Standard metadata of the object.

Specification of the desired behavior of ClusterNetworkPolicy.

Most recently observed status of the NetworkPolicy.

Standard metadata of the object.

Specification of the desired behavior of NetworkPolicy.

Most recently observed status of the NetworkPolicy.

Standard metadata of the object.

Specification of the desired behavior of Tier.

Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier’s Priority and the ClusterNetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom.

Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies.

Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule.

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

CIDR is a string representing the IP Block Valid examples are “192.168.1.¹⁄₂₄”.

IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.

Select Pods from NetworkPolicy’s Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector.

Select ExternalEntities from NetworkPolicy’s Namespace as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Group is the name of the ClusterGroup which can be set as an AppliedTo or within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector.

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.

EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.

Tier specifies the tier to which this NetworkPolicy belongs to. The NetworkPolicy order will be determined based on the combination of the Tier’s Priority and the NetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom.

Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.

Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule.

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy’s status.

The generation observed by Antrea.

The number of nodes that have realized the NetworkPolicy.

The total number of nodes that should realize the NetworkPolicy.

Action specifies the action to be applied on the rule.

Set of port and protocol allowed/denied by the rule. If this field is unset or empty, this rule matches all ports.

Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.

Rule is matched if traffic is intended for workloads selected by this field. If this field is empty or missing, this rule matches all destinations.

Name describes the intention of this rule. Name should be unique within the policy.

EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.

Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.

Priority specfies the order of the Tier relative to other Tiers.

Description is an optional field to add more information regarding the purpose of this Tier.

The traffic stats of the Antrea ClusterNetworkPolicy.

The traffic stats of the Antrea NetworkPolicy.

The traffic stats of the K8s NetworkPolicy.

Packets is the packets count hit by the NetworkPolicy.

Bytes is the bytes count hit by the NetworkPolicy.

Sessions is the sessions count hit by the NetworkPolicy.

One of the AgentConditionType listed above

Mark certain type status, one of True, False, Unknown

The timestamp when AntreaAgentInfo is created/updated, ideally heartbeat interval is 60s

Brief reason

Antrea binary version

The Pod that Antrea Agent is running in

The Node that Antrea Agent is running in

Node subnets

OVS Information

Antrea Agent NetworkPolicy information

The number of Pods which the agent is in charge of

Agent condition contains types like AgentHealthy

Antrea binary version

The Pod that Antrea Controller is running in

The Node that Antrea Controller is running in

Antrea Controller Service

Antrea Controller NetworkPolicy information

Number of agents which are connected to this controller

Controller condition contains types like ControllerHealthy

One of the ControllerConditionType listed above, controllerHealthy

Mark certain type status, one of True, False, Unknown

The timestamp when AntreaControllerInfo is created/updated, ideally heartbeat interval is 60s

Brief reason

The TrafficStats of K8s NetworkPolicies collected from the Node.

The TrafficStats of Antrea ClusterNetworkPolicies collected from the Node.

The TrafficStats of Antrea NetworkPolicies collected from the Node.

Pods is a list of Pods selected by this group.

GroupMembers is list of resources selected by this group. This eventually will replace Pods

IP is the IP address of the Endpoint.

Ports is the list NamedPort of the Endpoint.

The name of this ExternalEntity.

The namespace of this ExternalEntity.

Pod maintains the reference to the Pod.

ExternalEntity maintains the reference to the ExternalEntity.

Endpoints maintains a list of EndPoints associated with this groupMember.

Pod maintains the reference to the Pod.

IP maintains the IPAddress associated with the Pod.

Ports maintain the named port mapping of this Pod.

CIDR is an IPNet represents the IP Block.

Except is a slice of IPNets that should not be included within an IP Block. Except values will be rejected if they are outside the CIDR range.

Port represents the Port number.

Name represents the associated name with this Port number.

Protocol for port. Must be UDP, TCP, or SCTP.

Rules is a list of rules to be applied to the selected Pods.

AppliedToGroups is a list of names of AppliedToGroups to which this policy applies.

Priority represents the relative priority of this Network Policy as compared to other Network Policies. Priority will be unset (nil) for K8s NetworkPolicy.

TierPriority represents the priority of the Tier associated with this Network Policy. The TierPriority will remain nil for K8s NetworkPolicy.

Reference to the original NetworkPolicy that the internal NetworkPolicy is created for.

A list of names of AddressGroups.

A list of IPBlock.

Type of the NetworkPolicy.

Namespace of the NetworkPolicy. It’s empty for Antrea ClusterNetworkPolicy.

Name of the NetworkPolicy.

UID of the NetworkPolicy.

The direction of this rule. If it’s set to In, From must be set and To must not be set. If it’s set to Out, To must be set and From must not be set.

From represents sources which should be able to access the pods selected by the policy.

To represents destinations which should be able to be accessed by the pods selected by the policy.

Services is a list of services which should be matched.

Priority defines the priority of the Rule as compared to other rules in the NetworkPolicy.

Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty action “nil” defaults to Allow action, which would be the case for rules created for K8s Network Policy.

EnableLogging indicates whether or not to generate logs when rules are matched. Default to false.

The reference of the NetworkPolicy.

The stats of the NetworkPolicy.

The name of this pod.

