Merge pull request #51351 from cmluciano/cml/addegressrule

Automatic merge from submit-queue (batch tested with PRs 51984, 51351, 51873, 51795, 51634)

Add EgressRule to NetworkPolicy

**What this PR does / why we need it**:
Add EgressRule to NetworkPolicy

**Which issue this PR fixes**: fixes #50453

**Special notes for your reviewer**:
- Please take a look at the comments for the various types. I tried to mimic some of the language used in the Ingress comments, but I may have mangled some sentences.
- Let me know if I should add some test cases for validation. I have 2-3, and did not think it was necessary to replicate each case already covered in ingress.

**Release note**:
```
Add egress policies to NetworkPolicy
```

api/openapi-spec/swagger.json

@@ -68587,6 +68587,25 @@
      }
     ]
    },
+   "io.k8s.api.extensions.v1beta1.NetworkPolicyEgressRule": {
+    "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+    "properties": {
+     "ports": {
+      "description": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.NetworkPolicyPort"
+      }
+     },
+     "to": {
+      "description": "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.NetworkPolicyPeer"
+      }
+     }
+    }
+   },
    "io.k8s.api.extensions.v1beta1.NetworkPolicyIngressRule": {
     "description": "This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.",
     "properties": {
@@ -68673,6 +68692,13 @@
      "podSelector"
     ],
     "properties": {
+     "egress": {
+      "description": "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/io.k8s.api.extensions.v1beta1.NetworkPolicyEgressRule"
+      }
+     },
      "ingress": {
       "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default).",
       "type": "array",
@@ -68683,6 +68709,13 @@
      "podSelector": {
       "description": "Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods.  In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
       "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
+     },
+     "policyTypes": {
+      "description": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
+      "type": "array",
+      "items": {
+       "type": "string"
+      }
      }
     }
    },
@@ -69201,6 +69234,25 @@
      }
     ]
    },
+   "io.k8s.api.networking.v1.NetworkPolicyEgressRule": {
+    "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+    "properties": {
+     "ports": {
+      "description": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPort"
+      }
+     },
+     "to": {
+      "description": "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyPeer"
+      }
+     }
+    }
+   },
    "io.k8s.api.networking.v1.NetworkPolicyIngressRule": {
     "description": "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.",
     "properties": {
@@ -69290,6 +69342,13 @@
      "podSelector"
     ],
     "properties": {
+     "egress": {
+      "description": "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
+      "type": "array",
+      "items": {
+       "$ref": "#/definitions/io.k8s.api.networking.v1.NetworkPolicyEgressRule"
+      }
+     },
      "ingress": {
       "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)",
       "type": "array",
@@ -69300,6 +69359,13 @@
      "podSelector": {
       "description": "Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
       "$ref": "#/definitions/io.k8s.apimachinery.pkg.apis.meta.v1.LabelSelector"
+     },
+     "policyTypes": {
+      "description": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
+      "type": "array",
+      "items": {
+       "type": "string"
+      }
      }
     }
    },

api/swagger-spec/extensions_v1beta1.json

@@ -9811,6 +9811,20 @@
        "$ref": "v1beta1.NetworkPolicyIngressRule"
       },
       "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)."
+     },
+     "egress": {
+      "type": "array",
+      "items": {
+       "$ref": "v1beta1.NetworkPolicyEgressRule"
+      },
+      "description": "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8"
+     },
+     "policyTypes": {
+      "type": "array",
+      "items": {
+       "$ref": "v1beta1.PolicyType"
+      },
+      "description": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8"
      }
     }
    },
@@ -9888,6 +9902,30 @@
      }
     }
    },
+   "v1beta1.NetworkPolicyEgressRule": {
+    "id": "v1beta1.NetworkPolicyEgressRule",
+    "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+    "properties": {
+     "ports": {
+      "type": "array",
+      "items": {
+       "$ref": "v1beta1.NetworkPolicyPort"
+      },
+      "description": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list."
+     },
+     "to": {
+      "type": "array",
+      "items": {
+       "$ref": "v1beta1.NetworkPolicyPeer"
+      },
+      "description": "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list."
+     }
+    }
+   },
+   "v1beta1.PolicyType": {
+    "id": "v1beta1.PolicyType",
+    "properties": {}
+   },
    "v1beta1.PodSecurityPolicyList": {
     "id": "v1beta1.PodSecurityPolicyList",
     "description": "Pod Security Policy List is a list of PodSecurityPolicy objects.",

api/swagger-spec/networking.k8s.io_v1.json

@@ -1313,6 +1313,20 @@
        "$ref": "v1.NetworkPolicyIngressRule"
       },
       "description": "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)"
+     },
+     "egress": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.NetworkPolicyEgressRule"
+      },
+      "description": "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8"
+     },
+     "policyTypes": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.PolicyType"
+      },
+      "description": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8"
      }
     }
    },
@@ -1434,6 +1448,30 @@
      }
     }
    },
+   "v1.NetworkPolicyEgressRule": {
+    "id": "v1.NetworkPolicyEgressRule",
+    "description": "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+    "properties": {
+     "ports": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.NetworkPolicyPort"
+      },
+      "description": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list."
+     },
+     "to": {
+      "type": "array",
+      "items": {
+       "$ref": "v1.NetworkPolicyPeer"
+      },
+      "description": "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list."
+     }
+    }
+   },
+   "v1.PolicyType": {
+    "id": "v1.PolicyType",
+    "properties": {}
+   },
    "v1.WatchEvent": {
     "id": "v1.WatchEvent",
     "required": [

docs/api-reference/extensions/v1beta1/definitions.html

@@ -5581,6 +5581,20 @@ Examples:<br>
 <td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_networkpolicyingressrule">v1beta1.NetworkPolicyIngressRule</a> array</p></td>
 <td class="tableblock halign-left valign-top"></td>
 </tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">egress</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_networkpolicyegressrule">v1beta1.NetworkPolicyEgressRule</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">policyTypes</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include "Egress" (since such a policy would not include an Egress section and would otherwise default to just [ "Ingress" ]). This field is beta-level in 1.8</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_policytype">v1beta1.PolicyType</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
 </tbody>
 </table>
 
@@ -6845,6 +6859,47 @@ Both these may change in the future. Incoming requests are matched against the h
 </tbody>
 </table>
 
+</div>
+<div class="sect2">
+<h3 id="_v1beta1_networkpolicyegressrule">v1beta1.NetworkPolicyEgressRule</h3>
+<div class="paragraph">
+<p>NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec&#8217;s podSelector. The traffic must match both ports and to. This type is beta-level in 1.8</p>
+</div>
+<table class="tableblock frame-all grid-all" style="width:100%; ">
+<colgroup>
+<col style="width:20%;">
+<col style="width:20%;">
+<col style="width:20%;">
+<col style="width:20%;">
+<col style="width:20%;"> 
+</colgroup>
+<thead>
+<tr>
+<th class="tableblock halign-left valign-top">Name</th>
+<th class="tableblock halign-left valign-top">Description</th>
+<th class="tableblock halign-left valign-top">Required</th>
+<th class="tableblock halign-left valign-top">Schema</th>
+<th class="tableblock halign-left valign-top">Default</th>
+</tr>
+</thead>
+<tbody>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">ports</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_networkpolicyport">v1beta1.NetworkPolicyPort</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
+<tr>
+<td class="tableblock halign-left valign-top"><p class="tableblock">to</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock">false</p></td>
+<td class="tableblock halign-left valign-top"><p class="tableblock"><a href="#_v1beta1_networkpolicypeer">v1beta1.NetworkPolicyPeer</a> array</p></td>
+<td class="tableblock halign-left valign-top"></td>
+</tr>
+</tbody>
+</table>
+
 </div>
 <div class="sect2">
 <h3 id="_v1_hostpathvolumesource">v1.HostPathVolumeSource</h3>
@@ -8222,6 +8277,10 @@ Both these may change in the future. Incoming requests are matched against the h
 </tbody>
 </table>
 
+</div>
+<div class="sect2">
+<h3 id="_v1beta1_policytype">v1beta1.PolicyType</h3>
+
 </div>
 <div class="sect2">
 <h3 id="_v1_azuredatadiskcachingmode">v1.AzureDataDiskCachingMode</h3>

hack/.golint_failures

@@ -121,7 +121,6 @@ pkg/apis/imagepolicy
 pkg/apis/imagepolicy/v1alpha1
 pkg/apis/meta/v1
 pkg/apis/networking
-pkg/apis/networking/v1
 pkg/apis/policy
 pkg/apis/policy/v1alpha1
 pkg/apis/policy/v1beta1

pkg/api/defaulting_test.go

@@ -109,6 +109,8 @@ func TestDefaulting(t *testing.T) {
 		{Group: "apps", Version: "v1beta2", Kind: "ReplicaSetList"}:                                                  {},
 		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSet"}:                                                {},
 		{Group: "extensions", Version: "v1beta1", Kind: "ReplicaSetList"}:                                            {},
+		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicy"}:                                             {},
+		{Group: "extensions", Version: "v1beta1", Kind: "NetworkPolicyList"}:                                         {},
 		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBinding"}:                        {},
 		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "ClusterRoleBindingList"}:                    {},
 		{Group: "rbac.authorization.k8s.io", Version: "v1alpha1", Kind: "RoleBinding"}:                               {},

pkg/apis/extensions/v1beta1/conversion.go

@@ -62,6 +62,8 @@ func addConversionFuncs(scheme *runtime.Scheme) error {
 		Convert_extensions_PodSecurityPolicySpec_To_v1beta1_PodSecurityPolicySpec,
 		Convert_v1beta1_IPBlock_To_networking_IPBlock,
 		Convert_networking_IPBlock_To_v1beta1_IPBlock,
+		Convert_networking_NetworkPolicyEgressRule_To_v1beta1_NetworkPolicyEgressRule,
+		Convert_v1beta1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule,
 	)
 	if err != nil {
 		return err
@@ -283,6 +285,21 @@ func Convert_v1beta1_NetworkPolicySpec_To_networking_NetworkPolicySpec(in *exten
 			return err
 		}
 	}
+	out.Egress = make([]networking.NetworkPolicyEgressRule, len(in.Egress))
+	for i := range in.Egress {
+		if err := Convert_v1beta1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule(&in.Egress[i], &out.Egress[i], s); err != nil {
+			return err
+		}
+	}
+	if in.PolicyTypes != nil {
+		in, out := &in.PolicyTypes, &out.PolicyTypes
+		*out = make([]networking.PolicyType, len(*in))
+		for i := range *in {
+			if err := s.Convert(&(*in)[i], &(*out)[i], 0); err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }
 
@@ -296,6 +313,21 @@ func Convert_networking_NetworkPolicySpec_To_v1beta1_NetworkPolicySpec(in *netwo
 			return err
 		}
 	}
+	out.Egress = make([]extensionsv1beta1.NetworkPolicyEgressRule, len(in.Egress))
+	for i := range in.Egress {
+		if err := Convert_networking_NetworkPolicyEgressRule_To_v1beta1_NetworkPolicyEgressRule(&in.Egress[i], &out.Egress[i], s); err != nil {
+			return err
+		}
+	}
+	if in.PolicyTypes != nil {
+		in, out := &in.PolicyTypes, &out.PolicyTypes
+		*out = make([]extensionsv1beta1.PolicyType, len(*in))
+		for i := range *in {
+			if err := s.Convert(&(*in)[i], &(*out)[i], 0); err != nil {
+				return err
+			}
+		}
+	}
 	return nil
 }
 
@@ -331,6 +363,38 @@ func Convert_networking_NetworkPolicyIngressRule_To_v1beta1_NetworkPolicyIngress
 	return nil
 }
 
+func Convert_v1beta1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule(in *extensionsv1beta1.NetworkPolicyEgressRule, out *networking.NetworkPolicyEgressRule, s conversion.Scope) error {
+	out.Ports = make([]networking.NetworkPolicyPort, len(in.Ports))
+	for i := range in.Ports {
+		if err := Convert_v1beta1_NetworkPolicyPort_To_networking_NetworkPolicyPort(&in.Ports[i], &out.Ports[i], s); err != nil {
+			return err
+		}
+	}
+	out.To = make([]networking.NetworkPolicyPeer, len(in.To))
+	for i := range in.To {
+		if err := Convert_v1beta1_NetworkPolicyPeer_To_networking_NetworkPolicyPeer(&in.To[i], &out.To[i], s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
+func Convert_networking_NetworkPolicyEgressRule_To_v1beta1_NetworkPolicyEgressRule(in *networking.NetworkPolicyEgressRule, out *extensionsv1beta1.NetworkPolicyEgressRule, s conversion.Scope) error {
+	out.Ports = make([]extensionsv1beta1.NetworkPolicyPort, len(in.Ports))
+	for i := range in.Ports {
+		if err := Convert_networking_NetworkPolicyPort_To_v1beta1_NetworkPolicyPort(&in.Ports[i], &out.Ports[i], s); err != nil {
+			return err
+		}
+	}
+	out.To = make([]extensionsv1beta1.NetworkPolicyPeer, len(in.To))
+	for i := range in.To {
+		if err := Convert_networking_NetworkPolicyPeer_To_v1beta1_NetworkPolicyPeer(&in.To[i], &out.To[i], s); err != nil {
+			return err
+		}
+	}
+	return nil
+}
+
 func Convert_v1beta1_NetworkPolicyPeer_To_networking_NetworkPolicyPeer(in *extensionsv1beta1.NetworkPolicyPeer, out *networking.NetworkPolicyPeer, s conversion.Scope) error {
 	if in.PodSelector != nil {
 		out.PodSelector = new(metav1.LabelSelector)

pkg/apis/extensions/v1beta1/defaults.go

@@ -133,4 +133,12 @@ func SetDefaults_NetworkPolicy(obj *extensionsv1beta1.NetworkPolicy) {
 			}
 		}
 	}
+
+	if len(obj.Spec.PolicyTypes) == 0 {
+		// Any policy that does not specify policyTypes implies at least "Ingress".
+		obj.Spec.PolicyTypes = []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress}
+		if len(obj.Spec.Egress) != 0 {
+			obj.Spec.PolicyTypes = append(obj.Spec.PolicyTypes, extensionsv1beta1.PolicyTypeEgress)
+		}
+	}
 }

pkg/apis/extensions/v1beta1/defaults_test.go

@@ -509,6 +509,210 @@ func TestDefaultRequestIsNotSetForReplicaSet(t *testing.T) {
 	}
 }
 
+func TestSetDefaultNetworkPolicy(t *testing.T) {
+	tests := []struct {
+		original *extensionsv1beta1.NetworkPolicy
+		expected *extensionsv1beta1.NetworkPolicy
+	}{
+		{ // Empty NetworkPolicy should be set to PolicyTypes Ingress
+			original: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+				},
+			},
+			expected: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress},
+				},
+			},
+		},
+		{ // Empty Ingress NetworkPolicy should be set to PolicyTypes Ingress
+			original: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress: []extensionsv1beta1.NetworkPolicyIngressRule{},
+				},
+			},
+			expected: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress:     []extensionsv1beta1.NetworkPolicyIngressRule{},
+					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress},
+				},
+			},
+		},
+		{ // Defined Ingress and Egress should be set to Ingress,Egress
+			original: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress: []extensionsv1beta1.NetworkPolicyIngressRule{
+						{
+							From: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									PodSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{
+						{
+							To: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress: []extensionsv1beta1.NetworkPolicyIngressRule{
+						{
+							From: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									PodSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{
+						{
+							To: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress, extensionsv1beta1.PolicyTypeEgress},
+				},
+			},
+		},
+		{ // Egress only with unset PolicyTypes should be set to Ingress, Egress
+			original: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{
+						{
+							To: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{
+						{
+							To: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeIngress, extensionsv1beta1.PolicyTypeEgress},
+				},
+			},
+		},
+		{ // Egress only with PolicyTypes set to Egress should be set to only Egress
+			original: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{
+						{
+							To: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"Egress": "only"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeEgress},
+				},
+			},
+			expected: &extensionsv1beta1.NetworkPolicy{
+				Spec: extensionsv1beta1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []extensionsv1beta1.NetworkPolicyEgressRule{
+						{
+							To: []extensionsv1beta1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"Egress": "only"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []extensionsv1beta1.PolicyType{extensionsv1beta1.PolicyTypeEgress},
+				},
+			},
+		},
+	}
+
+	for i, test := range tests {
+		original := test.original
+		expected := test.expected
+		obj2 := roundTrip(t, runtime.Object(original))
+		got, ok := obj2.(*extensionsv1beta1.NetworkPolicy)
+		if !ok {
+			t.Errorf("(%d) unexpected object: %v", i, got)
+			t.FailNow()
+		}
+		if !apiequality.Semantic.DeepEqual(got.Spec, expected.Spec) {
+			t.Errorf("(%d) got different than expected\ngot:\n\t%+v\nexpected:\n\t%+v", i, got.Spec, expected.Spec)
+		}
+	}
+}
+
 func roundTrip(t *testing.T, obj runtime.Object) runtime.Object {
 	data, err := runtime.Encode(api.Codecs.LegacyCodec(SchemeGroupVersion), obj)
 	if err != nil {

pkg/apis/networking/fuzzer/fuzzer.go

@@ -36,5 +36,13 @@ var Funcs = func(codecs runtimeserializer.CodecFactory) []interface{} {
 				}
 			}
 		},
+		func(np *networking.NetworkPolicy, c fuzz.Continue) {
+			c.FuzzNoCustom(np) // fuzz self without calling this function again
+			// TODO: Implement a fuzzer to generate valid keys, values and operators for
+			// selector requirements.
+			if len(np.Spec.PolicyTypes) == 0 {
+				np.Spec.PolicyTypes = []networking.PolicyType{networking.PolicyTypeIngress}
+			}
+		},
 	}
 }

pkg/apis/networking/types.go

@@ -36,6 +36,17 @@ type NetworkPolicy struct {
 	Spec NetworkPolicySpec
 }
 
+// Policy Type string describes the NetworkPolicy type
+// This type is beta-level in 1.8
+type PolicyType string
+
+const (
+	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
+	PolicyTypeIngress PolicyType = "Ingress"
+	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
+	PolicyTypeEgress PolicyType = "Egress"
+)
+
 // NetworkPolicySpec provides the specification of a NetworkPolicy
 type NetworkPolicySpec struct {
 	// Selects the pods to which this NetworkPolicy object applies. The array of
@@ -55,6 +66,29 @@ type NetworkPolicySpec struct {
 	// solely to ensure that the pods it selects are isolated by default)
 	// +optional
 	Ingress []NetworkPolicyIngressRule
+
+	// List of egress rules to be applied to the selected pods. Outgoing traffic is
+	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	// +optional
+	Egress []NetworkPolicyEgressRule
+
+	// List of rule types that the NetworkPolicy relates to.
+	// Valid options are Ingress, Egress, or Ingress,Egress.
+	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+	// policies that contain an Egress section are assumed to affect Egress, and all policies
+	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an Egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	// +optional
+	PolicyTypes []PolicyType
 }
 
 // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
@@ -77,6 +111,27 @@ type NetworkPolicyIngressRule struct {
 	From []NetworkPolicyPeer
 }
 
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+type NetworkPolicyEgressRule struct {
+	// List of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []NetworkPolicyPort
+
+	// List of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	To []NetworkPolicyPeer
+}
+
 // NetworkPolicyPort describes a port to allow traffic on
 type NetworkPolicyPort struct {
 	// The protocol (TCP or UDP) which traffic must match. If not specified, this

pkg/apis/networking/v1/BUILD

@@ -3,6 +3,7 @@ package(default_visibility = ["//visibility:public"])
 load(
     "@io_bazel_rules_go//go:def.bzl",
     "go_library",
+    "go_test",
 )
 
 go_library(
@@ -39,3 +40,18 @@ filegroup(
     srcs = [":package-srcs"],
     tags = ["automanaged"],
 )
+
+go_test(
+    name = "go_default_xtest",
+    srcs = ["defaults_test.go"],
+    deps = [
+        ":go_default_library",
+        "//pkg/api:go_default_library",
+        "//pkg/api/install:go_default_library",
+        "//pkg/apis/networking/install:go_default_library",
+        "//vendor/k8s.io/api/networking/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/api/equality:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/runtime:go_default_library",
+    ],
+)

pkg/apis/networking/v1/defaults.go

@@ -33,3 +33,13 @@ func SetDefaults_NetworkPolicyPort(obj *networkingv1.NetworkPolicyPort) {
 		obj.Protocol = &proto
 	}
 }
+
+func SetDefaults_NetworkPolicy(obj *networkingv1.NetworkPolicy) {
+	if len(obj.Spec.PolicyTypes) == 0 {
+		// Any policy that does not specify policyTypes implies at least "Ingress".
+		obj.Spec.PolicyTypes = []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}
+		if len(obj.Spec.Egress) != 0 {
+			obj.Spec.PolicyTypes = append(obj.Spec.PolicyTypes, networkingv1.PolicyTypeEgress)
+		}
+	}
+}

pkg/apis/networking/v1/defaults_test.go

@@ -0,0 +1,256 @@
+/*
+Copyright 2017 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1_test
+
+import (
+	"reflect"
+	"testing"
+
+	networkingv1 "k8s.io/api/networking/v1"
+
+	apiequality "k8s.io/apimachinery/pkg/api/equality"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/kubernetes/pkg/api"
+	_ "k8s.io/kubernetes/pkg/api/install"
+	_ "k8s.io/kubernetes/pkg/apis/networking/install"
+	. "k8s.io/kubernetes/pkg/apis/networking/v1"
+)
+
+func TestSetDefaultNetworkPolicy(t *testing.T) {
+	tests := []struct {
+		original *networkingv1.NetworkPolicy
+		expected *networkingv1.NetworkPolicy
+	}{
+		{ // Empty NetworkPolicy should be set to PolicyTypes Ingress
+			original: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+				},
+			},
+			expected: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
+				},
+			},
+		},
+		{ // Empty Ingress NetworkPolicy should be set to PolicyTypes Ingress
+			original: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress: []networkingv1.NetworkPolicyIngressRule{},
+				},
+			},
+			expected: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress:     []networkingv1.NetworkPolicyIngressRule{},
+					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress},
+				},
+			},
+		},
+		{ // Defined Ingress and Egress should be set to Ingress,Egress
+			original: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress: []networkingv1.NetworkPolicyIngressRule{
+						{
+							From: []networkingv1.NetworkPolicyPeer{
+								{
+									PodSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					Egress: []networkingv1.NetworkPolicyEgressRule{
+						{
+							To: []networkingv1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Ingress: []networkingv1.NetworkPolicyIngressRule{
+						{
+							From: []networkingv1.NetworkPolicyPeer{
+								{
+									PodSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					Egress: []networkingv1.NetworkPolicyEgressRule{
+						{
+							To: []networkingv1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+				},
+			},
+		},
+		{ // Egress only with unset PolicyTypes should be set to Ingress, Egress
+			original: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []networkingv1.NetworkPolicyEgressRule{
+						{
+							To: []networkingv1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			expected: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []networkingv1.NetworkPolicyEgressRule{
+						{
+							To: []networkingv1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"c": "d"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress, networkingv1.PolicyTypeEgress},
+				},
+			},
+		},
+		{ // Egress only with PolicyTypes set to Egress should be set to only Egress
+			original: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []networkingv1.NetworkPolicyEgressRule{
+						{
+							To: []networkingv1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"Egress": "only"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
+				},
+			},
+			expected: &networkingv1.NetworkPolicy{
+				Spec: networkingv1.NetworkPolicySpec{
+					PodSelector: metav1.LabelSelector{
+						MatchLabels: map[string]string{"a": "b"},
+					},
+					Egress: []networkingv1.NetworkPolicyEgressRule{
+						{
+							To: []networkingv1.NetworkPolicyPeer{
+								{
+									NamespaceSelector: &metav1.LabelSelector{
+										MatchLabels: map[string]string{"Egress": "only"},
+									},
+								},
+							},
+						},
+					},
+					PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress},
+				},
+			},
+		},
+	}
+
+	for i, test := range tests {
+		original := test.original
+		expected := test.expected
+		obj2 := roundTrip(t, runtime.Object(original))
+		got, ok := obj2.(*networkingv1.NetworkPolicy)
+		if !ok {
+			t.Errorf("(%d) unexpected object: %v", i, got)
+			t.FailNow()
+		}
+		if !apiequality.Semantic.DeepEqual(got.Spec, expected.Spec) {
+			t.Errorf("(%d) got different than expected\ngot:\n\t%+v\nexpected:\n\t%+v", i, got.Spec, expected.Spec)
+		}
+	}
+}
+
+func roundTrip(t *testing.T, obj runtime.Object) runtime.Object {
+	data, err := runtime.Encode(api.Codecs.LegacyCodec(SchemeGroupVersion), obj)
+	if err != nil {
+		t.Errorf("%v\n %#v", err, obj)
+		return nil
+	}
+	obj2, err := runtime.Decode(api.Codecs.UniversalDecoder(), data)
+	if err != nil {
+		t.Errorf("%v\nData: %s\nSource: %#v", err, string(data), obj)
+		return nil
+	}
+	obj3 := reflect.New(reflect.TypeOf(obj).Elem()).Interface().(runtime.Object)
+	err = api.Scheme.Convert(obj2, obj3, nil)
+	if err != nil {
+		t.Errorf("%v\nSource: %#v", err, obj2)
+		return nil
+	}
+	return obj3
+}

pkg/apis/networking/v1/zz_generated.conversion.go

@@ -44,6 +44,8 @@ func RegisterConversions(scheme *runtime.Scheme) error {
 		Convert_networking_IPBlock_To_v1_IPBlock,
 		Convert_v1_NetworkPolicy_To_networking_NetworkPolicy,
 		Convert_networking_NetworkPolicy_To_v1_NetworkPolicy,
+		Convert_v1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule,
+		Convert_networking_NetworkPolicyEgressRule_To_v1_NetworkPolicyEgressRule,
 		Convert_v1_NetworkPolicyIngressRule_To_networking_NetworkPolicyIngressRule,
 		Convert_networking_NetworkPolicyIngressRule_To_v1_NetworkPolicyIngressRule,
 		Convert_v1_NetworkPolicyList_To_networking_NetworkPolicyList,
@@ -105,6 +107,28 @@ func Convert_networking_NetworkPolicy_To_v1_NetworkPolicy(in *networking.Network
 	return autoConvert_networking_NetworkPolicy_To_v1_NetworkPolicy(in, out, s)
 }
 
