Documentation

GroupMembers is list of resources selected by this group.

GroupMembers is list of resources selected by this group.

AssociatedGroups is a list of GroupReferences that is associated with the Pod/ExternalEntity being queried.

AssociatedGroups is a list of GroupReferences that is associated with the IP address being queried.

Rules is a list of rules to be applied to the selected GroupMembers.

AppliedToGroups is a list of names of AppliedToGroups to which this policy applies. Cannot be set in conjunction with any NetworkPolicyRule.AppliedToGroups in Rules.

Priority represents the relative priority of this Network Policy as compared to other Network Policies. Priority will be unset (nil) for K8s NetworkPolicy.

TierPriority represents the priority of the Tier associated with this Network Policy. The TierPriority will remain nil for K8s NetworkPolicy.

Reference to the original NetworkPolicy that the internal NetworkPolicy is created for.

The TrafficStats of K8s NetworkPolicies collected from the Node.

The TrafficStats of Antrea ClusterNetworkPolicies collected from the Node.

The TrafficStats of Antrea NetworkPolicies collected from the Node.

Multicast group information collected from the Node.

The name of this ExternalEntity.

The Namespace of this ExternalEntity.

Pod maintains the reference to the Pod.

ExternalEntity maintains the reference to the ExternalEntity.

IP is the IP address of the Endpoints associated with the GroupMember.

Ports is the list NamedPort of the GroupMember.

Node maintains the reference to the Node.

Service is the reference to the Service. It can only be used in an AppliedTo Group and only a NodePort type Service can be referred by this field.

Namespace of the Group. Empty for ClusterGroup.

Name of the Group.

UID of the Group.

Host represents the hostname present in the URI or the HTTP Host header to match. It does not contain the port associated with the host.

Method represents the HTTP method to match. It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.

Path represents the URI path to match (Ex. “/index.html”, “/admin”).

CIDR is an IPNet represents the IP Block.

Except is a slice of IPNets that should not be included within an IP Block. Except values will be rejected if they are outside the CIDR range.

Group is the IP of the multicast group.

Pods is the list of Pods that have joined the multicast group.

Port represents the Port number.

Name represents the associated name with this Port number.

Protocol for port. Must be UDP, TCP, or SCTP.

The reference of the effective NetworkPolicy.

The content of the effective rule.

The name of the Node that produces the status.

The generation realized by the Node.

The flag to mark the NetworkPolicy realization is failed on the Node or not.

The error message to describe why the NetworkPolicy realization is failed on the Node.

A list of names of AddressGroups.

A list of IPBlock.

A list of exact FQDN names or FQDN wildcard expressions. This field can only be possibly set for NetworkPolicyPeer of egress rules.

A list of ServiceReference. This field can only be possibly set for NetworkPolicyPeer of egress rules.

A list of labelIdentities selected as ingress peers for stretched policy. This field can only be possibly set for NetworkPolicyPeer of ingress rules.

Type of the NetworkPolicy.

Namespace of the NetworkPolicy. It’s empty for Antrea ClusterNetworkPolicy.

Name of the NetworkPolicy.

UID of the NetworkPolicy.

The direction of this rule. If it’s set to In, From must be set and To must not be set. If it’s set to Out, To must be set and From must not be set.

From represents sources which should be able to access the GroupMembers selected by the policy.

To represents destinations which should be able to be accessed by the GroupMembers selected by the policy.

Services is a list of services which should be matched.

Priority defines the priority of the Rule as compared to other rules in the NetworkPolicy.

Action specifies the action to be applied on the rule. i.e. Allow/Drop. An empty action “nil” defaults to Allow action, which would be the case for rules created for K8s Network Policy.

EnableLogging indicates whether or not to generate logs when rules are matched. Default to false.

AppliedToGroups is a list of names of AppliedToGroups to which this rule applies. Cannot be set in conjunction with NetworkPolicy.AppliedToGroups of the NetworkPolicy that this Rule is referred to.

