NetworkPolicy [networking.k8s.io/v1]

Description

NetworkPolicy describes what network traffic is allowed for a set of Pods

Type

object

Specification

PropertyTypeDescription

.apiVersion

string

APIVersion defines the versioned schema of this representation of an object. Servers should convert recognized schemas to the latest internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources

.kind

string

Kind is a string value representing the REST resource this object represents. Servers may infer this from the endpoint the client submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds

.metadata

ObjectMeta meta/v1

Standard object’s metadata. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#metadata

.spec

object

NetworkPolicySpec provides the specification of a NetworkPolicy

.spec

Description

NetworkPolicySpec provides the specification of a NetworkPolicy

Type

object

Required

  • podSelector
PropertyTypeDescription

egress

array

List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8

egress[]

object

NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec’s podSelector. The traffic must match both ports and to. This type is beta-level in 1.8

ingress

array

List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod’s local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)

ingress[]

object

NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec’s podSelector. The traffic must match both ports and from.

podSelector

LabelSelector meta/v1

Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.

policyTypes

array (string)

List of rule types that the NetworkPolicy relates to. Valid options are “Ingress”, “Egress”, or “Ingress,Egress”. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ “Egress” ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include “Egress” (since such a policy would not include an Egress section and would otherwise default to just [ “Ingress” ]). This field is beta-level in 1.8

.spec.egress

Description

List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8

Type

array

.spec.egress[]

Description

NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec’s podSelector. The traffic must match both ports and to. This type is beta-level in 1.8

Type

object

PropertyTypeDescription

ports

array

List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

ports[]

object

NetworkPolicyPort describes a port to allow traffic on

to

array

List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.

to[]

object

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

.spec.egress[].ports

Description

List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

Type

array

.spec.egress[].ports[]

Description

NetworkPolicyPort describes a port to allow traffic on

Type

object

PropertyTypeDescription

port

IntOrString util/intstr

The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.

protocol

string

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

.spec.egress[].to

Description

List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.

Type

array

.spec.egress[].to[]

Description

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

Type

object

PropertyTypeDescription

ipBlock

object

IPBlock describes a particular CIDR (Ex. “192.168.1.1/24”,”2001:db9::/64”) that is allowed to the pods matched by a NetworkPolicySpec’s podSelector. The except entry describes CIDRs that should not be included within this rule.

namespaceSelector

LabelSelector meta/v1

Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.

podSelector

LabelSelector meta/v1

This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy’s own Namespace.

.spec.egress[].to[].ipBlock

Description

IPBlock describes a particular CIDR (Ex. “192.168.1.1/24”,”2001:db9::/64”) that is allowed to the pods matched by a NetworkPolicySpec’s podSelector. The except entry describes CIDRs that should not be included within this rule.

Type

object

Required

  • cidr
PropertyTypeDescription

cidr

string

CIDR is a string representing the IP Block Valid examples are “192.168.1.1/24” or “2001:db9::/64”

except

array (string)

Except is a slice of CIDRs that should not be included within an IP Block Valid examples are “192.168.1.1/24” or “2001:db9::/64” Except values will be rejected if they are outside the CIDR range

.spec.ingress

Description

List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod’s local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)

Type

array

.spec.ingress[]

Description

NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec’s podSelector. The traffic must match both ports and from.

Type

object

PropertyTypeDescription

from

array

List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.

from[]

object

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

ports

array

List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

ports[]

object

NetworkPolicyPort describes a port to allow traffic on

.spec.ingress[].from

Description

List of sources which should be able to access the pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources (traffic not restricted by source). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list.

Type

array

.spec.ingress[].from[]

Description

NetworkPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed

Type

object

PropertyTypeDescription

ipBlock

object

IPBlock describes a particular CIDR (Ex. “192.168.1.1/24”,”2001:db9::/64”) that is allowed to the pods matched by a NetworkPolicySpec’s podSelector. The except entry describes CIDRs that should not be included within this rule.

namespaceSelector

LabelSelector meta/v1

Selects Namespaces using cluster-scoped labels. This field follows standard label selector semantics; if present but empty, it selects all namespaces.

If PodSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects all Pods in the Namespaces selected by NamespaceSelector.

podSelector

LabelSelector meta/v1

This is a label selector which selects Pods. This field follows standard label selector semantics; if present but empty, it selects all pods.

If NamespaceSelector is also set, then the NetworkPolicyPeer as a whole selects the Pods matching PodSelector in the Namespaces selected by NamespaceSelector. Otherwise it selects the Pods matching PodSelector in the policy’s own Namespace.

.spec.ingress[].from[].ipBlock

Description

IPBlock describes a particular CIDR (Ex. “192.168.1.1/24”,”2001:db9::/64”) that is allowed to the pods matched by a NetworkPolicySpec’s podSelector. The except entry describes CIDRs that should not be included within this rule.

Type

object

Required

  • cidr
PropertyTypeDescription

cidr

string

CIDR is a string representing the IP Block Valid examples are “192.168.1.1/24” or “2001:db9::/64”

except

array (string)

Except is a slice of CIDRs that should not be included within an IP Block Valid examples are “192.168.1.1/24” or “2001:db9::/64” Except values will be rejected if they are outside the CIDR range

.spec.ingress[].ports

Description

List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.

Type

array

.spec.ingress[].ports[]

Description

NetworkPolicyPort describes a port to allow traffic on

Type

object

PropertyTypeDescription

port

IntOrString util/intstr

The port on the given protocol. This can either be a numerical or named port on a pod. If this field is not provided, this matches all port names and numbers.

protocol

string

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

API endpoints

The following API endpoints are available:

  • /apis/networking.k8s.io/v1/networkpolicies

    • GET: list or watch objects of kind NetworkPolicy
  • /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

    • DELETE: delete collection of NetworkPolicy

    • GET: list or watch objects of kind NetworkPolicy

    • POST: create a NetworkPolicy

  • /apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

    • DELETE: delete a NetworkPolicy

    • GET: read the specified NetworkPolicy

    • PATCH: partially update the specified NetworkPolicy

    • PUT: replace the specified NetworkPolicy

/apis/networking.k8s.io/v1/networkpolicies

Table 1. Global guery parameters
ParameterTypeDescription

allowWatchBookmarks

boolean

allowWatchBookmarks requests watch events with type “BOOKMARK”. Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server’s discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.

continue

string

The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the “next key”.

This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.

fieldSelector

string

A selector to restrict the list of returned objects by their fields. Defaults to everything.

labelSelector

string

A selector to restrict the list of returned objects by their labels. Defaults to everything.

limit

integer

limit is a maximum number of responses to return for a list call. If more items exist, the server will set the continue field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.

The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.

pretty

string

If ‘true’, then the output is pretty printed.

resourceVersion

string

resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.

Defaults to unset

resourceVersionMatch

string

resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.

Defaults to unset

timeoutSeconds

integer

Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.

watch

boolean

Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.

HTTP method

GET

Description

list or watch objects of kind NetworkPolicy

Table 2. HTTP responses
HTTP codeReponse body

200 - OK

NetworkPolicyList networking.k8s.io/v1

401 - Unauthorized

Empty

/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies

Table 3. Global path parameters
ParameterTypeDescription

namespace

string

object name and auth scope, such as for teams and projects

Table 4. Global guery parameters
ParameterTypeDescription

pretty

string

If ‘true’, then the output is pretty printed.

HTTP method

DELETE

Description

delete collection of NetworkPolicy

Table 5. Query parameters
ParameterTypeDescription

continue

string

The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the “next key”.

This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldSelector

string

A selector to restrict the list of returned objects by their fields. Defaults to everything.

gracePeriodSeconds

integer

The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.

labelSelector

string

A selector to restrict the list of returned objects by their labels. Defaults to everything.

limit

integer

limit is a maximum number of responses to return for a list call. If more items exist, the server will set the continue field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.

