Constants

This section is empty.

Variables

var (
	// TestNetworkPolicies is a shared fixture for tests in this package.
	// Each entry exercises a different shape of NPMNetworkPolicy:
	//   - "x/test1": one pod-selector IPSet, every ACL in testACLs.
	//   - "y/test2": two pod-selector IPSets, only testACLs[0].
	//   - "z/test3": no pod selector at all, only testACLs[3].
	// NOTE(review): testACLs is unexported and not shown on this page; it must
	// hold at least four entries for the index used by "test3" to be in range.
	TestNetworkPolicies = []*NPMNetworkPolicy{
		{
			// Single key-only pod selector; the full testACLs slice applies.
			Name:      "test1",
			NameSpace: "x",
			PolicyKey: "x/test1",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},
			ACLs: testACLs,
		},
		{
			// Two pod-selector IPSets (key-only and key/value); one ACL.
			Name:      "test2",
			NameSpace: "y",
			PolicyKey: "y/test2",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
				{Metadata: ipsets.TestKVPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
				{
					IPSet:     ipsets.TestKVPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},
			ACLs: []*ACLPolicy{
				testACLs[0],
			},
		},
		{
			// No PodSelectorIPSets / PodSelectorList: a policy with an empty
			// pod selector and a single ACL.
			Name:      "test3",
			NameSpace: "z",
			PolicyKey: "z/test3",
			ACLs: []*ACLPolicy{
				testACLs[3],
			},
		},
	}
)

TODO: deprecate this file. Updating this file impacts multiple tests.

Functions

func GetAddPolicyFailureTestCalls

func GetAddPolicyFailureTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd

func GetAddPolicyTestCalls

func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd

func GetBootupTestCalls

func GetBootupTestCalls() []testutils.TestCmd

func GetRemovePolicyFailureTestCalls

func GetRemovePolicyFailureTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd

GetRemovePolicyFailureTestCalls returns the expected test calls for the case where policy removal fails on the restore.

func GetRemovePolicyTestCalls

func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd

Types

type ACLPolicy

// ACLPolicy is equivalent to a single iptables rule on Linux or a single
// HNS rule on Windows. NPMNetworkPolicy.ACLs holds the ACLs of one policy.
type ACLPolicy struct {
	// PolicyID is the rule's name within a given network policy.
	// PolicyID is the same for all ACLs in a network policy;
	// it will be "azure-acl-NetPolNS-netPolName".
	PolicyID string
	// Comment is the string attached to the rule to identify its representation.
	Comment string
	// TODO(jungukcho): now I think we do not need to manage SrcList and DstList
	// We may have just one PeerList to hold since it will depend on direction except for namedPort.
	// They are exclusive and each SetInfo even has its own direction.
	// PeerList []SetInfo
	// SrcList holds the source IPSet conditions (SetInfos) of the rule.
	SrcList []SetInfo
	// DstList holds the destination IPSet conditions (SetInfos) of the rule.
	DstList []SetInfo
	// Target defines the target in iptables on Linux, i.e. Mark, Accept, Drop;
	// on Windows this is either ALLOW or DENY.
	Target Verdict
	// Direction defines the flow of traffic (Ingress, Egress, or Both).
	Direction Direction
	// DstPorts always holds the destination port information.
	// The valid value for port must be between 1 and 65535, inclusive,
	// and EndPort must be greater than or equal to Port.
	// NOTE(review): Ports' fields are int32, so out-of-range values are
	// representable here; the check must happen before the ACL is built — confirm where.
	DstPorts Ports
	// Protocol is the traffic protocol (TCP, UDP, SCTP, or UnspecifiedProtocol).
	Protocol Protocol
}

ACLPolicy is equivalent to a single iptables rule on Linux or a single HNS rule on Windows.

func NewACLPolicy

func NewACLPolicy(policyNS, policyName string, target Verdict, direction Direction) *ACLPolicy

TODO make this a method of NPMNetworkPolicy, and just use netPol.PolicyKey as the PolicyID

func (*ACLPolicy) AddSetInfo

func (aclPolicy *ACLPolicy) AddSetInfo(peerList []SetInfo)