+func autoConvert_v1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule(in *v1.NetworkPolicyEgressRule, out *networking.NetworkPolicyEgressRule, s conversion.Scope) error {
+	out.Ports = *(*[]networking.NetworkPolicyPort)(unsafe.Pointer(&in.Ports))
+	out.To = *(*[]networking.NetworkPolicyPeer)(unsafe.Pointer(&in.To))
+	return nil
+}
+
+// Convert_v1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule is an autogenerated conversion function.
+func Convert_v1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule(in *v1.NetworkPolicyEgressRule, out *networking.NetworkPolicyEgressRule, s conversion.Scope) error {
+	return autoConvert_v1_NetworkPolicyEgressRule_To_networking_NetworkPolicyEgressRule(in, out, s)
+}
+
+func autoConvert_networking_NetworkPolicyEgressRule_To_v1_NetworkPolicyEgressRule(in *networking.NetworkPolicyEgressRule, out *v1.NetworkPolicyEgressRule, s conversion.Scope) error {
+	out.Ports = *(*[]v1.NetworkPolicyPort)(unsafe.Pointer(&in.Ports))
+	out.To = *(*[]v1.NetworkPolicyPeer)(unsafe.Pointer(&in.To))
+	return nil
+}
+
+// Convert_networking_NetworkPolicyEgressRule_To_v1_NetworkPolicyEgressRule is an autogenerated conversion function.
+func Convert_networking_NetworkPolicyEgressRule_To_v1_NetworkPolicyEgressRule(in *networking.NetworkPolicyEgressRule, out *v1.NetworkPolicyEgressRule, s conversion.Scope) error {
+	return autoConvert_networking_NetworkPolicyEgressRule_To_v1_NetworkPolicyEgressRule(in, out, s)
+}
+
 func autoConvert_v1_NetworkPolicyIngressRule_To_networking_NetworkPolicyIngressRule(in *v1.NetworkPolicyIngressRule, out *networking.NetworkPolicyIngressRule, s conversion.Scope) error {
 	out.Ports = *(*[]networking.NetworkPolicyPort)(unsafe.Pointer(&in.Ports))
 	out.From = *(*[]networking.NetworkPolicyPeer)(unsafe.Pointer(&in.From))
@@ -198,6 +222,8 @@ func Convert_networking_NetworkPolicyPort_To_v1_NetworkPolicyPort(in *networking
 func autoConvert_v1_NetworkPolicySpec_To_networking_NetworkPolicySpec(in *v1.NetworkPolicySpec, out *networking.NetworkPolicySpec, s conversion.Scope) error {
 	out.PodSelector = in.PodSelector
 	out.Ingress = *(*[]networking.NetworkPolicyIngressRule)(unsafe.Pointer(&in.Ingress))
+	out.Egress = *(*[]networking.NetworkPolicyEgressRule)(unsafe.Pointer(&in.Egress))
+	out.PolicyTypes = *(*[]networking.PolicyType)(unsafe.Pointer(&in.PolicyTypes))
 	return nil
 }
 
@@ -209,6 +235,8 @@ func Convert_v1_NetworkPolicySpec_To_networking_NetworkPolicySpec(in *v1.Network
 func autoConvert_networking_NetworkPolicySpec_To_v1_NetworkPolicySpec(in *networking.NetworkPolicySpec, out *v1.NetworkPolicySpec, s conversion.Scope) error {
 	out.PodSelector = in.PodSelector
 	out.Ingress = *(*[]v1.NetworkPolicyIngressRule)(unsafe.Pointer(&in.Ingress))
+	out.Egress = *(*[]v1.NetworkPolicyEgressRule)(unsafe.Pointer(&in.Egress))
+	out.PolicyTypes = *(*[]v1.PolicyType)(unsafe.Pointer(&in.PolicyTypes))
 	return nil
 }
 

pkg/apis/networking/v1/zz_generated.defaults.go

@@ -35,6 +35,7 @@ func RegisterDefaults(scheme *runtime.Scheme) error {
 }
 
 func SetObjectDefaults_NetworkPolicy(in *v1.NetworkPolicy) {
+	SetDefaults_NetworkPolicy(in)
 	for i := range in.Spec.Ingress {
 		a := &in.Spec.Ingress[i]
 		for j := range a.Ports {
@@ -42,6 +43,13 @@ func SetObjectDefaults_NetworkPolicy(in *v1.NetworkPolicy) {
 			SetDefaults_NetworkPolicyPort(b)
 		}
 	}
+	for i := range in.Spec.Egress {
+		a := &in.Spec.Egress[i]
+		for j := range a.Ports {
+			b := &a.Ports[j]
+			SetDefaults_NetworkPolicyPort(b)
+		}
+	}
 }
 
 func SetObjectDefaults_NetworkPolicyList(in *v1.NetworkPolicyList) {

pkg/apis/networking/validation/BUILD

@@ -27,6 +27,7 @@ go_library(
         "//pkg/apis/networking:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/apis/meta/v1/validation:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/intstr:go_default_library",
+        "//vendor/k8s.io/apimachinery/pkg/util/sets:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/validation:go_default_library",
         "//vendor/k8s.io/apimachinery/pkg/util/validation/field:go_default_library",
     ],

pkg/apis/networking/validation/validation.go

@@ -21,6 +21,7 @@ import (
 
 	unversionedvalidation "k8s.io/apimachinery/pkg/apis/meta/v1/validation"
 	"k8s.io/apimachinery/pkg/util/intstr"
+	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/apimachinery/pkg/util/validation"
 	"k8s.io/apimachinery/pkg/util/validation/field"
 	"k8s.io/kubernetes/pkg/api"
@@ -81,6 +82,62 @@ func ValidateNetworkPolicySpec(spec *networking.NetworkPolicySpec, fldPath *fiel
 			}
 		}
 	}
+	// Validate egress rules
+	for i, egress := range spec.Egress {
+		egressPath := fldPath.Child("egress").Index(i)
+		for i, port := range egress.Ports {
+			portPath := egressPath.Child("ports").Index(i)
+			if port.Protocol != nil && *port.Protocol != api.ProtocolTCP && *port.Protocol != api.ProtocolUDP {
+				allErrs = append(allErrs, field.NotSupported(portPath.Child("protocol"), *port.Protocol, []string{string(api.ProtocolTCP), string(api.ProtocolUDP)}))
+			}
+			if port.Port != nil {
+				if port.Port.Type == intstr.Int {
+					for _, msg := range validation.IsValidPortNum(int(port.Port.IntVal)) {
+						allErrs = append(allErrs, field.Invalid(portPath.Child("port"), port.Port.IntVal, msg))
+					}
+				} else {
+					for _, msg := range validation.IsValidPortName(port.Port.StrVal) {
+						allErrs = append(allErrs, field.Invalid(portPath.Child("port"), port.Port.StrVal, msg))
+					}
+				}
+			}
+		}
+		for i, to := range egress.To {
+			toPath := egressPath.Child("to").Index(i)
+			numTo := 0
+			if to.PodSelector != nil {
+				numTo++
+				allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(to.PodSelector, toPath.Child("podSelector"))...)
+			}
+			if to.NamespaceSelector != nil {
+				numTo++
+				allErrs = append(allErrs, unversionedvalidation.ValidateLabelSelector(to.NamespaceSelector, toPath.Child("namespaceSelector"))...)
+			}
+			if to.IPBlock != nil {
+				numTo++
+				allErrs = append(allErrs, ValidateIPBlock(to.IPBlock, toPath.Child("ipBlock"))...)
+			}
+			if numTo == 0 {
+				allErrs = append(allErrs, field.Required(toPath, "must specify a to type"))
+			} else if numTo > 1 {
+				allErrs = append(allErrs, field.Forbidden(toPath, "may not specify more than 1 to type"))
+			}
+		}
+	}
+	// Validate PolicyTypes
+	allowed := sets.NewString(string(networking.PolicyTypeIngress), string(networking.PolicyTypeEgress))
+	if len(spec.PolicyTypes) > len(allowed) {
+		allErrs = append(allErrs, field.Invalid(fldPath.Child("policyTypes"), &spec.PolicyTypes, "may not specify more than two policyTypes"))
+		return allErrs
+	}
+	for i, pType := range spec.PolicyTypes {
+		policyPath := fldPath.Child("policyTypes").Index(i)
+		for _, p := range spec.PolicyTypes {
+			if !allowed.Has(string(p)) {
+				allErrs = append(allErrs, field.NotSupported(policyPath, pType, []string{string(networking.PolicyTypeIngress), string(networking.PolicyTypeEgress)}))
+			}
+		}
+	}
 	return allErrs
 }
 

pkg/apis/networking/validation/validation_test.go

@@ -128,6 +128,17 @@ func TestValidateNetworkPolicy(t *testing.T) {
 				PodSelector: metav1.LabelSelector{
 					MatchLabels: map[string]string{"a": "b"},
 				},
+				Egress: []networking.NetworkPolicyEgressRule{
+					{
+						To: []networking.NetworkPolicyPeer{
+							{
+								NamespaceSelector: &metav1.LabelSelector{
+									MatchLabels: map[string]string{"c": "d"},
+								},
+							},
+						},
+					},
+				},
 				Ingress: []networking.NetworkPolicyIngressRule{
 					{
 						From: []networking.NetworkPolicyPeer{
@@ -142,6 +153,68 @@ func TestValidateNetworkPolicy(t *testing.T) {
 				},
 			},
 		},
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+			Spec: networking.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{"a": "b"},
+				},
+				Ingress: []networking.NetworkPolicyIngressRule{
+					{
+						From: []networking.NetworkPolicyPeer{
+							{
+								IPBlock: &networking.IPBlock{
+									CIDR:   "192.168.0.0/16",
+									Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+			Spec: networking.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{"a": "b"},
+				},
+				Egress: []networking.NetworkPolicyEgressRule{
+					{
+						To: []networking.NetworkPolicyPeer{
+							{
+								IPBlock: &networking.IPBlock{
+									CIDR:   "192.168.0.0/16",
+									Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+								},
+							},
+						},
+					},
+				},
+				PolicyTypes: []networking.PolicyType{networking.PolicyTypeEgress},
+			},
+		},
+		{
+			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+			Spec: networking.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{"a": "b"},
+				},
+				Egress: []networking.NetworkPolicyEgressRule{
+					{
+						To: []networking.NetworkPolicyPeer{
+							{
+								IPBlock: &networking.IPBlock{
+									CIDR:   "192.168.0.0/16",
+									Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+								},
+							},
+						},
+					},
+				},
+				PolicyTypes: []networking.PolicyType{networking.PolicyTypeIngress, networking.PolicyTypeEgress},
+			},
+		},
 	}
 
 	// Success cases are expected to pass validation.
@@ -259,6 +332,23 @@ func TestValidateNetworkPolicy(t *testing.T) {
 				},
 			},
 		},
+		"invalid egress.to.podSelector": {
+			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+			Spec: networking.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{},
+				Egress: []networking.NetworkPolicyEgressRule{
+					{
+						To: []networking.NetworkPolicyPeer{
+							{
+								PodSelector: &metav1.LabelSelector{
+									MatchLabels: invalidSelector,
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 		"invalid ingress.from.namespaceSelector": {
 			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
 			Spec: networking.NetworkPolicySpec{
@@ -353,6 +443,48 @@ func TestValidateNetworkPolicy(t *testing.T) {
 				},
 			},
 		},
+		"invalid policyTypes": {
+			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+			Spec: networking.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{"a": "b"},
+				},
+				Egress: []networking.NetworkPolicyEgressRule{
+					{
+						To: []networking.NetworkPolicyPeer{
+							{
+								IPBlock: &networking.IPBlock{
+									CIDR:   "192.168.0.0/16",
+									Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+								},
+							},
+						},
+					},
+				},
+				PolicyTypes: []networking.PolicyType{"foo", "bar"},
+			},
+		},
+		"too many policyTypes": {
+			ObjectMeta: metav1.ObjectMeta{Name: "foo", Namespace: "bar"},
+			Spec: networking.NetworkPolicySpec{
+				PodSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{"a": "b"},
+				},
+				Egress: []networking.NetworkPolicyEgressRule{
+					{
+						To: []networking.NetworkPolicyPeer{
+							{
+								IPBlock: &networking.IPBlock{
+									CIDR:   "192.168.0.0/16",
+									Except: []string{"192.168.3.0/24", "192.168.4.0/24"},
+								},
+							},
+						},
+					},
+				},
+				PolicyTypes: []networking.PolicyType{"foo", "bar", "baz"},
+			},
+		},
 	}
 
 	// Error cases are not expected to pass validation.

pkg/apis/networking/zz_generated.deepcopy.go

@@ -47,6 +47,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 			in.(*NetworkPolicy).DeepCopyInto(out.(*NetworkPolicy))
 			return nil
 		}, InType: reflect.TypeOf(&NetworkPolicy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyEgressRule).DeepCopyInto(out.(*NetworkPolicyEgressRule))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyEgressRule{})},
 		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
 			in.(*NetworkPolicyIngressRule).DeepCopyInto(out.(*NetworkPolicyIngressRule))
 			return nil
@@ -119,6 +123,36 @@ func (in *NetworkPolicy) DeepCopyObject() runtime.Object {
 	}
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyEgressRule) DeepCopyInto(out *NetworkPolicyEgressRule) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.To != nil {
+		in, out := &in.To, &out.To
+		*out = make([]NetworkPolicyPeer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEgressRule.
+func (in *NetworkPolicyEgressRule) DeepCopy() *NetworkPolicyEgressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyEgressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkPolicyIngressRule) DeepCopyInto(out *NetworkPolicyIngressRule) {
 	*out = *in
@@ -271,6 +305,18 @@ func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]NetworkPolicyEgressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PolicyTypes != nil {
+		in, out := &in.PolicyTypes, &out.PolicyTypes
+		*out = make([]PolicyType, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 

staging/src/k8s.io/api/extensions/v1beta1/generated.pb.go

@@ -58,6 +58,7 @@ limitations under the License.
 		IngressStatus
 		IngressTLS
 		NetworkPolicy
+		NetworkPolicyEgressRule
 		NetworkPolicyIngressRule
 		NetworkPolicyList
 		NetworkPolicyPeer
@@ -254,125 +255,131 @@ func (m *NetworkPolicy) Reset()                    { *m = NetworkPolicy{} }
 func (*NetworkPolicy) ProtoMessage()               {}
 func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{32} }
 
+func (m *NetworkPolicyEgressRule) Reset()      { *m = NetworkPolicyEgressRule{} }
+func (*NetworkPolicyEgressRule) ProtoMessage() {}
+func (*NetworkPolicyEgressRule) Descriptor() ([]byte, []int) {
+	return fileDescriptorGenerated, []int{33}
+}
+
 func (m *NetworkPolicyIngressRule) Reset()      { *m = NetworkPolicyIngressRule{} }
 func (*NetworkPolicyIngressRule) ProtoMessage() {}
 func (*NetworkPolicyIngressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{33}
+	return fileDescriptorGenerated, []int{34}
 }
 
 func (m *NetworkPolicyList) Reset()                    { *m = NetworkPolicyList{} }
 func (*NetworkPolicyList) ProtoMessage()               {}
-func (*NetworkPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{34} }
+func (*NetworkPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{35} }
 
 func (m *NetworkPolicyPeer) Reset()                    { *m = NetworkPolicyPeer{} }
 func (*NetworkPolicyPeer) ProtoMessage()               {}
-func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{35} }
+func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{36} }
 
 func (m *NetworkPolicyPort) Reset()                    { *m = NetworkPolicyPort{} }
 func (*NetworkPolicyPort) ProtoMessage()               {}
-func (*NetworkPolicyPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{36} }
+func (*NetworkPolicyPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{37} }
 
 func (m *NetworkPolicySpec) Reset()                    { *m = NetworkPolicySpec{} }
 func (*NetworkPolicySpec) ProtoMessage()               {}
-func (*NetworkPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{37} }
+func (*NetworkPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{38} }
 
 func (m *PodSecurityPolicy) Reset()                    { *m = PodSecurityPolicy{} }
 func (*PodSecurityPolicy) ProtoMessage()               {}
-func (*PodSecurityPolicy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{38} }
+func (*PodSecurityPolicy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{39} }
 
 func (m *PodSecurityPolicyList) Reset()                    { *m = PodSecurityPolicyList{} }
 func (*PodSecurityPolicyList) ProtoMessage()               {}
-func (*PodSecurityPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{39} }
+func (*PodSecurityPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{40} }
 
 func (m *PodSecurityPolicySpec) Reset()                    { *m = PodSecurityPolicySpec{} }
 func (*PodSecurityPolicySpec) ProtoMessage()               {}
-func (*PodSecurityPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{40} }
+func (*PodSecurityPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{41} }
 
 func (m *ReplicaSet) Reset()                    { *m = ReplicaSet{} }
 func (*ReplicaSet) ProtoMessage()               {}
-func (*ReplicaSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{41} }
+func (*ReplicaSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{42} }
 
 func (m *ReplicaSetCondition) Reset()                    { *m = ReplicaSetCondition{} }
 func (*ReplicaSetCondition) ProtoMessage()               {}
-func (*ReplicaSetCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{42} }
+func (*ReplicaSetCondition) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{43} }
 
 func (m *ReplicaSetList) Reset()                    { *m = ReplicaSetList{} }
 func (*ReplicaSetList) ProtoMessage()               {}
-func (*ReplicaSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{43} }
+func (*ReplicaSetList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{44} }
 
 func (m *ReplicaSetSpec) Reset()                    { *m = ReplicaSetSpec{} }
 func (*ReplicaSetSpec) ProtoMessage()               {}
-func (*ReplicaSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{44} }
+func (*ReplicaSetSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{45} }
 
 func (m *ReplicaSetStatus) Reset()                    { *m = ReplicaSetStatus{} }
 func (*ReplicaSetStatus) ProtoMessage()               {}
-func (*ReplicaSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{45} }
+func (*ReplicaSetStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{46} }
 
 func (m *ReplicationControllerDummy) Reset()      { *m = ReplicationControllerDummy{} }
 func (*ReplicationControllerDummy) ProtoMessage() {}
 func (*ReplicationControllerDummy) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{46}
+	return fileDescriptorGenerated, []int{47}
 }
 
 func (m *RollbackConfig) Reset()                    { *m = RollbackConfig{} }
 func (*RollbackConfig) ProtoMessage()               {}
-func (*RollbackConfig) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{47} }
+func (*RollbackConfig) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{48} }
 
 func (m *RollingUpdateDaemonSet) Reset()                    { *m = RollingUpdateDaemonSet{} }
 func (*RollingUpdateDaemonSet) ProtoMessage()               {}
-func (*RollingUpdateDaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{48} }
+func (*RollingUpdateDaemonSet) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{49} }
 
 func (m *RollingUpdateDeployment) Reset()      { *m = RollingUpdateDeployment{} }
 func (*RollingUpdateDeployment) ProtoMessage() {}
 func (*RollingUpdateDeployment) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{49}
+	return fileDescriptorGenerated, []int{50}
 }
 
 func (m *RunAsUserStrategyOptions) Reset()      { *m = RunAsUserStrategyOptions{} }
 func (*RunAsUserStrategyOptions) ProtoMessage() {}
 func (*RunAsUserStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{50}
+	return fileDescriptorGenerated, []int{51}
 }
 
 func (m *SELinuxStrategyOptions) Reset()                    { *m = SELinuxStrategyOptions{} }
 func (*SELinuxStrategyOptions) ProtoMessage()               {}
-func (*SELinuxStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{51} }
+func (*SELinuxStrategyOptions) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{52} }
 
 func (m *Scale) Reset()                    { *m = Scale{} }
 func (*Scale) ProtoMessage()               {}
-func (*Scale) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{52} }
+func (*Scale) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{53} }
 
 func (m *ScaleSpec) Reset()                    { *m = ScaleSpec{} }
 func (*ScaleSpec) ProtoMessage()               {}
-func (*ScaleSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{53} }
+func (*ScaleSpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{54} }
 
 func (m *ScaleStatus) Reset()                    { *m = ScaleStatus{} }
 func (*ScaleStatus) ProtoMessage()               {}
-func (*ScaleStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{54} }
+func (*ScaleStatus) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{55} }
 
 func (m *SupplementalGroupsStrategyOptions) Reset()      { *m = SupplementalGroupsStrategyOptions{} }
 func (*SupplementalGroupsStrategyOptions) ProtoMessage() {}
 func (*SupplementalGroupsStrategyOptions) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{55}
+	return fileDescriptorGenerated, []int{56}
 }
 
 func (m *ThirdPartyResource) Reset()                    { *m = ThirdPartyResource{} }
 func (*ThirdPartyResource) ProtoMessage()               {}
-func (*ThirdPartyResource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{56} }
+func (*ThirdPartyResource) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{57} }
 
 func (m *ThirdPartyResourceData) Reset()                    { *m = ThirdPartyResourceData{} }
 func (*ThirdPartyResourceData) ProtoMessage()               {}
-func (*ThirdPartyResourceData) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{57} }
+func (*ThirdPartyResourceData) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{58} }
 
 func (m *ThirdPartyResourceDataList) Reset()      { *m = ThirdPartyResourceDataList{} }
 func (*ThirdPartyResourceDataList) ProtoMessage() {}
 func (*ThirdPartyResourceDataList) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{58}
+	return fileDescriptorGenerated, []int{59}
 }
 
 func (m *ThirdPartyResourceList) Reset()                    { *m = ThirdPartyResourceList{} }
 func (*ThirdPartyResourceList) ProtoMessage()               {}
-func (*ThirdPartyResourceList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{59} }
+func (*ThirdPartyResourceList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{60} }
 
 func init() {
 	proto.RegisterType((*APIVersion)(nil), "k8s.io.api.extensions.v1beta1.APIVersion")
@@ -408,6 +415,7 @@ func init() {
 	proto.RegisterType((*IngressStatus)(nil), "k8s.io.api.extensions.v1beta1.IngressStatus")
 	proto.RegisterType((*IngressTLS)(nil), "k8s.io.api.extensions.v1beta1.IngressTLS")
 	proto.RegisterType((*NetworkPolicy)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicy")
+	proto.RegisterType((*NetworkPolicyEgressRule)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyEgressRule")
 	proto.RegisterType((*NetworkPolicyIngressRule)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyIngressRule")
 	proto.RegisterType((*NetworkPolicyList)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyList")
 	proto.RegisterType((*NetworkPolicyPeer)(nil), "k8s.io.api.extensions.v1beta1.NetworkPolicyPeer")
@@ -1657,6 +1665,48 @@ func (m *NetworkPolicy) MarshalTo(dAtA []byte) (int, error) {
 	return i, nil
 }
 
+func (m *NetworkPolicyEgressRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyEgressRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.To) > 0 {
+		for _, msg := range m.To {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
 func (m *NetworkPolicyIngressRule) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -1854,6 +1904,33 @@ func (m *NetworkPolicySpec) MarshalTo(dAtA []byte) (int, error) {
 			i += n
 		}
 	}
+	if len(m.Egress) > 0 {
+		for _, msg := range m.Egress {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
 	return i, nil
 }
 
