Documentation ¶
Index ¶
- Constants
- type AntreaPolicyLogger
- type Clock
- type CompletedRule
- type Controller
- func (c *Controller) GetAddressGroupNum() int
- func (c *Controller) GetAddressGroups() []v1beta2.AddressGroup
- func (c *Controller) GetAppliedNetworkPolicies(pod, namespace string, npFilter *querier.NetworkPolicyQueryFilter) []v1beta2.NetworkPolicy
- func (c *Controller) GetAppliedToGroupNum() int
- func (c *Controller) GetAppliedToGroups() []v1beta2.AppliedToGroup
- func (c *Controller) GetControllerConnectionStatus() bool
- func (c *Controller) GetIGMPNPRuleInfo(podName, podNamespace string, groupAddress net.IP, igmpType uint8) (*types.IGMPNPRuleInfo, error)
- func (c *Controller) GetNetworkPolicies(npFilter *querier.NetworkPolicyQueryFilter) []v1beta2.NetworkPolicy
- func (c *Controller) GetNetworkPolicyByRuleFlowID(ruleFlowID uint32) *v1beta2.NetworkPolicyReference
- func (c *Controller) GetNetworkPolicyNum() int
- func (c *Controller) GetRuleByFlowID(ruleFlowID uint32) *types.PolicyRule
- func (c *Controller) HandlePacketIn(pktIn *ofctrl.PacketIn) error
- func (c *Controller) Run(stopCh <-chan struct{})
- func (c *Controller) SetDenyConnStore(denyConnStore *connections.DenyConnectionStore)
- type L7RuleReconciler
- type PriorityUpdate
- type Reconciler
- type RejectType
- type StatusController
- type StatusManager
Constants ¶
const ( MaxUint16 = ^uint16(0) DefaultTierPriority = int32(250) BaselinePolicyBottomPriority = uint16(10) BaselinePolicyTopPriority = uint16(180) PolicyBottomPriority = uint16(100) PolicyTopPriority = uint16(65000) PriorityOffsetBaselineTier = float64(10) TierOffsetBaselineTier = uint16(0) PriorityOffsetMultiTier = float64(20) PriorityOffsetDefaultTier = float64(100) TierOffsetMultiTier = uint16(200) )
const ( IPv4HdrLen uint16 = 20 IPv6HdrLen uint16 = 40 ICMPUnusedHdrLen uint16 = 4 TCPAck uint8 = 0b010000 TCPRst uint8 = 0b000100 ICMPDstUnreachableType uint8 = 3 ICMPDstHostAdminProhibitedCode uint8 = 10 ICMPv6DstUnreachableType uint8 = 1 ICMPv6DstAdminProhibitedCode uint8 = 1 )
const (
RuleIDLength = 16
)
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AntreaPolicyLogger ¶
type AntreaPolicyLogger struct {
// contains filtered or unexported fields
}
AntreaPolicyLogger is used for Antrea policy audit logging. Includes a lumberjack logger and a map used for log deduplication.
func (*AntreaPolicyLogger) LogDedupPacket ¶ added in v1.3.0
func (l *AntreaPolicyLogger) LogDedupPacket(ob *logInfo)
LogDedupPacket logs information in ob based on disposition and duplication conditions.
type CompletedRule ¶
type CompletedRule struct { // Source GroupMembers of this rule, can't coexist with ToAddresses. FromAddresses v1beta.GroupMemberSet // Destination GroupMembers of this rule, can't coexist with FromAddresses. ToAddresses v1beta.GroupMemberSet // Target GroupMembers of this rule. TargetMembers v1beta.GroupMemberSet // Vlan ID allocated for this rule if this rule is for L7 NetworkPolicy. L7RuleVlanID *uint32 // contains filtered or unexported fields }
CompletedRule contains IPAddresses and Pods flattened from AddressGroups and AppliedToGroups. It's the struct used by reconciler.
func (*CompletedRule) String ¶
func (r *CompletedRule) String() string
String returns the string representation of the CompletedRule.
type Controller ¶
type Controller struct {
// contains filtered or unexported fields
}
Controller is responsible for watching Antrea AddressGroups, AppliedToGroups, and NetworkPolicies, feeding them to ruleCache, getting dirty rules from ruleCache, invoking reconciler to reconcile them.