Name describes the intention of this rule. Name should be unique within the policy.

L7Protocols is a list of application layer protocols which should be matched.

LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs.

The reference of the NetworkPolicy.

The stats of the NetworkPolicy.

The stats of the NetworkPolicy rules. It’s empty for K8s NetworkPolicies as they don’t have rule name to identify a rule.

Nodes contains statuses produced on a list of Nodes.

The name of this Node.

The name of this Pod.

The Namespace of this Pod.

The protocol (TCP, UDP, SCTP, or ICMP) which traffic must match. If not specified, this field defaults to TCP.

Port and EndPort can only be specified, when the Protocol is TCP, UDP, or SCTP. Port defines the port name or number on the given protocol. If not specified and the Protocol is TCP, UDP, or SCTP, this matches all port numbers.

EndPort defines the end of the port range, being the end included within the range. It can only be specified when a numerical port is specified.

ICMPType and ICMPCode can only be specified, when the Protocol is ICMP. If they both are not specified and the Protocol is ICMP, this matches all ICMP traffic.

IGMPType and GroupAddress can only be specified when the Protocol is IGMP.

SrcPort and SrcEndPort can only be specified, when the Protocol is TCP, UDP, or SCTP. It restricts the source port of the traffic.

The name of this Service.

The Namespace of this Service.

The name of the Node that produces the status.

The namespace of the Node that produces the status. It is set only when NodeType is ExternalNode.

The type of the Node that produces the status. The values include Node and ExternalNode.

The phase in which a SupportBundleCollection is on the Node.

Nodes contains statuses produced on a list of Nodes.

SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message.

Standard metadata of the object.

Standard metadata of the object.

Specification of the desired behavior of SupportBundleCollection.

Most recently observed status of the SupportBundleCollection.

Service specifies how to advertise Service IPs.

Pod specifies how to advertise Pod IPs. Currently, if this is set, NodeIPAM Pod CIDR instead of specific Pods IPs will be advertised since pod selector is not added yet.

Egress specifies how to advertise Egress IPs. Currently, if this is set, all Egress IPs will be advertised since Egress selector is not added yet.

The IP address on which the BGP peer listens.

The port number on which the BGP peer listens. The default value is 179, the well-known port of BGP protocol.

The AS number of the BGP peer.

The Time To Live (TTL) value used in BGP packets sent to the BGP peer. The range of the value is from 1 to 255, and the default value is 1.

GracefulRestartTimeSeconds specifies how long the BGP peer would wait for the BGP session to re-establish after a restart before deleting stale routes. The range of the value is from 1 to 3600, and the default value is 120.

NodeSelector selects Nodes to which the BGPPolicy is applied. If multiple BGPPolicies select a Node, only one will be effective and enforced; others serve as alternatives.

LocalASN is the AS number used by the BGP process. The available private AS number range is 64512-65535.

ListenPort is the port on which the BGP process listens, and the default value is 179.

Advertisements configures IPs or CIDRs to be advertised to BGP peers.

BGPPeers is the list of BGP peers.

List the names of certain ExternalNodes which are expected to collect and upload bundle files.

Select certain ExternalNodes which match the label selector.

The URL of the bundle file server. It is set with format: scheme://host[:port][/path], e.g, https://api.example.com:8443/v1/supportbundles/. If scheme is not set, https is used by default.

List the names of certain Nodes which are expected to collect and upload bundle files.

Select certain Nodes which match the label selector.

AuthSecret is a Secret reference which stores the authentication value.

Only one network interface is supported now. Other interfaces except interfaces[0] will be ignored if there are more than one interfaces.

Host represents the hostname present in the URI or the HTTP Host header to match. It does not contain the port associated with the host.

Method represents the HTTP method to match. It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.

Path represents the URI path to match (Ex. “/index.html”, “/admin”).

CIDR is a string representing the IP Block Valid examples are “192.168.1.¹⁄₂₄”.