@@ -3262,6 +3339,24 @@ func (m *NetworkPolicy) Size() (n int) {
 	return n
 }
 
+func (m *NetworkPolicyEgressRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.To) > 0 {
+		for _, e := range m.To {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
 func (m *NetworkPolicyIngressRule) Size() (n int) {
 	var l int
 	_ = l
@@ -3337,6 +3432,18 @@ func (m *NetworkPolicySpec) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if len(m.Egress) > 0 {
+		for _, e := range m.Egress {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -4079,6 +4186,17 @@ func (this *NetworkPolicy) String() string {
 	}, "")
 	return s
 }
+func (this *NetworkPolicyEgressRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyEgressRule{`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "NetworkPolicyPort", "NetworkPolicyPort", 1), `&`, ``, 1) + `,`,
+		`To:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.To), "NetworkPolicyPeer", "NetworkPolicyPeer", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func (this *NetworkPolicyIngressRule) String() string {
 	if this == nil {
 		return "nil"
@@ -4131,6 +4249,8 @@ func (this *NetworkPolicySpec) String() string {
 	s := strings.Join([]string{`&NetworkPolicySpec{`,
 		`PodSelector:` + strings.Replace(strings.Replace(this.PodSelector.String(), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1), `&`, ``, 1) + `,`,
 		`Ingress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ingress), "NetworkPolicyIngressRule", "NetworkPolicyIngressRule", 1), `&`, ``, 1) + `,`,
+		`Egress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Egress), "NetworkPolicyEgressRule", "NetworkPolicyEgressRule", 1), `&`, ``, 1) + `,`,
+		`PolicyTypes:` + fmt.Sprintf("%v", this.PolicyTypes) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -8625,6 +8745,118 @@ func (m *NetworkPolicy) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *NetworkPolicyEgressRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, NetworkPolicyPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field To", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.To = append(m.To, NetworkPolicyPeer{})
+			if err := m.To[len(m.To)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *NetworkPolicyIngressRule) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -9200,6 +9432,66 @@ func (m *NetworkPolicySpec) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Egress", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Egress = append(m.Egress, NetworkPolicyEgressRule{})
+			if err := m.Egress[len(m.Egress)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PolicyTypes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PolicyTypes = append(m.PolicyTypes, PolicyType(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -12362,228 +12654,233 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 3554 bytes of a gzipped FileDescriptorProto
+	// 3634 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xcd, 0x6f, 0x1c, 0x47,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xdc, 0x5b, 0xcd, 0x6f, 0x23, 0xc9,
-	0x76, 0x57, 0xcf, 0x07, 0x67, 0xf8, 0x28, 0x7e, 0x15, 0x65, 0x6a, 0x4c, 0x59, 0x1c, 0xba, 0x0d,
+	0x75, 0x9f, 0xe6, 0x87, 0x48, 0x3d, 0x8d, 0xbe, 0x4a, 0xb3, 0x12, 0xad, 0xdd, 0x11, 0xe5, 0x5e,
-	0x28, 0x92, 0x23, 0xcd, 0x58, 0xb4, 0x65, 0x2b, 0x16, 0xe2, 0x84, 0x43, 0xea, 0x83, 0x0e, 0x3f,
+	0x60, 0x32, 0xbb, 0xd9, 0x25, 0x77, 0xb4, 0x3b, 0xeb, 0xcd, 0x2e, 0x62, 0x47, 0x94, 0xe6, 0x43,
-	0x46, 0x35, 0x43, 0x3a, 0x11, 0xac, 0xc4, 0xcd, 0x99, 0xe2, 0xb0, 0xc5, 0x9e, 0xee, 0x76, 0x7f,
+	0x8e, 0x3e, 0xb8, 0x45, 0x4a, 0x4e, 0x16, 0x1e, 0x67, 0x5b, 0x64, 0x89, 0xea, 0x51, 0xb3, 0xbb,
-	0xd0, 0x9c, 0x4b, 0x90, 0x93, 0x81, 0x00, 0x09, 0x92, 0x1c, 0x1c, 0x38, 0x40, 0x0e, 0xf1, 0x25,
+	0xdd, 0x5d, 0x2d, 0x8b, 0x97, 0x20, 0x87, 0xc0, 0x40, 0x80, 0x04, 0x49, 0x0e, 0x0e, 0x1c, 0x20,
-	0xa7, 0x04, 0xf1, 0x2d, 0x39, 0x18, 0x01, 0x02, 0x38, 0x80, 0xb0, 0xf0, 0x2e, 0x7c, 0xda, 0xf5,
+	0x87, 0xf8, 0x92, 0x53, 0x82, 0xf8, 0x96, 0x1c, 0x0c, 0x03, 0x01, 0x1c, 0x60, 0x10, 0x38, 0x81,
-	0x89, 0x58, 0xd3, 0xc7, 0xfd, 0x07, 0x16, 0x3a, 0x2c, 0x16, 0x55, 0x5d, 0xfd, 0xdd, 0xcd, 0x99,
+	0x4f, 0x89, 0x4f, 0x42, 0x56, 0x3e, 0xe6, 0x1f, 0x08, 0xe6, 0x10, 0x04, 0x55, 0x5d, 0xfd, 0xdd,
-	0xa1, 0x25, 0x62, 0xb1, 0x37, 0x4e, 0xbd, 0xf7, 0x7e, 0xef, 0xd5, 0xab, 0xaa, 0xf7, 0x5e, 0xd5,
+	0x2d, 0x92, 0xda, 0x91, 0x10, 0xe4, 0xc6, 0xae, 0xf7, 0xde, 0xef, 0xbd, 0x7a, 0x55, 0xf5, 0xde,
-	0x6b, 0xc2, 0xbd, 0xfd, 0xdb, 0x66, 0x45, 0xd6, 0xaa, 0xfb, 0xf6, 0x0e, 0x31, 0x54, 0x62, 0x11,
+	0xab, 0x0f, 0xc2, 0xe3, 0x93, 0x8f, 0xec, 0x9a, 0x6a, 0xd4, 0x4f, 0x9c, 0x43, 0x62, 0xe9, 0x84,
-	0xb3, 0x7a, 0x40, 0xd4, 0xb6, 0x66, 0x54, 0x39, 0x41, 0xd2, 0xe5, 0x2a, 0x39, 0xb4, 0x88, 0x6a,
+	0x12, 0xbb, 0x7e, 0x4a, 0xf4, 0xae, 0x61, 0xd5, 0x05, 0x41, 0x31, 0xd5, 0x3a, 0x39, 0xa3, 0x44,
-	0xca, 0x9a, 0x6a, 0x56, 0x0f, 0x6e, 0xee, 0x10, 0x4b, 0xba, 0x59, 0xed, 0x10, 0x95, 0x18, 0x92,
+	0xb7, 0x55, 0x43, 0xb7, 0xeb, 0xa7, 0x0f, 0x0e, 0x09, 0x55, 0x1e, 0xd4, 0x7b, 0x44, 0x27, 0x96,
-	0x45, 0xda, 0x15, 0xdd, 0xd0, 0x2c, 0x0d, 0x5d, 0x76, 0xd8, 0x2b, 0x92, 0x2e, 0x57, 0x7c, 0xf6,
+	0x42, 0x49, 0xb7, 0x66, 0x5a, 0x06, 0x35, 0xd0, 0x5d, 0x97, 0xbd, 0xa6, 0x98, 0x6a, 0x2d, 0x60,
-	0x0a, 0x67, 0x9f, 0xbb, 0xd1, 0x91, 0xad, 0x3d, 0x7b, 0xa7, 0xd2, 0xd2, 0xba, 0xd5, 0x8e, 0xd6,
+	0xaf, 0x09, 0xf6, 0xe5, 0x77, 0x7b, 0x2a, 0x3d, 0x76, 0x0e, 0x6b, 0x1d, 0xa3, 0x5f, 0xef, 0x19,
-	0xd1, 0xaa, 0x4c, 0x6a, 0xc7, 0xde, 0x65, 0xbf, 0xd8, 0x0f, 0xf6, 0x97, 0x83, 0x36, 0x27, 0x06,
+	0x3d, 0xa3, 0xce, 0xa5, 0x0e, 0x9d, 0x23, 0xfe, 0xc5, 0x3f, 0xf8, 0x2f, 0x17, 0x6d, 0x59, 0x0e,
-	0x94, 0xb7, 0x34, 0x83, 0x54, 0x0f, 0x62, 0x1a, 0xe7, 0xae, 0x05, 0x78, 0x74, 0x4d, 0x91, 0x5b,
+	0x29, 0xef, 0x18, 0x16, 0xa9, 0x9f, 0x26, 0x34, 0x2e, 0xbf, 0x15, 0xe2, 0x31, 0x0d, 0x4d, 0xed,
-	0xbd, 0x34, 0xe3, 0xe6, 0xde, 0xf2, 0x59, 0xbb, 0x52, 0x6b, 0x4f, 0x56, 0x89, 0xd1, 0xab, 0xea,
+	0x0c, 0xb2, 0x8c, 0x5b, 0xfe, 0x20, 0x60, 0xed, 0x2b, 0x9d, 0x63, 0x55, 0x27, 0xd6, 0xa0, 0x6e,
-	0xfb, 0x1d, 0x26, 0x6b, 0x10, 0x53, 0xb3, 0x8d, 0x16, 0x19, 0x4a, 0xca, 0xac, 0x76, 0x89, 0x25,
+	0x9e, 0xf4, 0xb8, 0xac, 0x45, 0x6c, 0xc3, 0xb1, 0x3a, 0x64, 0x2c, 0x29, 0xbb, 0xde, 0x27, 0x54,
-	0x25, 0x99, 0x55, 0x4d, 0x93, 0x32, 0x6c, 0xd5, 0x92, 0xbb, 0x71, 0x35, 0x6f, 0xf7, 0x13, 0x30,
+	0x49, 0x33, 0xab, 0x9e, 0x25, 0x65, 0x39, 0x3a, 0x55, 0xfb, 0x49, 0x35, 0x1f, 0x0e, 0x13, 0xb0,
-	0x5b, 0x7b, 0xa4, 0x2b, 0xc5, 0xe4, 0xde, 0x4c, 0x93, 0xb3, 0x2d, 0x59, 0xa9, 0xca, 0xaa, 0x65,
+	0x3b, 0xc7, 0xa4, 0xaf, 0x24, 0xe4, 0xde, 0xcf, 0x92, 0x73, 0xa8, 0xaa, 0xd5, 0x55, 0x9d, 0xda,
-	0x5a, 0x46, 0x54, 0x48, 0xac, 0x00, 0x2c, 0xd5, 0x57, 0xb7, 0x89, 0x41, 0x97, 0x07, 0x2d, 0x40,
+	0xd4, 0x8a, 0x0b, 0xc9, 0x35, 0x80, 0xf5, 0xe6, 0xd6, 0x01, 0xb1, 0xd8, 0xf0, 0xa0, 0x55, 0x28,
-	0x4e, 0x95, 0xba, 0xa4, 0x24, 0x2c, 0x08, 0x57, 0x47, 0x6b, 0xe7, 0x9f, 0x1e, 0x95, 0xcf, 0x1d,
+	0xe8, 0x4a, 0x9f, 0x54, 0xa4, 0x55, 0xe9, 0xfe, 0x64, 0xe3, 0xf6, 0x8b, 0xf3, 0xea, 0xad, 0x8b,
-	0x1f, 0x95, 0x73, 0x1b, 0x52, 0x97, 0x60, 0x46, 0x11, 0xef, 0xc2, 0xe4, 0x92, 0xa2, 0x68, 0x9f,
+	0xf3, 0x6a, 0x61, 0x57, 0xe9, 0x13, 0xcc, 0x29, 0xf2, 0x23, 0x98, 0x5d, 0xd7, 0x34, 0xe3, 0x7b,
-	0x90, 0xf6, 0x03, 0xcd, 0xb4, 0xea, 0x92, 0xb5, 0x87, 0x16, 0x01, 0x74, 0xc9, 0xda, 0xab, 0x1b,
+	0xa4, 0xfb, 0xd4, 0xb0, 0x69, 0x53, 0xa1, 0xc7, 0x68, 0x0d, 0xc0, 0x54, 0xe8, 0x71, 0xd3, 0x22,
-	0x64, 0x57, 0x3e, 0xe4, 0xa2, 0x88, 0x8b, 0x42, 0xdd, 0xa3, 0xe0, 0x00, 0x97, 0xf8, 0x2f, 0x02,
+	0x47, 0xea, 0x99, 0x10, 0x45, 0x42, 0x14, 0x9a, 0x3e, 0x05, 0x87, 0xb8, 0xe4, 0xbf, 0x94, 0xe0,
-	0xbc, 0xbc, 0x6c, 0x9b, 0x96, 0xd6, 0x5d, 0x27, 0x96, 0x21, 0xb7, 0x96, 0x6d, 0xc3, 0x20, 0xaa,
+	0x2b, 0x1b, 0x8e, 0x4d, 0x8d, 0xfe, 0x0e, 0xa1, 0x96, 0xda, 0xd9, 0x70, 0x2c, 0x8b, 0xe8, 0xb4,
-	0xd5, 0xb0, 0x24, 0xcb, 0x36, 0xfb, 0x9b, 0x81, 0x1e, 0x41, 0xfe, 0x40, 0x52, 0x6c, 0x52, 0xca,
+	0x45, 0x15, 0xea, 0xd8, 0xc3, 0xcd, 0x40, 0x9f, 0x41, 0xf1, 0x54, 0xd1, 0x1c, 0x52, 0xc9, 0xad,
-	0x2c, 0x08, 0x57, 0xc7, 0x16, 0x2b, 0x15, 0x7f, 0xb7, 0x79, 0x73, 0xaf, 0xe8, 0xfb, 0x1d, 0xb6,
+	0x4a, 0xf7, 0xa7, 0xd6, 0x6a, 0xb5, 0x60, 0xb6, 0xf9, 0x7d, 0xaf, 0x99, 0x27, 0x3d, 0x3e, 0xfd,
-	0xfd, 0xdc, 0x05, 0xad, 0x3c, 0xb4, 0x25, 0xd5, 0x92, 0xad, 0x5e, 0xed, 0x02, 0x87, 0x3c, 0xcf,
+	0xbc, 0x01, 0xad, 0x7d, 0xea, 0x28, 0x3a, 0x55, 0xe9, 0xa0, 0x71, 0x47, 0x40, 0xde, 0x16, 0x7a,
-	0xf5, 0x6e, 0x53, 0x2c, 0xec, 0x40, 0x8a, 0x7f, 0x0d, 0x97, 0x53, 0x4d, 0x5b, 0x93, 0x4d, 0x0b,
+	0x0f, 0x18, 0x16, 0x76, 0x21, 0xe5, 0xdf, 0x87, 0xbb, 0x99, 0xa6, 0x6d, 0xab, 0x36, 0x45, 0xcf,
-	0x3d, 0x86, 0xbc, 0x6c, 0x91, 0xae, 0x59, 0x12, 0x16, 0xb2, 0x57, 0xc7, 0x16, 0x6f, 0x57, 0x4e,
+	0xa0, 0xa8, 0x52, 0xd2, 0xb7, 0x2b, 0xd2, 0x6a, 0xfe, 0xfe, 0xd4, 0xda, 0x47, 0xb5, 0x4b, 0xa7,
-	0xdc, 0xea, 0x95, 0x54, 0xb0, 0xda, 0x38, 0x37, 0x23, 0xbf, 0x4a, 0xe1, 0xb0, 0x83, 0x2a, 0xfe,
+	0x7a, 0x2d, 0x13, 0xac, 0x31, 0x2d, 0xcc, 0x28, 0x6e, 0x31, 0x38, 0xec, 0xa2, 0xca, 0x7f, 0x2e,
-	0x93, 0x00, 0x28, 0x28, 0xd3, 0x94, 0x8c, 0x0e, 0xb1, 0x06, 0x70, 0xca, 0x5f, 0xfc, 0x38, 0xa7,
+	0x01, 0x0a, 0xcb, 0xb4, 0x15, 0xab, 0x47, 0xe8, 0x08, 0x4e, 0xf9, 0xdd, 0x2f, 0xe7, 0x94, 0x05,
-	0xcc, 0x70, 0xc8, 0x31, 0x47, 0x61, 0xc8, 0x27, 0x3a, 0xcc, 0xc6, 0x4d, 0x62, 0xce, 0xd8, 0x0e,
+	0x01, 0x39, 0xe5, 0x2a, 0x8c, 0xf8, 0xc4, 0x84, 0xc5, 0xa4, 0x49, 0xdc, 0x19, 0x07, 0x51, 0x67,
-	0x3b, 0xe3, 0xe6, 0x10, 0xce, 0x70, 0x50, 0x52, 0xbc, 0xf0, 0x59, 0x06, 0x46, 0x57, 0x24, 0xd2,
+	0x3c, 0x18, 0xc3, 0x19, 0x2e, 0x4a, 0x86, 0x17, 0x7e, 0x90, 0x83, 0xc9, 0x4d, 0x85, 0xf4, 0x0d,
-	0xd5, 0xd4, 0x06, 0xb1, 0xd0, 0x47, 0x50, 0xa4, 0xe7, 0xab, 0x2d, 0x59, 0x12, 0x73, 0xc0, 0xd8,
+	0xbd, 0x45, 0x28, 0xfa, 0x1c, 0xca, 0x6c, 0x7d, 0x75, 0x15, 0xaa, 0x70, 0x07, 0x4c, 0xad, 0xbd,
-	0xe2, 0x1b, 0x27, 0xcd, 0xce, 0xac, 0x50, 0xee, 0xca, 0xc1, 0xcd, 0xca, 0xe6, 0xce, 0x13, 0xd2,
+	0x77, 0x59, 0xef, 0xec, 0x1a, 0xe3, 0xae, 0x9d, 0x3e, 0xa8, 0xed, 0x1d, 0x3e, 0x27, 0x1d, 0xba,
-	0xb2, 0xd6, 0x89, 0x25, 0xf9, 0x7b, 0xd2, 0x1f, 0xc3, 0x1e, 0x2a, 0xda, 0x80, 0x9c, 0xa9, 0x93,
+	0x43, 0xa8, 0x12, 0xcc, 0xc9, 0xa0, 0x0d, 0xfb, 0xa8, 0x68, 0x17, 0x0a, 0xb6, 0x49, 0x3a, 0xc2,
-	0x16, 0xf7, 0xdd, 0xf5, 0x3e, 0xd3, 0xf0, 0x2c, 0x6b, 0xe8, 0xa4, 0xe5, 0x2f, 0x06, 0xfd, 0x85,
+	0x77, 0xef, 0x0c, 0xe9, 0x86, 0x6f, 0x59, 0xcb, 0x24, 0x9d, 0x60, 0x30, 0xd8, 0x17, 0xe6, 0x38,
-	0x19, 0x0e, 0xda, 0x86, 0x11, 0x93, 0xad, 0x72, 0x29, 0x1b, 0x5b, 0x8d, 0x93, 0x11, 0x9d, 0xbd,
+	0xe8, 0x00, 0x26, 0x6c, 0x3e, 0xca, 0x95, 0x7c, 0x62, 0x34, 0x2e, 0x47, 0x74, 0xe7, 0xc6, 0x8c,
-	0x31, 0xc1, 0x31, 0x47, 0x9c, 0xdf, 0x98, 0xa3, 0x89, 0x5f, 0x09, 0x30, 0xee, 0xf1, 0xb2, 0x15,
+	0xc0, 0x9c, 0x70, 0xbf, 0xb1, 0x40, 0x93, 0x7f, 0x22, 0xc1, 0xb4, 0xcf, 0xcb, 0x47, 0xe0, 0xdb,
-	0xf8, 0x30, 0xe6, 0x9b, 0xca, 0x60, 0xbe, 0xa1, 0xd2, 0xcc, 0x33, 0x53, 0x5c, 0x57, 0xd1, 0x1d,
+	0x09, 0xdf, 0xd4, 0x46, 0xf3, 0x0d, 0x93, 0xe6, 0x9e, 0x99, 0x13, 0xba, 0xca, 0x5e, 0x4b, 0xc8,
-	0x09, 0xf8, 0x65, 0xdd, 0x5d, 0xdf, 0x0c, 0x5b, 0xdf, 0xab, 0x83, 0x4e, 0x23, 0x65, 0x59, 0xff,
+	0x2f, 0x3b, 0xde, 0xf8, 0xe6, 0xf8, 0xf8, 0xde, 0x1f, 0xb5, 0x1b, 0x19, 0xc3, 0xfa, 0x17, 0x85,
-	0x39, 0x17, 0x30, 0x9f, 0xba, 0x0b, 0x3d, 0x86, 0xa2, 0x49, 0x14, 0xd2, 0xb2, 0x34, 0x83, 0x9b,
+	0x90, 0xf9, 0xcc, 0x5d, 0xe8, 0x19, 0x94, 0x6d, 0xa2, 0x91, 0x0e, 0x35, 0x2c, 0x61, 0xfe, 0xfb,
-	0xff, 0xe6, 0x80, 0xe6, 0x4b, 0x3b, 0x44, 0x69, 0x70, 0xd1, 0xda, 0x79, 0x6a, 0xbf, 0xfb, 0x0b,
+	0x23, 0x9a, 0xaf, 0x1c, 0x12, 0xad, 0x25, 0x44, 0x1b, 0xb7, 0x99, 0xfd, 0xde, 0x17, 0xf6, 0x21,
-	0x7b, 0x90, 0xe8, 0x21, 0x14, 0x2d, 0xd2, 0xd5, 0x15, 0xc9, 0x72, 0xcf, 0xc5, 0x6b, 0xc1, 0x29,
+	0xd1, 0xa7, 0x50, 0xa6, 0xa4, 0x6f, 0x6a, 0x0a, 0xf5, 0xd6, 0xc5, 0x9b, 0xe1, 0x2e, 0xb0, 0x64,