AddSetInfo adds each setInfo to SrcList or DstList based on direction, except for a namedPort setInfo, since namedPort is always for the destination. TODO(jungukcho): cannot come up with Both Direction.

func (*ACLPolicy) String added in v1.4.16

func (aclPolicy *ACLPolicy) String() string

type Direction

// Direction is the traffic direction an ACLPolicy applies to; its string
// value is what the rule encodes.
type Direction string
const (
	// Ingress when packet is entering a container
	Ingress Direction = "IN"
	// Egress when packet is leaving a container
	Egress Direction = "OUT"
	// Both applies to both directions
	Both Direction = "BOTH"
)

type MatchType

// MatchType encodes the match-direction flag of a SetInfo, e.g. the "src"
// or "dst" flag on a Linux match set.
type MatchType int8
const (
	// SrcMatch matches on the source side ("src" flag).
	SrcMatch MatchType = 0
	// DstMatch matches on the destination side ("dst" flag).
	DstMatch MatchType = 1
	// MatchTypes with 2 locations (e.g. DstDst) are for ip and port respectively.
	DstDstMatch MatchType = 2
	// EitherMatch is used for podSelector under spec. It can be Src or Dst based on existence of ingress or egress rule.
	EitherMatch MatchType = 3
)

Possible MatchTypes.

type NPMNetworkPolicy

// NPMNetworkPolicy is the translated form of a network policy that the
// PolicyManager operates on: the IPSets generated from its pod selector,
// the IPSets referenced by its rules, and the ACLs derived from it.
type NPMNetworkPolicy struct {
	Name      string
	NameSpace string
	// TODO remove Name and Namespace field
	// PolicyKey is a unique combination of "namespace/name" of network policy
	PolicyKey string
	// PodSelectorIPSets holds all the IPSets generated from Pod Selector
	PodSelectorIPSets []*ipsets.TranslatedIPSet
	// PodSelectorList holds target pod information to avoid duplication in SrcList and DstList fields in ACLs
	PodSelectorList []SetInfo
	// RuleIPSets holds all IPSets generated from policy's rules
	// and not from pod selector IPSets
	RuleIPSets []*ipsets.TranslatedIPSet
	// ACLs holds the rules derived from this policy; each ACLPolicy maps to a
	// single iptables rule (Linux) or HNS rule (Windows).
	ACLs       []*ACLPolicy
	// PodEndpoints maps podIP (key) to endpoint ID (value).
	// Will be populated by dataplane and policy manager.
	PodEndpoints map[string]string
}

func NewNPMNetworkPolicy

func NewNPMNetworkPolicy(netPolName, netPolNamespace string) *NPMNetworkPolicy

func (*NPMNetworkPolicy) String added in v1.4.16

func (netPol *NPMNetworkPolicy) String() string

type PolicyManager

// PolicyManager owns the lifecycle of NPMNetworkPolicies; see Bootup,
// AddPolicy, RemovePolicy, GetPolicy, PolicyExists and Reconcile.
// The embedded *PolicyManagerCfg supplies PolicyMode (Windows only).
type PolicyManager struct {
	*PolicyManagerCfg
	// contains filtered or unexported fields
}

func NewPolicyManager

func NewPolicyManager(ioShim *common.IOShim, cfg *PolicyManagerCfg) *PolicyManager

func (*PolicyManager) AddPolicy added in v1.4.13

func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[string]string) error

func (*PolicyManager) Bootup

func (pMgr *PolicyManager) Bootup(epIDs []string) error

func (*PolicyManager) GetPolicy

func (pMgr *PolicyManager) GetPolicy(policyKey string) (*NPMNetworkPolicy, bool)

func (*PolicyManager) PolicyExists

func (pMgr *PolicyManager) PolicyExists(policyKey string) bool

func (*PolicyManager) Reconcile

func (pMgr *PolicyManager) Reconcile(stopChannel <-chan struct{})

func (*PolicyManager) RemovePolicy

func (pMgr *PolicyManager) RemovePolicy(policyKey string, endpointList map[string]string) error

type PolicyManagerCfg

// PolicyManagerCfg configures a PolicyManager; it is passed to NewPolicyManager.
type PolicyManagerCfg struct {
	// PolicyMode only affects Windows; see PolicyManagerMode for the values.
	PolicyMode PolicyManagerMode
}

type PolicyManagerMode

// PolicyManagerMode selects, on Windows, whether SetPolicies are used
// (IPSetPolicyMode) or IPSet names are replaced by their IPs (IPPolicyMode).
type PolicyManagerMode string

PolicyManagerMode will be used on Windows to decide whether SetPolicies should be used.