The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.

orphanDependents

boolean

Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the “orphan” finalizer will be added to/removed from the object’s finalizers list. Either this field or PropagationPolicy may be set, but not both.

propagationPolicy

string

Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: ‘Orphan’ - orphan the dependents; ‘Background’ - allow the garbage collector to delete the dependents in the background; ‘Foreground’ - a cascading policy that deletes all dependents in the foreground.

resourceVersion

string

resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.

Defaults to unset

resourceVersionMatch

string

resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.

Defaults to unset

timeoutSeconds

integer

Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.

Table 6. Body parameters
ParameterTypeDescription

body

DeleteOptions meta/v1

Table 7. HTTP responses
HTTP codeReponse body

200 - OK

Status meta/v1

401 - Unauthorized

Empty

HTTP method

GET

Description

list or watch objects of kind NetworkPolicy

Table 8. Query parameters
ParameterTypeDescription

allowWatchBookmarks

boolean

allowWatchBookmarks requests watch events with type “BOOKMARK”. Servers that do not implement bookmarks may ignore this flag and bookmarks are sent at the server’s discretion. Clients should not assume bookmarks are returned at any specific interval, nor may they assume the server will send any BOOKMARK event during a session. If this is not a watch, this field is ignored. If the feature gate WatchBookmarks is not enabled in apiserver, this field is ignored.

continue

string

The continue option should be set when retrieving more results from the server. Since this value is server defined, clients may only use the continue value from a previous query result with identical query parameters (except for the value of continue) and the server may reject a continue value it does not recognize. If the specified continue value is no longer valid whether due to expiration (generally five to fifteen minutes) or a configuration change on the server, the server will respond with a 410 ResourceExpired error together with a continue token. If the client needs a consistent list, it must restart their list without the continue field. Otherwise, the client may send another list request with the token received with the 410 error, the server will respond with a list starting from the next key, but from the latest snapshot, which is inconsistent from the previous list results - objects that are created, modified, or deleted after the first list request will be included in the response, as long as their keys are after the “next key”.

This field is not supported when watch is true. Clients may start a watch from the last resourceVersion value returned by the server and not miss any modifications.

fieldSelector

string

A selector to restrict the list of returned objects by their fields. Defaults to everything.

labelSelector

string

A selector to restrict the list of returned objects by their labels. Defaults to everything.

limit

integer

limit is a maximum number of responses to return for a list call. If more items exist, the server will set the continue field on the list metadata to a value that can be used with the same initial query to retrieve the next set of results. Setting a limit may return fewer than the requested amount of items (up to zero items) in the event all requested objects are filtered out and clients should only use the presence of the continue field to determine whether more results are available. Servers may choose not to support the limit argument and will return all of the available results. If limit is specified and the continue field is empty, clients may assume that no more results are available. This field is not supported if watch is true.

The server guarantees that the objects returned when using continue will be identical to issuing a single list call without a limit - that is, no objects created, modified, or deleted after the first request is issued will be included in any subsequent continued requests. This is sometimes referred to as a consistent snapshot, and ensures that a client that is using limit to receive smaller chunks of a very large result can ensure they see all possible objects. If objects are updated during a chunked list the version of the object that was present at the time the first list result was calculated is returned.

resourceVersion

string

resourceVersion sets a constraint on what resource versions a request may be served from. See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.

Defaults to unset

resourceVersionMatch

string

resourceVersionMatch determines how resourceVersion is applied to list calls. It is highly recommended that resourceVersionMatch be set for list calls where resourceVersion is set See https://kubernetes.io/docs/reference/using-api/api-concepts/#resource-versions for details.

Defaults to unset

timeoutSeconds

integer

Timeout for the list/watch call. This limits the duration of the call, regardless of any activity or inactivity.

watch

boolean

Watch for changes to the described resources and return them as a stream of add, update, and remove notifications. Specify resourceVersion.

Table 9. HTTP responses
HTTP codeReponse body

200 - OK

NetworkPolicyList networking.k8s.io/v1

401 - Unauthorized

Empty

HTTP method

POST

Description

create a NetworkPolicy

Table 10. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldManager

string

fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.