-	0xd0, 0x64, 0x42, 0xc1, 0xea, 0x5a, 0xbb, 0xc9, 0xd9, 0xd8, 0x92, 0x7a, 0x2e, 0x71, 0x47, 0xb1,
+	0xc2, 0xc0, 0x9a, 0x46, 0xb7, 0x2d, 0xd8, 0xf8, 0x90, 0xfa, 0x2e, 0xf1, 0x5a, 0xb1, 0x0f, 0x83,
-	0x07, 0x83, 0x0e, 0x60, 0xc2, 0xd6, 0xdb, 0x94, 0xd3, 0xa2, 0xa1, 0xb4, 0xd3, 0xe3, 0x4b, 0xfc,
+	0x4e, 0x61, 0xc6, 0x31, 0xbb, 0x8c, 0x93, 0xb2, 0x50, 0xda, 0x1b, 0x88, 0x21, 0xfe, 0x70, 0x54,
-	0xf6, 0xa0, 0xbe, 0xd9, 0x0a, 0x49, 0xd7, 0x66, 0xb9, 0xae, 0x89, 0xf0, 0x38, 0x8e, 0x68, 0x41,
+	0xdf, 0xec, 0x47, 0xa4, 0x1b, 0x8b, 0x42, 0xd7, 0x4c, 0xb4, 0x1d, 0xc7, 0xb4, 0xa0, 0x75, 0x98,
-	0x4b, 0x30, 0xd9, 0x95, 0x55, 0x4c, 0xa4, 0x76, 0xaf, 0x41, 0x5a, 0x9a, 0xda, 0x36, 0x4b, 0xb9,
+	0xed, 0xab, 0x3a, 0x26, 0x4a, 0x77, 0xd0, 0x22, 0x1d, 0x43, 0xef, 0xda, 0x95, 0xc2, 0xaa, 0x74,
-	0x05, 0xe1, 0x6a, 0xbe, 0x76, 0x91, 0x03, 0x4c, 0xae, 0x87, 0xc9, 0x38, 0xca, 0x8f, 0xde, 0x07,
+	0xbf, 0xd8, 0x58, 0x12, 0x00, 0xb3, 0x3b, 0x51, 0x32, 0x8e, 0xf3, 0xa3, 0x6f, 0x02, 0xf2, 0xba,
-	0xe4, 0x4e, 0xe3, 0xbe, 0x93, 0x09, 0x64, 0x4d, 0x2d, 0xe5, 0x17, 0x84, 0xab, 0xd9, 0xda, 0x1c,
+	0xf1, 0xc4, 0xcd, 0x04, 0xaa, 0xa1, 0x57, 0x8a, 0xab, 0xd2, 0xfd, 0x7c, 0x63, 0x59, 0xa0, 0xa0,
-	0x47, 0x41, 0xcd, 0x18, 0x07, 0x4e, 0x90, 0x42, 0x6b, 0x70, 0xc1, 0x20, 0x07, 0x32, 0x9d, 0xe3,
+	0x76, 0x82, 0x03, 0xa7, 0x48, 0xa1, 0x6d, 0xb8, 0x63, 0x91, 0x53, 0x95, 0xf5, 0xf1, 0xa9, 0x6a,
-	0x03, 0xd9, 0xb4, 0x34, 0xa3, 0xb7, 0x26, 0x77, 0x65, 0xab, 0x34, 0xc2, 0x6c, 0x2a, 0x1d, 0x1f,
+	0x53, 0xc3, 0x1a, 0x6c, 0xab, 0x7d, 0x95, 0x56, 0x26, 0xb8, 0x4d, 0x95, 0x8b, 0xf3, 0xea, 0x1d,
-	0x95, 0x2f, 0xe0, 0x04, 0x3a, 0x4e, 0x94, 0x12, 0xbf, 0xcc, 0xc3, 0x64, 0xe4, 0x0c, 0xa0, 0x6d,
+	0x9c, 0x42, 0xc7, 0xa9, 0x52, 0xf2, 0x8f, 0x8b, 0x30, 0x1b, 0x5b, 0x03, 0xe8, 0x00, 0x16, 0x3b,
-	0x98, 0x6d, 0x39, 0x01, 0x73, 0xc3, 0xee, 0xee, 0x10, 0xa3, 0xd1, 0xda, 0x23, 0x6d, 0x5b, 0x21,
+	0x6e, 0xc0, 0xdc, 0x75, 0xfa, 0x87, 0xc4, 0x6a, 0x75, 0x8e, 0x49, 0xd7, 0xd1, 0x48, 0x97, 0x4f,
-	0x6d, 0xb6, 0x51, 0xf2, 0xb5, 0x79, 0x6e, 0xf1, 0xec, 0x72, 0x22, 0x17, 0x4e, 0x91, 0xa6, 0x5e,
+	0x94, 0x62, 0x63, 0x45, 0x58, 0xbc, 0xb8, 0x91, 0xca, 0x85, 0x33, 0xa4, 0x99, 0x17, 0x74, 0xde,
-	0x50, 0xd9, 0xd0, 0xba, 0x6c, 0x9a, 0x1e, 0x66, 0x86, 0x61, 0x7a, 0x5e, 0xd8, 0x88, 0x71, 0xe0,
+	0xb4, 0xa3, 0xda, 0xb6, 0x8f, 0x99, 0xe3, 0x98, 0xbe, 0x17, 0x76, 0x13, 0x1c, 0x38, 0x45, 0x8a,
-	0x04, 0x29, 0x6a, 0x63, 0x9b, 0x98, 0xb2, 0x41, 0xda, 0x51, 0x1b, 0xb3, 0x61, 0x1b, 0x57, 0x12,
+	0xd9, 0xd8, 0x25, 0xb6, 0x6a, 0x91, 0x6e, 0xdc, 0xc6, 0x7c, 0xd4, 0xc6, 0xcd, 0x54, 0x2e, 0x9c,
-	0xb9, 0x70, 0x8a, 0x34, 0xba, 0x05, 0x63, 0x8e, 0x36, 0xb6, 0x7e, 0x7c, 0xa1, 0xbd, 0x10, 0xbd,
+	0x21, 0x8d, 0x1e, 0xc2, 0x94, 0xab, 0x8d, 0x8f, 0x9f, 0x18, 0x68, 0x3f, 0x44, 0xef, 0x06, 0x24,
-	0xe1, 0x93, 0x70, 0x90, 0x8f, 0x4e, 0x4d, 0xdb, 0x31, 0x89, 0x71, 0x40, 0xda, 0xe9, 0x0b, 0xbc,
+	0x1c, 0xe6, 0x63, 0x5d, 0x33, 0x0e, 0x6d, 0x62, 0x9d, 0x92, 0x6e, 0xf6, 0x00, 0xef, 0x25, 0x38,
-	0x19, 0xe3, 0xc0, 0x09, 0x52, 0x74, 0x6a, 0xce, 0x0e, 0x8c, 0x4d, 0x6d, 0x24, 0x3c, 0xb5, 0xad,
+	0x70, 0x8a, 0x14, 0xeb, 0x9a, 0x3b, 0x03, 0x13, 0x5d, 0x9b, 0x88, 0x76, 0x6d, 0x3f, 0x95, 0x0b,
-	0x44, 0x2e, 0x9c, 0x22, 0x4d, 0xf7, 0xb1, 0x63, 0xf2, 0xd2, 0x81, 0x24, 0x2b, 0xd2, 0x8e, 0x42,
+	0x67, 0x48, 0xb3, 0x79, 0xec, 0x9a, 0xbc, 0x7e, 0xaa, 0xa8, 0x9a, 0x72, 0xa8, 0x91, 0x4a, 0x29,
-	0x4a, 0x85, 0xf0, 0x3e, 0xde, 0x08, 0x93, 0x71, 0x94, 0x1f, 0xdd, 0x87, 0x69, 0x67, 0x68, 0x4b,
+	0x3a, 0x8f, 0x77, 0xa3, 0x64, 0x1c, 0xe7, 0x47, 0x4f, 0x60, 0xde, 0x6d, 0xda, 0xd7, 0x15, 0x1f,
-	0x95, 0x3c, 0x90, 0x22, 0x03, 0x79, 0x99, 0x83, 0x4c, 0x6f, 0x44, 0x19, 0x70, 0x5c, 0x06, 0xbd,
+	0xa4, 0xcc, 0x41, 0xbe, 0x22, 0x40, 0xe6, 0x77, 0xe3, 0x0c, 0x38, 0x29, 0x83, 0x3e, 0x86, 0x99,
-	0x0b, 0x13, 0x2d, 0x4d, 0x51, 0xd8, 0x7e, 0x5c, 0xd6, 0x6c, 0xd5, 0x2a, 0x8d, 0x32, 0x14, 0x44,
+	0x8e, 0xa1, 0x69, 0x7c, 0x3e, 0x6e, 0x18, 0x8e, 0x4e, 0x2b, 0x93, 0x1c, 0x05, 0xb1, 0xf5, 0xb8,
-	0xcf, 0xe3, 0x72, 0x88, 0x82, 0x23, 0x9c, 0xe2, 0x4f, 0x04, 0xb8, 0x98, 0x72, 0xa6, 0xd1, 0x9f,
+	0x11, 0xa1, 0xe0, 0x18, 0xa7, 0xfc, 0x2f, 0x12, 0x2c, 0x65, 0xac, 0x69, 0xf4, 0x0d, 0x28, 0xd0,
-	0x40, 0xce, 0xea, 0xe9, 0x6e, 0xb6, 0xfe, 0x43, 0x37, 0x41, 0x34, 0x7b, 0x3a, 0x79, 0x76, 0x54,
+	0x81, 0xe9, 0x65, 0xeb, 0x5f, 0xf7, 0x12, 0x44, 0x7b, 0x60, 0x92, 0x97, 0xe7, 0xd5, 0xd7, 0x33,
-	0xbe, 0x94, 0x22, 0x46, 0xc9, 0x98, 0x09, 0x22, 0x15, 0xc6, 0x0d, 0xaa, 0x4e, 0xed, 0x38, 0x2c,
+	0xc4, 0x18, 0x19, 0x73, 0x41, 0xa4, 0xc3, 0xb4, 0xc5, 0xd4, 0xe9, 0x3d, 0x97, 0x45, 0x04, 0xaf,
-	0x3c, 0x78, 0xdd, 0xea, 0x13, 0x63, 0x70, 0x50, 0xc6, 0x0f, 0xc6, 0xd3, 0xc7, 0x47, 0xe5, 0xf1,
+	0x87, 0x43, 0x62, 0x0c, 0x0e, 0xcb, 0x04, 0xc1, 0x78, 0xfe, 0xe2, 0xbc, 0x3a, 0x1d, 0xa1, 0xe1,
-	0x10, 0x0d, 0x87, 0xe1, 0xc5, 0xcf, 0x33, 0x00, 0x2b, 0x44, 0x57, 0xb4, 0x5e, 0x97, 0xa8, 0x67,
+	0x28, 0xbc, 0xfc, 0xc3, 0x1c, 0xc0, 0x26, 0x31, 0x35, 0x63, 0xd0, 0x27, 0xfa, 0x4d, 0x24, 0xdc,
-	0x91, 0x70, 0x37, 0x43, 0x09, 0xf7, 0x46, 0xbf, 0xd8, 0xe9, 0x99, 0x96, 0x9a, 0x71, 0x3f, 0x88,
+	0xbd, 0x48, 0xc2, 0x7d, 0x77, 0x58, 0xec, 0xf4, 0x4d, 0xcb, 0xcc, 0xb8, 0xdf, 0x8a, 0x65, 0xdc,
-	0x64, 0xdc, 0xea, 0xe0, 0x90, 0x27, 0xa7, 0xdc, 0x5f, 0x64, 0x61, 0xc6, 0x67, 0x5e, 0xd6, 0xd4,
+	0xfa, 0xe8, 0x90, 0x97, 0xa7, 0xdc, 0xff, 0xc8, 0xc3, 0x42, 0xc0, 0xbc, 0x61, 0xe8, 0x5d, 0x95,
-	0xb6, 0xcc, 0xce, 0xc7, 0x9d, 0xd0, 0x1a, 0xff, 0x41, 0x64, 0x8d, 0x2f, 0x26, 0x88, 0x04, 0xd6,
+	0xaf, 0x8f, 0x4f, 0x22, 0x63, 0xfc, 0x6b, 0xb1, 0x31, 0x5e, 0x4a, 0x11, 0x09, 0x8d, 0xef, 0xb6,
-	0x77, 0xcd, 0xb3, 0x36, 0xc3, 0xc4, 0xdf, 0x0a, 0x2b, 0x7f, 0x76, 0x54, 0x4e, 0xb8, 0xf3, 0x54,
+	0x6f, 0x6d, 0x8e, 0x8b, 0x7f, 0x10, 0x55, 0xfe, 0xf2, 0xbc, 0x9a, 0xb2, 0xe7, 0xa9, 0xf9, 0x48,
-	0x3c, 0xa4, 0xb0, 0x89, 0xe8, 0x0a, 0x8c, 0x18, 0x44, 0x32, 0x35, 0x95, 0x05, 0x8a, 0x51, 0x7f,
+	0x51, 0x13, 0xd1, 0x3d, 0x98, 0xb0, 0x88, 0x62, 0x1b, 0x3a, 0x0f, 0x14, 0x93, 0x41, 0x57, 0x30,
-	0x2a, 0x98, 0x8d, 0x62, 0x4e, 0x45, 0xd7, 0xa0, 0xd0, 0x25, 0xa6, 0x29, 0x75, 0x08, 0x8b, 0x09,
+	0x6f, 0xc5, 0x82, 0x8a, 0xde, 0x82, 0x52, 0x9f, 0xd8, 0xb6, 0xd2, 0x23, 0x3c, 0x26, 0x4c, 0x36,
-	0xa3, 0xb5, 0x49, 0xce, 0x58, 0x58, 0x77, 0x86, 0xb1, 0x4b, 0x47, 0x4f, 0x60, 0x42, 0x91, 0x4c,
+	0x66, 0x05, 0x63, 0x69, 0xc7, 0x6d, 0xc6, 0x1e, 0x1d, 0x3d, 0x87, 0x19, 0x4d, 0xb1, 0xc5, 0x04,
-	0xbe, 0x41, 0x9b, 0x72, 0x97, 0xb0, 0x53, 0x3f, 0xb6, 0xf8, 0xfa, 0x60, 0xfb, 0x80, 0x4a, 0xf8,
+	0x6d, 0xab, 0x7d, 0xc2, 0x57, 0xfd, 0xd4, 0xda, 0xdb, 0xa3, 0xcd, 0x03, 0x26, 0x11, 0x64, 0xb6,
-	0x99, 0x6d, 0x2d, 0x84, 0x84, 0x23, 0xc8, 0xe8, 0x00, 0x10, 0x1d, 0x69, 0x1a, 0x92, 0x6a, 0x3a,
+	0xed, 0x08, 0x12, 0x8e, 0x21, 0xa3, 0x53, 0x40, 0xac, 0xa5, 0x6d, 0x29, 0xba, 0xed, 0x3a, 0x8a,
-	0x8e, 0xa2, 0xfa, 0x0a, 0x43, 0xeb, 0xf3, 0x22, 0xdc, 0x5a, 0x0c, 0x0d, 0x27, 0x68, 0x10, 0xff,
+	0xe9, 0x2b, 0x8d, 0xad, 0xcf, 0x8f, 0x70, 0xdb, 0x09, 0x34, 0x9c, 0xa2, 0x41, 0xfe, 0xa9, 0x04,
-	0x57, 0x80, 0x09, 0x7f, 0x99, 0xce, 0xa0, 0x9a, 0xda, 0x08, 0x57, 0x53, 0xd7, 0x06, 0xde, 0xa2,
+	0x33, 0xc1, 0x30, 0xdd, 0x40, 0x35, 0xb5, 0x1b, 0xad, 0xa6, 0xde, 0x1a, 0x79, 0x8a, 0x66, 0x94,
-	0x29, 0xe5, 0xd4, 0xaf, 0x33, 0x80, 0x7c, 0x26, 0x7a, 0xc0, 0x77, 0xa4, 0xd6, 0xfe, 0x00, 0x77,
+	0x53, 0xff, 0x9d, 0x03, 0x14, 0x30, 0xb1, 0x05, 0x7e, 0xa8, 0x74, 0x4e, 0x46, 0xd8, 0x2b, 0xfc,
-	0x85, 0xcf, 0x04, 0x40, 0x3c, 0x3c, 0x2f, 0xa9, 0xaa, 0x66, 0xb1, 0x88, 0xef, 0x9a, 0xb5, 0x3a,
+	0x40, 0x02, 0x24, 0xc2, 0xf3, 0xba, 0xae, 0x1b, 0x94, 0x47, 0x7c, 0xcf, 0xac, 0xad, 0x91, 0xcd,
-	0xb0, 0x59, 0xae, 0xc6, 0xca, 0x56, 0x0c, 0xeb, 0xae, 0x6a, 0x19, 0x3d, 0x7f, 0x45, 0xe2, 0x0c,
+	0xf2, 0x34, 0xd6, 0xf6, 0x13, 0x58, 0x8f, 0x74, 0x6a, 0x0d, 0x82, 0x11, 0x49, 0x32, 0xe0, 0x14,
-	0x38, 0xc1, 0x00, 0x24, 0x01, 0x18, 0x1c, 0xb3, 0xa9, 0xf1, 0x83, 0x7c, 0x63, 0x80, 0x98, 0x47,
+	0x03, 0x90, 0x02, 0x60, 0x09, 0xcc, 0xb6, 0x21, 0x16, 0xf2, 0xbb, 0x23, 0xc4, 0x3c, 0x26, 0xb0,
-	0x05, 0x96, 0x35, 0x75, 0x57, 0xee, 0xf8, 0x61, 0x07, 0x7b, 0x40, 0x38, 0x00, 0x3a, 0x77, 0x17,
+	0x61, 0xe8, 0x47, 0x6a, 0x2f, 0x08, 0x3b, 0xd8, 0x07, 0xc2, 0x21, 0xd0, 0xe5, 0x47, 0xb0, 0x94,
-	0x2e, 0xa6, 0x58, 0x8b, 0xa6, 0x20, 0xbb, 0x4f, 0x7a, 0x8e, 0xdb, 0x30, 0xfd, 0x13, 0x5d, 0x08,
+	0x61, 0x2d, 0x9a, 0x83, 0xfc, 0x09, 0x19, 0xb8, 0x6e, 0xc3, 0xec, 0x27, 0xba, 0x13, 0xde, 0x53,
-	0xde, 0xa9, 0x46, 0xf9, 0x75, 0xe8, 0xdd, 0xcc, 0x6d, 0x41, 0xfc, 0x2a, 0x1f, 0xdc, 0x3b, 0xac,
+	0x4d, 0x8a, 0xed, 0xd0, 0xc7, 0xb9, 0x8f, 0x24, 0xf9, 0x27, 0xc5, 0xf0, 0xdc, 0xe1, 0xa5, 0xec,
-	0x94, 0xbd, 0x0a, 0x45, 0x83, 0xe8, 0x8a, 0xdc, 0x92, 0x4c, 0x5e, 0xa1, 0xb0, 0xaa, 0x14, 0xf3,
+	0x7d, 0x28, 0x5b, 0xc4, 0xd4, 0xd4, 0x8e, 0x62, 0x8b, 0x0a, 0x85, 0x57, 0xa5, 0x58, 0xb4, 0x61,
-	0x31, 0xec, 0x51, 0x43, 0x45, 0x6f, 0xe6, 0xc5, 0x16, 0xbd, 0xd9, 0xe7, 0x53, 0xf4, 0xfe, 0x15,
+	0x9f, 0x1a, 0x29, 0x7a, 0x73, 0xd7, 0x5b, 0xf4, 0xe6, 0x5f, 0x4d, 0xd1, 0xfb, 0x7b, 0x50, 0xb6,
-	0x14, 0x4d, 0xb7, 0xdc, 0xcd, 0x31, 0xc8, 0x9b, 0x43, 0xc4, 0x57, 0x5e, 0xe9, 0x7a, 0x0a, 0xbc,
+	0xbd, 0x72, 0xb7, 0xc0, 0x21, 0x1f, 0x8c, 0x11, 0x5f, 0x45, 0xa5, 0xeb, 0x2b, 0xf0, 0x6b, 0x5c,
-	0x1a, 0xd7, 0x03, 0x4d, 0xaa, 0x6e, 0xf3, 0x43, 0x56, 0xb7, 0xcf, 0xb5, 0x22, 0xa5, 0x31, 0x55,
+	0x1f, 0x34, 0xad, 0xba, 0x2d, 0x8e, 0x59, 0xdd, 0xbe, 0xd2, 0x8a, 0x94, 0xc5, 0x54, 0x53, 0x71,
-	0x97, 0x6c, 0x93, 0xb4, 0x59, 0x20, 0x2a, 0xfa, 0x31, 0xb5, 0xce, 0x46, 0x31, 0xa7, 0xa2, 0xc7,
+	0x6c, 0xd2, 0xe5, 0x81, 0xa8, 0x1c, 0xc4, 0xd4, 0x26, 0x6f, 0xc5, 0x82, 0x8a, 0x9e, 0x45, 0xa6,
-	0xa1, 0x2d, 0x5b, 0x3c, 0xcd, 0x96, 0x9d, 0x48, 0xdf, 0xae, 0x68, 0x0b, 0x2e, 0xea, 0x86, 0xd6,
+	0x6c, 0xf9, 0x2a, 0x53, 0x76, 0x26, 0x7b, 0xba, 0xa2, 0x7d, 0x58, 0x32, 0x2d, 0xa3, 0x67, 0x11,
-	0x31, 0x88, 0x69, 0xae, 0x10, 0xa9, 0xad, 0xc8, 0x2a, 0x71, 0xfd, 0xe3, 0x94, 0x2a, 0x97, 0x8e,
+	0xdb, 0xde, 0x24, 0x4a, 0x57, 0x53, 0x75, 0xe2, 0xf9, 0xc7, 0x2d, 0x55, 0x5e, 0xbf, 0x38, 0xaf,
-	0x8f, 0xca, 0x17, 0xeb, 0xc9, 0x2c, 0x38, 0x4d, 0x56, 0x7c, 0x9a, 0x83, 0xa9, 0x68, 0x06, 0x4c,
+	0x2e, 0x35, 0xd3, 0x59, 0x70, 0x96, 0xac, 0xfc, 0xa2, 0x00, 0x73, 0xf1, 0x0c, 0x98, 0x51, 0x3d,
-	0xa9, 0x1e, 0x85, 0x53, 0x55, 0x8f, 0xd7, 0x03, 0x87, 0xc1, 0x29, 0xad, 0xbd, 0xd5, 0x4f, 0x38,
+	0x4a, 0x57, 0xaa, 0x1e, 0xdf, 0x09, 0x2d, 0x06, 0xb7, 0xb4, 0xf6, 0x47, 0x3f, 0x65, 0x41, 0xac,
-	0x10, 0x4b, 0x30, 0xc9, 0xa3, 0x81, 0x4b, 0xe4, 0xf5, 0xb3, 0xb7, 0xfa, 0x5b, 0x61, 0x32, 0x8e,
+	0xc3, 0xac, 0x88, 0x06, 0x1e, 0x51, 0xd4, 0xcf, 0xfe, 0xe8, 0xef, 0x47, 0xc9, 0x38, 0xce, 0xcf,
-	0xf2, 0xd3, 0x9a, 0xd0, 0x2f, 0xf5, 0x5c, 0x90, 0x5c, 0xb8, 0x26, 0x5c, 0x8a, 0x32, 0xe0, 0xb8,
+	0x6a, 0xc2, 0xa0, 0xd4, 0xf3, 0x40, 0x0a, 0xd1, 0x9a, 0x70, 0x3d, 0xce, 0x80, 0x93, 0x32, 0x68,
-	0x0c, 0x5a, 0x87, 0x19, 0x5b, 0x8d, 0x43, 0x39, 0xbb, 0xf1, 0x12, 0x87, 0x9a, 0xd9, 0x8a, 0xb3,
+	0x07, 0x16, 0x1c, 0x3d, 0x09, 0xe5, 0xce, 0xc6, 0xd7, 0x05, 0xd4, 0xc2, 0x7e, 0x92, 0x05, 0xa7,
-	0xe0, 0x24, 0x39, 0xb4, 0x0b, 0xd0, 0x72, 0xd3, 0xb6, 0x59, 0x1a, 0x61, 0x11, 0x76, 0x71, 0xe0,
+	0xc9, 0xa1, 0x23, 0x80, 0x8e, 0x97, 0xb6, 0xed, 0xca, 0x04, 0x8f, 0xb0, 0x6b, 0x23, 0xaf, 0x1d,
-	0xb3, 0xe3, 0x65, 0x7c, 0x3f, 0xae, 0x79, 0x43, 0x26, 0x0e, 0x20, 0xa3, 0x3b, 0x30, 0x6e, 0xb0,
+	0x3f, 0xe3, 0x07, 0x71, 0xcd, 0x6f, 0xb2, 0x71, 0x08, 0x19, 0x7d, 0x02, 0xd3, 0x16, 0xdf, 0x10,
-	0x0b, 0x81, 0x6b, 0xb0, 0x53, 0x54, 0xbf, 0xc4, 0xc5, 0xc6, 0x71, 0x90, 0x88, 0xc3, 0xbc, 0x09,
+	0x78, 0x06, 0xbb, 0x45, 0xf5, 0x6b, 0x42, 0x6c, 0x1a, 0x87, 0x89, 0x38, 0xca, 0x9b, 0x52, 0x07,
-	0x75, 0x70, 0x71, 0xe0, 0x3a, 0xf8, 0xff, 0x84, 0x60, 0x12, 0xf2, 0x4a, 0xe0, 0x77, 0x43, 0xe5,
+	0x97, 0x47, 0xae, 0x83, 0xff, 0x49, 0x0a, 0x27, 0x21, 0xbf, 0x04, 0xfe, 0x38, 0x52, 0x1e, 0xdd,
-	0xd1, 0x95, 0x48, 0x79, 0x34, 0x1b, 0x97, 0x08, 0x54, 0x47, 0x5a, 0x72, 0xf5, 0xfb, 0xf6, 0x50,
+	0x8b, 0x95, 0x47, 0x8b, 0x49, 0x89, 0x50, 0x75, 0x64, 0xa4, 0x57, 0xbf, 0x1f, 0x8e, 0x55, 0xfd,