// Values for PolicyManagerCfg.PolicyMode (Windows only).
const (
	// IPSetPolicyMode references IPSets in policies
	IPSetPolicyMode PolicyManagerMode = "IPSet"
	// IPPolicyMode replaces ipset names with their value IPs in policies
	IPPolicyMode PolicyManagerMode = "IP"
)

type PolicyMap

// PolicyMap has only unexported fields; its contents are not documented on
// this page — NOTE(review): see the package source for its role.
type PolicyMap struct {
	// contains filtered or unexported fields
}

type Ports

// Ports represents a range of destination ports (see ACLPolicy.DstPorts).
// To specify one port, set Port and EndPort to the same value.
// NOTE(review): the package doc text says uint16 is used, but both fields are
// int32, so negative and >65535 values are representable; the documented valid
// range is 1..65535 with EndPort >= Port — confirm where that is enforced.
type Ports struct {
	Port    int32
	EndPort int32
}

type Protocol

// Protocol is the traffic protocol of an ACLPolicy: TCP, UDP, SCTP, or
// UnspecifiedProtocol. Values are case-sensitive (uppercase at present).
type Protocol string

Protocol can be TCP, UDP, SCTP, or unspecified, since these are the protocols currently supported in networkpolicy. Protocol values are case-sensitive (uppercase for now). TODO: Need to remove this dependency on case-sensitivity. NPM is not fully tested with SCTP.

// Supported Protocol values. These are case-sensitive and currently uppercase;
// compare exactly rather than case-insensitively.
const (

	// TCP Protocol
	TCP Protocol = "TCP"
	// UDP Protocol
	UDP Protocol = "UDP"
	// SCTP Protocol
	SCTP Protocol = "SCTP"
	// UnspecifiedProtocol leaves protocol unspecified. For a named port, this represents its protocol. Otherwise, this represents any protocol.
	UnspecifiedProtocol Protocol = "unspecified"
)

type SetInfo

// SetInfo captures the additional details of a match set: which IPSet,
// whether the match is positive or negated, and the match-direction flag.
type SetInfo struct {
	// IPSet identifies the IPSet being matched.
	IPSet     *ipsets.IPSetMetadata
	// Included is true for a positive match and false for a negated one
	// (the "!" prefix on a Linux match set).
	Included  bool
	// MatchType is the match-direction flag, e.g. "src" on a Linux match set.
	MatchType MatchType
}

SetInfo helps capture additional details in a matchSet. The Included flag captures a negative or positive match: Included is true when the match set does not have "!", and false when it does. MatchType captures the match direction flags. For example, a match set in Linux:

! azure-npm-123 src

"!" indicates a negative match (Included is false) of azure-npm-123; the MatchType is "src".

func NewSetInfo

func NewSetInfo(name string, setType ipsets.SetType, included bool, matchType MatchType) SetInfo

Ports represents a range of ports. To specify one port, set Port and EndPort to the same value. uint16 is used since there are 2^16 - 1 TCP/UDP ports (0 is invalid) and 2^16 SCTP ports. NewSetInfo creates SetInfo.

func (SetInfo) String added in v1.4.16

func (info SetInfo) String() string

type UniqueDirection

// UniqueDirection is a named bool; its meaning is not documented on this
// page — NOTE(review): check its uses in the package before relying on it.
type UniqueDirection bool

type Verdict

// Verdict is the target of an ACLPolicy (see ACLPolicy.Target).
type Verdict string
const (
	// Allowed is accept in linux
	Allowed Verdict = "ALLOW"
	// Dropped is denying a flow. Its string value is "DROP"; ACLPolicy.Target's
	// doc says Windows uses DENY — NOTE(review): confirm where that mapping happens.
	Dropped Verdict = "DROP"
)