PingInterval specifies the interval in seconds between ping requests. Ping interval should be greater than or equal to 1s.

IPTypes specifies the types of Service IPs from the selected Services to be advertised. Currently, all Services will be selected since Service selector is not added yet.

Type of StatefulSet condition.

Status of the condition, one of True, False, Unknown.

Last time the condition transitioned from one status to another.

The reason for the condition’s last transition.

A human-readable message indicating details about the transition.

ExpirationMinutes is the requested duration of validity of the SupportBundleCollection. A SupportBundleCollection will be marked as Failed if it does not finish before expiration. Default is 60.

SinceTime specifies a relative time before the current time from which to collect logs A valid value is like: 1d, 2h, 30m.

The number of Nodes and ExternalNodes that have completed the SupportBundleCollection.

The total number of Nodes and ExternalNodes that should process the SupportBundleCollection.

Represents the latest available observations of a SupportBundleCollection current state.

SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message.

Standard metadata of the object.

Desired state of the external entity.

Standard metadata of the object.

Specification of the IPPool.

Most recently observed status of the pool.

Standard metadata of the object.

Specification of the desired behavior of TrafficControl.

Select Pods matched by this selector. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector; otherwise, Pods are matched from all Namespaces.

Select all Pods from Namespaces matched by this selector. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector.

Groups is the set of ClusterGroup names.

The remote IP of the tunnel.

ERSPAN session ID.

ERSPAN version.

ERSPAN Index.

ERSPAN v2 mirrored traffic’s direction.

ERSPAN hardware ID.

IP associated with this endpoint.

Name identifies this endpoint. Could be the network interface name in case of VMs.

Endpoints is a list of external endpoints associated with this entity.

Ports maintain the list of named ports.

ExternalNode is the opaque identifier of the agent/controller responsible for additional processing or handling of this external entity.

The remote IP of the tunnel.

GRE key.

IP Address this entry is tracking

Allocation state - either Allocated or Preallocated

Owner this IP Address is allocated to

IP Version for this IP pool - either 4 or 6

List IP ranges, along with subnet definition.

Total number of IPs.

Number of allocated IPs.

The CIDR of this range, e.g. 10.10.10.0/24.

The start IP of the range, e.g. 10.10.20.5, inclusive.

The end IP of the range, e.g. 10.10.20.20, inclusive.

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

The port on the given protocol.

Name associated with the Port.

The name of the network device.

The name of the OVS internal port.

Network interface name. Used when the IP is allocated for a secondary network interface of the Pod.

(Members of IPRange are embedded into this type.)

(Members of SubnetInfo are embedded into this type.)

Gateway IP for this subnet, eg. 10.10.1.1

Prefix length for the subnet, eg. 24

VLAN ID for this subnet. Default is 0. Valid value is 0~4094.

OVSInternal represents an OVS internal port.

Device represents a network device.

GENEVE represents a GENEVE tunnel.

VXLAN represents a VXLAN tunnel.

GRE represents a GRE tunnel.

ERSPAN represents a ERSPAN tunnel.

AppliedTo selects Pods to which the traffic control configuration will be applied.

The direction of traffic that should be matched. It can be Ingress, Egress, or Both.

The action that should be taken for the traffic. It can be Redirect or Mirror.

The port to which the traffic should be redirected or mirrored.

The port from which the traffic will be sent back to OVS. It should only be set for Redirect action.

The remote IP of the tunnel.

The ID of the tunnel.

The transport layer destination port of the tunnel. If not specified, the assigned IANA port will be used, i.e., 4789 for VXLAN, 6081 for GENEVE.

Antrea binary version

The Pod that Antrea Agent is running in

The Node that Antrea Agent is running in

Node subnets

OVS Information

Antrea Agent NetworkPolicy information

The number of Pods which the agent is in charge of

Agent condition contains types like AgentHealthy

The port of Antrea Agent API Server

APICABundle is a PEM encoded CA bundle which can be used to validate the Antrea Agent API server’s certificate.