-	0xd5, 0xaf, 0x9f, 0x3c, 0xfb, 0x97, 0xbf, 0x5f, 0x08, 0x30, 0x7b, 0xaf, 0x71, 0xdf, 0xd0, 0x6c,
+	0x06, 0xc9, 0x73, 0x78, 0xf9, 0xfb, 0x23, 0x09, 0x16, 0x1f, 0xb7, 0x9e, 0x58, 0x86, 0x63, 0x7a,
-	0xdd, 0x35, 0x67, 0x53, 0x77, 0xfc, 0xfa, 0x0e, 0xe4, 0x0c, 0x5b, 0x71, 0xe7, 0xf1, 0x9a, 0x3b,
+	0xe6, 0xec, 0x99, 0xae, 0x5f, 0xbf, 0x06, 0x05, 0xcb, 0xd1, 0xbc, 0x7e, 0xbc, 0xe9, 0xf5, 0x03,
-	0x0f, 0x6c, 0x2b, 0x74, 0x1e, 0x33, 0x11, 0x29, 0x67, 0x12, 0x54, 0x00, 0x6d, 0xc0, 0x88, 0x21,
+	0x3b, 0x1a, 0xeb, 0xc7, 0x42, 0x4c, 0xca, 0xed, 0x04, 0x13, 0x40, 0xbb, 0x30, 0x61, 0x29, 0x7a,
-	0xa9, 0x1d, 0xe2, 0xa6, 0xd5, 0x2b, 0x7d, 0xac, 0x5f, 0x5d, 0xc1, 0x94, 0x3d, 0x50, 0xbc, 0x31,
+	0x8f, 0x78, 0x69, 0xf5, 0xde, 0x10, 0xeb, 0xb7, 0x36, 0x31, 0x63, 0x0f, 0x15, 0x6f, 0x5c, 0x1a,
-	0x69, 0xcc, 0x51, 0xc4, 0xbf, 0x17, 0x60, 0xf2, 0x41, 0xb3, 0x59, 0x5f, 0x55, 0xd9, 0x89, 0x66,
+	0x0b, 0x14, 0xf9, 0x4f, 0x24, 0x98, 0x7d, 0xda, 0x6e, 0x37, 0xb7, 0x74, 0xbe, 0xa2, 0xf9, 0xe1,
-	0x8f, 0xaf, 0x0b, 0x90, 0xd3, 0x25, 0x6b, 0x2f, 0x9a, 0xe9, 0x29, 0x0d, 0x33, 0x0a, 0xfa, 0x73,
+	0xeb, 0x2a, 0x14, 0x4c, 0x85, 0x1e, 0xc7, 0x33, 0x3d, 0xa3, 0x61, 0x4e, 0x41, 0xbf, 0x03, 0x25,
-	0x28, 0xd0, 0x48, 0x42, 0xd4, 0xf6, 0x80, 0xa5, 0x36, 0x87, 0xaf, 0x39, 0x42, 0x7e, 0x85, 0xc8,
+	0x16, 0x49, 0x88, 0xde, 0x1d, 0xb1, 0xd4, 0x16, 0xf0, 0x0d, 0x57, 0x28, 0xa8, 0x10, 0x45, 0x03,
-	0x07, 0xb0, 0x0b, 0x27, 0xee, 0xc3, 0x85, 0x80, 0x39, 0xd4, 0x1f, 0xec, 0xcd, 0x10, 0x35, 0x20,
+	0xf6, 0xe0, 0xe4, 0x13, 0xb8, 0x13, 0x32, 0x87, 0xf9, 0x83, 0x9f, 0x19, 0xa2, 0x16, 0x14, 0x99,
-	0x4f, 0x35, 0xbb, 0x4f, 0x82, 0xfd, 0x5e, 0xbe, 0x22, 0x53, 0xf2, 0x2b, 0x1d, 0xfa, 0xcb, 0xc4,
+	0x66, 0xef, 0x48, 0x70, 0xd8, 0xc9, 0x57, 0xac, 0x4b, 0x41, 0xa5, 0xc3, 0xbe, 0x6c, 0xec, 0x62,
-	0x0e, 0x96, 0xb8, 0x0e, 0xe3, 0xec, 0xc5, 0x59, 0x33, 0x2c, 0xe6, 0x16, 0x74, 0x19, 0xb2, 0x5d,
+	0xc9, 0x3b, 0x30, 0xcd, 0x4f, 0x9c, 0x0d, 0x8b, 0x72, 0xb7, 0xa0, 0xbb, 0x90, 0xef, 0xab, 0xba,
-	0x59, 0xe5, 0x79, 0x76, 0x8c, 0xcb, 0x64, 0x69, 0x8e, 0xa0, 0xe3, 0x8c, 0x2c, 0x1d, 0xf2, 0xc8,
+	0xc8, 0xb3, 0x53, 0x42, 0x26, 0xcf, 0x72, 0x04, 0x6b, 0xe7, 0x64, 0xe5, 0x4c, 0x44, 0x9e, 0x80,
-	0xe3, 0x93, 0xa5, 0x43, 0x4c, 0xc7, 0xc5, 0xfb, 0x50, 0xe0, 0xee, 0x0e, 0x02, 0x65, 0x4f, 0x06,
+	0xac, 0x9c, 0x61, 0xd6, 0x2e, 0x3f, 0x81, 0x92, 0x70, 0x77, 0x18, 0x28, 0x7f, 0x39, 0x50, 0x3e,
-	0xca, 0x26, 0x00, 0x6d, 0x42, 0x61, 0xb5, 0x5e, 0x53, 0x34, 0xa7, 0xea, 0x6a, 0xc9, 0x6d, 0x23,
+	0x05, 0x68, 0x0f, 0x4a, 0x5b, 0xcd, 0x86, 0x66, 0xb8, 0x55, 0x57, 0x47, 0xed, 0x5a, 0xf1, 0xb1,
-	0xba, 0x16, 0xcb, 0xab, 0x2b, 0x18, 0x33, 0x0a, 0x12, 0x61, 0x84, 0x1c, 0xb6, 0x88, 0x6e, 0xb1,
+	0xd8, 0xd8, 0xda, 0xc4, 0x98, 0x53, 0x90, 0x0c, 0x13, 0xe4, 0xac, 0x43, 0x4c, 0xca, 0x67, 0xc4,
-	0x1d, 0x31, 0x5a, 0x03, 0xba, 0xca, 0x77, 0xd9, 0x08, 0xe6, 0x14, 0xf1, 0x1f, 0x32, 0x50, 0xe0,
+	0x64, 0x03, 0xd8, 0x28, 0x3f, 0xe2, 0x2d, 0x58, 0x50, 0xe4, 0x3f, 0xcd, 0x41, 0x49, 0xb8, 0xe3,
-	0xee, 0x38, 0x83, 0x5b, 0xd8, 0x5a, 0xe8, 0x16, 0xf6, 0xfa, 0x60, 0x5b, 0x23, 0xf5, 0x0a, 0xd6,
+	0x06, 0x76, 0x61, 0xdb, 0x91, 0x5d, 0xd8, 0xdb, 0xa3, 0x4d, 0x8d, 0xcc, 0x2d, 0x58, 0x3b, 0xb6,
-	0x8c, 0x5c, 0xc1, 0xae, 0x0f, 0x88, 0x77, 0xf2, 0xfd, 0xeb, 0x4b, 0x01, 0x26, 0xc2, 0x9b, 0x12,
+	0x05, 0x7b, 0x67, 0x44, 0xbc, 0xcb, 0xf7, 0x5f, 0x3f, 0x96, 0x60, 0x26, 0x3a, 0x29, 0xd1, 0x43,
-	0xdd, 0x82, 0x31, 0x9a, 0x70, 0xe4, 0x16, 0xd9, 0xf0, 0xeb, 0x5c, 0xef, 0x75, 0xa4, 0xe1, 0x93,
+	0x98, 0x62, 0x09, 0x47, 0xed, 0x90, 0xdd, 0xa0, 0xce, 0xf5, 0x4f, 0x47, 0x5a, 0x01, 0x09, 0x87,
-	0x70, 0x90, 0x0f, 0x75, 0x3c, 0x31, 0xba, 0x8f, 0xf8, 0xa4, 0xd3, 0x5d, 0x6a, 0x5b, 0xb2, 0x52,
+	0xf9, 0x50, 0xcf, 0x17, 0x63, 0xf3, 0x48, 0x74, 0x3a, 0xdb, 0xa5, 0x0e, 0x55, 0xb5, 0x9a, 0x7b,
-	0x71, 0x1a, 0x27, 0x95, 0x55, 0xd5, 0xda, 0x34, 0x1a, 0x96, 0x21, 0xab, 0x9d, 0x98, 0x22, 0xb6,
+	0x71, 0x52, 0xdb, 0xd2, 0xe9, 0x9e, 0xd5, 0xa2, 0x96, 0xaa, 0xf7, 0x12, 0x8a, 0xf8, 0xa4, 0x0c,
-	0x29, 0x83, 0xc8, 0xe2, 0xff, 0x08, 0x30, 0xc6, 0x4d, 0x3e, 0x83, 0x5b, 0xc5, 0x9f, 0x85, 0x6f,
+	0x23, 0xcb, 0xff, 0x28, 0xc1, 0x94, 0x30, 0xf9, 0x06, 0x76, 0x15, 0xbf, 0x1d, 0xdd, 0x55, 0xdc,
-	0x15, 0x57, 0x06, 0x3c, 0xe0, 0xc9, 0x57, 0x8a, 0x7f, 0xf7, 0x4d, 0xa7, 0x47, 0x9a, 0xee, 0xea,
+	0x1b, 0x71, 0x81, 0xa7, 0x6f, 0x29, 0xfe, 0x26, 0x30, 0x9d, 0x2d, 0x69, 0x36, 0xab, 0x8f, 0x0d,
-	0x3d, 0xcd, 0xb4, 0xa2, 0xbb, 0x9a, 0x1e, 0x46, 0xcc, 0x28, 0xc8, 0x86, 0x29, 0x39, 0x12, 0x03,
+	0x9b, 0xc6, 0x67, 0x35, 0x5b, 0x8c, 0x98, 0x53, 0x90, 0x03, 0x73, 0x6a, 0x2c, 0x06, 0x08, 0xd7,
-	0xb8, 0x6b, 0xab, 0x83, 0x59, 0xe2, 0x89, 0xd5, 0x4a, 0x1c, 0x7e, 0x2a, 0x4a, 0xc1, 0x31, 0x15,
+	0xd6, 0x47, 0xb3, 0xc4, 0x17, 0x6b, 0x54, 0x04, 0xfc, 0x5c, 0x9c, 0x82, 0x13, 0x2a, 0x64, 0x02,
-	0x22, 0x81, 0x18, 0x17, 0x7a, 0x08, 0xb9, 0x3d, 0xcb, 0xd2, 0x13, 0x1e, 0x92, 0xfb, 0x44, 0x1e,
+	0x09, 0x2e, 0xf4, 0x29, 0x14, 0x8e, 0x29, 0x35, 0x53, 0x0e, 0x92, 0x87, 0x44, 0x9e, 0xc0, 0x84,
-	0xdf, 0x84, 0x22, 0x9b, 0x5d, 0xb3, 0x59, 0xc7, 0x0c, 0x4a, 0xfc, 0x8d, 0xef, 0x8f, 0x86, 0xb3,
+	0x32, 0xef, 0x5d, 0xbb, 0xdd, 0xc4, 0x1c, 0x4a, 0xfe, 0x9f, 0xc0, 0x1f, 0x2d, 0x77, 0x8e, 0xfb,
-	0xc7, 0xbd, 0x78, 0x2a, 0x9c, 0x26, 0x9e, 0x8e, 0x25, 0xc5, 0x52, 0xf4, 0x00, 0xb2, 0x96, 0x32,
+	0xf1, 0x54, 0xba, 0x4a, 0x3c, 0x9d, 0x4a, 0x8b, 0xa5, 0xe8, 0x29, 0xe4, 0xa9, 0x36, 0xea, 0xb6,
-	0xe8, 0xb5, 0x90, 0x23, 0x36, 0xd7, 0x1a, 0x7e, 0x40, 0x6a, 0xae, 0x35, 0x30, 0x85, 0x40, 0x9b,
+	0x50, 0x20, 0xb6, 0xb7, 0x5b, 0x41, 0x40, 0x6a, 0x6f, 0xb7, 0x30, 0x83, 0x40, 0x7b, 0x50, 0x64,
-	0x90, 0xa7, 0xd9, 0x87, 0x1e, 0xc1, 0xec, 0xe0, 0x47, 0x9a, 0xce, 0xdf, 0xdf, 0x10, 0xf4, 0x97,
+	0xd9, 0x87, 0x2d, 0xc1, 0xfc, 0xe8, 0x4b, 0x9a, 0xf5, 0x3f, 0x98, 0x10, 0xec, 0xcb, 0xc6, 0x2e,
-	0x89, 0x1d, 0x1c, 0xf1, 0x63, 0x18, 0x0f, 0x9d, 0x53, 0xf4, 0x11, 0x9c, 0x57, 0x34, 0xa9, 0x5d,
+	0x8e, 0xfc, 0x5d, 0x98, 0x8e, 0xac, 0x53, 0xf4, 0x39, 0xdc, 0xd6, 0x0c, 0xa5, 0xdb, 0x50, 0x34,
-	0x93, 0x14, 0x49, 0x6d, 0x11, 0xf7, 0xd5, 0xfe, 0x4a, 0xd2, 0x0d, 0x63, 0x2d, 0xc0, 0xc7, 0x4f,
+	0x45, 0xef, 0x10, 0xef, 0xd4, 0xfe, 0x5e, 0xda, 0x0e, 0x63, 0x3b, 0xc4, 0x27, 0x56, 0xb9, 0x7f,
-	0xb9, 0xd7, 0x7b, 0x0b, 0xd2, 0x70, 0x08, 0x51, 0x94, 0x00, 0xfc, 0x39, 0xa2, 0x32, 0xe4, 0xe9,
+	0xf7, 0x16, 0xa6, 0xe1, 0x08, 0xa2, 0xac, 0x00, 0x04, 0x7d, 0x44, 0x55, 0x28, 0xb2, 0x79, 0xe6,
-	0x3e, 0x73, 0xf2, 0xc9, 0x68, 0x6d, 0x94, 0x5a, 0x48, 0xb7, 0x9f, 0x89, 0x9d, 0x71, 0xb4, 0x08,
+	0xe6, 0x93, 0xc9, 0xc6, 0x24, 0xb3, 0x90, 0x4d, 0x3f, 0x1b, 0xbb, 0xed, 0x68, 0x0d, 0xc0, 0x26,
-	0x60, 0x92, 0x96, 0x41, 0x2c, 0x16, 0x0c, 0x32, 0xe1, 0x0e, 0x64, 0xc3, 0xa3, 0xe0, 0x00, 0x97,
+	0x1d, 0x8b, 0x50, 0x1e, 0x0c, 0x72, 0xd1, 0x1b, 0xc8, 0x96, 0x4f, 0xc1, 0x21, 0x2e, 0xf9, 0x9f,
-	0xf8, 0xff, 0x02, 0x8c, 0x6f, 0x10, 0xeb, 0x13, 0xcd, 0xd8, 0xaf, 0xb3, 0x66, 0xf1, 0x19, 0x04,
+	0x25, 0x98, 0xde, 0x25, 0xf4, 0x7b, 0x86, 0x75, 0xd2, 0xe4, 0x97, 0xc5, 0x37, 0x10, 0x6c, 0x71,
-	0x5b, 0x1c, 0x0a, 0xb6, 0x6f, 0xf4, 0x59, 0x99, 0x90, 0x75, 0x69, 0x21, 0x97, 0xce, 0xa3, 0x14,
+	0x24, 0xd8, 0xbe, 0x37, 0x64, 0x64, 0x22, 0xd6, 0x65, 0x85, 0x5c, 0xf9, 0xa7, 0x12, 0x2c, 0x45,
-	0xe2, 0x0c, 0x9e, 0xdd, 0x2d, 0xc8, 0xeb, 0x9a, 0x61, 0xb9, 0x99, 0x78, 0x28, 0x8d, 0x34, 0x8e,
+	0x38, 0x1f, 0x05, 0x4b, 0x77, 0x1f, 0x8a, 0xa6, 0x61, 0x51, 0x2f, 0x11, 0x8f, 0xa5, 0x90, 0x85,
-	0x05, 0x72, 0x31, 0x85, 0xc1, 0x0e, 0x1a, 0x9d, 0xc7, 0xae, 0xa1, 0x75, 0xf9, 0x6e, 0x1d, 0x0e,
+	0xb1, 0x50, 0x2a, 0x66, 0x30, 0xd8, 0x45, 0x43, 0xdb, 0x90, 0xa3, 0x86, 0x98, 0xaa, 0xe3, 0x61,
-	0x95, 0x10, 0xc3, 0x9f, 0xc7, 0x3d, 0x43, 0xeb, 0x62, 0x86, 0x25, 0x7e, 0x2d, 0xc0, 0x74, 0x88,
+	0x12, 0x62, 0x35, 0x40, 0x60, 0xe6, 0xda, 0x06, 0xce, 0x51, 0x83, 0x0d, 0x44, 0x25, 0xc2, 0x15,
-	0xf3, 0x0c, 0xe2, 0xe6, 0xc3, 0x70, 0xdc, 0xbc, 0x3e, 0xcc, 0x44, 0x52, 0xa2, 0xe7, 0xd7, 0x99,
+	0x0e, 0x3e, 0xd7, 0xd4, 0x03, 0x0c, 0x85, 0x23, 0xcb, 0xe8, 0x5f, 0xb9, 0x0f, 0xfe, 0x40, 0x3c,
-	0xc8, 0x34, 0xe8, 0x84, 0xd1, 0x2e, 0x8c, 0xe9, 0x5a, 0xbb, 0xf1, 0x1c, 0xda, 0x5c, 0x93, 0x34,
+	0xb6, 0x8c, 0x3e, 0xe6, 0x58, 0xf2, 0xcf, 0x24, 0x98, 0x8f, 0x70, 0xde, 0x40, 0xe0, 0xff, 0x34,
-	0xed, 0xd4, 0x7d, 0x2c, 0x1c, 0x04, 0x46, 0x87, 0x30, 0xad, 0x4a, 0x5d, 0x62, 0xea, 0x52, 0x8b,
+	0x1a, 0xf8, 0xdf, 0x19, 0xa7, 0x23, 0x19, 0xe1, 0xff, 0x67, 0xb9, 0x58, 0x37, 0x58, 0x87, 0xd1,
-	0x34, 0x9e, 0xc3, 0xfb, 0xc2, 0x4b, 0xec, 0x1d, 0x3d, 0x8a, 0x88, 0xe3, 0x4a, 0xd0, 0x3a, 0x14,
+	0x11, 0x4c, 0x99, 0x46, 0xb7, 0xf5, 0x0a, 0xee, 0xe9, 0x66, 0x59, 0xde, 0x6c, 0x06, 0x58, 0x38,
-	0x64, 0x9d, 0x95, 0x41, 0x3c, 0xf5, 0xf7, 0x4d, 0x42, 0x4e, 0xd1, 0xe4, 0x84, 0x43, 0xfe, 0x03,
+	0x0c, 0x8c, 0xce, 0x60, 0x5e, 0x57, 0xfa, 0xc4, 0x36, 0x95, 0x0e, 0x69, 0xbd, 0x82, 0x03, 0x92,
-	0xbb, 0x18, 0xe2, 0x7f, 0x44, 0x77, 0x03, 0xdd, 0x7f, 0xe8, 0x3e, 0x14, 0xd9, 0x57, 0x0b, 0x2d,
+	0xd7, 0xf8, 0x45, 0x40, 0x1c, 0x11, 0x27, 0x95, 0xa0, 0x1d, 0x28, 0xa9, 0x26, 0xaf, 0xe3, 0x44,
-	0x4d, 0x71, 0x1f, 0xd6, 0xe9, 0xca, 0xd6, 0xf9, 0xd8, 0xb3, 0xa3, 0xf2, 0xa5, 0x84, 0x37, 0x53,
+	0xed, 0x32, 0x34, 0x8b, 0xba, 0x55, 0x9f, 0x1b, 0xcf, 0xc5, 0x07, 0xf6, 0x30, 0xe4, 0xbf, 0x8d,
-	0x97, 0x8c, 0x3d, 0x61, 0xb4, 0x01, 0x39, 0xfd, 0xc7, 0x14, 0x00, 0x2c, 0x47, 0xb0, 0xac, 0xcf,
+	0xcf, 0x06, 0x36, 0xff, 0xd0, 0x13, 0x28, 0xf3, 0x67, 0x17, 0x1d, 0x43, 0xf3, 0x6e, 0x06, 0xd8,
-	0x70, 0xc4, 0x1f, 0xa2, 0xe6, 0xb2, 0x4c, 0xf1, 0xe4, 0xb9, 0xad, 0xba, 0x57, 0x70, 0xa4, 0xae,
+	0xc8, 0x36, 0x45, 0xdb, 0xcb, 0xf3, 0xea, 0xeb, 0x29, 0x87, 0xbe, 0x1e, 0x19, 0xfb, 0xc2, 0x68,
-	0xfc, 0x0e, 0x14, 0x78, 0x82, 0xe4, 0x9b, 0xf9, 0x9d, 0x61, 0x36, 0x73, 0x30, 0x09, 0x78, 0xf5,
+	0x17, 0x0a, 0xe6, 0x97, 0xa9, 0x60, 0x78, 0x92, 0xe3, 0x65, 0x0b, 0xc7, 0x91, 0xff, 0x30, 0x1f,
-	0xbe, 0x3b, 0xe8, 0x02, 0x8b, 0x3f, 0x15, 0x60, 0x9a, 0x19, 0xd0, 0xb2, 0x0d, 0xd9, 0xea, 0x9d,
+	0x33, 0x97, 0xa7, 0xba, 0xe7, 0xaf, 0x6c, 0xd4, 0xfd, 0x8a, 0x29, 0x73, 0xe4, 0x0f, 0xa1, 0x24,
-	0x59, 0xd8, 0xdc, 0x0e, 0x85, 0xcd, 0xb7, 0xfa, 0x4c, 0x2c, 0x66, 0x61, 0x6a, 0xe8, 0xfc, 0x46,
+	0x32, 0xbc, 0x98, 0xcc, 0x5f, 0x1b, 0x67, 0x32, 0x87, 0xb3, 0x98, 0xbf, 0x61, 0xf1, 0x1a, 0x3d,
-	0x80, 0x97, 0x62, 0xdc, 0x67, 0x10, 0x76, 0xb6, 0xc2, 0x61, 0xe7, 0x8d, 0x61, 0x27, 0x94, 0x12,
+	0x60, 0xf4, 0x1d, 0x98, 0x20, 0xae, 0x0a, 0x37, 0x37, 0x7e, 0x38, 0x8e, 0x8a, 0x20, 0xae, 0x06,
-	0x7a, 0xfe, 0xf5, 0x7c, 0xc2, 0x74, 0xd8, 0x46, 0x5c, 0x04, 0xd0, 0x0d, 0xf9, 0x40, 0x56, 0x48,
+	0x85, 0xaa, 0x68, 0x13, 0xa8, 0xe8, 0x1b, 0xcc, 0x5f, 0x8c, 0x97, 0x6d, 0x02, 0xed, 0x4a, 0x81,
-	0x87, 0xf7, 0x4e, 0x8b, 0x81, 0x2f, 0x74, 0x3c, 0x0a, 0x0e, 0x70, 0x21, 0x13, 0x66, 0xdb, 0x64,
+	0xa7, 0xab, 0xbb, 0x6e, 0xb7, 0xfd, 0xe6, 0x97, 0xe7, 0x55, 0x08, 0x3e, 0x71, 0x58, 0x42, 0xfe,
-	0x57, 0xb2, 0x15, 0x6b, 0xa9, 0xdd, 0x5e, 0x96, 0x74, 0x69, 0x47, 0x56, 0x64, 0x4b, 0xe6, 0x97,
+	0x57, 0x09, 0xe6, 0xb9, 0x87, 0x3a, 0x8e, 0xa5, 0xd2, 0xc1, 0x8d, 0x25, 0xa6, 0x83, 0x48, 0x62,
-	0xd9, 0xd1, 0xda, 0x1d, 0xa7, 0xa7, 0x99, 0xc4, 0xf1, 0xec, 0xa8, 0x7c, 0x39, 0xa9, 0x77, 0xe1,
+	0xfa, 0x60, 0x88, 0x5b, 0x12, 0x16, 0x66, 0x26, 0xa7, 0x9f, 0x4b, 0xf0, 0x5a, 0x82, 0xfb, 0x06,
-	0xb2, 0xf4, 0x70, 0x0a, 0x34, 0xea, 0x41, 0xc9, 0x20, 0x1f, 0xdb, 0xb2, 0x41, 0xda, 0x2b, 0x86,
+	0xe2, 0xe2, 0x7e, 0x34, 0x2e, 0xbe, 0x37, 0x6e, 0x87, 0x32, 0x62, 0xe3, 0x5f, 0xdd, 0x4e, 0xe9,
-	0xa6, 0x87, 0xd4, 0x66, 0x99, 0xda, 0x3f, 0x3e, 0x3e, 0x2a, 0x97, 0x70, 0x0a, 0x4f, 0x7f, 0xc5,
+	0x0e, 0x5f, 0x29, 0x6b, 0x00, 0xa6, 0xa5, 0x9e, 0xaa, 0x1a, 0xe9, 0x89, 0xdb, 0xe9, 0x72, 0xe8,
-	0xa9, 0xf0, 0xe8, 0x09, 0xcc, 0x48, 0xce, 0x87, 0x4d, 0x21, 0xad, 0x39, 0xa6, 0xf5, 0xf6, 0xf1,
+	0x0d, 0x94, 0x4f, 0xc1, 0x21, 0x2e, 0x64, 0xc3, 0x62, 0x97, 0x1c, 0x29, 0x8e, 0x46, 0xd7, 0xbb,
-	0x51, 0x79, 0x66, 0x29, 0x4e, 0xee, 0xaf, 0x30, 0x09, 0x14, 0x55, 0xa1, 0x70, 0xa0, 0x29, 0x76,
+	0xdd, 0x0d, 0xc5, 0x54, 0x0e, 0x55, 0x4d, 0xa5, 0xaa, 0x38, 0x2e, 0x98, 0x6c, 0x7c, 0xe2, 0xde,
