Overview ¶
Package networkpolicy provides NetworkPolicyController implementation to manage and synchronize the Pods and Namespaces affected by Network Policies and enforce their rules.
Package networkpolicy provides NetworkPolicyController implementation to manage and synchronize the GroupMembers and Namespaces affected by Network Policies and enforce their rules.
Package networkpolicy provides NetworkPolicyController implementation to manage and synchronize the Pods and Namespaces affected by Network Policies and enforce their rules.
Index ¶
- Constants
- Variables
- func ConvertClusterGroupCRD(Object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status)
- func GetAdmissionResponseForErr(err error) *admv1.AdmissionResponse
- func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *endpointQuerier
- type Endpoint
- type EndpointQuerier
- type EndpointQueryResponse
- type NetworkPolicyController
- func (n *NetworkPolicyController) GetAddressGroupNum() int
- func (n *NetworkPolicyController) GetAppliedToGroupNum() int
- func (c *NetworkPolicyController) GetAssociatedGroups(name, namespace string) ([]antreatypes.Group, error)
- func (n *NetworkPolicyController) GetConnectedAgentNum() int
- func (c *NetworkPolicyController) GetGroupMembers(cgName string) (controlplane.GroupMemberSet, []controlplane.IPBlock, error)
- func (n *NetworkPolicyController) GetNetworkPolicyNum() int
- func (n *NetworkPolicyController) InitializeTiers()
- func (n *NetworkPolicyController) Run(stopCh <-chan struct{})
- type NetworkPolicyMutator
- type NetworkPolicyValidator
- func (v *NetworkPolicyValidator) RegisterAntreaPolicyValidator(a validator)
- func (v *NetworkPolicyValidator) RegisterGroupValidator(g validator)
- func (v *NetworkPolicyValidator) RegisterTierValidator(t validator)
- func (v *NetworkPolicyValidator) Validate(ar *admv1.AdmissionReview) *admv1.AdmissionResponse
- type Policy
- type PolicyRef
- type Rule
- type StatusController
Constants ¶
const ( // TierIndex is used to index ClusterNetworkPolicies by Tier names. TierIndex = "tier" // PriorityIndex is used to index Tiers by their priorities. PriorityIndex = "priority" // ClusterGroupIndex is used to index ClusterNetworkPolicies by ClusterGroup names. ClusterGroupIndex = "clustergroup" )
Variables ¶
var ( // DefaultTierPriority maintains the priority for the system generated default Tier. // This is the lowest priority for tiers that will be enforced before K8s NetworkPolicies. DefaultTierPriority = int32(250) // BaselineTierPriority maintains the priority for the system generated baseline Tier. // This is the tier that will be enforced after K8s NetworkPolicies. BaselineTierPriority = int32(253) )
Functions ¶
func ConvertClusterGroupCRD ¶
func ConvertClusterGroupCRD(Object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status)
func GetAdmissionResponseForErr ¶
func GetAdmissionResponseForErr(err error) *admv1.AdmissionResponse
GetAdmissionResponseForErr returns an object of type AdmissionResponse with the submitted error message.
func NewEndpointQuerier ¶
func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *endpointQuerier
NewEndpointQuerier returns a new *endpointQuerier.
Types ¶
type EndpointQuerier ¶
type EndpointQuerier interface {
	// QueryNetworkPolicies returns the list of NetworkPolicies which apply to the provided Pod,
	// along with the list of NetworkPolicies which select the provided Pod in one of their policy
	// rules (ingress or egress).
	QueryNetworkPolicies(namespace string, podName string) (*EndpointQueryResponse, error)
}
EndpointQuerier handles requests for antctl query
type EndpointQueryResponse ¶
type EndpointQueryResponse struct {
Endpoints []Endpoint `json:"endpoints,omitempty"`
}
EndpointQueryResponse is the reply struct for antctl endpoint queries.
type NetworkPolicyController ¶
type NetworkPolicyController struct {
// contains filtered or unexported fields
}
NetworkPolicyController is responsible for synchronizing the Namespaces and Pods affected by a Network Policy.
func NewNetworkPolicyController ¶
func NewNetworkPolicyController(kubeClient clientset.Interface, crdClient versioned.Interface, groupingInterface grouping.Interface, namespaceInformer coreinformers.NamespaceInformer, serviceInformer coreinformers.ServiceInformer, networkPolicyInformer networkinginformers.NetworkPolicyInformer, nodeInformer coreinformers.NodeInformer, cnpInformer secinformers.ClusterNetworkPolicyInformer, anpInformer secinformers.NetworkPolicyInformer, tierInformer secinformers.TierInformer, cgInformer crdv1a3informers.ClusterGroupInformer, addressGroupStore storage.Interface, appliedToGroupStore storage.Interface, internalNetworkPolicyStore storage.Interface, internalGroupStore storage.Interface) *NetworkPolicyController
NewNetworkPolicyController returns a new *NetworkPolicyController.