a.Feed AddressGroups,AppliedToGroups and NetworkPolicies |-----------| <-------- |----------- | c. Reconcile dirty rules |----------- | | ruleCache | | Controller | ------------> | reconciler | | ----------| --------> |----------- | |----------- | b. Notify dirty rules
func NewNetworkPolicyController ¶
func NewNetworkPolicyController(antreaClientGetter agent.AntreaClientProvider, ofClient openflow.Client, ifaceStore interfacestore.InterfaceStore, nodeName string, podUpdateSubscriber channel.Subscriber, externalEntityUpdateSubscriber channel.Subscriber, groupCounters []proxytypes.GroupCounter, groupIDUpdates <-chan string, antreaPolicyEnabled bool, l7NetworkPolicyEnabled bool, antreaProxyEnabled bool, statusManagerEnabled bool, multicastEnabled bool, loggingEnabled bool, asyncRuleDeleteInterval time.Duration, dnsServerOverride string, nodeType config.NodeType, v4Enabled bool, v6Enabled bool, gwPort, tunPort uint32, nodeConfig *config.NodeConfig) (*Controller, error)
NewNetworkPolicyController returns a new *Controller.
func (*Controller) GetAddressGroupNum ¶
func (c *Controller) GetAddressGroupNum() int
func (*Controller) GetAddressGroups ¶
func (c *Controller) GetAddressGroups() []v1beta2.AddressGroup
func (*Controller) GetAppliedNetworkPolicies ¶
func (c *Controller) GetAppliedNetworkPolicies(pod, namespace string, npFilter *querier.NetworkPolicyQueryFilter) []v1beta2.NetworkPolicy
GetAppliedNetworkPolicies returns the NetworkPolicies applied to the Pod and match the filter.
func (*Controller) GetAppliedToGroupNum ¶
func (c *Controller) GetAppliedToGroupNum() int
func (*Controller) GetAppliedToGroups ¶
func (c *Controller) GetAppliedToGroups() []v1beta2.AppliedToGroup
func (*Controller) GetControllerConnectionStatus ¶
func (c *Controller) GetControllerConnectionStatus() bool
func (*Controller) GetIGMPNPRuleInfo ¶ added in v1.8.0
func (c *Controller) GetIGMPNPRuleInfo(podName, podNamespace string, groupAddress net.IP, igmpType uint8) (*types.IGMPNPRuleInfo, error)
GetIGMPNPRuleInfo looks up the IGMP NetworkPolicy rule that matches the given Pod and groupAddress, and returns the rule information if found.
func (*Controller) GetNetworkPolicies ¶
func (c *Controller) GetNetworkPolicies(npFilter *querier.NetworkPolicyQueryFilter) []v1beta2.NetworkPolicy
GetNetworkPolicies returns the requested NetworkPolicies. This func will return all NetworkPolicies that can match all provided attributes in NetworkPolicyQueryFilter. These not provided attributes in NetworkPolicyQueryFilter means match all.
func (*Controller) GetNetworkPolicyByRuleFlowID ¶
func (c *Controller) GetNetworkPolicyByRuleFlowID(ruleFlowID uint32) *v1beta2.NetworkPolicyReference
func (*Controller) GetNetworkPolicyNum ¶
func (c *Controller) GetNetworkPolicyNum() int
func (*Controller) GetRuleByFlowID ¶
func (c *Controller) GetRuleByFlowID(ruleFlowID uint32) *types.PolicyRule
func (*Controller) HandlePacketIn ¶
func (c *Controller) HandlePacketIn(pktIn *ofctrl.PacketIn) error
HandlePacketIn is the packetin handler registered to openflow by Antrea network policy agent controller. It performs the appropriate operations based on which bits are set in the "custom reasons" field of the packet received from OVS.
func (*Controller) Run ¶
func (c *Controller) Run(stopCh <-chan struct{})
Run begins watching and processing Antrea AddressGroups, AppliedToGroups and NetworkPolicies, and spawns workers that reconciles NetworkPolicy rules. Run will not return until stopCh is closed.
func (*Controller) SetDenyConnStore ¶ added in v1.5.0
func (c *Controller) SetDenyConnStore(denyConnStore *connections.DenyConnectionStore)
type L7RuleReconciler ¶ added in v1.10.0
type PriorityUpdate ¶
PriorityUpdate stores the original and updated ofPriority of a Priority.