-	0x97, 0x98, 0xa5, 0x3c, 0xc3, 0xa7, 0x71, 0xb6, 0xb0, 0xed, 0x0c, 0x3d, 0x3b, 0x2a, 0x8f, 0xdc,
+	0x1a, 0xa7, 0x71, 0xbc, 0x3c, 0xaf, 0xde, 0x4d, 0xbb, 0x1d, 0xf2, 0x58, 0x06, 0x38, 0x03, 0x1a,
-	0x6b, 0xb0, 0x67, 0x04, 0x97, 0x8b, 0x5e, 0x77, 0x68, 0xa5, 0xc3, 0xcf, 0x2c, 0x7b, 0xcf, 0x2c,
+	0x0d, 0xa0, 0x62, 0x91, 0xef, 0x3a, 0xaa, 0x45, 0xba, 0x9b, 0x96, 0x61, 0x46, 0xd4, 0xe6, 0xb9,
-	0xfa, 0x41, 0xe1, 0x81, 0x4f, 0xc2, 0x41, 0x3e, 0xf4, 0x18, 0x46, 0xf7, 0xf8, 0x9d, 0xd9, 0x2c,
+	0xda, 0xdf, 0xbc, 0x38, 0xaf, 0x56, 0x70, 0x06, 0xcf, 0x70, 0xc5, 0x99, 0xf0, 0xe8, 0x39, 0x2c,
-	0x15, 0x06, 0xca, 0x71, 0xa1, 0x3b, 0x76, 0x6d, 0x9a, 0xab, 0x18, 0x75, 0x87, 0x4d, 0xec, 0x23,
+	0x28, 0xee, 0xd3, 0xb1, 0x88, 0x56, 0x77, 0x95, 0x7c, 0x74, 0x71, 0x5e, 0x5d, 0x58, 0x4f, 0x92,
-	0xa2, 0x6b, 0x50, 0x60, 0x3f, 0x56, 0x57, 0xd8, 0x63, 0x51, 0xd1, 0x0f, 0x1d, 0x0f, 0x9c, 0x61,
+	0x87, 0x2b, 0x4c, 0x03, 0x45, 0x75, 0x28, 0x9d, 0x1a, 0x9a, 0xd3, 0x27, 0x76, 0xa5, 0xc8, 0xf1,
-	0xec, 0xd2, 0x5d, 0xd6, 0xd5, 0xfa, 0x32, 0x7b, 0xb4, 0x8c, 0xb0, 0xae, 0xd6, 0x97, 0xb1, 0x4b,
+	0x59, 0x22, 0x28, 0x1d, 0xb8, 0x4d, 0x2f, 0xcf, 0xab, 0x13, 0x8f, 0x5b, 0x7c, 0xf5, 0x79, 0x5c,
-	0x47, 0x1f, 0x41, 0xc1, 0x24, 0x6b, 0xb2, 0x6a, 0x1f, 0x96, 0x60, 0xa0, 0x96, 0x67, 0xe3, 0x2e,
+	0x6c, 0x43, 0xc9, 0x6a, 0x49, 0xb1, 0xe2, 0xf9, 0x89, 0x71, 0x39, 0x88, 0x5a, 0x4f, 0x03, 0x12,
-	0xe3, 0x8e, 0x3c, 0xdb, 0xf8, 0x1a, 0x38, 0x1d, 0xbb, 0xb0, 0x68, 0x0f, 0x46, 0x0d, 0x5b, 0x5d,
+	0x0e, 0xf3, 0xa1, 0x67, 0x30, 0x79, 0x2c, 0x4e, 0x25, 0xec, 0x4a, 0x69, 0xa4, 0x24, 0x1c, 0x39,
-	0x32, 0xb7, 0x4c, 0x62, 0x94, 0xc6, 0x98, 0x8e, 0x7e, 0xd1, 0x12, 0xbb, 0xfc, 0x51, 0x2d, 0x9e,
+	0xc5, 0x68, 0xcc, 0x0b, 0x15, 0x93, 0x5e, 0xb3, 0x8d, 0x03, 0x44, 0xf4, 0x16, 0x94, 0xf8, 0xc7,
-	0x87, 0x3c, 0x0e, 0xec, 0x83, 0xa3, 0xbf, 0x13, 0x00, 0x99, 0xb6, 0xae, 0x2b, 0xa4, 0x4b, 0x54,
+	0xd6, 0x26, 0x3f, 0x8e, 0x2b, 0x07, 0xb1, 0xed, 0xa9, 0xdb, 0x8c, 0x3d, 0xba, 0xc7, 0xba, 0xd5,
-	0x4b, 0x52, 0xd8, 0x4b, 0x91, 0x59, 0x3a, 0xcf, 0x74, 0xfe, 0x69, 0xbf, 0x79, 0xc5, 0x04, 0xa3,
+	0xdc, 0xe0, 0xc7, 0xc2, 0x31, 0xd6, 0xad, 0xe6, 0x06, 0xf6, 0xe8, 0xe8, 0x73, 0x28, 0xd9, 0x64,
-	0xca, 0xbd, 0x27, 0xd9, 0x38, 0x2b, 0x4e, 0xd0, 0x4b, 0x5d, 0xbb, 0x6b, 0xb2, 0xbf, 0x4b, 0xe3,
+	0x5b, 0xd5, 0x9d, 0xb3, 0x0a, 0x8c, 0x74, 0xa9, 0xdc, 0x7a, 0xc4, 0xb9, 0x63, 0x07, 0x63, 0x81,
-	0x03, 0xb9, 0x36, 0xf9, 0x45, 0xcc, 0x77, 0x2d, 0xa7, 0x63, 0x17, 0x16, 0x6d, 0xc3, 0xac, 0x41,
+	0x06, 0x41, 0xc7, 0x1e, 0x2c, 0x3a, 0x86, 0x49, 0xcb, 0xd1, 0xd7, 0xed, 0x7d, 0x9b, 0x58, 0x95,
-	0xa4, 0xf6, 0xa6, 0xaa, 0xf4, 0xb0, 0xa6, 0x59, 0xf7, 0x64, 0x85, 0x98, 0x3d, 0xd3, 0x22, 0xdd,
+	0x29, 0xae, 0x63, 0x58, 0x38, 0xc7, 0x1e, 0x7f, 0x5c, 0x8b, 0xef, 0x21, 0x9f, 0x03, 0x07, 0xe0,
-	0xd2, 0x04, 0x5b, 0x76, 0xef, 0x93, 0x01, 0x9c, 0xc8, 0x85, 0x53, 0xa4, 0x51, 0x17, 0xca, 0x6e,
+	0xe8, 0x8f, 0x25, 0x40, 0xb6, 0x63, 0x9a, 0x1a, 0xe9, 0x13, 0x9d, 0x2a, 0x1a, 0x3f, 0x8b, 0xb3,
-	0xc8, 0xa0, 0xe7, 0xc9, 0x8b, 0x59, 0x77, 0xcd, 0x96, 0xa4, 0x38, 0xaf, 0xd4, 0x93, 0x4c, 0xc1,
+	0x2b, 0xb7, 0xb9, 0xce, 0xdf, 0x1a, 0xd6, 0xaf, 0x84, 0x60, 0x5c, 0xb9, 0x7f, 0xe8, 0x9d, 0x64,
-	0x6b, 0xc7, 0x47, 0xe5, 0xf2, 0xca, 0xc9, 0xac, 0xb8, 0x1f, 0x16, 0xfa, 0x10, 0x4a, 0x52, 0x9a,
+	0xc5, 0x29, 0x7a, 0x99, 0x6b, 0x8f, 0x6c, 0xfe, 0xbb, 0x32, 0x3d, 0x92, 0x6b, 0xd3, 0xcf, 0x1c,
-	0x9e, 0x29, 0xa6, 0x67, 0x81, 0x4f, 0xa4, 0x94, 0xaa, 0x24, 0x15, 0x01, 0x59, 0x30, 0x25, 0x85,
+	0x03, 0xd7, 0x0a, 0x3a, 0xf6, 0x60, 0xd1, 0x01, 0x2c, 0x5a, 0x44, 0xe9, 0xee, 0xe9, 0xda, 0x00,
-	0xbf, 0xa1, 0x34, 0x4b, 0xd3, 0x03, 0x3d, 0x95, 0x45, 0x3e, 0xbd, 0xf4, 0xaf, 0xcb, 0x11, 0x82,
+	0x1b, 0x06, 0x7d, 0xac, 0x6a, 0xc4, 0x1e, 0xd8, 0x94, 0xf4, 0x2b, 0x33, 0x7c, 0xd8, 0xfd, 0x47,
-	0x89, 0x63, 0x1a, 0x58, 0x83, 0x9f, 0x3f, 0xf7, 0x9e, 0xcd, 0x17, 0x75, 0xc3, 0x35, 0xf8, 0x7d,
+	0x19, 0x38, 0x95, 0x0b, 0x67, 0x48, 0xa3, 0x3e, 0x54, 0xbd, 0x90, 0xc1, 0xd6, 0x93, 0x1f, 0xb3,
-	0xd3, 0x9e, 0x5b, 0x83, 0x3f, 0x00, 0x79, 0xf2, 0x03, 0xd3, 0xaf, 0x32, 0x30, 0xe3, 0x33, 0x0f,
+	0x1e, 0xd9, 0x1d, 0x45, 0x73, 0xef, 0x01, 0x66, 0xb9, 0x82, 0x37, 0x2f, 0xce, 0xab, 0xd5, 0xcd,
-	0xdc, 0xe0, 0x4f, 0x10, 0x79, 0x61, 0x0d, 0xfe, 0xe4, 0x0e, 0x79, 0xf6, 0x45, 0x77, 0xc8, 0x5f,
+	0xcb, 0x59, 0xf1, 0x30, 0x2c, 0xf4, 0x6d, 0xa8, 0x28, 0x59, 0x7a, 0xe6, 0xb8, 0x9e, 0x55, 0xd1,
-	0xc0, 0x87, 0x05, 0xac, 0xe9, 0xee, 0xbb, 0xee, 0x77, 0xaf, 0xe9, 0xee, 0xdb, 0x96, 0x52, 0x68,
+	0x91, 0x4a, 0xa6, 0x92, 0x4c, 0x04, 0x44, 0x61, 0x4e, 0x89, 0xbe, 0x52, 0xb5, 0x2b, 0xf3, 0x23,
-	0xfd, 0x57, 0x26, 0x38, 0x81, 0xdf, 0xfb, 0xce, 0xef, 0x8f, 0xff, 0xec, 0x50, 0xfc, 0x26, 0x0b,
+	0x1d, 0x46, 0xc6, 0x1e, 0xb7, 0x06, 0x07, 0x12, 0x31, 0x82, 0x8d, 0x13, 0x1a, 0xf8, 0x13, 0x0a,
-	0x53, 0xd1, 0xd3, 0x18, 0x6a, 0x10, 0x0a, 0x7d, 0x1b, 0x84, 0x75, 0xb8, 0xb0, 0x6b, 0x2b, 0x4a,
+	0x71, 0xa0, 0x7e, 0x33, 0x6f, 0x16, 0xc7, 0x7b, 0x42, 0x11, 0x98, 0xf6, 0xca, 0x9e, 0x50, 0x84,
-	0x8f, 0xb9, 0x21, 0xd0, 0x25, 0x74, 0x1e, 0xf8, 0x5f, 0xe1, 0x92, 0x17, 0xee, 0x25, 0xf0, 0xe0,
+	0x20, 0x2f, 0x3f, 0xc2, 0xfb, 0xaf, 0x1c, 0x2c, 0x04, 0xcc, 0x23, 0x3f, 0xa1, 0x48, 0x11, 0xb9,
-	0x44, 0xc9, 0x94, 0x66, 0x67, 0xf6, 0x54, 0xcd, 0xce, 0x58, 0xef, 0x2d, 0x37, 0x44, 0xef, 0x2d,
+	0xb6, 0x27, 0x14, 0xe9, 0x6f, 0x10, 0xf2, 0xd7, 0xfd, 0x06, 0xe1, 0x1a, 0x9e, 0x6e, 0xf0, 0x67,
-	0xb1, 0x71, 0x99, 0x3f, 0x45, 0xe3, 0xf2, 0x34, 0x9d, 0xc6, 0x84, 0x20, 0xd6, 0xaf, 0xd3, 0x28,
+	0x0d, 0x81, 0xeb, 0xfe, 0xef, 0x3d, 0x6b, 0x08, 0x6c, 0xcb, 0x28, 0xb4, 0xfe, 0x3e, 0x17, 0xee,
-	0xbe, 0x02, 0x73, 0x5c, 0xcc, 0x62, 0x4d, 0x40, 0xd5, 0x32, 0x34, 0x45, 0x21, 0xc6, 0x8a, 0xdd,
+	0xc0, 0xff, 0xfb, 0xbb, 0xf5, 0x2f, 0xff, 0xb0, 0x53, 0xfe, 0x79, 0x1e, 0xe6, 0xe2, 0xab, 0x31,
-	0xed, 0xf6, 0xc4, 0xf7, 0x60, 0x22, 0xdc, 0xde, 0x76, 0x56, 0xda, 0xe9, 0xb0, 0xf3, 0x36, 0x4b,
+	0x72, 0x05, 0x2b, 0x0d, 0xbd, 0x82, 0x6d, 0xc2, 0x9d, 0x23, 0x47, 0xd3, 0x06, 0xdc, 0x0d, 0xa1,
-	0x60, 0xa5, 0x9d, 0x71, 0xec, 0x71, 0x88, 0x9f, 0x0a, 0x30, 0x9b, 0xfc, 0x19, 0x1b, 0x52, 0x60,
+	0x7b, 0x58, 0xf7, 0x0a, 0xe5, 0x0d, 0x21, 0x79, 0xe7, 0x71, 0x0a, 0x0f, 0x4e, 0x95, 0xcc, 0xb8,
-	0xa2, 0x2b, 0x1d, 0x06, 0xbf, 0xf9, 0x13, 0x4e, 0x79, 0x83, 0x67, 0x7d, 0xcd, 0xf5, 0x10, 0x16,
+	0x4e, 0xce, 0x5f, 0xe9, 0x3a, 0x39, 0x71, 0xbb, 0x59, 0x18, 0xe3, 0x76, 0x33, 0xf5, 0x6a, 0xb8,
-	0x8e, 0x60, 0xd3, 0x5b, 0xfd, 0xc5, 0x94, 0x8e, 0xe2, 0xd9, 0x5a, 0x82, 0x1e, 0x41, 0xb1, 0x2b,
+	0x78, 0x85, 0xab, 0xe1, 0xab, 0xdc, 0xe5, 0xa6, 0x04, 0xb1, 0x61, 0x77, 0xb9, 0xf2, 0x1b, 0xb0,
-	0x1d, 0x36, 0x6c, 0xa3, 0x43, 0x4e, 0xfd, 0x66, 0xc1, 0x22, 0xc6, 0x3a, 0x47, 0xc1, 0x1e, 0x9e,
+	0x2c, 0xc4, 0x28, 0xbf, 0x66, 0xd5, 0xa9, 0x65, 0x68, 0x1a, 0xb1, 0x36, 0x9d, 0x7e, 0x7f, 0x20,
-	0xf8, 0x85, 0x00, 0xa5, 0xb4, 0xf2, 0x16, 0xdd, 0x0a, 0xf5, 0x3e, 0x5f, 0x8d, 0xf4, 0x3e, 0xa7,
+	0x7f, 0x1d, 0x66, 0xa2, 0x0f, 0x08, 0xdc, 0x91, 0x76, 0xdf, 0x30, 0x88, 0x8b, 0xac, 0xd0, 0x48,
-	0x63, 0x72, 0x2f, 0xa8, 0xf3, 0xf9, 0x9f, 0x02, 0xcc, 0x26, 0x97, 0xf9, 0xe8, 0xcd, 0x90, 0x85,
+	0xbb, 0xed, 0xd8, 0xe7, 0x90, 0xbf, 0x2f, 0xc1, 0x62, 0xfa, 0x43, 0x41, 0xa4, 0xc1, 0x4c, 0x5f,
-	0xe5, 0x88, 0x85, 0x93, 0x11, 0x29, 0x6e, 0xdf, 0x5f, 0xc2, 0x04, 0xbf, 0x0c, 0x70, 0x18, 0xee,
+	0x39, 0x0b, 0xbf, 0xaa, 0x94, 0xae, 0x78, 0xc4, 0xc0, 0x6f, 0x8e, 0x77, 0x22, 0x58, 0x38, 0x86,
-	0x55, 0x31, 0x29, 0x56, 0x72, 0x08, 0xb7, 0xf8, 0x65, 0xeb, 0x15, 0x1e, 0xc3, 0x11, 0x34, 0xf1,
+	0x2d, 0xff, 0x4a, 0x82, 0xa5, 0x8c, 0x3b, 0xdb, 0x9b, 0xb5, 0x04, 0x7d, 0x06, 0xe5, 0xbe, 0x72,
-	0x6f, 0x33, 0x90, 0x6f, 0xb4, 0x24, 0x85, 0x9c, 0x41, 0x99, 0xf5, 0x7e, 0xa8, 0xcc, 0xea, 0xf7,
+	0xd6, 0x72, 0xac, 0x1e, 0xb9, 0xf2, 0xa1, 0x0a, 0x8f, 0x18, 0x3b, 0x02, 0x05, 0xfb, 0x78, 0xf2,
-	0x7d, 0x3e, 0xb3, 0x2a, 0xb5, 0xc2, 0xc2, 0x91, 0x0a, 0xeb, 0xf5, 0x81, 0xd0, 0x4e, 0x2e, 0xae,
+	0x8f, 0x24, 0xa8, 0x64, 0x95, 0xb7, 0xe8, 0x61, 0xe4, 0x76, 0xf9, 0xab, 0xb1, 0xdb, 0xe5, 0xf9,
-	0xfe, 0x08, 0x46, 0x3d, 0xa5, 0xc3, 0xc5, 0x7c, 0xf1, 0xdf, 0x32, 0x30, 0x16, 0x50, 0x31, 0x64,
+	0x84, 0xdc, 0x35, 0xdd, 0x2d, 0xff, 0x9d, 0x04, 0x8b, 0xe9, 0x65, 0x3e, 0x7a, 0x3f, 0x62, 0x61,
-	0xc6, 0xd8, 0x0d, 0x65, 0xda, 0x41, 0xfe, 0x53, 0x27, 0xa0, 0xab, 0xe2, 0xe6, 0x56, 0xe7, 0x33,
+	0x35, 0x66, 0xe1, 0x6c, 0x4c, 0x4a, 0xd8, 0xf7, 0x1d, 0x98, 0x11, 0x9b, 0x01, 0x01, 0x23, 0xbc,
-	0x36, 0xff, 0xc3, 0xa5, 0x78, 0xca, 0x7d, 0x0f, 0x26, 0x2c, 0xf6, 0x9f, 0x2c, 0xde, 0x4b, 0x5f,
+	0x2a, 0xa7, 0xc5, 0x4a, 0x01, 0xe1, 0x15, 0xbf, 0x7c, 0xbc, 0xa2, 0x6d, 0x38, 0x86, 0x26, 0xff,
-	0x96, 0xed, 0x45, 0xef, 0xe3, 0xc7, 0x66, 0x88, 0x8a, 0x23, 0xdc, 0x73, 0x77, 0x60, 0x3c, 0xa4,
+	0x51, 0x0e, 0x8a, 0xad, 0x8e, 0xa2, 0x91, 0x1b, 0x28, 0xb3, 0xbe, 0x19, 0x29, 0xb3, 0x86, 0xfd,
-	0x6c, 0xa8, 0xaf, 0xd0, 0xfe, 0x5b, 0x80, 0x57, 0xfb, 0x5e, 0x14, 0x51, 0x2d, 0x74, 0x48, 0x2a,
+	0x03, 0x82, 0x5b, 0x95, 0x59, 0x61, 0xe1, 0x58, 0x85, 0xf5, 0xf6, 0x48, 0x68, 0x97, 0x17, 0x57,
-	0x91, 0x43, 0x32, 0x9f, 0x0e, 0xf0, 0x02, 0xbf, 0x66, 0xf8, 0x34, 0x03, 0xa8, 0xb9, 0x27, 0x1b,
+	0xbf, 0x01, 0x93, 0xbe, 0xd2, 0xf1, 0x62, 0xbe, 0xfc, 0xd7, 0x39, 0x98, 0x0a, 0xa9, 0x18, 0x33,
-	0xed, 0xba, 0x64, 0x58, 0x3d, 0xcc, 0xff, 0x1d, 0xe9, 0x0c, 0x0e, 0xcc, 0x2d, 0x18, 0x6b, 0x13,
+	0x63, 0x1c, 0x45, 0x32, 0xed, 0x28, 0xff, 0x85, 0x0a, 0xe9, 0xaa, 0x79, 0xb9, 0xd5, 0x7d, 0x28,
-	0xb3, 0x65, 0xc8, 0xcc, 0x39, 0xbc, 0x3a, 0xf7, 0x1e, 0x53, 0x56, 0x7c, 0x12, 0x0e, 0xf2, 0xa1,
+	0x18, 0x3c, 0x0d, 0x4b, 0xa6, 0xdc, 0xaf, 0xc3, 0x0c, 0xe5, 0xff, 0x15, 0xf2, 0x8f, 0x22, 0xf3,
-	0x0f, 0xa0, 0x78, 0xe0, 0xfc, 0x9b, 0x9c, 0xdb, 0x5a, 0xeb, 0x57, 0x48, 0xfa, 0xff, 0x58, 0xe7,
+	0x7c, 0x2e, 0xfa, 0xcf, 0x4b, 0xdb, 0x11, 0x2a, 0x8e, 0x71, 0x2f, 0x7f, 0x02, 0xd3, 0x11, 0x65,
-	0xef, 0x1f, 0x3e, 0x60, 0x62, 0x0f, 0x4c, 0xfc, 0x5c, 0x80, 0xd9, 0xb8, 0x23, 0x56, 0xa8, 0xa9,
+	0x63, 0xbd, 0xf3, 0xfb, 0x07, 0x09, 0xbe, 0x3a, 0x74, 0xa3, 0x88, 0x1a, 0x91, 0x45, 0x52, 0x8b,
-	0x2f, 0xde, 0x19, 0xaf, 0x40, 0x8e, 0xa1, 0x53, 0x2f, 0x9c, 0x77, 0xde, 0xb5, 0xa9, 0x66, 0xcc,
+	0x2d, 0x92, 0x95, 0x6c, 0x80, 0x6b, 0x7c, 0x2f, 0xf2, 0xfd, 0x1c, 0xa0, 0xf6, 0xb1, 0x6a, 0x75,
-	0x46, 0xc5, 0x9f, 0x0b, 0x30, 0x97, 0x6c, 0xda, 0x19, 0x94, 0xed, 0x8f, 0xc2, 0x65, 0x7b, 0xbf,
+	0x9b, 0x8a, 0x45, 0x07, 0x58, 0xfc, 0xe1, 0xeb, 0x06, 0x16, 0xcc, 0x43, 0x98, 0xea, 0x12, 0xbb,
-	0xb7, 0x8a, 0x64, 0x3b, 0x53, 0x4a, 0xf8, 0x9f, 0x25, 0xfa, 0xfc, 0x0c, 0x26, 0xb5, 0x1d, 0x9e,
+	0x63, 0xa9, 0xdc, 0x39, 0xa2, 0x3a, 0xf7, 0x0f, 0x53, 0x36, 0x03, 0x12, 0x0e, 0xf3, 0xa1, 0x6f,
-	0xd4, 0xcd, 0xa1, 0x27, 0x95, 0x3c, 0xa1, 0xda, 0x8d, 0xa7, 0xdf, 0xcf, 0x9f, 0xfb, 0xf6, 0xfb,
+	0x41, 0xf9, 0xd4, 0xfd, 0x23, 0xa2, 0x77, 0x40, 0x3b, 0xac, 0x90, 0x0c, 0xfe, 0xba, 0x18, 0xcc,
-	0xf9, 0x73, 0xdf, 0x7d, 0x3f, 0x7f, 0xee, 0x6f, 0x8e, 0xe7, 0x85, 0xa7, 0xc7, 0xf3, 0xc2, 0xb7,
+	0x1f, 0xd1, 0x60, 0x63, 0x1f, 0x4c, 0xfe, 0xa1, 0x04, 0x8b, 0x49, 0x47, 0x6c, 0x32, 0x53, 0xaf,
-	0xc7, 0xf3, 0xc2, 0x77, 0xc7, 0xf3, 0xc2, 0x2f, 0x8f, 0xe7, 0x85, 0x7f, 0xfc, 0x61, 0xfe, 0xdc,
+	0xdf, 0x19, 0x6f, 0x40, 0x81, 0xa3, 0x33, 0x2f, 0xdc, 0x76, 0x0f, 0xde, 0x99, 0x66, 0xcc, 0x5b,
-	0xa3, 0x02, 0xc7, 0xfd, 0x6d, 0x00, 0x00, 0x00, 0xff, 0xff, 0x71, 0x2c, 0x3f, 0x48, 0xe6, 0x3b,
+	0xe5, 0x7f, 0x97, 0x60, 0x39, 0xdd, 0xb4, 0x1b, 0x28, 0xdb, 0x3f, 0x8b, 0x96, 0xed, 0xc3, 0xce,
+	0x2a, 0xd2, 0xed, 0xcc, 0x28, 0xe1, 0xff, 0x2d, 0xd5, 0xe7, 0x37, 0xd0, 0xa9, 0x83, 0x68, 0xa7,
+	0x1e, 0x8c, 0xdd, 0xa9, 0xf4, 0x0e, 0x35, 0xde, 0x7d, 0xf1, 0xc5, 0xca, 0xad, 0x5f, 0x7c, 0xb1,
+	0x72, 0xeb, 0x97, 0x5f, 0xac, 0xdc, 0xfa, 0x83, 0x8b, 0x15, 0xe9, 0xc5, 0xc5, 0x8a, 0xf4, 0x8b,
+	0x8b, 0x15, 0xe9, 0x97, 0x17, 0x2b, 0xd2, 0x7f, 0x5e, 0xac, 0x48, 0x7f, 0xf6, 0xab, 0x95, 0x5b,
+	0x9f, 0x95, 0x04, 0xee, 0xff, 0x06, 0x00, 0x00, 0xff, 0xff, 0x57, 0xe8, 0x50, 0x1c, 0x48, 0x3d,
 	0x00, 0x00,
 }