func (*NetworkPolicyController) GetAddressGroupNum ¶
func (n *NetworkPolicyController) GetAddressGroupNum() int
func (*NetworkPolicyController) GetAppliedToGroupNum ¶
func (n *NetworkPolicyController) GetAppliedToGroupNum() int
func (*NetworkPolicyController) GetAssociatedGroups ¶
func (c *NetworkPolicyController) GetAssociatedGroups(name, namespace string) ([]antreatypes.Group, error)
GetAssociatedGroups retrieves the internal Groups associated with the entity being queried (Pod or ExternalEntity identified by name and namespace).
func (*NetworkPolicyController) GetConnectedAgentNum ¶
func (n *NetworkPolicyController) GetConnectedAgentNum() int
GetConnectedAgentNum gets the number of Agents which are connected to this Controller. Since each Agent watches all three stores (internalNetworkPolicyStore, appliedToGroupStore, addressGroupStore), the number of watchers of any one of these stores is equal to the number of connected Agents. Here, we use the number of watchers of appliedToGroupStore to represent the number of connected Agents, as internalNetworkPolicyStore is also watched by the StatusController of the process itself.
func (*NetworkPolicyController) GetGroupMembers ¶
func (c *NetworkPolicyController) GetGroupMembers(cgName string) (controlplane.GroupMemberSet, []controlplane.IPBlock, error)
GetGroupMembers returns the current members of a ClusterGroup. If the ClusterGroup is defined with IPBlocks, the returned members will be []controlplane.IPBlock. Otherwise, the returned members will be of type controlplane.GroupMemberSet.
func (*NetworkPolicyController) GetNetworkPolicyNum ¶
func (n *NetworkPolicyController) GetNetworkPolicyNum() int
func (*NetworkPolicyController) InitializeTiers ¶
func (n *NetworkPolicyController) InitializeTiers()
InitializeTiers initializes the default Tiers created by Antrea on init. It will first attempt to retrieve the Tier by its name from K8s and, if it is missing, create the CR. InitializeTiers will be called as part of a Post-Start hook of antrea-controller's APIServer.
func (*NetworkPolicyController) Run ¶
func (n *NetworkPolicyController) Run(stopCh <-chan struct{})
Run begins watching and syncing of a NetworkPolicyController.
type NetworkPolicyMutator ¶
type NetworkPolicyMutator struct {
// contains filtered or unexported fields
}
func NewNetworkPolicyMutator ¶
func NewNetworkPolicyMutator(networkPolicyController *NetworkPolicyController) *NetworkPolicyMutator
NewNetworkPolicyMutator returns a new *NetworkPolicyMutator.
func (*NetworkPolicyMutator) Mutate ¶
func (m *NetworkPolicyMutator) Mutate(ar *admv1.AdmissionReview) *admv1.AdmissionResponse
Mutate mutates an Antrea-native policy object.
type NetworkPolicyValidator ¶
type NetworkPolicyValidator struct {
// contains filtered or unexported fields
}
NetworkPolicyValidator maintains list of validator objects which validate the Antrea-native policy related resources.
func NewNetworkPolicyValidator ¶
func NewNetworkPolicyValidator(networkPolicyController *NetworkPolicyController) *NetworkPolicyValidator
NewNetworkPolicyValidator returns a new *NetworkPolicyValidator.
func (*NetworkPolicyValidator) RegisterAntreaPolicyValidator ¶
func (v *NetworkPolicyValidator) RegisterAntreaPolicyValidator(a validator)
RegisterAntreaPolicyValidator registers an Antrea-native policy validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.
func (*NetworkPolicyValidator) RegisterGroupValidator ¶
func (v *NetworkPolicyValidator) RegisterGroupValidator(g validator)
RegisterGroupValidator registers a Group validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.
func (*NetworkPolicyValidator) RegisterTierValidator ¶
func (v *NetworkPolicyValidator) RegisterTierValidator(t validator)
RegisterTierValidator registers a Tier validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.
func (*NetworkPolicyValidator) Validate ¶
func (v *NetworkPolicyValidator) Validate(ar *admv1.AdmissionReview) *admv1.AdmissionResponse
Validate validates a ClusterGroup, Tier, or Antrea Policy object.
type StatusController ¶
type StatusController struct {
// contains filtered or unexported fields
}
StatusController is responsible for synchronizing the status of Antrea ClusterNetworkPolicy and Antrea NetworkPolicy.
func NewStatusController ¶
func NewStatusController(antreaClient antreaclientset.Interface, internalNetworkPolicyStore storage.Interface, cnpInformer crdinformers.ClusterNetworkPolicyInformer, anpInformer crdinformers.NetworkPolicyInformer) *StatusController
func (*StatusController) Run ¶
func (c *StatusController) Run(stopCh <-chan struct{})
Run begins watching and syncing of a StatusController.
func (*StatusController) UpdateStatus ¶
func (c *StatusController) UpdateStatus(status *controlplane.NetworkPolicyStatus) error