The port range used by NodePortLocal

Antrea binary version

The Pod that Antrea Controller is running in

The Node that Antrea Controller is running in

Antrea Controller Service

Antrea Controller NetworkPolicy information

Number of agents which are connected to this controller

Controller condition contains types like ControllerHealthy

The port of antrea controller API Server

Standard metadata of the object.

Desired state of the group.

Most recently observed status of the group.

Standard metadata of the object.

Specification of the desired behavior of ClusterNetworkPolicy.

Most recently observed status of the NetworkPolicy.

Standard metadata of the object.

Specification of the desired behavior of Egress.

EgressStatus represents the current status of an Egress.

Standard metadata of the object.

Specification of the ExternalIPPool.

The current status of the ExternalIPPool.

Standard metadata of the object.

Desired state of the group.

Most recently observed status of the group.

Standard metadata of the object.

Specification of the IPPool.

Most recently observed status of the pool.

Standard metadata of the object.

Specification of the desired behavior of NetworkPolicy.

Most recently observed status of the NetworkPolicy.

Standard metadata of the object.

Specification of the desired behavior of Tier.

One of the AgentConditionType listed above

Mark certain type status, one of True, False, Unknown

The timestamp when AntreaAgentInfo is created/updated, ideally heartbeat interval is 60s

Brief reason

Human readable message indicating details

Select Pods from NetworkPolicy’s Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.

Select ExternalEntities from NetworkPolicy’s Namespace as workloads in AppliedTo fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Group is the name of the ClusterGroup which can be set as an AppliedTo in place of a stand-alone selector. A Group cannot be set with any other selector.

Select all Pods with the ServiceAccount matched by this field, as workloads in AppliedTo fields. Cannot be set with any other selector.

Select a certain Service which matches the NamespacedName. A Service can only be set in either policy level AppliedTo field in a policy that only has ingress rules or rule level AppliedTo field in an ingress rule. Only a NodePort Service can be referred by this field. Cannot be set with any other selector.

Select Nodes in cluster as workloads in AppliedTo fields. Cannot be set with any other selector.

Rate specifies the maximum traffic rate. e.g. 300k, 10M

Burst specifies the maximum burst size when traffic exceeds the rate. e.g. 300k, 10M

Tier specifies the tier to which this ClusterNetworkPolicy belongs to. The ClusterNetworkPolicy order will be determined based on the combination of the Tier’s Priority and the ClusterNetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom.

Priority specfies the order of the ClusterNetworkPolicy relative to other AntreaClusterNetworkPolicies.

Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule.

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

One of the ControllerConditionType listed above, controllerHealthy

Mark certain type status, one of True, False, Unknown

The timestamp when AntreaControllerInfo is created/updated, ideally heartbeat interval is 60s

Brief reason

Human readable message indicating details

Namespace is the destination namespace.

Pod is the destination pod, exclusive with destination service.

Service is the destination service, exclusive with destination pod.

IP is the destination IPv4 or IPv6 address.

AppliedTo selects Pods to which the Egress will be applied.

EgressIP specifies the SNAT IP address for the selected workloads. If ExternalIPPool is empty, it must be specified manually. If ExternalIPPool is non-empty, it can be empty and will be assigned by Antrea automatically. If both ExternalIPPool and EgressIP are non-empty, the IP must be in the pool.

EgressIPs specifies multiple SNAT IP addresses for the selected workloads. Cannot be set with EgressIP.

ExternalIPPool specifies the IP Pool that the EgressIP should be allocated from. If it is empty, the specified EgressIP must be assigned to a Node manually. If it is non-empty, the EgressIP will be assigned to a Node specified by the pool automatically and will failover to a different Node when the Node becomes unreachable.

ExternalIPPools specifies multiple unique IP Pools that the EgressIPs should be allocated from. Entries with the same index in EgressIPs and ExternalIPPools are correlated. Cannot be set with ExternalIPPool.

