyStats, NetworkPolicyStats, RuleTrafficStats)

TrafficStats contains the traffic stats of a NetworkPolicy.

FieldDescription
packets
int64

Packets is the count of packets that hit the NetworkPolicy.

bytes
int64

Bytes is the count of bytes that hit the NetworkPolicy.

sessions
int64

Sessions is the count of sessions that hit the NetworkPolicy.


system.antrea.io/v1beta1

Package v1beta1 contains the v1beta1 version of the Antrea “system” API group definitions.

Resource Types:

SupportBundle

FieldDescription
apiVersion
string
system.antrea.io/v1beta1
kind
string
SupportBundle
metadata
Kubernetes meta/v1.ObjectMeta
Refer to the Kubernetes API documentation for the fields of the metadata field.
status
BundleStatus
sum
string
since
string
size
uint32
-
string

BundleStatus (string alias)

(Appears on: SupportBundle)


Generated with gen-crd-api-reference-docs on git commit ea06f02.