networking.gdc.goog/v1
Package v1 contains API Schema definitions for the networking v1 API group.
AuthorizationPolicyRef
Represents a reference to the generated authorization policy.
Appears in: - OrganizationNetworkPolicyStatus
Field | Description |
---|---|
name string | The name of the referent. |
namespace string | The namespace of the referent. |
BGPPeerInterface
Represents a reference to a BGP peer.
Appears in: - VPNBGPPeerSpec
Field | Description |
---|---|
name string | The name of the BGP peer. |
ip string | The IP address of the BGP peer. |
asn integer | The Autonomous System Number. |
ClusterNodeSelector
Represents the information used to locate a node or nodes inside a specified cluster. Either cluster or node, or both, must be specified.
Appears in: - FlowLogFilter
Field | Description |
---|---|
cluster string | The name of the cluster. If a value is not provided, all clusters are searched for the desired node or nodes. |
node string | A wildcard pattern used to search by node name. For example, k8s* or *.domain.com. |
FlowLog
Defines a list of flow log filters used for finding relevant flows. Flow events matching any of the provided filter rules are logged.
Appears in: - FlowLogList
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | FlowLog |
metadata ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
spec FlowLogSpec | The desired configuration for a flow log. |
status FlowLogStatus | The observed state of a flow log. |
FlowLogFilter
Defines a collection of filter criteria that are applied at the same time. Each flow log filter contains several optional matching fields. The matching logic for each filter follows these rules:
- When an optional matching field is not specified, no filtering is applied on that field of a flow. For example, if no sources are provided, all sources are matched.
- When multiple fields are specified in one filter, all fields must match the target flow. For example, if a source value of srcNS/pod1 and a destination value of dstNS/pod2 are specified at the same time, the filter matches the flow from pod srcNS/pod1 to destination dstNS/pod2.
- When a field is a list, specifying multiple values matches any of the values.
Appears in: - FlowLogSpec
Field | Description |
---|---|
source NetworkEndpointFilter | A filter that filters flow events by a list of source rules. |
destination NetworkEndpointFilter | A filter that filters flow events by a list of destination rules. |
endpoint NetworkEndpointFilter | Filters flow events whose source or destination matches any endpoint in this list. If endpoint is set, source and destination must not be specified. When specified, each endpoint corresponds to two filters: one with source set to this endpoint and all other filter fields kept the same, and another with destination set to this endpoint and all other filter fields kept the same. |
l4Protocols Protocol array | A filter that filters flow events by the L4 protocols defined in v1.Protocol. Each protocol must be specified at most once. |
verdicts PolicyVerdict array | A filter that filters flow events by verdict classification. |
clusterNodeSelectors ClusterNodeSelector array | A list of clusters and nodes used to match flows. |
FlowLogList
Defines a list of flow log resources.
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | FlowLogList |
metadata ListMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
items FlowLog array | A list of flow log entries. |
FlowLogSpec
Represents the flow log filters that are applied. When multiple filters are present, the flow is logged if at least one filter matches the flow event.
Appears in: - FlowLog
Field | Description |
---|---|
enable boolean | Specifies whether this flow log is enabled. When disabled, the backend flow filters are disabled and no corresponding logs are collected. Defaults to true if not specified. |
filters FlowLogFilter array | A list of filters used for matching flow events. Flow events matching any of the provided filter rules are logged. |
lifetime Lifetime | The amount of time this flow log rule is applied for. After the time is reached, the flow logging rule is disabled. If empty, this flow logging rule is enabled indefinitely. |
logDetailLevel LogDetailLevel | The fields that are logged for matching flow events. If empty, defaults to logging all fields. |
FlowLogStatus
Defines the observed state of flow logs.
Appears in: - FlowLog
Field | Description |
---|---|
conditions Condition array | The current status of flow logs. Known condition types are: Reconciled: the flow log is reconciled and provisioned successfully; and Logging: the flow log is currently reconciled and active. |
clusters PropagationStatus array | The propagation status of this flow log in each cluster where the resource is propagated. The Propagated condition is set to true in the Conditions if this resource is synced to the cluster, and its ObservedGeneration is set to the generation of the propagated resource in the target cluster. If this resource is successfully pruned from a cluster, the corresponding PropagationStatus must be removed from the list. |
startTime Time | The time the flow log becomes active. This field is set by the reconciler when it first interacts with the object, or when the FlowLogSpec resource is changed. |
endTime Time | The time the flow log becomes inactive. This field is set by the reconciler as such: |
GatewayInterfaceRef
Represents a reference to an interface on a VPNGateway or PeerGateway resource.
Appears in: - VPNTunnelSpec
Field | Description |
---|---|
name string | The name of the gateway. |
namespace string | The namespace of the gateway. |
interface string | The name of the interface. |
Lifetime
Defines the lifetime of a flow log. A value for expiration or duration must be specified, but not both.
Appears in: - FlowLogSpec
Field | Description |
---|---|
expiration Time | The time when this filter rule expires and becomes inactive. Expiration must be a time in the future. It includes the time required to propagate resources down to child clusters, so the value should account for an additional buffer of around one minute to ensure that all clusters can begin logging and capture the necessary traffic. |
duration Duration | The amount of time the flow log will be active for, starting from when it is reconciled. It includes the time required to propagate resources down to child clusters, so the value should account for an additional buffer of around one minute to ensure that all clusters can begin logging and capture the necessary traffic. |
LogDetailLevel
Underlying type: string
A list of predefined combinations of fields that are logged when filtered flow events are captured.
Appears in: - FlowLogSpec
ManagedServiceSubject
Defines a managed service target.
Appears in: - OrganizationNetworkPolicySubject
Field | Description |
---|---|
matchTypes string array | The organization managed service types that the policy applies to. |
NamespacePodSelector
Represents the information used to locate pods inside the specified namespace. Specify a value for namespace, pod, or both namespace and pod.
Appears in: - NetworkEndpointFilter
Field | Description |
---|---|
namespace string | The flow events that match the namespace name. For example, kube-system. |
pod string | The flow events that match the given pod name prefix. For example, xwing or coredns-. |
NetworkEndpointFilter
Represents a filter that selects a set of network endpoints based on the filter conditions specified.
Appears in: - FlowLogFilter
Field | Description |
---|---|
ipBlocks string array | A filter that selects flow events that match the IP address or IP address range. Each IP address can be specified as an exact match, like 1.1.1.1 or 1200:0000:AB00:1234:0000:2552:7777:1313, or as a CIDR range, like 1.1.1.0/24 or 1200:0000:AB00:1234:0000:2552:7777:1313/120. If not specified, any IP address is matched. |
labels LabelSelector array | A filter that selects flow events that match the label selector. Selectors support the full Kubernetes label selector syntax. |
namespacePodSelectors NamespacePodSelector array | A list of namespaces and pods used to match flows. |
ports IntOrString array | A filter that selects flows by their L4 ports. If this field is not provided, all port numbers are matched. An example value for a single port is 80. If present, only traffic on the specified protocol and port is matched. |
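The matching rules described under FlowLogSpec, FlowLogFilter, ClusterNodeSelector, NamespacePodSelector and NetworkEndpointFilter, modelled in code as an added example that is not part of this reference. The flow-event dictionary shape and the verdict strings ("Denied", "Allowed") are constructed assumptions, since the PolicyVerdict values are not listed on this page.

```python
"""Added example, not part of the networking.gdc.goog/v1 reference: the documented
FlowLog matching rules modelled in code and run over constructed flow events
(the event dict shape and the verdict strings are assumptions of this example).
  * FlowLogSpec: nothing is logged when enable is false; else ANY filter may match.
  * FlowLogFilter: unset fields impose no constraint, set fields must ALL match,
    list fields match ANY value; endpoint expands into a source copy and a
    destination copy and may not be combined with source/destination.
  * NetworkEndpointFilter: ipBlocks (IP or CIDR), namespacePodSelectors (exact
    namespace, pod-name prefix), ports; ClusterNodeSelector.node is a wildcard.
"""
import fnmatch
import ipaddress
from typing import Any, Dict, List, Optional

def _ip_matches(ip_blocks: Optional[List[str]], ip: Optional[str]) -> bool:
    if not ip_blocks:  # unset list: no filtering on IP
        return True
    addr = ipaddress.ip_address(ip)  # ip_network() takes "1.1.1.1" as well as "1.1.1.0/24"
    return any(addr in ipaddress.ip_network(b, strict=False) for b in ip_blocks)

def _ns_pod_matches(selectors: Optional[List[Dict[str, str]]], ep: Dict[str, Any]) -> bool:
    if not selectors:
        return True
    return any(("namespace" not in s or s["namespace"] == ep.get("namespace"))
               and ("pod" not in s or str(ep.get("pod", "")).startswith(s["pod"]))
               for s in selectors)  # OR over selectors, AND inside one selector

def _node_matches(sel: Dict[str, str], flow: Dict[str, Any]) -> bool:
    return (("cluster" not in sel or sel["cluster"] == flow.get("cluster"))
            and ("node" not in sel or fnmatch.fnmatchcase(flow.get("node", ""), sel["node"])))

def endpoint_matches(f: Optional[Dict[str, Any]], ep: Dict[str, Any]) -> bool:
    """NetworkEndpointFilter: every field that is set must match."""
    if f is None:
        return True
    return (_ip_matches(f.get("ipBlocks"), ep.get("ip"))
            and _ns_pod_matches(f.get("namespacePodSelectors"), ep)
            and (not f.get("ports") or ep.get("port") in f["ports"]))

def expand_endpoint(flt: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Documented expansion: one copy with source set, one with destination set."""
    if "endpoint" not in flt:
        return [flt]
    if "source" in flt or "destination" in flt:
        raise ValueError("endpoint must not be combined with source or destination")
    base = {k: v for k, v in flt.items() if k != "endpoint"}
    return [dict(base, source=flt["endpoint"]), dict(base, destination=flt["endpoint"])]

def filter_matches(flt: Dict[str, Any], flow: Dict[str, Any]) -> bool:
    """FlowLogFilter: unset fields match everything; set fields must all match."""
    return (endpoint_matches(flt.get("source"), flow["source"])
            and endpoint_matches(flt.get("destination"), flow["destination"])
            and (not flt.get("l4Protocols") or flow["protocol"] in flt["l4Protocols"])
            and (not flt.get("verdicts") or flow["verdict"] in flt["verdicts"])
            and (not flt.get("clusterNodeSelectors")
                 or any(_node_matches(s, flow) for s in flt["clusterNodeSelectors"])))

def should_log(spec: Dict[str, Any], flow: Dict[str, Any]) -> bool:
    """FlowLogSpec: disabled logs nothing; otherwise ANY (expanded) filter may match."""
    if not spec.get("enable", True):
        return False
    expanded = [e for f in spec.get("filters", []) for e in expand_endpoint(f)]
    return any(filter_matches(e, flow) for e in expanded)

# Constructed sample spec: (1) denied flows to or from coredns in kube-system,
# (2) TCP/443 from namespace srcNS into 10.0.0.0/8, observed on k8s* nodes.
SAMPLE_SPEC = {"enable": True, "filters": [
    {"endpoint": {"namespacePodSelectors": [{"namespace": "kube-system", "pod": "coredns-"}]},
     "verdicts": ["Denied"]},
    {"source": {"namespacePodSelectors": [{"namespace": "srcNS"}]},
     "destination": {"ipBlocks": ["10.0.0.0/8"], "ports": [443]},
     "l4Protocols": ["TCP"], "clusterNodeSelectors": [{"node": "k8s*"}]},
]}

def _flow(src, dst, proto, verdict, node="k8s-node-1"):  # constructed flow event
    return {"source": src, "destination": dst, "protocol": proto,
            "verdict": verdict, "cluster": "c1", "node": node}

POD1 = {"ip": "10.1.0.5", "namespace": "srcNS", "pod": "pod1"}
COREDNS = {"ip": "10.96.0.10", "namespace": "kube-system", "pod": "coredns-7d4f", "port": 53}
FLOWS = [  # "Denied"/"Allowed" are placeholder verdict values
    _flow(POD1, COREDNS, "UDP", "Denied"),                               # 0: filter 1, destination copy
    _flow(POD1, {"ip": "10.20.30.40", "port": 443}, "TCP", "Allowed"),   # 1: filter 2
    _flow(POD1, {"ip": "10.20.30.40", "port": 80}, "TCP", "Allowed"),    # 2: port does not match
    _flow(COREDNS, {"ip": "8.8.8.8", "port": 53}, "UDP", "Allowed"),     # 3: coredns but not denied
    _flow(COREDNS, {"ip": "8.8.8.8", "port": 53}, "UDP", "Denied"),      # 4: filter 1, source copy
    _flow(POD1, {"ip": "10.20.30.40", "port": 443}, "TCP", "Allowed", node="edge-1"),  # 5: node
]
```

Flows 0, 1 and 4 are logged; 3 shows the AND across fields and 5 the ClusterNodeSelector wildcard.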
OrganizationNetworkPolicy
Defines the Schema for the OrganizationNetworkPolicy API.
Appears in: - OrganizationNetworkPolicyList
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | OrganizationNetworkPolicy |
metadata ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
spec OrganizationNetworkPolicySpec | The desired configuration for OrganizationNetworkPolicy. |
status OrganizationNetworkPolicyStatus | The observed state for OrganizationNetworkPolicy. |
OrganizationNetworkPolicyIngressRule
Defines a single ingress rule for an OrganizationNetworkPolicy resource.
Appears in: - OrganizationNetworkPolicySpec
Field | Description |
---|---|
from OrganizationNetworkPolicyPeer array | A list of sources which are able to access the subject of the policy. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources; traffic is not restricted by source. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. A maximum of one item must be specified. |
OrganizationNetworkPolicyList
Defines a list of OrganizationNetworkPolicy resources.
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | OrganizationNetworkPolicyList |
metadata ListMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
items OrganizationNetworkPolicy array | |
OrganizationNetworkPolicyPeer
Defines a peer to allow traffic from.
Appears in: - OrganizationNetworkPolicyIngressRule
Field | Description |
---|---|
ipBlock IPBlock | A policy on a particular ipBlock. If empty, it allows all traffic (0.0.0.0/0). |
OrganizationNetworkPolicySpec
Defines the desired state of an OrganizationNetworkPolicy resource. The array of ingress rules for this policy applies to the specified target. When multiple rules are present, or when multiple policies are present, the rules for each are combined additively. Traffic is allowed if it matches at least one rule.
Appears in: - OrganizationNetworkPolicy
Field | Description |
---|---|
subject OrganizationNetworkPolicySubject | The managed services of the organization network policies. |
ingress OrganizationNetworkPolicyIngressRule array | The ingress rules for the traffic. If ingress is empty or missing, no traffic is allowed. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from field. |
OrganizationNetworkPolicyStatus
Defines the observed state of an OrganizationNetworkPolicy resource.
Appears in: - OrganizationNetworkPolicy
Field | Description |
---|---|
conditions Condition array | If ready is true, the OrganizationNetworkPolicy resource has been successfully propagated to the org admin cluster. If ready is false, the OrganizationNetworkPolicy has failed to propagate. |
generatedauthorizationpolicies AuthorizationPolicyRef array | The list of authorization policies that are generated from the OrganizationNetworkPolicy resource. |
OrganizationNetworkPolicySubject
Represents the organization service targets. Choose exactly one of the properties for the target.
Appears in: - OrganizationNetworkPolicySpec
Field | Description |
---|---|
subjectType OrganizationNetworkPolicySubjectType | The type of entities the policy rules apply to. If not set, it defaults to ManagedService. |
services ManagedServiceSubject | The service to select. Supports the organization multi-tenant services, including UIConsole and APIServer. |
OrganizationNetworkPolicySubjectType
Underlying type: string
Defines the target type of the policies.
Appears in: - OrganizationNetworkPolicySubject
PeerGateway
PeerGateway represents a remote VPN endpoint. An interface on a PeerGateway should be used by a single VPNTunnel to establish an encrypted tunnel to the remote site.
Appears in: - PeerGatewayList
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | PeerGateway |
metadata ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
spec PeerGatewaySpec | |
status PeerGatewayStatus | |
PeerGatewayInterface
Represents a Gateway interface on which a tunnel is established.
Appears in: - PeerGatewaySpec
Field | Description |
---|---|
name string | The name of the interface. |
ip string | The IPv4 address of the interface. |
PeerGatewayList
PeerGatewayList contains a list of PeerGateway.
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | PeerGatewayList |
metadata ListMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
items PeerGateway array | Items is a list of PeerGateway entries. |
PeerGatewaySpec
PeerGatewaySpec defines the desired state of PeerGateway.
Appears in: - PeerGateway
Field | Description |
---|---|
interfaces PeerGatewayInterface array | The list of interfaces on the Peer Gateway which will be used for VPN connections. Each interface should be used by one VPNTunnel. |
PeerGatewayStatus
PeerGatewayStatus defines the observed state of PeerGateway.
Appears in: - PeerGateway
Field | Description |
---|---|
conditions Condition array | Indicates the current status of PeerGateway. Known condition types are: "Ready": the Peer Gateway is reconciled and used by a VPNTunnel; "TunnelsEstablished": each interface on the Peer Gateway is used by a VPNTunnel. |
PolicyManagedServiceSubject
Defines a managed service target.
Appears in: - ProjectNetworkPolicySubject
Field | Description |
---|---|
matchTypes string array | The managed service types that the policy applies to. Exactly one item must be specified. |
PolicyProjects
Represents a collection of projects that is used to match a set of projects.
Appears in: - ProjectNetworkPolicyPeer
Field | Description |
---|---|
matchNames string array | The selected projects, chosen within the organization based on their name. The project namespace is derived from the project network policy's namespace. If this field is empty or missing, this rule matches all projects. A maximum of one item must be specified. |
PolicySubjectType
Underlying type: string
Defines the target type of the network policies.
Appears in: - ProjectNetworkPolicySubject
PolicyType
Underlying type: string
Defines the direction of traffic on which the policy rules are applied.
Appears in: - ProjectNetworkPolicySpec
PolicyVerdict
Underlying type: string
Defines a list of verdict classifying flows.
Appears in: - FlowLogFilter
ProjectNetworkPolicy
Contains the Schema for the ProjectNetworkPolicy API.
Appears in: - ProjectNetworkPolicyList
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | ProjectNetworkPolicy |
metadata ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
spec ProjectNetworkPolicySpec | The desired configuration for the ProjectNetworkPolicy resource. |
status ProjectNetworkPolicyStatus | The observed state for the ProjectNetworkPolicy resource. |
ProjectNetworkPolicyEgressRule
Defines a single egress rule for a ProjectNetworkPolicy resource.
Appears in: - ProjectNetworkPolicySpec
Field | Description |
---|---|
ports ProjectNetworkPolicyPort array | A list of destination ports for outgoing traffic. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all ports; traffic is not restricted by port. If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one port in the list. |
to ProjectNetworkPolicyPeer array | A list of destinations for outgoing traffic of the subject for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations; traffic is not restricted by destination. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list. A maximum of one item must be specified. |
ProjectNetworkPolicyIngressRule
Defines a single ingress rule for a ProjectNetworkPolicy resource.
Appears in: - ProjectNetworkPolicySpec
Field | Description |
---|---|
ports ProjectNetworkPolicyPort array | A list of ports for incoming traffic. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all ports; traffic is not restricted by port. If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one port in the list. |
from ProjectNetworkPolicyPeer array | A list of sources which are able to access the subject of the policy. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all sources; traffic is not restricted by source. If this field contains at least one item, this rule allows traffic only if the traffic matches at least one item in the from list. A maximum of one item must be specified. |
ProjectNetworkPolicyList
Defines a list of ProjectNetworkPolicy resources.
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | ProjectNetworkPolicyList |
metadata ListMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
items ProjectNetworkPolicy array | |
ProjectNetworkPolicyPeer
Represents a peer to allow traffic from. Exactly one of the subfields must be specified.
Appears in: - ProjectNetworkPolicyEgressRule - ProjectNetworkPolicyIngressRule
Field | Description |
---|---|
projects PolicyProjects | The projects to apply the network policy to. |
ipBlock IPBlock | A policy on a particular ipBlock. If empty, all external IPs, excluding Kubernetes nodes and workloads in the organization, are selected. |
ProjectNetworkPolicyPort
Represents a port to allow traffic on. If all subfields are empty, all TCP traffic is selected.
Appears in: - ProjectNetworkPolicyEgressRule - ProjectNetworkPolicyIngressRule
Field | Description |
---|---|
protocol Protocol | The protocol which traffic must match. The options are TCP, UDP, or SCTP. If unspecified, this field defaults to TCP. |
port IntOrString | The port on the given protocol. This can be either a numerical or a named port on a pod. If this field is not provided, this matches all port names and numbers. If present, only traffic on the specified protocol and port is matched. |
ProjectNetworkPolicySpec
Defines the desired state of a ProjectNetworkPolicy resource. The array of ingress or egress rules for this policy applies to the specified subject or target. When multiple rules are present, or when multiple policies are present, the rules for each are combined additively. In other words, traffic is allowed if it matches at least one rule.
Appears in: - ProjectNetworkPolicy
Field | Description |
---|---|
subject ProjectNetworkPolicySubject | The target of the project network policies. If unspecified, all pods excluding the managed services in the project are selected. |
policyType PolicyType | The direction of traffic on which the policy rules are applied. This must be set to one of ingress or egress. If not set, it defaults to ingress. |
ingress ProjectNetworkPolicyIngressRule array | A list of ingress rules for this policy. If this field is empty, the ProjectNetworkPolicy resource does not allow any traffic and serves solely to ensure that the subjects it selects are isolated by default. |
egress ProjectNetworkPolicyEgressRule array | The list of egress rules for this policy. If this field is empty, the ProjectNetworkPolicy resource does not allow any traffic and serves solely to ensure that the subjects it selects are isolated by default. |
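An added example, not part of this reference, that evaluates the ingress semantics described for ProjectNetworkPolicySpec, ProjectNetworkPolicyIngressRule, ProjectNetworkPolicyPort and ProjectNetworkPolicyPeer against constructed connection attempts. Assumed here: the connection dictionary shape, an ipBlock written as {"cidr": ...} in the manner of the Kubernetes NetworkPolicy IPBlock type, and that a connection carrying no source project originates outside the organization.

```python
"""Added example, not part of the networking.gdc.goog/v1 reference: the documented
ProjectNetworkPolicy ingress semantics modelled in code and evaluated against
constructed connection attempts for one subject selected by every given policy.
  * Rules from all policies combine additively: allowed if ANY rule matches.
  * A policy with an empty ingress list allows nothing (isolation only).
  * In a rule, ports and from are each ORed over their items; a non-empty list
    must match, an empty list is unrestricted. from holds at most one item.
  * ProjectNetworkPolicyPort: protocol defaults to TCP; an unset port matches all.
  * ProjectNetworkPolicyPeer: exactly one of projects (matchNames) or ipBlock;
    an empty ipBlock selects all external IPs.
Assumptions of this example: the connection dict shape, an ipBlock written as
{"cidr": ...} like the Kubernetes NetworkPolicy IPBlock, and that a connection
without source_project comes from outside the organization.
"""
import ipaddress
from typing import Any, Dict, List

def port_matches(rule_port: Dict[str, Any], conn: Dict[str, Any]) -> bool:
    if conn["protocol"] != rule_port.get("protocol", "TCP"):  # documented default
        return False
    return "port" not in rule_port or rule_port["port"] == conn["port"]

def peer_matches(peer: Dict[str, Any], conn: Dict[str, Any]) -> bool:
    if ("projects" in peer) == ("ipBlock" in peer):
        raise ValueError("ProjectNetworkPolicyPeer: exactly one of projects or ipBlock")
    external = conn.get("source_project") is None
    if "projects" in peer:
        names = peer["projects"].get("matchNames", [])  # empty: all projects
        return not external and (not names or conn["source_project"] in names)
    cidr = peer["ipBlock"].get("cidr")
    if cidr is None:
        return external  # empty ipBlock: all external IPs, not organization workloads
    return ipaddress.ip_address(conn["source_ip"]) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(rule: Dict[str, Any], conn: Dict[str, Any]) -> bool:
    ports, froms = rule.get("ports", []), rule.get("from", [])
    if len(froms) > 1:
        raise ValueError("from: a maximum of one item must be specified")
    ports_ok = not ports or any(port_matches(p, conn) for p in ports)
    from_ok = not froms or any(peer_matches(f, conn) for f in froms)
    return ports_ok and from_ok

def ingress_allowed(policies: List[Dict[str, Any]], conn: Dict[str, Any]) -> bool:
    """Additive evaluation over every ingress-type policy selecting the subject."""
    rules = [r for p in policies if p.get("policyType", "ingress") == "ingress"
             for r in p.get("ingress", [])]
    return any(rule_matches(r, conn) for r in rules)

# Constructed sample policies for one subject (spec fields only).
FRONTEND_TO_API = {"policyType": "ingress", "ingress": [
    {"ports": [{"port": 443}], "from": [{"projects": {"matchNames": ["frontend"]}}]},
    {"ports": [{"port": 8443}], "from": [{"ipBlock": {"cidr": "203.0.113.0/24"}}]},
]}
DNS_FROM_ANYWHERE = {"policyType": "ingress", "ingress": [
    {"ports": [{"protocol": "UDP", "port": 53}]},
]}
ISOLATE_ONLY = {"policyType": "ingress", "ingress": []}

def _conn(proto, port, ip, project=None):  # constructed connection attempt
    return {"protocol": proto, "port": port, "source_ip": ip, "source_project": project}

CONNS = {
    "frontend_https": _conn("TCP", 443, "10.1.2.3", "frontend"),  # allowed by rule 1
    "frontend_http": _conn("TCP", 80, "10.1.2.3", "frontend"),    # port not allowed
    "other_https": _conn("TCP", 443, "10.1.9.9", "other"),        # project not allowed
    "external_dns": _conn("UDP", 53, "198.51.100.7"),             # allowed: no from restriction
    "partner_8443": _conn("TCP", 8443, "203.0.113.7"),            # allowed by the ipBlock
    "stranger_8443": _conn("TCP", 8443, "198.51.100.7"),          # outside the ipBlock
}
```

With only ISOLATE_ONLY applied, every connection is denied, which is the documented effect of an empty ingress list.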
ProjectNetworkPolicyStatus
Defines the observed state of a ProjectNetworkPolicy resource.
Appears in: - ProjectNetworkPolicy
Field | Description |
---|---|
conditions Condition array | If ready is true, all network policies have been successfully propagated to all user clusters. If ready is false, some or all network policies have failed to propagate. |
propagatedName string | The name of the propagated network policy realized in all user clusters within the project. This field is expected to be set when SubjectType="UserWorkload". |
clusters ClusterStatus array | The list of propagation statuses on the clusters. This field is expected to be set when SubjectType="UserWorkload". |
propagatedManagedServiceNamespaces string array | The list of managed service namespaces that the policy is propagated to. This field is expected to be set when SubjectType="ManagedService". |
ProjectNetworkPolicySubject
Defines the target for project network policies.
Appears in: - ProjectNetworkPolicySpec
Field | Description |
---|---|
subjectType PolicySubjectType | The type of entities the policy rules apply to. This must be set to one of userWorkload or managedService. If not set, it defaults to userWorkload. If set to userWorkload, all pods excluding the managed services in the project are selected. If set to managedService, the specified managed services are selected. |
managedServices PolicyManagedServiceSubject | The managed services that the policy rules apply to. Must be specified only with SubjectType="ManagedService". |
PropagationStatus
Defines the propagation status for a specific cluster.
Appears in: - FlowLogStatus
Field | Description |
---|---|
cluster string | The cluster name where this resource is propagated. |
node string | The node name where this resource is propagated. |
namespace string | The namespace where this resource is propagated. |
name string | The name of the propagated resource. |
conditions Condition array | The current status of the programmed resources. |
Route
Represents a route advertised or received over the tunnel.
Appears in: - VPNBGPPeerStatus
Field | Description |
---|---|
prefix string | The network prefix of the route. |
SessionState
Underlying type: string
The state of the BGP session, like Established or NotEstablished.
Appears in: - VPNBGPPeerStatus
TunnelState
Underlying type: string
The state of the Tunnel, like Established or Connecting.
Appears in: - VPNTunnelStatus
VPNBGPPeer
VPNBGPPeer represents a BGP session over a VPN tunnel. A VPNBGPPeer establishes a BGP session between a BGP peer in an Organization and a BGP peer at a remote site across a single VPNTunnel. A VPNBGPPeer should be used by a VPNTunnel.
Appears in: - VPNBGPPeerList
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | VPNBGPPeer |
metadata ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
spec VPNBGPPeerSpec | |
status VPNBGPPeerStatus | |
VPNBGPPeerList
VPNBGPPeerList contains a list of VPNBGPPeer.
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | VPNBGPPeerList |
metadata ListMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
items VPNBGPPeer array | Items is a list of VPNBGPPeer entries. |
VPNBGPPeerSpec
VPNBGPPeerSpec defines the desired state of VPNBGPPeer. The IP addresses of both the remote and the local BGP peer must be in the same /30 block from the 169.254.0.0/16 range.
Appears in: - VPNBGPPeer
Field | Description |
---|---|
remote BGPPeerInterface | Represents the remote BGP peer. |
local BGPPeerInterface | Represents the local BGP peer. |
VPNBGPPeerStatus
VPNBGPPeerStatus defines the observed state of VPNBGPPeer. The Organization will create a BGP session with the remote site over the VPNTunnel that references this VPNBGPPeer. The local BGP peer will advertise all internal CIDRs of the Organization to the remote BGP peer. If the remote BGP peer advertises a CIDR that conflicts with the internal CIDRs of the Organization, the VPNBGPPeer "Ready" condition will be false.
Appears in: - VPNBGPPeer
Field | Description |
---|---|
state SessionState | Represents the state of the BGP session between the local BGP peer and the remote BGP peer. |
advertised Route array | Represents routes advertised to the remote site on the BGP session. |
received Route array | Represents routes received from the remote site on the BGP session. |
conditions Condition array | Indicates the current status of VPNBGPPeer. Known condition types are: "Ready": the Peer Gateway is reconciled and used by a VPNTunnel; "BGPSessionEstablished": each interface on the Peer Gateway is used by a VPNTunnel; "ReceivedRoutesReady": the routes received from the remote BGP peer do not interfere with routes in the internal CIDR of the Organization. |
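Two checks for the constraints stated under VPNBGPPeerSpec and VPNBGPPeerStatus, as an added example that is not part of this reference: the same-/30 rule for the peer IPs before a VPNBGPPeer is applied, and the received-route overlap test behind the "ReceivedRoutesReady" condition afterwards. The internal CIDR list is a constructed sample, and rejecting the network and broadcast address of the /30 goes beyond the documented rule.

```python
"""Added example, not part of the networking.gdc.goog/v1 reference: checks for
the VPNBGPPeer constraints stated on this page.
  * VPNBGPPeerSpec: local and remote peer IPs must lie in the same /30 block
    taken from the 169.254.0.0/16 range.
  * VPNBGPPeerStatus: routes received from the remote peer must not conflict
    with the Organization's internal CIDRs ("ReceivedRoutesReady" condition).
The internal CIDR list below is a constructed sample; rejecting the network and
broadcast address of the /30 is a standard IPv4 rule added beyond the page text.
"""
import ipaddress
from typing import Dict, List, Tuple

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def validate_bgp_peer_spec(spec: Dict) -> List[str]:
    """Return the problems found; an empty list means the spec is acceptable."""
    try:
        local = ipaddress.ip_address(spec["local"]["ip"])
        remote = ipaddress.ip_address(spec["remote"]["ip"])
    except (KeyError, ValueError) as exc:
        return [f"local/remote ip missing or malformed: {exc}"]
    problems = []
    for label, addr in (("local", local), ("remote", remote)):
        if addr.version != 4 or addr not in LINK_LOCAL:
            problems.append(f"{label} ip {addr} is not inside {LINK_LOCAL}")
    if problems:
        return problems  # the /30 comparison only makes sense for two IPv4 addresses
    if local == remote:
        problems.append("local and remote ip must differ")
    local_block = ipaddress.ip_network(f"{local}/30", strict=False)
    remote_block = ipaddress.ip_network(f"{remote}/30", strict=False)
    if local_block != remote_block:
        problems.append(f"peers are in different /30 blocks: {local_block} vs {remote_block}")
    for label, addr, block in (("local", local, local_block), ("remote", remote, remote_block)):
        # Beyond the documented rule: only the two middle addresses of a /30 are hosts.
        if addr in (block.network_address, block.broadcast_address):
            problems.append(f"{label} ip {addr} is the network or broadcast address of {block}")
    return problems


def received_route_conflicts(status: Dict, internal_cidrs: List[str]) -> List[Tuple[str, str]]:
    """(received prefix, internal CIDR) pairs that overlap. A non-empty result is
    the situation in which the page says the Ready condition will be false."""
    internal = [ipaddress.ip_network(c) for c in internal_cidrs]
    conflicts = []
    for route in status.get("received", []):
        prefix = ipaddress.ip_network(route["prefix"], strict=False)
        for cidr in internal:
            if prefix.version == cidr.version and prefix.overlaps(cidr):
                conflicts.append((str(prefix), str(cidr)))
    return conflicts


# Constructed samples using the field names from this page.
GOOD_SPEC = {"local": {"name": "org-peer", "ip": "169.254.10.1", "asn": 64512},
             "remote": {"name": "site-peer", "ip": "169.254.10.2", "asn": 64513}}
WRONG_BLOCK_SPEC = {"local": {"name": "org-peer", "ip": "169.254.10.1", "asn": 64512},
                    "remote": {"name": "site-peer", "ip": "169.254.10.5", "asn": 64513}}
NOT_LINK_LOCAL_SPEC = {"local": {"name": "org-peer", "ip": "169.254.10.1", "asn": 64512},
                       "remote": {"name": "site-peer", "ip": "10.0.0.2", "asn": 64513}}
SAMPLE_STATUS = {"state": "Established",
                 "received": [{"prefix": "192.168.50.0/24"}, {"prefix": "10.20.0.0/16"}]}
INTERNAL_CIDRS = ["10.0.0.0/8", "172.16.0.0/12"]  # constructed organization ranges
```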
VPNGateway
VPNGateway represents an Organization VPN endpoint. An interface on a VPNGateway should be used by a VPNTunnel to establish an encrypted tunnel to a remote site.
Appears in: - VPNGatewayList
Field | Description |
---|---|
apiVersion string |
networking.gdc.goog/v1 |
kind string |
VPNGateway |
metadata ObjectMeta |
Refer to Kubernetes API documentation for fields of metadata . |
spec VPNGatewaySpec |
|
status VPNGatewayStatus |
VPNGatewayInterface
Represents an interface on the Gateway. An IP is allocated for each interface and added to the status.
Appears in: - VPNGatewaySpec
Field | Description |
---|---|
name string | The name of the interface. |
VPNGatewayInterfaceStatus
Represents a Gateway interface on which a tunnel is established.
Appears in: - VPNGatewayStatus
Field | Description |
---|---|
name string | The name of the interface. |
ip string | The IPv4 address of the interface. |
VPNGatewayList
VPNGatewayList contains a list of VPNGateway.
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | VPNGatewayList |
metadata ListMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
items VPNGateway array | Items is a list of VPNGateway entries. |
VPNGatewaySpec
VPNGatewaySpec defines the desired state of VPNGateway. It names the interfaces that should be assigned external IPv4 addresses by the VPNGateway. Each IPv4 address assigned to an interface is chosen automatically from an external address pool.
Appears in: - VPNGateway
Field | Description |
---|---|
interfaces VPNGatewayInterface array | The names of each interface. VPNGateway assigns an external IPv4 address to each interface in the list. |
VPNGatewayStatus
VPNGatewayStatus defines the observed state of VPNGateway.
Appears in: - VPNGateway
Field | Description |
---|---|
interfaces VPNGatewayInterfaceStatus array | The list of interfaces on the VPNGateway. Each interface can be used by one VPNTunnel. |
conditions Condition array | Indicates the current status of VPNGateway. Known condition types are: "Ready": the VPNGateway is reconciled and used by a VPNTunnel; "IPsAssigned": IPv4 addresses have been assigned to each interface on the VPNGateway; "TunnelsAttached": each interface on the VPNGateway is used by a VPNTunnel. |
VPNTunnel
VPNTunnel represents an encrypted IPSec tunnel between an Organization network and a remote network. It connects a VPNGateway interface to a PeerGateway interface, and uses VPNBGPPeer to exchange routing information over the tunnel.
Appears in: - VPNTunnelList
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | VPNTunnel |
metadata ObjectMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
spec VPNTunnelSpec | |
status VPNTunnelStatus | |
VPNTunnelList
VPNTunnelList contains a list of VPNTunnel.
Field | Description |
---|---|
apiVersion string | networking.gdc.goog/v1 |
kind string | VPNTunnelList |
metadata ListMeta | Refer to the Kubernetes API documentation for the fields of metadata. |
items VPNTunnel array | Items is a list of VPNTunnel entries. |
VPNTunnelSpec
VPNTunnelSpec defines the desired state of VPNTunnel. The tunnel that is established supports the IKEv2 protocol with PSK-based authentication. Packets going through the tunnel are encrypted using IPSec Tunnel mode, where the outer IP header is constructed using a VPNGateway interface IP and a PeerGateway interface IP. A VPNTunnel references a VPNGateway interface, a PeerGateway interface, a VPNBGPPeer resource, and a secret which contains the preshared key for the authentication.
Appears in: - VPNTunnel
Field | Description |
---|---|
vpnInterface GatewayInterfaceRef | The interface on the VPNGateway that is used for the tunnel. The IP of the interface is used as the source IP for packets sent to the remote site over the tunnel. |
peerInterface GatewayInterfaceRef | The interface on the PeerGateway that is used for the tunnel. The IP of the interface is used as the destination IP for packets sent to the remote site over the tunnel. |
vpnBGPPeer ObjectReference | A reference to a VPNBGPPeer which specifies the dynamic routing over the tunnel. |
ikeKey SecretReference | The secret that contains the preshared key for the initial authentication of the gateways. |
VPNTunnelStatus
VPNTunnelStatus defines the observed state of VPNTunnel.
Appears in: - VPNTunnel
Field | Description |
---|---|
state TunnelState | The current status of the tunnel. |
conditions Condition array | Indicates the current status of VPNTunnel. Known condition types are: "Ready": the VPNTunnel is reconciled and is in an established state; "TunnelEstablished": the tunnel is in an established state. |