The namespace of this pod.

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

The port name or number on the given protocol. If not specified, this matches all port numbers.

The TrafficStats of K8s NetworkPolicies collected from the Node.

The TrafficStats of Antrea ClusterNetworkPolicies collected from the Node.

The TrafficStats of Antrea NetworkPolicies collected from the Node.

GroupMembers is list of resources selected by this group.

The name of this ExternalEntity.

The Namespace of this ExternalEntity.

AssociatedGroups is a list of GroupReferences that is associated with the Pod/ExternalEntity being queried.

Pod maintains the reference to the Pod.

ExternalEntity maintains the reference to the ExternalEntity.

IP is the IP address of the Endpoints associated with the GroupMember.

Ports is the list NamedPort of the GroupMember.

Namespace of the Group. Empty for ClusterGroup.

Name of the Group.

UID of the Group.

CIDR is an IPNet represents the IP Block.

Except is a slice of IPNets that should not be included within an IP Block. Except values will be rejected if they are outside the CIDR range.

Port represents the Port number.

Name represents the associated name with this Port number.

Protocol for port. Must be UDP, TCP, or SCTP.

Rules is a list of rules to be applied to the selected GroupMembers.

AppliedToGroups is a list of names of AppliedToGroups to which this policy applies. Cannot be set in conjunction with any NetworkPolicyRule.AppliedToGroups in Rules.

Priority represents the relative priority of this Network Policy as compared to other Network Policies. Priority will be unset (nil) for K8s NetworkPolicy.

TierPriority represents the priority of the Tier associated with this Network Policy. The TierPriority will remain nil for K8s NetworkPolicy.

Reference to the original NetworkPolicy that the internal NetworkPolicy is created for.

The name of the Node that produces the status.

The generation realized by the Node.

A list of names of AddressGroups.

A list of IPBlock.

Type of the NetworkPolicy.

Namespace of the NetworkPolicy. It’s empty for Antrea ClusterNetworkPolicy.

Name of the NetworkPolicy.

UID of the NetworkPolicy.

The direction of this rule. If it’s set to In, From must be set and To must not be set. If it’s set to Out, To must be set and From must not be set.

From represents sources which should be able to access the GroupMembers selected by the policy.

To represents destinations which should be able to be accessed by the GroupMembers selected by the policy.

Services is a list of services which should be matched.

Priority defines the priority of the Rule as compared to other rules in the NetworkPolicy.

Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty action “nil” defaults to Allow action, which would be the case for rules created for K8s Network Policy.

EnableLogging indicates whether or not to generate logs when rules are matched. Default to false.

AppliedToGroups is a list of names of AppliedToGroups to which this rule applies. Cannot be set in conjunction with NetworkPolicy.AppliedToGroups of the NetworkPolicy that this Rule is referred to.

The reference of the NetworkPolicy.

The stats of the NetworkPolicy.

Nodes contains statuses produced on a list of Nodes.

The name of this Pod.

The Namespace of this Pod.

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

The port name or number on the given protocol. If not specified, this matches all port numbers.

EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.

The name of this Service.

The Namespace of this Service.

Standard metadata of the object.

Desired state of the group.

Most recently observed status of the group.

Standard metadata of the object.

Desired state of the external entity.

IP associated with this endpoint.

Name identifies this endpoint. Could be the network interface name in case of VMs.

Endpoints is a list of external endpoints associated with this entity.

Ports maintain the list of named ports.

ExternalNode is the opaque identifier of the agent/controller responsible for additional processing or handling of this external entity.

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

The port on the given protocol.

Name associated with the Port.

Name of the Service

Namespace of the Service

Namespace is the destination namespace.

Pod is the destination pod, exclusive with destination service.

Service is the destination service, exclusive with destination pod.

IP is the destination IPv4 or IPv6 address.

ID is the ICMPEchoRequestHeader ID.

Sequence is the ICMPEchoRequestHeader sequence.

SrcIP is the source IP.

Protocol is the IP protocol.

TTL is the IP TTL.

Flags is the flags for IP.

SrcIP is the source IPv6.

NextHeader is the IPv6 protocol.

HopLimit is the IPv6 Hop Limit.

Node is the node of the observation.

Role of the node like sender, receiver, etc.

Timestamp is the timestamp of the observations on the node.

Observations includes all observations from sender nodes, receiver ones, etc.

Component is the observation component.

ComponentInfo is the extension of Component field.

Action is the action to the observation.

Pod is the combination of Pod name and Pod Namespace.

DstMAC is the destination MAC.

NetworkPolicy is the combination of Namespace and NetworkPolicyName.

TTL is the observation TTL.

TranslatedSrcIP is the translated source IP.

TranslatedDstIP is the translated destination IP.

TunnelDstIP is the tunnel destination IP.

TODO: change type IPHeader to *IPHeader and correct all internal references

Namespace is the source namespace.

Pod is the source pod.

SrcPort is the source port.

DstPort is the destination port.

Flags are flags in the header.

Phase is the Traceflow phase.

Reason is a message indicating the reason of the traceflow’s current phase.

DataplaneTag is a tag to identify a traceflow session across Nodes.

Results is the collection of all observations on different nodes.

SrcPort is the source port.

DstPort is the destination port.