Bandwidth specifies the rate limit of north-south egress traffic of this Egress.

The name of the Node that holds the Egress IP.

EgressIP indicates the effective Egress IP for the selected workloads. It could be empty if the Egress IP in spec is not assigned to any Node. It’s also useful when there are more than one Egress IP specified in spec.

The IP ranges of this IP pool, e.g. 10.10.0.0/24, 10.10.10.2-10.10.10.20, 10.10.10.30-10.10.10.30.

The Subnet info of this IP pool. If set, all IP ranges in the IP pool should share the same subnet attributes. Currently, it’s only used when an IP is allocated from the pool for Egress, and is ignored otherwise.

The Nodes that the external IPs can be assigned to. If empty, it means all Nodes.

Select Pods matching the labels set in the PodSelector in AppliedTo/To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Select all Pods from Namespaces matched by this selector, as workloads in AppliedTo/To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector.

IPBlocks describe the IPAddresses/IPBlocks that are matched in to/from. IPBlocks cannot be set as part of the AppliedTo field. Cannot be set with any other selector or ServiceReference.

Select backend Pods of the referred Service. Cannot be set with any other selector or ipBlock.

Select ExternalEntities from all Namespaces as workloads in AppliedTo/To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Select other ClusterGroups by name. The ClusterGroups must already exist and must not contain ChildGroups themselves. Cannot be set with any selector/IPBlock/ServiceReference.

Host represents the hostname present in the URI or the HTTP Host header to match. It does not contain the port associated with the host.

Method represents the HTTP method to match. It could be GET, POST, PUT, HEAD, DELETE, TRACE, OPTIONS, CONNECT and PATCH.

Path represents the URI path to match (Ex. “/index.html”, “/admin”).

ID is the ICMPEchoRequestHeader ID.

Sequence is the ICMPEchoRequestHeader sequence.

IP Address this entry is tracking

Allocation state - either Allocated or Preallocated

Owner this IP Address is allocated to

CIDR is a string representing the IP Block Valid examples are “192.168.1.¹⁄₂₄”.

Protocol is the IP protocol.

TTL is the IP TTL.

Flags is the flags for IP.

The IP ranges of this IP pool, e.g. 10.10.0.0/24, 10.10.10.2-10.10.10.20, 10.10.10.30-10.10.10.30.

The Subnet info of this IP pool. All the IP ranges in the IP pool should share the same subnet attributes.

Total number of IPs.

Number of allocated IPs.

The CIDR of this range, e.g. 10.10.10.0/24.

The start IP of the range, e.g. 10.10.20.5, inclusive.

The end IP of the range, e.g. 10.10.20.20, inclusive.

NextHeader is the IPv6 protocol.

HopLimit is the IPv6 Hop Limit.

Type of StatefulSet condition.

Status of the condition, one of True, False, Unknown.

Last time the condition transitioned from one status to another.

The reason for the condition’s last transition.

A human-readable message indicating details about the transition.

IPBlock describes the IPAddresses/IPBlocks that is matched in to/from. IPBlock cannot be set as part of the AppliedTo field. Cannot be set with any other selector.

Select Pods from NetworkPolicy’s Namespace as workloads in To/From fields. If set with NamespaceSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Select all Pods from Namespaces matched by this selector, as workloads in To/From fields. If set with PodSelector, Pods are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. Cannot be set with Namespaces.

Select Pod/ExternalEntity from Namespaces matched by specific criteria. Current supported criteria is match: Self, which selects from the same Namespace of the appliedTo workloads. Cannot be set with any other selector except PodSelector or ExternalEntitySelector. This field can only be set when NetworkPolicyPeer is created for ClusterNetworkPolicy ingress/egress rules. Cannot be set with NamespaceSelector.

Select ExternalEntities from NetworkPolicy’s Namespace as workloads in To/From fields. If set with NamespaceSelector, ExternalEntities are matched from Namespaces matched by the NamespaceSelector. Cannot be set with any other selector except NamespaceSelector.