Table 11. Body parameters
ParameterTypeDescription

body

NetworkPolicy networking.k8s.io/v1

Table 12. HTTP responses
HTTP codeReponse body

200 - OK

NetworkPolicy networking.k8s.io/v1

201 - Created

NetworkPolicy networking.k8s.io/v1

202 - Accepted

NetworkPolicy networking.k8s.io/v1

401 - Unauthorized

Empty

/apis/networking.k8s.io/v1/namespaces/{namespace}/networkpolicies/{name}

Table 13. Global path parameters
ParameterTypeDescription

name

string

name of the NetworkPolicy

namespace

string

object name and auth scope, such as for teams and projects

Table 14. Global guery parameters
ParameterTypeDescription

pretty

string

If ‘true’, then the output is pretty printed.

HTTP method

DELETE

Description

delete a NetworkPolicy

Table 15. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

gracePeriodSeconds

integer

The duration in seconds before the object should be deleted. Value must be non-negative integer. The value zero indicates delete immediately. If this value is nil, the default grace period for the specified type will be used. Defaults to a per object value if not specified. zero means delete immediately.

orphanDependents

boolean

Deprecated: please use the PropagationPolicy, this field will be deprecated in 1.7. Should the dependent objects be orphaned. If true/false, the “orphan” finalizer will be added to/removed from the object’s finalizers list. Either this field or PropagationPolicy may be set, but not both.

propagationPolicy

string

Whether and how garbage collection will be performed. Either this field or OrphanDependents may be set, but not both. The default policy is decided by the existing finalizer set in the metadata.finalizers and the resource-specific default policy. Acceptable values are: ‘Orphan’ - orphan the dependents; ‘Background’ - allow the garbage collector to delete the dependents in the background; ‘Foreground’ - a cascading policy that deletes all dependents in the foreground.

Table 16. Body parameters
ParameterTypeDescription

body

DeleteOptions meta/v1

Table 17. HTTP responses
HTTP codeReponse body

200 - OK

Status meta/v1

202 - Accepted

Status meta/v1

401 - Unauthorized

Empty

HTTP method

GET

Description

read the specified NetworkPolicy

Table 18. Query parameters
ParameterTypeDescription

exact

boolean

Should the export be exact. Exact export maintains cluster-specific fields like ‘Namespace’. Deprecated. Planned for removal in 1.18.

export

boolean

Should this value be exported. Export strips fields that a user can not specify. Deprecated. Planned for removal in 1.18.

Table 19. HTTP responses
HTTP codeReponse body

200 - OK

NetworkPolicy networking.k8s.io/v1

401 - Unauthorized

Empty

HTTP method

PATCH

Description

partially update the specified NetworkPolicy

Table 20. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldManager

string

fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint. This field is required for apply requests (application/apply-patch) but optional for non-apply patch types (JsonPatch, MergePatch, StrategicMergePatch).

force

boolean

Force is going to “force” Apply requests. It means user will re-acquire conflicting fields owned by other people. Force flag must be unset for non-apply patch requests.

Table 21. Body parameters
ParameterTypeDescription

body

Patch meta/v1

Table 22. HTTP responses
HTTP codeReponse body

200 - OK

NetworkPolicy networking.k8s.io/v1

401 - Unauthorized

Empty

HTTP method

PUT

Description

replace the specified NetworkPolicy

Table 23. Query parameters
ParameterTypeDescription

dryRun

string

When present, indicates that modifications should not be persisted. An invalid or unrecognized dryRun directive will result in an error response and no further processing of the request. Valid values are: - All: all dry run stages will be processed

fieldManager

string

fieldManager is a name associated with the actor or entity that is making these changes. The value must be less than or 128 characters long, and only contain printable characters, as defined by https://golang.org/pkg/unicode/#IsPrint.

Table 24. Body parameters
ParameterTypeDescription

body

NetworkPolicy networking.k8s.io/v1

Table 25. HTTP responses
HTTP codeReponse body

200 - OK

NetworkPolicy networking.k8s.io/v1

201 - Created

NetworkPolicy networking.k8s.io/v1

401 - Unauthorized

Empty