staging/src/k8s.io/api/extensions/v1beta1/generated.proto

@@ -594,6 +594,27 @@ message NetworkPolicy {
   optional NetworkPolicySpec spec = 2;
 }
 
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+message NetworkPolicyEgressRule {
+  // List of destination ports for outgoing traffic.
+  // Each item in this list is combined using a logical OR. If this field is
+  // empty or missing, this rule matches all ports (traffic not restricted by port).
+  // If this field is present and contains at least one item, then this rule allows
+  // traffic only if the traffic matches at least one port in the list.
+  // +optional
+  repeated NetworkPolicyPort ports = 1;
+
+  // List of destinations for outgoing traffic of pods selected for this rule.
+  // Items in this list are combined using a logical OR operation. If this field is
+  // empty or missing, this rule matches all destinations (traffic not restricted by
+  // destination). If this field is present and contains at least one item, this rule
+  // allows traffic only if the traffic matches at least one item in the to list.
+  // +optional
+  repeated NetworkPolicyPeer to = 2;
+}
+
 // This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
 message NetworkPolicyIngressRule {
   // List of ports which should be made accessible on the pods selected for this rule.
@@ -675,6 +696,29 @@ message NetworkPolicySpec {
   // (and serves solely to ensure that the pods it selects are isolated by default).
   // +optional
   repeated NetworkPolicyIngressRule ingress = 2;
+
+  // List of egress rules to be applied to the selected pods. Outgoing traffic is
+  // allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+  // otherwise allows the traffic), OR if the traffic matches at least one egress rule
+  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
+  // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+  // solely to ensure that the pods it selects are isolated by default).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated NetworkPolicyEgressRule egress = 3;
+
+  // List of rule types that the NetworkPolicy relates to.
+  // Valid options are Ingress, Egress, or Ingress,Egress.
+  // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+  // policies that contain an Egress section are assumed to affect Egress, and all policies
+  // (whether or not they contain an Ingress section) are assumed to affect Ingress.
+  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+  // Likewise, if you want to write a policy that specifies that no egress is allowed,
+  // you must specify a policyTypes value that include "Egress" (since such a policy would not include
+  // an Egress section and would otherwise default to just [ "Ingress" ]).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated string policyTypes = 4;
 }
 
 // Pod Security Policy governs the ability to make requests that affect the Security Context

staging/src/k8s.io/api/extensions/v1beta1/types.go

@@ -1157,6 +1157,17 @@ type NetworkPolicy struct {
 	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
 }
 
+// Policy Type string describes the NetworkPolicy type
+// This type is beta-level in 1.8
+type PolicyType string
+
+const (
+	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
+	PolicyTypeIngress PolicyType = "Ingress"
+	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
+	PolicyTypeEgress PolicyType = "Egress"
+)
+
 type NetworkPolicySpec struct {
 	// Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules
 	// is applied to any pods selected by this field. Multiple network policies can select the
@@ -1174,6 +1185,29 @@ type NetworkPolicySpec struct {
 	// (and serves solely to ensure that the pods it selects are isolated by default).
 	// +optional
 	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
+
+	// List of egress rules to be applied to the selected pods. Outgoing traffic is
+	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	// +optional
+	Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
+
+	// List of rule types that the NetworkPolicy relates to.
+	// Valid options are Ingress, Egress, or Ingress,Egress.
+	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+	// policies that contain an Egress section are assumed to affect Egress, and all policies
+	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an Egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	// +optional
+	PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
 }
 
 // This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.
@@ -1195,6 +1229,27 @@ type NetworkPolicyIngressRule struct {
 	From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
 }
 
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+type NetworkPolicyEgressRule struct {
+	// List of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
+
+	// List of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
+}
+
 type NetworkPolicyPort struct {
 	// Optional.  The protocol (TCP or UDP) which traffic must match.
 	// If not specified, this field defaults to TCP.

staging/src/k8s.io/api/extensions/v1beta1/types_swagger_doc_generated.go

@@ -361,6 +361,16 @@ func (NetworkPolicy) SwaggerDoc() map[string]string {
 	return map_NetworkPolicy
 }
 
+var map_NetworkPolicyEgressRule = map[string]string{
+	"":      "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+	"ports": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+	"to":    "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
+}
+
+func (NetworkPolicyEgressRule) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyEgressRule
+}
+
 var map_NetworkPolicyIngressRule = map[string]string{
 	"":      "This NetworkPolicyIngressRule matches traffic if and only if the traffic matches both ports AND from.",
 	"ports": "List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
@@ -403,6 +413,8 @@ func (NetworkPolicyPort) SwaggerDoc() map[string]string {
 var map_NetworkPolicySpec = map[string]string{
 	"podSelector": "Selects the pods to which this NetworkPolicy object applies.  The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods.  In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
 	"ingress":     "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default).",
+	"egress":      "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
+	"policyTypes": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
 }
 
 func (NetworkPolicySpec) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/extensions/v1beta1/zz_generated.deepcopy.go

@@ -171,6 +171,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 			in.(*NetworkPolicy).DeepCopyInto(out.(*NetworkPolicy))
 			return nil
 		}, InType: reflect.TypeOf(&NetworkPolicy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyEgressRule).DeepCopyInto(out.(*NetworkPolicyEgressRule))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyEgressRule{})},
 		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
 			in.(*NetworkPolicyIngressRule).DeepCopyInto(out.(*NetworkPolicyIngressRule))
 			return nil
@@ -1117,6 +1121,36 @@ func (in *NetworkPolicy) DeepCopyObject() runtime.Object {
 	}
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyEgressRule) DeepCopyInto(out *NetworkPolicyEgressRule) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.To != nil {
+		in, out := &in.To, &out.To
+		*out = make([]NetworkPolicyPeer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEgressRule.
+func (in *NetworkPolicyEgressRule) DeepCopy() *NetworkPolicyEgressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyEgressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkPolicyIngressRule) DeepCopyInto(out *NetworkPolicyIngressRule) {
 	*out = *in
@@ -1269,6 +1303,18 @@ func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]NetworkPolicyEgressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PolicyTypes != nil {
+		in, out := &in.PolicyTypes, &out.PolicyTypes
+		*out = make([]PolicyType, len(*in))
+		copy(*out, *in)
+	}
 	return
 }
 

staging/src/k8s.io/api/networking/v1/generated.pb.go

@@ -27,6 +27,7 @@ limitations under the License.
 	It has these top-level messages:
 		IPBlock
 		NetworkPolicy
+		NetworkPolicyEgressRule
 		NetworkPolicyIngressRule
 		NetworkPolicyList
 		NetworkPolicyPeer
@@ -69,31 +70,36 @@ func (m *NetworkPolicy) Reset()                    { *m = NetworkPolicy{} }
 func (*NetworkPolicy) ProtoMessage()               {}
 func (*NetworkPolicy) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{1} }
 
+func (m *NetworkPolicyEgressRule) Reset()                    { *m = NetworkPolicyEgressRule{} }
+func (*NetworkPolicyEgressRule) ProtoMessage()               {}
+func (*NetworkPolicyEgressRule) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{2} }
+
 func (m *NetworkPolicyIngressRule) Reset()      { *m = NetworkPolicyIngressRule{} }
 func (*NetworkPolicyIngressRule) ProtoMessage() {}
 func (*NetworkPolicyIngressRule) Descriptor() ([]byte, []int) {
-	return fileDescriptorGenerated, []int{2}
+	return fileDescriptorGenerated, []int{3}
 }
 
 func (m *NetworkPolicyList) Reset()                    { *m = NetworkPolicyList{} }
 func (*NetworkPolicyList) ProtoMessage()               {}
-func (*NetworkPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{3} }
+func (*NetworkPolicyList) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
 
 func (m *NetworkPolicyPeer) Reset()                    { *m = NetworkPolicyPeer{} }
 func (*NetworkPolicyPeer) ProtoMessage()               {}
-func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{4} }
+func (*NetworkPolicyPeer) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
 
 func (m *NetworkPolicyPort) Reset()                    { *m = NetworkPolicyPort{} }
 func (*NetworkPolicyPort) ProtoMessage()               {}
-func (*NetworkPolicyPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{5} }
+func (*NetworkPolicyPort) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
 
 func (m *NetworkPolicySpec) Reset()                    { *m = NetworkPolicySpec{} }
 func (*NetworkPolicySpec) ProtoMessage()               {}
-func (*NetworkPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{6} }
+func (*NetworkPolicySpec) Descriptor() ([]byte, []int) { return fileDescriptorGenerated, []int{7} }
 
 func init() {
 	proto.RegisterType((*IPBlock)(nil), "k8s.io.api.networking.v1.IPBlock")
 	proto.RegisterType((*NetworkPolicy)(nil), "k8s.io.api.networking.v1.NetworkPolicy")
+	proto.RegisterType((*NetworkPolicyEgressRule)(nil), "k8s.io.api.networking.v1.NetworkPolicyEgressRule")
 	proto.RegisterType((*NetworkPolicyIngressRule)(nil), "k8s.io.api.networking.v1.NetworkPolicyIngressRule")
 	proto.RegisterType((*NetworkPolicyList)(nil), "k8s.io.api.networking.v1.NetworkPolicyList")
 	proto.RegisterType((*NetworkPolicyPeer)(nil), "k8s.io.api.networking.v1.NetworkPolicyPeer")
@@ -171,6 +177,48 @@ func (m *NetworkPolicy) MarshalTo(dAtA []byte) (int, error) {
 	return i, nil
 }
 
+func (m *NetworkPolicyEgressRule) Marshal() (dAtA []byte, err error) {
+	size := m.Size()
+	dAtA = make([]byte, size)
+	n, err := m.MarshalTo(dAtA)
+	if err != nil {
+		return nil, err
+	}
+	return dAtA[:n], nil
+}
+
+func (m *NetworkPolicyEgressRule) MarshalTo(dAtA []byte) (int, error) {
+	var i int
+	_ = i
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, msg := range m.Ports {
+			dAtA[i] = 0xa
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.To) > 0 {
+		for _, msg := range m.To {
+			dAtA[i] = 0x12
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	return i, nil
+}
+
 func (m *NetworkPolicyIngressRule) Marshal() (dAtA []byte, err error) {
 	size := m.Size()
 	dAtA = make([]byte, size)
@@ -368,6 +416,33 @@ func (m *NetworkPolicySpec) MarshalTo(dAtA []byte) (int, error) {
 			i += n
 		}
 	}
+	if len(m.Egress) > 0 {
+		for _, msg := range m.Egress {
+			dAtA[i] = 0x1a
+			i++
+			i = encodeVarintGenerated(dAtA, i, uint64(msg.Size()))
+			n, err := msg.MarshalTo(dAtA[i:])
+			if err != nil {
+				return 0, err
+			}
+			i += n
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			dAtA[i] = 0x22
+			i++
+			l = len(s)
+			for l >= 1<<7 {
+				dAtA[i] = uint8(uint64(l)&0x7f | 0x80)
+				l >>= 7
+				i++
+			}
+			dAtA[i] = uint8(l)
+			i++
+			i += copy(dAtA[i:], s)
+		}
+	}
 	return i, nil
 }
 
@@ -422,6 +497,24 @@ func (m *NetworkPolicy) Size() (n int) {
 	return n
 }
 
+func (m *NetworkPolicyEgressRule) Size() (n int) {
+	var l int
+	_ = l
+	if len(m.Ports) > 0 {
+		for _, e := range m.Ports {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.To) > 0 {
+		for _, e := range m.To {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	return n
+}
+
 func (m *NetworkPolicyIngressRule) Size() (n int) {
 	var l int
 	_ = l
@@ -497,6 +590,18 @@ func (m *NetworkPolicySpec) Size() (n int) {
 			n += 1 + l + sovGenerated(uint64(l))
 		}
 	}
+	if len(m.Egress) > 0 {
+		for _, e := range m.Egress {
+			l = e.Size()
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
+	if len(m.PolicyTypes) > 0 {
+		for _, s := range m.PolicyTypes {
+			l = len(s)
+			n += 1 + l + sovGenerated(uint64(l))
+		}
+	}
 	return n
 }
 
@@ -535,6 +640,17 @@ func (this *NetworkPolicy) String() string {
 	}, "")
 	return s
 }
+func (this *NetworkPolicyEgressRule) String() string {
+	if this == nil {
+		return "nil"
+	}
+	s := strings.Join([]string{`&NetworkPolicyEgressRule{`,
+		`Ports:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ports), "NetworkPolicyPort", "NetworkPolicyPort", 1), `&`, ``, 1) + `,`,
+		`To:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.To), "NetworkPolicyPeer", "NetworkPolicyPeer", 1), `&`, ``, 1) + `,`,
+		`}`,
+	}, "")
+	return s
+}
 func (this *NetworkPolicyIngressRule) String() string {
 	if this == nil {
 		return "nil"
@@ -587,6 +703,8 @@ func (this *NetworkPolicySpec) String() string {
 	s := strings.Join([]string{`&NetworkPolicySpec{`,
 		`PodSelector:` + strings.Replace(strings.Replace(this.PodSelector.String(), "LabelSelector", "k8s_io_apimachinery_pkg_apis_meta_v1.LabelSelector", 1), `&`, ``, 1) + `,`,
 		`Ingress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Ingress), "NetworkPolicyIngressRule", "NetworkPolicyIngressRule", 1), `&`, ``, 1) + `,`,
+		`Egress:` + strings.Replace(strings.Replace(fmt.Sprintf("%v", this.Egress), "NetworkPolicyEgressRule", "NetworkPolicyEgressRule", 1), `&`, ``, 1) + `,`,
+		`PolicyTypes:` + fmt.Sprintf("%v", this.PolicyTypes) + `,`,
 		`}`,
 	}, "")
 	return s
@@ -817,6 +935,118 @@ func (m *NetworkPolicy) Unmarshal(dAtA []byte) error {
 	}
 	return nil
 }
+func (m *NetworkPolicyEgressRule) Unmarshal(dAtA []byte) error {
+	l := len(dAtA)
+	iNdEx := 0
+	for iNdEx < l {
+		preIndex := iNdEx
+		var wire uint64
+		for shift := uint(0); ; shift += 7 {
+			if shift >= 64 {
+				return ErrIntOverflowGenerated
+			}
+			if iNdEx >= l {
+				return io.ErrUnexpectedEOF
+			}
+			b := dAtA[iNdEx]
+			iNdEx++
+			wire |= (uint64(b) & 0x7F) << shift
+			if b < 0x80 {
+				break
+			}
+		}
+		fieldNum := int32(wire >> 3)
+		wireType := int(wire & 0x7)
+		if wireType == 4 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: wiretype end group for non-group")
+		}
+		if fieldNum <= 0 {
+			return fmt.Errorf("proto: NetworkPolicyEgressRule: illegal tag %d (wire type %d)", fieldNum, wire)
+		}
+		switch fieldNum {
+		case 1:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Ports", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Ports = append(m.Ports, NetworkPolicyPort{})
+			if err := m.Ports[len(m.Ports)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 2:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field To", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.To = append(m.To, NetworkPolicyPeer{})
+			if err := m.To[len(m.To)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		default:
+			iNdEx = preIndex
+			skippy, err := skipGenerated(dAtA[iNdEx:])
+			if err != nil {
+				return err
+			}
+			if skippy < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			if (iNdEx + skippy) > l {
+				return io.ErrUnexpectedEOF
+			}
+			iNdEx += skippy
+		}
+	}
+
+	if iNdEx > l {
+		return io.ErrUnexpectedEOF
+	}
+	return nil
+}
 func (m *NetworkPolicyIngressRule) Unmarshal(dAtA []byte) error {
 	l := len(dAtA)
 	iNdEx := 0
@@ -1392,6 +1622,66 @@ func (m *NetworkPolicySpec) Unmarshal(dAtA []byte) error {
 				return err
 			}
 			iNdEx = postIndex
+		case 3:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field Egress", wireType)
+			}
+			var msglen int
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				msglen |= (int(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			if msglen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + msglen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.Egress = append(m.Egress, NetworkPolicyEgressRule{})
+			if err := m.Egress[len(m.Egress)-1].Unmarshal(dAtA[iNdEx:postIndex]); err != nil {
+				return err
+			}
+			iNdEx = postIndex
+		case 4:
+			if wireType != 2 {
+				return fmt.Errorf("proto: wrong wireType = %d for field PolicyTypes", wireType)
+			}
+			var stringLen uint64
+			for shift := uint(0); ; shift += 7 {
+				if shift >= 64 {
+					return ErrIntOverflowGenerated
+				}
+				if iNdEx >= l {
+					return io.ErrUnexpectedEOF
+				}
+				b := dAtA[iNdEx]
+				iNdEx++
+				stringLen |= (uint64(b) & 0x7F) << shift
+				if b < 0x80 {
+					break
+				}
+			}
+			intStringLen := int(stringLen)
+			if intStringLen < 0 {
+				return ErrInvalidLengthGenerated
+			}
+			postIndex := iNdEx + intStringLen
+			if postIndex > l {
+				return io.ErrUnexpectedEOF
+			}
+			m.PolicyTypes = append(m.PolicyTypes, PolicyType(dAtA[iNdEx:postIndex]))
+			iNdEx = postIndex
 		default:
 			iNdEx = preIndex
 			skippy, err := skipGenerated(dAtA[iNdEx:])
@@ -1523,52 +1813,57 @@ func init() {
 }
 
