{ "properties": { "apiVersion": { "description": "APIVersion defines the versioned schema of this representation of an object.\nServers should convert recognized schemas to the latest internal value, and\nmay reject unrecognized values.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources", "type": "string" }, "kind": { "description": "Kind is a string value representing the REST resource this object represents.\nServers may infer this from the endpoint the client submits requests to.\nCannot be updated.\nIn CamelCase.\nMore info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds", "type": "string" }, "metadata": { "type": "object" }, "spec": { "description": "HostEndpointSpec contains the specification for a HostEndpoint resource.", "properties": { "expectedIPs": { "description": "The expected IP addresses (IPv4 and IPv6) of the endpoint.\nIf \"InterfaceName\" is not present, Calico will look for an interface matching any\nof the IPs in the list and apply policy to that.\nNote:\n\tWhen using the selector match criteria in an ingress or egress security Policy\n\tor Profile, Calico converts the selector into a set of IP addresses. For host\n\tendpoints, the ExpectedIPs field is used for that purpose. (If only the interface\n\tname is specified, Calico does not learn the IPs of the interface for use in match\n\tcriteria.)", "items": { "type": "string" }, "type": "array" }, "interfaceName": { "description": "Either \"*\", or the name of a specific Linux interface to apply policy to; or empty. \"*\"\nindicates that this HostEndpoint governs all traffic to, from or through the default\nnetwork namespace of the host named by the \"Node\" field; entering and leaving that\nnamespace via any interface, including those from/to non-host-networked local workloads.\n\nIf InterfaceName is not \"*\", this HostEndpoint only governs traffic that enters or leaves\nthe host through the specific interface named by InterfaceName, or - when InterfaceName\nis empty - through the specific interface that has one of the IPs in ExpectedIPs.\nTherefore, when InterfaceName is empty, at least one expected IP must be specified. Only\nexternal interfaces (such as \"eth0\") are supported here; it isn't possible for a\nHostEndpoint to protect traffic through a specific local workload interface.\n\nNote: Only some kinds of policy are implemented for \"*\" HostEndpoints; initially just\npre-DNAT policy. Please check Calico documentation for the latest position.", "type": "string" }, "node": { "description": "The node name identifying the Calico node instance.", "type": "string" }, "ports": { "description": "Ports contains the endpoint's named ports, which may be referenced in security policy rules.", "items": { "properties": { "name": { "type": "string" }, "port": { "type": "integer" }, "protocol": { "anyOf": [ { "type": "integer" }, { "type": "string" } ], "pattern": "^.*", "x-kubernetes-int-or-string": true } }, "required": [ "name", "port", "protocol" ], "type": "object", "additionalProperties": false }, "type": "array" }, "profiles": { "description": "A list of identifiers of security Profile objects that apply to this endpoint. Each\nprofile is applied in the order that they appear in this list. Profile rules are applied\nafter the selector-based security policy.", "items": { "type": "string" }, "type": "array" } }, "type": "object", "additionalProperties": false } }, "type": "object" }