Group is the name of the ClusterGroup which can be set within an Ingress or Egress rule in place of a stand-alone selector. A Group cannot be set with any other selector.

Restrict egress access to the Fully Qualified Domain Names prescribed by name or by wildcard match patterns. This field can only be set for NetworkPolicyPeer of egress rules. Supported formats are: Exact FQDNs such as “google.com”. Wildcard expressions such as “*wayfair.com”.

Select all Pods with the ServiceAccount matched by this field, as workloads in To/From fields. Cannot be set with any other selector.

Select certain Nodes which match the label selector. A NodeSelector cannot be set with any other selector.

Define scope of the Pod/NamespaceSelector(s) of this peer. Can only be used in ingress NetworkPolicyPeers. Defaults to “Cluster”.

The protocol (TCP, UDP, or SCTP) which traffic must match. If not specified, this field defaults to TCP.

The port on the given protocol. This can be either a numerical or named port on a Pod. If this field is not provided, this matches all port names and numbers.

EndPort defines the end of the port range, inclusive. It can only be specified when a numerical port is specified.

The source port on the given protocol. This can only be a numerical port. If this field is not provided, rule matches all source ports.

SourceEndPort defines the end of the source port range, inclusive. It can only be specified when sourcePort is specified.

Tier specifies the tier to which this NetworkPolicy belongs to. The NetworkPolicy order will be determined based on the combination of the Tier’s Priority and the NetworkPolicy’s own Priority. If not specified, this policy will be created in the Application Tier right above the K8s NetworkPolicy which resides at the bottom.

Priority specfies the order of the NetworkPolicy relative to other NetworkPolicies.

Select workloads on which the rules will be applied to. Cannot be set in conjunction with AppliedTo in each rule.

Set of ingress rules evaluated based on the order in which they are set. Currently Ingress rule supports setting the From field but not the To field within a Rule.

Set of egress rules evaluated based on the order in which they are set. Currently Egress rule supports setting the To field but not the From field within a Rule.

The phase of a NetworkPolicy is a simple, high-level summary of the NetworkPolicy’s status.

The generation observed by Antrea.

The number of nodes that have realized the NetworkPolicy.

The total number of nodes that should realize the NetworkPolicy.

Represents the latest available observations of a NetworkPolicy current state.

Node is the node of the observation.

Role of the node like sender, receiver, etc.

Timestamp is the timestamp of the observations on the node.

Observations includes all observations from sender nodes, receiver ones, etc.

Key: flow table name, Value: flow number

Component is the observation component.

ComponentInfo is the extension of Component field.

Action is the action to the observation.

Pod is the combination of Pod name and Pod Namespace.

DstMAC is the destination MAC.

NetworkPolicy is the combination of Namespace and NetworkPolicyName.

NetworkPolicyRule is the name of an ingress or an egress rule in NetworkPolicy.

Egress is the name of the Egress.

TTL is the observation TTL.

TranslatedSrcIP is the translated source IP.

TranslatedDstIP is the translated destination IP.

TunnelDstIP is the tunnel destination IP.

EgressNode is the name of the Egress Node.

SrcPodIP is the IP of source Pod.

Length is the IP packet length (includes the IPv4 or IPv6 header length).

Selects from the same Namespace of the appliedTo workloads.

Selects Namespaces that share the same values for the given set of label keys with the appliedTo Namespace. Namespaces must have all the label keys.

Network interface name. Used when the IP is allocated for a secondary network interface of the Pod.

Action specifies the action to be applied on the rule.

Set of ports and protocols matched by the rule. If this field and Protocols are unset or empty, this rule matches all ports.

Set of protocols matched by the rule. If this field and Ports are unset or empty, this rule matches all protocols supported.