 var fileDescriptorGenerated = []byte{
-	// 745 bytes of a gzipped FileDescriptorProto
+	// 829 bytes of a gzipped FileDescriptorProto
-	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xac, 0x54, 0xcd, 0x4e, 0xdb, 0x4a,
+	0x1f, 0x8b, 0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0xff, 0xb4, 0x55, 0x4d, 0x6f, 0x1b, 0x45,
-	0x14, 0x8e, 0x43, 0x20, 0x61, 0x72, 0x11, 0x17, 0x5f, 0x5d, 0x29, 0xa2, 0x92, 0x93, 0x7a, 0x53,
+	0x18, 0xf6, 0x3a, 0xce, 0x47, 0x27, 0x94, 0x92, 0x41, 0x08, 0x2b, 0x88, 0x75, 0xd8, 0x0b, 0x41,
-	0x2a, 0xc4, 0xb8, 0x81, 0xaa, 0xea, 0xb6, 0xee, 0x6f, 0x24, 0x7e, 0x22, 0xb3, 0xab, 0x5a, 0xa9,
+	0x55, 0x67, 0x71, 0x8b, 0x10, 0x37, 0xc4, 0x42, 0x29, 0x96, 0x9a, 0xc4, 0x9a, 0xf4, 0x02, 0x02,
-	0x8e, 0x73, 0x30, 0x43, 0x62, 0x8f, 0x35, 0x33, 0x49, 0x61, 0xd7, 0x47, 0xe8, 0x83, 0xf4, 0x0d,
+	0x89, 0xf5, 0xfa, 0xcd, 0x66, 0x6a, 0xef, 0xce, 0x6a, 0x66, 0x6c, 0x92, 0x1b, 0x3f, 0x81, 0x1f,
-	0xba, 0xa0, 0x4b, 0x96, 0x2c, 0x59, 0x59, 0xc5, 0x7d, 0x8b, 0xae, 0xaa, 0x99, 0x38, 0x71, 0x48,
+	0xc2, 0x91, 0x1b, 0x87, 0x72, 0xcc, 0xb1, 0xc7, 0x9e, 0x56, 0x64, 0xf9, 0x17, 0x39, 0xa1, 0x99,
-	0x88, 0x1a, 0xaa, 0xee, 0x66, 0xce, 0x9c, 0xef, 0xfb, 0xce, 0xef, 0xa0, 0x67, 0x9d, 0xa7, 0x1c,
+	0x1d, 0x7b, 0xfd, 0x51, 0x0b, 0xb7, 0xa2, 0x37, 0xcf, 0x3b, 0xcf, 0xf3, 0xbc, 0x1f, 0xf3, 0xf8,
-	0x13, 0x6a, 0x75, 0x7a, 0x2d, 0x60, 0x21, 0x08, 0xe0, 0x56, 0x1f, 0xc2, 0x36, 0x65, 0x56, 0xfa,
+	0x5d, 0xf4, 0xd5, 0xe0, 0x0b, 0x49, 0x18, 0xf7, 0x07, 0xa3, 0x1e, 0x88, 0x14, 0x14, 0x48, 0x7f,
-	0xe0, 0x46, 0xc4, 0x0a, 0x41, 0x7c, 0xa4, 0xac, 0x43, 0x42, 0xdf, 0xea, 0xd7, 0x2d, 0x1f, 0x42,
+	0x0c, 0x69, 0x9f, 0x0b, 0xdf, 0x5e, 0x84, 0x19, 0xf3, 0x53, 0x50, 0xbf, 0x70, 0x31, 0x60, 0x69,
-	0x60, 0xae, 0x80, 0x36, 0x8e, 0x18, 0x15, 0x54, 0xaf, 0x0c, 0x3c, 0xb1, 0x1b, 0x11, 0x9c, 0x79,
+	0xec, 0x8f, 0xdb, 0x7e, 0x0c, 0x29, 0x88, 0x50, 0x41, 0x9f, 0x64, 0x82, 0x2b, 0x8e, 0x9b, 0x25,
-	0xe2, 0x7e, 0x7d, 0x7d, 0xcb, 0x27, 0xe2, 0xb8, 0xd7, 0xc2, 0x1e, 0x0d, 0x2c, 0x9f, 0xfa, 0xd4,
+	0x92, 0x84, 0x19, 0x23, 0x15, 0x92, 0x8c, 0xdb, 0xfb, 0xf7, 0x62, 0xa6, 0xce, 0x47, 0x3d, 0x12,
-	0x52, 0x80, 0x56, 0xef, 0x48, 0xdd, 0xd4, 0x45, 0x9d, 0x06, 0x44, 0xeb, 0xe6, 0x98, 0xa4, 0x47,
+	0xf1, 0xc4, 0x8f, 0x79, 0xcc, 0x7d, 0x43, 0xe8, 0x8d, 0xce, 0xcc, 0xc9, 0x1c, 0xcc, 0xaf, 0x52,
-	0x19, 0xdc, 0x22, 0xb6, 0xbe, 0x35, 0xe6, 0x03, 0xa7, 0x02, 0x42, 0x4e, 0x68, 0xc8, 0xad, 0x7e,
+	0x68, 0xdf, 0x9b, 0x49, 0x19, 0x71, 0x01, 0x2f, 0x49, 0xb6, 0x7f, 0x6f, 0x06, 0x03, 0x17, 0x0a,
-	0xbd, 0x05, 0xc2, 0x9d, 0x76, 0x7f, 0x38, 0xe6, 0x1e, 0xd1, 0x2e, 0xf1, 0xce, 0x66, 0xba, 0x3e,
+	0x52, 0xc9, 0x78, 0x2a, 0xfd, 0x71, 0xbb, 0x07, 0x2a, 0x5c, 0x86, 0x7f, 0x32, 0x03, 0xcf, 0xf8,
-	0xce, 0x5c, 0x03, 0xd7, 0x3b, 0x26, 0x21, 0xb0, 0x33, 0x2b, 0xea, 0xf8, 0xd2, 0xc0, 0xad, 0x00,
+	0x90, 0x45, 0x97, 0x2b, 0xa1, 0x9f, 0x55, 0xd0, 0x24, 0x8c, 0xce, 0x59, 0x0a, 0xe2, 0xd2, 0xcf,
-	0x84, 0x7b, 0x5b, 0x3c, 0xd6, 0x2c, 0x14, 0xeb, 0x85, 0x82, 0x04, 0x30, 0x05, 0x78, 0xf2, 0x3b,
+	0x06, 0xb1, 0x0e, 0x48, 0x3f, 0x01, 0x15, 0xbe, 0xac, 0x1e, 0x7f, 0x15, 0x4b, 0x8c, 0x52, 0xc5,
-	0x00, 0xf7, 0x8e, 0x21, 0x70, 0xa7, 0x70, 0x3b, 0xb3, 0x70, 0x3d, 0x41, 0xba, 0x16, 0x09, 0x05,
+	0x12, 0x58, 0x22, 0x7c, 0xfe, 0x5f, 0x04, 0x19, 0x9d, 0x43, 0x12, 0x2e, 0xf1, 0x1e, 0xac, 0xe2,
-	0x17, 0x6c, 0x12, 0x64, 0x1e, 0xa0, 0x62, 0xa3, 0x69, 0x77, 0xa9, 0xd7, 0xd1, 0x6b, 0xa8, 0xe0,
+	0x8d, 0x14, 0x1b, 0xfa, 0x2c, 0x55, 0x52, 0x89, 0x45, 0x92, 0x77, 0x82, 0xb6, 0x3b, 0xdd, 0x60,
-	0x91, 0x36, 0xab, 0x68, 0x35, 0x6d, 0x63, 0xd9, 0xfe, 0xe7, 0x22, 0xae, 0xe6, 0x92, 0xb8, 0x5a,
+	0xc8, 0xa3, 0x01, 0x3e, 0x40, 0x8d, 0x88, 0xf5, 0x45, 0xd3, 0x39, 0x70, 0x0e, 0x6f, 0x05, 0x6f,
-	0x78, 0xde, 0x78, 0xe1, 0x38, 0xea, 0x45, 0x37, 0xd1, 0x12, 0x9c, 0x7a, 0x10, 0x89, 0x4a, 0xbe,
+	0x5d, 0xe5, 0xad, 0x5a, 0x91, 0xb7, 0x1a, 0x5f, 0x77, 0xbe, 0xa1, 0xd4, 0xdc, 0x60, 0x0f, 0x6d,
-	0xb6, 0xb0, 0xb1, 0x6c, 0xa3, 0x24, 0xae, 0x2e, 0xbd, 0x54, 0x16, 0x27, 0x7d, 0x31, 0xbf, 0x69,
+	0xc1, 0x45, 0x04, 0x99, 0x6a, 0xd6, 0x0f, 0x36, 0x0e, 0x6f, 0x05, 0xa8, 0xc8, 0x5b, 0x5b, 0x0f,
-	0x68, 0x65, 0x7f, 0xd0, 0xe3, 0xa6, 0x2a, 0xa7, 0xfe, 0x01, 0x95, 0x64, 0x6d, 0xda, 0xae, 0x70,
+	0x4d, 0x84, 0xda, 0x1b, 0xef, 0x2f, 0x07, 0xdd, 0x3e, 0x2e, 0xdf, 0xb8, 0x6b, 0xc6, 0x89, 0x7f,
-	0x15, 0x77, 0x79, 0xfb, 0x11, 0xce, 0x06, 0x62, 0x14, 0x2a, 0x8e, 0x3a, 0xbe, 0x34, 0x70, 0x2c,
+	0x46, 0x3b, 0x7a, 0x36, 0xfd, 0x50, 0x85, 0x46, 0x7b, 0xf7, 0xfe, 0xa7, 0xa4, 0x32, 0xc4, 0xb4,
-	0xbd, 0x71, 0xbf, 0x8e, 0x0f, 0x5a, 0x27, 0xe0, 0x89, 0x3d, 0x10, 0xae, 0xad, 0xa7, 0xd1, 0xa0,
+	0x54, 0x92, 0x0d, 0x62, 0x1d, 0x90, 0x44, 0xa3, 0xc9, 0xb8, 0x4d, 0x4e, 0x7a, 0x4f, 0x21, 0x52,
-	0xcc, 0xe6, 0x8c, 0x58, 0xf5, 0x3d, 0x54, 0xe0, 0x11, 0x78, 0x95, 0xbc, 0x62, 0xdf, 0xc4, 0xb3,
+	0x47, 0xa0, 0xc2, 0x00, 0xdb, 0x6a, 0x50, 0x15, 0xa3, 0x53, 0x55, 0x7c, 0x84, 0x1a, 0x32, 0x83,
-	0xc6, 0x0d, 0xdf, 0x08, 0xec, 0x30, 0x02, 0x2f, 0x4b, 0x53, 0xde, 0x1c, 0x45, 0x63, 0x7e, 0xd5,
+	0xa8, 0x59, 0x37, 0xea, 0x77, 0xc9, 0x2a, 0xbb, 0x91, 0xb9, 0xc2, 0x4e, 0x33, 0x88, 0xaa, 0x36,
-	0x50, 0xe5, 0x86, 0x67, 0x23, 0xf4, 0x19, 0x70, 0xee, 0xf4, 0xba, 0xa0, 0x37, 0xd1, 0x62, 0x44,
+	0xf5, 0x89, 0x1a, 0x19, 0xef, 0x0f, 0x07, 0xbd, 0x3f, 0x87, 0x7c, 0x18, 0x0b, 0x90, 0x92, 0x8e,
-	0x99, 0xe0, 0x15, 0xad, 0xb6, 0x70, 0x07, 0xb1, 0x26, 0x65, 0xc2, 0x5e, 0x49, 0xc5, 0x16, 0xe5,
+	0x86, 0x80, 0xbb, 0x68, 0x33, 0xe3, 0x42, 0xc9, 0xa6, 0x73, 0xb0, 0xf1, 0x0a, 0xb9, 0xba, 0x5c,
-	0x8d, 0x3b, 0x03, 0x22, 0x19, 0xfd, 0x11, 0xa3, 0x81, 0xaa, 0xe9, 0x1d, 0x08, 0x01, 0x58, 0x16,
+	0xa8, 0xe0, 0xb6, 0xcd, 0xb5, 0xa9, 0x4f, 0x92, 0x96, 0x42, 0xf8, 0x11, 0xaa, 0x2b, 0x6e, 0x06,
-	0xfd, 0x2b, 0x46, 0x03, 0x47, 0xd1, 0x98, 0xe7, 0x1a, 0x5a, 0xbb, 0xe1, 0xb9, 0x4b, 0xb8, 0xd0,
+	0xfa, 0x0a, 0x72, 0x00, 0x22, 0x40, 0x56, 0xae, 0xfe, 0x84, 0xd3, 0xba, 0xe2, 0xde, 0x9f, 0x0e,
-	0xdf, 0x4d, 0x35, 0x01, 0xcf, 0xd7, 0x04, 0x89, 0x56, 0x2d, 0xf8, 0x37, 0xd5, 0x2a, 0x0d, 0x2d,
+	0x6a, 0xce, 0xa1, 0x3a, 0xe9, 0x9b, 0xac, 0xfb, 0x08, 0x35, 0xce, 0x04, 0x4f, 0x5e, 0xa7, 0xf2,
-	0x63, 0x0d, 0xd8, 0x45, 0x8b, 0x44, 0x40, 0xc0, 0xd3, 0x1c, 0x1e, 0xcc, 0x99, 0x43, 0x56, 0x90,
+	0xe9, 0xd0, 0xbf, 0x15, 0x3c, 0xa1, 0x46, 0xc6, 0x7b, 0xe6, 0xa0, 0xbd, 0x39, 0xe4, 0x63, 0x26,
-	0x86, 0x44, 0x3b, 0x03, 0x12, 0xf3, 0x3c, 0x3f, 0x91, 0x81, 0xcc, 0x55, 0x3f, 0x42, 0xe5, 0x88,
+	0x15, 0xfe, 0x71, 0xc9, 0x3b, 0x64, 0x3d, 0xef, 0x68, 0xb6, 0x71, 0xce, 0x3b, 0x36, 0xd7, 0xce,
-	0xb6, 0x0f, 0xa1, 0x0b, 0x9e, 0xa0, 0x2c, 0x4d, 0x62, 0x67, 0xce, 0x24, 0xdc, 0x16, 0x74, 0x87,
+	0x24, 0x32, 0xe3, 0x9b, 0xc7, 0x68, 0x93, 0x29, 0x48, 0xa4, 0xed, 0xe1, 0xe3, 0x35, 0x7b, 0xa8,
-	0x50, 0x7b, 0x35, 0x89, 0xab, 0xe5, 0x66, 0xc6, 0xe5, 0x8c, 0x13, 0xeb, 0xa7, 0x68, 0x2d, 0x74,
+	0x06, 0xd2, 0xd1, 0x6c, 0x5a, 0x8a, 0x78, 0xcf, 0xea, 0x0b, 0x1d, 0xe8, 0x5e, 0xf1, 0x19, 0xda,
-	0x03, 0xe0, 0x91, 0xeb, 0xc1, 0x48, 0x2d, 0xff, 0xe7, 0x6a, 0xff, 0x27, 0x71, 0x75, 0x6d, 0x7f,
+	0xcd, 0x78, 0xff, 0x14, 0x86, 0x10, 0x29, 0x2e, 0x6c, 0x13, 0x0f, 0xd6, 0x6c, 0x22, 0xec, 0xc1,
-	0x92, 0xd1, 0x99, 0x16, 0xd1, 0xdf, 0xa0, 0x22, 0x89, 0xd4, 0x2e, 0x56, 0x16, 0x94, 0xde, 0xfd,
+	0x70, 0x42, 0x0d, 0xee, 0x14, 0x79, 0x6b, 0xb7, 0x5b, 0x69, 0xd1, 0x59, 0x61, 0x7c, 0x81, 0xf6,
-	0xd9, 0x75, 0x4c, 0x97, 0xd6, 0x2e, 0x27, 0x71, 0x75, 0xb8, 0xc1, 0xce, 0x10, 0x6e, 0x7e, 0x99,
+	0xd2, 0x30, 0x01, 0x99, 0x85, 0x11, 0x4c, 0xb3, 0xd5, 0x5f, 0x3f, 0xdb, 0x7b, 0x45, 0xde, 0xda,
-	0x9c, 0x01, 0x39, 0x70, 0xfa, 0x6b, 0x54, 0x52, 0x4b, 0xef, 0xd1, 0x6e, 0xba, 0xe4, 0x9b, 0xb2,
+	0x3b, 0x5e, 0x54, 0xa4, 0xcb, 0x49, 0xf0, 0x77, 0x68, 0x9b, 0x65, 0x66, 0x85, 0x34, 0x37, 0x4c,
-	0x9f, 0xcd, 0xd4, 0xf6, 0x33, 0xae, 0xde, 0x9b, 0xfe, 0x5f, 0xf1, 0xf0, 0xd9, 0x19, 0x81, 0xf5,
+	0xbe, 0x8f, 0x56, 0xcf, 0xd1, 0xee, 0x9a, 0x60, 0xb7, 0xc8, 0x5b, 0x93, 0xc5, 0x43, 0x27, 0x74,
-	0x7d, 0x54, 0x90, 0xa3, 0x9b, 0x56, 0x65, 0xf6, 0x36, 0xcb, 0x8f, 0x07, 0x0f, 0x3e, 0x1e, 0xdc,
+	0xef, 0xf7, 0x45, 0x0f, 0x68, 0xc3, 0xe1, 0x47, 0x68, 0xc7, 0xec, 0xaa, 0x88, 0x0f, 0xed, 0x6e,
-	0x08, 0xc5, 0x01, 0x3b, 0x14, 0x8c, 0x84, 0xbe, 0x5d, 0x92, 0x23, 0x2b, 0x43, 0x72, 0x14, 0x8f,
+	0xba, 0xab, 0xdf, 0xb3, 0x6b, 0x63, 0x37, 0x79, 0xeb, 0x83, 0xe5, 0xcf, 0x02, 0x99, 0x5c, 0xd3,
-	0x19, 0x4f, 0x86, 0x2b, 0x97, 0x51, 0x3f, 0xf9, 0x6b, 0x0d, 0xff, 0x2f, 0x1d, 0xb3, 0xd9, 0x4d,
+	0x29, 0x19, 0x1f, 0xa3, 0x86, 0xb6, 0xae, 0x9d, 0xca, 0xea, 0x25, 0xa4, 0xf7, 0x25, 0x29, 0xf7,
-	0x7f, 0x8f, 0x8a, 0x64, 0xb0, 0xe4, 0xe9, 0x08, 0x6f, 0xcf, 0x39, 0xc2, 0x63, 0x5f, 0x83, 0xbd,
+	0x25, 0xe9, 0xa4, 0xea, 0x44, 0x9c, 0x2a, 0xc1, 0xd2, 0x38, 0xd8, 0xd1, 0x96, 0xd5, 0x25, 0x51,
-	0x9a, 0xca, 0x14, 0x87, 0xc6, 0x21, 0xa7, 0xbd, 0x71, 0x71, 0x6d, 0xe4, 0x2e, 0xaf, 0x8d, 0xdc,
+	0xa3, 0xe3, 0xdd, 0x2c, 0x3e, 0xb8, 0xde, 0x21, 0xf8, 0xe9, 0xff, 0xf6, 0xe0, 0xef, 0x5a, 0x9b,
-	0xd5, 0xb5, 0x91, 0xfb, 0x94, 0x18, 0xda, 0x45, 0x62, 0x68, 0x97, 0x89, 0xa1, 0x5d, 0x25, 0x86,
+	0xad, 0x7e, 0xf4, 0x9f, 0xd0, 0x36, 0x2b, 0xff, 0xe4, 0xd6, 0xc2, 0xf7, 0xd7, 0xb4, 0xf0, 0xcc,
-	0xf6, 0x3d, 0x31, 0xb4, 0xcf, 0x3f, 0x8c, 0xdc, 0xdb, 0x7c, 0xbf, 0xfe, 0x2b, 0x00, 0x00, 0xff,
+	0x6a, 0x08, 0xee, 0xd8, 0x34, 0xdb, 0x93, 0xe0, 0x44, 0x13, 0x7f, 0x8f, 0xb6, 0xa0, 0x54, 0xdf,
-	0xff, 0x3b, 0x3f, 0x8c, 0x26, 0x6e, 0x07, 0x00, 0x00,
+	0x30, 0xea, 0xed, 0x35, 0xd5, 0xab, 0x7d, 0x19, 0xbc, 0x6d, 0xc5, 0xb7, 0x6c, 0xcc, 0x0a, 0xe2,
+	0x2f, 0xf5, 0x94, 0x34, 0xf6, 0xc9, 0x65, 0x06, 0xb2, 0xd9, 0x30, 0xdf, 0x93, 0x0f, 0xcb, 0x66,
+	0xa7, 0xe1, 0x9b, 0xbc, 0x85, 0xaa, 0x23, 0x9d, 0x65, 0x04, 0x87, 0x57, 0xd7, 0x6e, 0xed, 0xf9,
+	0xb5, 0x5b, 0x7b, 0x71, 0xed, 0xd6, 0x7e, 0x2d, 0x5c, 0xe7, 0xaa, 0x70, 0x9d, 0xe7, 0x85, 0xeb,
+	0xbc, 0x28, 0x5c, 0xe7, 0xef, 0xc2, 0x75, 0x7e, 0xfb, 0xc7, 0xad, 0xfd, 0x50, 0x1f, 0xb7, 0xff,
+	0x0d, 0x00, 0x00, 0xff, 0xff, 0x48, 0x47, 0x24, 0xc9, 0xc1, 0x08, 0x00, 0x00,
 }

staging/src/k8s.io/api/networking/v1/generated.proto

@@ -59,6 +59,27 @@ message NetworkPolicy {
   optional NetworkPolicySpec spec = 2;
 }
 
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+message NetworkPolicyEgressRule {
+  // List of destination ports for outgoing traffic.
+  // Each item in this list is combined using a logical OR. If this field is
+  // empty or missing, this rule matches all ports (traffic not restricted by port).
+  // If this field is present and contains at least one item, then this rule allows
+  // traffic only if the traffic matches at least one port in the list.
+  // +optional
+  repeated NetworkPolicyPort ports = 1;
+
+  // List of destinations for outgoing traffic of pods selected for this rule.
+  // Items in this list are combined using a logical OR operation. If this field is
+  // empty or missing, this rule matches all destinations (traffic not restricted by
+  // destination). If this field is present and contains at least one item, this rule
+  // allows traffic only if the traffic matches at least one item in the to list.
+  // +optional
+  repeated NetworkPolicyPeer to = 2;
+}
+
 // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
 // matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.
 message NetworkPolicyIngressRule {
@@ -142,5 +163,28 @@ message NetworkPolicySpec {
   // solely to ensure that the pods it selects are isolated by default)
   // +optional
   repeated NetworkPolicyIngressRule ingress = 2;
+
+  // List of egress rules to be applied to the selected pods. Outgoing traffic is
+  // allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+  // otherwise allows the traffic), OR if the traffic matches at least one egress rule
+  // across all of the NetworkPolicy objects whose podSelector matches the pod. If
+  // this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+  // solely to ensure that the pods it selects are isolated by default).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated NetworkPolicyEgressRule egress = 3;
+
+  // List of rule types that the NetworkPolicy relates to.
+  // Valid options are Ingress, Egress, or Ingress,Egress.
+  // If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+  // policies that contain an Egress section are assumed to affect Egress, and all policies
+  // (whether or not they contain an Ingress section) are assumed to affect Ingress.
+  // If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+  // Likewise, if you want to write a policy that specifies that no egress is allowed,
+  // you must specify a policyTypes value that include "Egress" (since such a policy would not include
+  // an Egress section and would otherwise default to just [ "Ingress" ]).
+  // This field is beta-level in 1.8
+  // +optional
+  repeated string policyTypes = 4;
 }
 

staging/src/k8s.io/api/networking/v1/types.go

@@ -38,6 +38,17 @@ type NetworkPolicy struct {
 	Spec NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
 }
 
+// Policy Type string describes the NetworkPolicy type
+// This type is beta-level in 1.8
+type PolicyType string
+
+const (
+	// PolicyTypeIngress is a NetworkPolicy that affects ingress traffic on selected pods
+	PolicyTypeIngress PolicyType = "Ingress"
+	// PolicyTypeEgress is a NetworkPolicy that affects egress traffic on selected pods
+	PolicyTypeEgress PolicyType = "Egress"
+)
+
 // NetworkPolicySpec provides the specification of a NetworkPolicy
 type NetworkPolicySpec struct {
 	// Selects the pods to which this NetworkPolicy object applies. The array of
@@ -57,6 +68,29 @@ type NetworkPolicySpec struct {
 	// solely to ensure that the pods it selects are isolated by default)
 	// +optional
 	Ingress []NetworkPolicyIngressRule `json:"ingress,omitempty" protobuf:"bytes,2,rep,name=ingress"`
+
+	// List of egress rules to be applied to the selected pods. Outgoing traffic is
+	// allowed if there are no NetworkPolicies selecting the pod (and cluster policy
+	// otherwise allows the traffic), OR if the traffic matches at least one egress rule
+	// across all of the NetworkPolicy objects whose podSelector matches the pod. If
+	// this field is empty then this NetworkPolicy limits all outgoing traffic (and serves
+	// solely to ensure that the pods it selects are isolated by default).
+	// This field is beta-level in 1.8
+	// +optional
+	Egress []NetworkPolicyEgressRule `json:"egress,omitempty" protobuf:"bytes,3,rep,name=egress"`
+
+	// List of rule types that the NetworkPolicy relates to.
+	// Valid options are Ingress, Egress, or Ingress,Egress.
+	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
+	// policies that contain an Egress section are assumed to affect Egress, and all policies
+	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
+	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
+	// Likewise, if you want to write a policy that specifies that no egress is allowed,
+	// you must specify a policyTypes value that include "Egress" (since such a policy would not include
+	// an Egress section and would otherwise default to just [ "Ingress" ]).
+	// This field is beta-level in 1.8
+	// +optional
+	PolicyTypes []PolicyType `json:"policyTypes,omitempty" protobuf:"bytes,4,rep,name=policyTypes,casttype=PolicyType"`
 }
 
 // NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods
@@ -79,6 +113,27 @@ type NetworkPolicyIngressRule struct {
 	From []NetworkPolicyPeer `json:"from,omitempty" protobuf:"bytes,2,rep,name=from"`
 }
 
+// NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods
+// matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to.
+// This type is beta-level in 1.8
+type NetworkPolicyEgressRule struct {
+	// List of destination ports for outgoing traffic.
+	// Each item in this list is combined using a logical OR. If this field is
+	// empty or missing, this rule matches all ports (traffic not restricted by port).
+	// If this field is present and contains at least one item, then this rule allows
+	// traffic only if the traffic matches at least one port in the list.
+	// +optional
+	Ports []NetworkPolicyPort `json:"ports,omitempty" protobuf:"bytes,1,rep,name=ports"`
+
+	// List of destinations for outgoing traffic of pods selected for this rule.
+	// Items in this list are combined using a logical OR operation. If this field is
+	// empty or missing, this rule matches all destinations (traffic not restricted by
+	// destination). If this field is present and contains at least one item, this rule
+	// allows traffic only if the traffic matches at least one item in the to list.
+	// +optional
+	To []NetworkPolicyPeer `json:"to,omitempty" protobuf:"bytes,2,rep,name=to"`
+}
+
 // NetworkPolicyPort describes a port to allow traffic on
 type NetworkPolicyPort struct {
 	// The protocol (TCP or UDP) which traffic must match. If not specified, this

staging/src/k8s.io/api/networking/v1/types_swagger_doc_generated.go

@@ -47,6 +47,16 @@ func (NetworkPolicy) SwaggerDoc() map[string]string {
 	return map_NetworkPolicy
 }
 
+var map_NetworkPolicyEgressRule = map[string]string{
+	"":      "NetworkPolicyEgressRule describes a particular set of traffic that is allowed out of pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and to. This type is beta-level in 1.8",
+	"ports": "List of destination ports for outgoing traffic. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
+	"to":    "List of destinations for outgoing traffic of pods selected for this rule. Items in this list are combined using a logical OR operation. If this field is empty or missing, this rule matches all destinations (traffic not restricted by destination). If this field is present and contains at least one item, this rule allows traffic only if the traffic matches at least one item in the to list.",
+}
+
+func (NetworkPolicyEgressRule) SwaggerDoc() map[string]string {
+	return map_NetworkPolicyEgressRule
+}
+
 var map_NetworkPolicyIngressRule = map[string]string{
 	"":      "NetworkPolicyIngressRule describes a particular set of traffic that is allowed to the pods matched by a NetworkPolicySpec's podSelector. The traffic must match both ports and from.",
 	"ports": "List of ports which should be made accessible on the pods selected for this rule. Each item in this list is combined using a logical OR. If this field is empty or missing, this rule matches all ports (traffic not restricted by port). If this field is present and contains at least one item, then this rule allows traffic only if the traffic matches at least one port in the list.",
@@ -92,6 +102,8 @@ var map_NetworkPolicySpec = map[string]string{
 	"":            "NetworkPolicySpec provides the specification of a NetworkPolicy",
 	"podSelector": "Selects the pods to which this NetworkPolicy object applies. The array of ingress rules is applied to any pods selected by this field. Multiple network policies can select the same set of pods. In this case, the ingress rules for each are combined additively. This field is NOT optional and follows standard label selector semantics. An empty podSelector matches all pods in this namespace.",
 	"ingress":     "List of ingress rules to be applied to the selected pods. Traffic is allowed to a pod if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic source is the pod's local node, OR if the traffic matches at least one ingress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy does not allow any traffic (and serves solely to ensure that the pods it selects are isolated by default)",
+	"egress":      "List of egress rules to be applied to the selected pods. Outgoing traffic is allowed if there are no NetworkPolicies selecting the pod (and cluster policy otherwise allows the traffic), OR if the traffic matches at least one egress rule across all of the NetworkPolicy objects whose podSelector matches the pod. If this field is empty then this NetworkPolicy limits all outgoing traffic (and serves solely to ensure that the pods it selects are isolated by default). This field is beta-level in 1.8",
+	"policyTypes": "List of rule types that the NetworkPolicy relates to. Valid options are Ingress, Egress, or Ingress,Egress. If this field is not specified, it will default based on the existence of Ingress or Egress rules; policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. If you want to write an egress-only policy, you must explicitly specify policyTypes [ \"Egress\" ]. Likewise, if you want to write a policy that specifies that no egress is allowed, you must specify a policyTypes value that include \"Egress\" (since such a policy would not include an Egress section and would otherwise default to just [ \"Ingress\" ]). This field is beta-level in 1.8",
 }
 
 func (NetworkPolicySpec) SwaggerDoc() map[string]string {

staging/src/k8s.io/api/networking/v1/zz_generated.deepcopy.go

@@ -47,6 +47,10 @@ func RegisterDeepCopies(scheme *runtime.Scheme) error {
 			in.(*NetworkPolicy).DeepCopyInto(out.(*NetworkPolicy))
 			return nil
 		}, InType: reflect.TypeOf(&NetworkPolicy{})},
+		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
+			in.(*NetworkPolicyEgressRule).DeepCopyInto(out.(*NetworkPolicyEgressRule))
+			return nil
+		}, InType: reflect.TypeOf(&NetworkPolicyEgressRule{})},
 		conversion.GeneratedDeepCopyFunc{Fn: func(in interface{}, out interface{}, c *conversion.Cloner) error {
 			in.(*NetworkPolicyIngressRule).DeepCopyInto(out.(*NetworkPolicyIngressRule))
 			return nil
@@ -119,6 +123,36 @@ func (in *NetworkPolicy) DeepCopyObject() runtime.Object {
 	}
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *NetworkPolicyEgressRule) DeepCopyInto(out *NetworkPolicyEgressRule) {
+	*out = *in
+	if in.Ports != nil {
+		in, out := &in.Ports, &out.Ports
+		*out = make([]NetworkPolicyPort, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.To != nil {
+		in, out := &in.To, &out.To
+		*out = make([]NetworkPolicyPeer, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NetworkPolicyEgressRule.
+func (in *NetworkPolicyEgressRule) DeepCopy() *NetworkPolicyEgressRule {
+	if in == nil {
+		return nil
+	}
+	out := new(NetworkPolicyEgressRule)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *NetworkPolicyIngressRule) DeepCopyInto(out *NetworkPolicyIngressRule) {
 	*out = *in
@@ -271,6 +305,18 @@ func (in *NetworkPolicySpec) DeepCopyInto(out *NetworkPolicySpec) {
 			(*in)[i].DeepCopyInto(&(*out)[i])
 		}
 	}
+	if in.Egress != nil {
+		in, out := &in.Egress, &out.Egress
+		*out = make([]NetworkPolicyEgressRule, len(*in))
+		for i := range *in {
+			(*in)[i].DeepCopyInto(&(*out)[i])
+		}
+	}
+	if in.PolicyTypes != nil {
+		in, out := &in.PolicyTypes, &out.PolicyTypes
+		*out = make([]PolicyType, len(*in))
+		copy(*out, *in)
+	}
 	return
 }