type Reconciler ¶
type Reconciler interface { // Reconcile reconciles the desired state of the provided CompletedRule // with the actual state of Openflow entries. Reconcile(rule *CompletedRule) error // BatchReconcile reconciles the desired state of the provided CompletedRules // with the actual state of Openflow entries in batch. It should only be invoked // if all rules are newly added without last realized status. BatchReconcile(rules []*CompletedRule) error // Forget cleanups the actual state of Openflow entries of the specified ruleID. Forget(ruleID string) error // GetRuleByFlowID returns the rule from the async rule cache in idAllocator cache. GetRuleByFlowID(ruleID uint32) (*types.PolicyRule, bool, error) // RunIDAllocatorWorker runs the worker that deletes the rules from the cache // in idAllocator. RunIDAllocatorWorker(stopCh <-chan struct{}) }
Reconciler is an interface that knows how to reconcile the desired state of CompletedRule with the actual state of Openflow entries.
type RejectType ¶ added in v1.4.0
type RejectType int
const ( // RejectPodLocal represents this packetOut is used to reject Pod-to-Pod traffic // and for this response, the srcPod and the dstPod are on the same Node. RejectPodLocal RejectType = iota // RejectPodRemoteToLocal represents this packetOut is used to reject Pod-to-Pod // traffic and for this response, the srcPod is on a remote Node and the dstPod is // on the local Node. RejectPodRemoteToLocal // RejectPodLocalToRemote represents this packetOut is used to reject Pod-to-Pod // traffic and for this response, the srcPod is on the local Node and the dstPod is // on a remote Node. RejectPodLocalToRemote // RejectServiceLocal represents this packetOut is used to reject Service traffic, // when AntreaProxy is enabled. The EndpointPod and the dstPod of the reject // response are on the same Node. RejectServiceLocal // RejectServiceRemoteToLocal represents this packetOut is used to reject Service // traffic, when AntreaProxy is enabled. The EndpointPod is on a remote Node and // the dstPod of the reject response is on the local Node. RejectServiceRemoteToLocal // RejectServiceLocalToRemote represents this packetOut is used to reject Service // traffic, when AntreaProxy is enabled. The EndpointPod is on the local Node and // the dstPod of the reject response is on a remote Node. RejectServiceLocalToRemote // RejectNoAPServiceLocal represents this packetOut is used to reject Service // traffic, when AntreaProxy is disabled. The EndpointPod and the dstPod of the // reject response are on the same Node. RejectNoAPServiceLocal // RejectNoAPServiceRemoteToLocal represents this packetOut is used to reject // Service traffic, when AntreaProxy is disabled. The EndpointPod is on a remote // Node and the dstPod of the reject response is on the local Node. RejectNoAPServiceRemoteToLocal // RejectServiceRemoteToExternal represents this packetOut is used to reject // Service traffic, when AntreaProxy is enabled. The EndpointPod is on a remote // Node and the destination of the reject response is an external client. RejectServiceRemoteToExternal // Unsupported indicates that Antrea couldn't generate packetOut for current // packetIn. Unsupported )
type StatusController ¶
type StatusController struct {
// contains filtered or unexported fields
}
StatusController implements StatusManager.
func (*StatusController) DeleteRuleRealization ¶
func (c *StatusController) DeleteRuleRealization(ruleID string)
func (*StatusController) Resync ¶
func (c *StatusController) Resync(policyID types.UID)
func (*StatusController) Run ¶
func (c *StatusController) Run(stopCh <-chan struct{})
func (*StatusController) SetRuleRealization ¶
func (c *StatusController) SetRuleRealization(ruleID string, policyID types.UID)
type StatusManager ¶
type StatusManager interface { // SetRuleRealization updates the actual status for the given NetworkPolicy rule. SetRuleRealization(ruleID string, policyID types.UID) // DeleteRuleRealization deletes the actual status for the given NetworkPolicy rule. DeleteRuleRealization(ruleID string) // Resync triggers syncing status with the antrea-controller for the given NetworkPolicy. Resync(policyID types.UID) // Start the status sync loop. Run(stopCh <-chan struct{}) }
StatusManager keeps track of the realized NetworkPolicy rules. It syncs the status of a NetworkPolicy to the antrea-controller once it is realized. A policy is considered realized when all of its desired rules have been realized and all of its undesired rules have been removed. For each new policy, SetRuleRealization is supposed to be called for each of its desired rules while DeleteRuleRealization is supposed to be called for the removed rules.