Set of layer 7 protocols matched by the rule. If this field is set, action can only be Allow. When this field is used in a rule, any traffic matching the other layer ³⁄₄ criteria of the rule (typically the 5-tuple) will be forwarded to an application-aware engine for protocol detection and rule enforcement, and the traffic will be allowed if the layer 7 criteria is also matched, otherwise it will be dropped. Therefore, any rules after a layer 7 rule will not be enforced for the traffic.

Rule is matched if traffic originates from workloads selected by this field. If this field is empty, this rule matches all sources.

Rule is matched if traffic is intended for workloads selected by this field. This field can’t be used with ToServices. If this field and ToServices are both empty or missing this rule matches all destinations.

Rule is matched if traffic is intended for a Service listed in this field. Currently, only ClusterIP types Services are supported in this field. When scope is set to ClusterSet, it matches traffic intended for a multi-cluster Service listed in this field. Service name and Namespace provided should match the original exported Service. This field can only be used when AntreaProxy is enabled. This field can’t be used with To or Ports. If this field and To are both empty or missing, this rule matches all destinations.

Name describes the intention of this rule. Name should be unique within the policy.

EnableLogging is used to indicate if agent should generate logs when rules are matched. Should be default to false.

LogLabel is a user-defined arbitrary string which will be printed in the NetworkPolicy logs.

Select workloads on which this rule will be applied to. Cannot be set in conjunction with NetworkPolicySpec/ClusterNetworkPolicySpec.AppliedTo.

Namespace is the source namespace.

Pod is the source pod.

IP is the source IPv4 or IPv6 address. IP as the source is supported only for live-traffic Traceflow.

Gateway IP for this subnet, e.g. 10.10.1.1.

Prefix length for the subnet, e.g. 24.

VLAN ID for this subnet. Default is 0. Valid value is 0~4094.

SrcPort is the source port.

DstPort is the destination port.

Flags are flags in the header.

SNI (Server Name Indication) indicates the server domain name in the TLS/SSL hello message.

Priority specfies the order of the Tier relative to other Tiers.

Description is an optional field to add more information regarding the purpose of this Tier.

LiveTraffic indicates the Traceflow is to trace the live traffic rather than an injected packet, when set to true. The first packet of the first connection that matches the packet spec will be traced.

DroppedOnly indicates only the dropped packet should be captured in a live-traffic Traceflow.

Timeout specifies the timeout of the Traceflow in seconds. Defaults to 20 seconds if not set.

Phase is the Traceflow phase.

Reason is a message indicating the reason of the traceflow’s current phase.

StartTime is the time at which the Traceflow as started by the Antrea Controller. Before K8s v1.20, null values (field not set) are not pruned, and a CR where a metav1.Time field is not set would fail OpenAPI validation (type string). The recommendation seems to be to use a pointer instead, and the field will be omitted when serializing. See https://github.com/kubernetes/kubernetes/issues/86811

DataplaneTag is a tag to identify a traceflow session across Nodes.

Results is the collection of all observations on different nodes.

CapturedPacket is the captured packet in live-traffic Traceflow.

SrcPort is the source port.

DstPort is the destination port.

The traffic stats of the Antrea ClusterNetworkPolicy.

The traffic stats of the Antrea ClusterNetworkPolicy, from rule perspective.

The traffic stats of the Antrea NetworkPolicy.

The traffic stats of the Antrea NetworkPolicy, from rule perspective.

Group is the IP of the multicast group.

Pods is the list of Pods that have joined the multicast group.

The traffic stats of the K8s NetworkPolicy.

The list of PeerNodeLatencyStats.

The Node’s name.

The list of target IP latency stats.

The name of this Pod.

The namespace of this Pod.

The target IP address.

The timestamp of the last sent packet.

The timestamp of the last received packet.

The last measured RTT for this target IP, in nanoseconds.

Packets is the packets count hit by the NetworkPolicy.

Bytes is the bytes count hit by the NetworkPolicy.

Sessions is the sessions count hit by the NetworkPolicy.