IPRuleSet
Scope: Cluster
Version: v1alpha1
This resource describes a set of rules (ip rule) that will be created on nodes with the appropriate labels.
- objectspec
Required value
- objectspec.nodeSelector
Required value
A set of labels that define the nodes on which these rules must be applied.
- array of objectsspec.rules
Required value
The desired set of rules (`ip rule’).
- objectspec.rules.actions
Required value
A set of actions that must be performed with a packet that has the attributes described in the `selectors’ section.
- objectspec.rules.actions.lookup
Required value
Define the routing table in which the gateway address will be searched.
- integerspec.rules.actions.lookup.ipRoutingTableID
ID of the routing table on the node
Allowed values:
1 <= X <= 4294967295 - stringspec.rules.actions.lookup.routingTableName
The name of kubernetes resource RoutingTable in which the routing table ID will be searched.
- integerspec.rules.priority
Required value
The priority of the rule (the order of application depends on it).
When choosing a number, it is worth considering several nuances:
- All rules are sorted by node’s linux network subsystem in order of priority (from lesser to greater) until a match is found.
- If the packet falls under some rule, and the corresponding action has been successfully performed, then the search for rules termitated.
- The default rule for searching the
mainrouting table is32766. In this case, if you specify a higher value, the rule will never be processed.
Allowed values:
0 <= X <= 4294967295 - objectspec.rules.selectors
Required value
A set of package attributes.
If the package has the attributes described in the
selectorssection, then actions from theactionssection will be applied to it.- objectspec.rules.selectors.dportRange
The range of destination ports.
If there is only one port, then you can either fill in only the
startfield, or specify the same value in thestartandendfields.- integerspec.rules.selectors.dportRange.end
The end of the range.
Allowed values:
0 <= X <= 65535 - integerspec.rules.selectors.dportRange.start
Required value
The beginning of the range.
Allowed values:
0 <= X <= 65535
- array of stringsspec.rules.selectors.from
An array of subnets of the source.
- stringElement of the array
The subnet of the source.
- stringspec.rules.selectors.fwMark
The traffic label exists only inside the linux network subsystem on the node.
Pattern:
^0[xX][0-9a-fA-F]{1,8}(/0[xX][0-9a-fA-F]{1,8})?$ - stringspec.rules.selectors.iif
The name of the incoming interface for the packet.
- integerspec.rules.selectors.ipProto
The number of the L4 protocol that is encapsulated in the IP in packet. The numbers of the most popular protocols are:
ICMP— 1TCP— 6UDP— 17 All available values can be found [at the link] (https://www.iana.org/assignments/protocol-numbers/protocol-numbers .xhtml), or in the /etc/protocols file on the node.
- booleanspec.rules.selectors.not
If this flag is specified, the rule will be inverted, that is, all packets that do not have the specified attributes will fall under it.
Default:
false - stringspec.rules.selectors.oif
The name of the outgoing interface for the packet.
- objectspec.rules.selectors.sportRange
The range of source ports.
If there is only one port, then you can either fill in only the
startfield, or specify the same value in thestartandendfields.- integerspec.rules.selectors.sportRange.end
The end of the range.
Allowed values:
0 <= X <= 65535 - integerspec.rules.selectors.sportRange.start
Required value
The beginning of the range.
Allowed values:
0 <= X <= 65535
- array of stringsspec.rules.selectors.to
An array of subnets of the destination.
- stringElement of the array
The subnet of the destination.
- stringspec.rules.selectors.tos
QOS traffic label (TOS/diffserv/dscp) transmitted over the network in the IP headers of the packet. Available values stored in the file /etc/iproute2/rt_dsfield.
Pattern:
^0[xX][0-9a-fA-F]{1,2}$ - objectspec.rules.selectors.uidRange
The range of UIDs (UserID) of applications that transmitting traffic.
If there is only one UID, then you can either fill in only the
startfield, or specify the same value in thestartandendfields.- integerspec.rules.selectors.uidRange.end
The end of the range.
Allowed values:
0 <= X <= 4294967295 - integerspec.rules.selectors.uidRange.start
Required value
The beginning of the range.
Allowed values:
0 <= X <= 4294967295
RoutingTable
Scope: Cluster
Version: v1alpha1
A resource describing the desired routing table and the routes it contains.
- objectspec
Required value
- integerspec.ipRoutingTableID
ID of the desired routing table.
If the value is not explicitly specified, it will be generated automatically.
Once a resource is created, you can only change the routing table ID by recreating the resource.
Allowed values:
1 <= X <= 4294967295 - objectspec.nodeSelector
Required value
A set of labels that determine the nodes on which the desired routes should be created.
- array of objectsspec.routes
Required value
- stringspec.routes.destination
Required value
Destination network.
- stringspec.routes.gateway
Required value
Nexthop.