Documentation
Index
- Constants
- Variables
- func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
- func GetInitializeTestCalls() []testutils.TestCmd
- func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
- func GetResetTestCalls() []testutils.TestCmd
- type ACLPolicy
- type Direction
- type MatchType
- type NPMNetworkPolicy
- type PolicyManager
- func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[string]string) error
- func (pMgr *PolicyManager) GetPolicy(name string) (*NPMNetworkPolicy, bool)
- func (pMgr *PolicyManager) Initialize() error
- func (pMgr *PolicyManager) PolicyExists(name string) bool
- func (pMgr *PolicyManager) ReconcileChains(stopChannel <-chan struct{})
- func (pMgr *PolicyManager) RemovePolicy(name string, endpointList map[string]string) error
- func (pMgr *PolicyManager) Reset() error
- type PolicyMap
- type Ports
- type Protocol
- type SetInfo
- type Verdict
Constants
const (
	// Ingress when packet is entering a container
	Ingress Direction = "IN"
	// Egress when packet is leaving a container
	Egress Direction = "OUT"
	// Both applies to both directions
	Both Direction = "BOTH"
	// Allowed is accept in linux
	Allowed Verdict = "ALLOW"
	// Dropped is denying a flow
	Dropped Verdict = "DROP"
	// TCP Protocol
	TCP Protocol = "tcp"
	// UDP Protocol
	UDP Protocol = "udp"
	// SCTP Protocol
	SCTP Protocol = "sctp"
	// ICMP Protocol
	ICMP Protocol = "icmp"
	// AnyProtocol can be used for all other protocols
	AnyProtocol Protocol = "all"
)
Variables
var (
	// TestNetworkPolicies for testing
	TestNetworkPolicies = []*NPMNetworkPolicy{
		{
			Name: "test1",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKVNSList.Metadata},
			},
			ACLs: testACLs,
		},
		{
			Name: "test2",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKVNSList.Metadata},
				{Metadata: ipsets.TestKeyPodSet.Metadata},
			},
			ACLs: []*ACLPolicy{
				testACLs[0],
			},
		},
		{
			Name: "test3",
			ACLs: []*ACLPolicy{
				testACLs[3],
			},
		},
	}
)
Functions
func GetAddPolicyTestCalls
func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
func GetInitializeTestCalls (added in v1.4.15)
func GetInitializeTestCalls() []testutils.TestCmd
func GetRemovePolicyTestCalls
func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
func GetResetTestCalls (added in v1.4.15)
func GetResetTestCalls() []testutils.TestCmd
Types
type ACLPolicy
type ACLPolicy struct {
	// PolicyID is the rule's name within a given network policy.
	// PolicyID will be the same for all ACLs in a Network Policy;
	// it will be "azure-acl-NetPolNS-netPolName"
	PolicyID string
	// Comment is the string attached to the rule to identify its representation
	Comment string
	// SrcList source IPSets condition setinfos
	SrcList []SetInfo
	// DstList destination IPSets condition setinfos
	DstList []SetInfo
	// Target defines a target in iptables for linux, i.e. Mark, Accept, Drop;
	// in windows, this is either ALLOW or DENY
	Target Verdict
	// Direction defines the flow of traffic
	Direction Direction
	// DstPorts holds the destination port information
	// TODO(jungukcho): It may be better to use a pointer to differentiate the default value.
	DstPorts Ports
	// Protocol is the value of the traffic protocol
	Protocol Protocol
}
ACLPolicy is equivalent to a single iptables rule on Linux or a single HNS rule on Windows.
type NPMNetworkPolicy
type NPMNetworkPolicy struct {
	Name      string
	NameSpace string
	// TODO(jungukcho)
	// ipsets.IPSetMetadata is common data in both PodSelectorIPSets and PodSelectorList.
	// So, they can be one data structure holding all information without redundancy.
	// PodSelectorIPSets holds all the IPSets generated from the Pod Selector
	PodSelectorIPSets []*ipsets.TranslatedIPSet
	// PodSelectorList holds target pod information to avoid duplication in the SrcList and DstList fields in ACLs
	PodSelectorList []SetInfo
	// RuleIPSets holds all IPSets generated from the policy's rules
	// and not from pod selector IPSets
	RuleIPSets []*ipsets.TranslatedIPSet
	ACLs       []*ACLPolicy
	// podIP is the key and endpoint ID the value
	// Will be populated by dataplane and policy manager
	PodEndpoints map[string]string
}
type PolicyManager
type PolicyManager struct {
	// contains filtered or unexported fields
}
func NewPolicyManager
func NewPolicyManager(ioShim *common.IOShim) *PolicyManager
func (*PolicyManager) AddPolicy (added in v1.4.13)
func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[string]string) error
func (*PolicyManager) GetPolicy
func (pMgr *PolicyManager) GetPolicy(name string) (*NPMNetworkPolicy, bool)
func (*PolicyManager) Initialize (added in v1.4.15)
func (pMgr *PolicyManager) Initialize() error
func (*PolicyManager) PolicyExists
func (pMgr *PolicyManager) PolicyExists(name string) bool
func (*PolicyManager) ReconcileChains (added in v1.4.15)
func (pMgr *PolicyManager) ReconcileChains(stopChannel <-chan struct{})
ReconcileChains periodically creates the jump rule from the FORWARD chain to the AZURE-NPM chain (if it does not exist) and makes sure it comes after the jumps to the KUBE-FORWARD and KUBE-SERVICES chains (if they exist).
func (*PolicyManager) RemovePolicy
func (pMgr *PolicyManager) RemovePolicy(name string, endpointList map[string]string) error
func (*PolicyManager) Reset (added in v1.4.15)
func (pMgr *PolicyManager) Reset() error
type SetInfo
type SetInfo struct {
	IPSet     *ipsets.IPSetMetadata
	Included  bool
	MatchType MatchType
}
SetInfo captures the additional details of a match set. The Included flag records whether the match is positive or negative: Included is true when the match set has no "!" and false when it does. MatchType captures the match direction flags. For example, for this match set on Linux:
! azure-npm-123 src
the "!" indicates a negative match against the set azure-npm-123 (Included is false), and MatchType is "src".
func NewSetInfo
NewSetInfo creates SetInfo.
type Ports
Ports represents a range of ports. To specify one port, set Port and EndPort to the same value. uint16 is used since there are 2^16 - 1 TCP/UDP ports (0 is invalid) and 2^16 SCTP ports. ICMP is connectionless and doesn't use ports.
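As an added illustration of the Ports rules above (this is not code from the package documented here), the following checks a Ports value against the protocol it is paired with and renders it as an iptables --dport argument. The Protocol constants mirror the ones on this page; treating the zero-value Ports{} as "no port restriction" is an assumption, the same ambiguity the DstPorts TODO points at.

```go
package main

import (
	"errors"
	"fmt"
)
// Protocol values copied from the constants documented on this page.
type Protocol string
const (
	TCP  Protocol = "tcp"
	UDP  Protocol = "udp"
	SCTP Protocol = "sctp"
	ICMP Protocol = "icmp"
)
// Ports mirrors the documented type: a single port has Port == EndPort.
type Ports struct {
	Port    uint16
	EndPort uint16
}

// ValidatePorts applies the rules from the Ports doc comment: port 0 is invalid
// for TCP/UDP but valid for SCTP, ICMP has no ports, and a range must not be
// reversed. Assumption: Ports{} means "no restriction" (see the DstPorts TODO).
func ValidatePorts(p Ports, proto Protocol) error {
	if p == (Ports{}) {
		return nil
	}
	switch proto {
	case ICMP:
		return errors.New("icmp is connectionless and has no ports")
	case TCP, UDP:
		if p.Port == 0 {
			return errors.New("port 0 is invalid for tcp/udp")
		}
	}
	if p.EndPort < p.Port {
		return fmt.Errorf("end port %d precedes start port %d", p.EndPort, p.Port)
	}
	return nil
}

// DportArg renders a validated range as an iptables --dport value:
// "80" for a single port, "8000:8080" for a range.
func DportArg(p Ports) string {
	if p.Port == p.EndPort {
		return fmt.Sprintf("%d", p.Port)
	}
	return fmt.Sprintf("%d:%d", p.Port, p.EndPort)
}
```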