Documentation ¶
Index ¶
- Variables
- func GetAddPolicyFailureTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
- func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
- func GetBootupTestCalls() []testutils.TestCmd
- func GetRemovePolicyFailureTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
- func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
- func NormalizePolicy(networkPolicy *NPMNetworkPolicy)
- func ValidatePolicy(networkPolicy *NPMNetworkPolicy) error
- type ACLPolicy
- type Direction
- type MatchType
- type NPMNetworkPolicy
- type PolicyManager
- func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[string]string) error
- func (pMgr *PolicyManager) Bootup(epIDs []string) error
- func (pMgr *PolicyManager) GetAllPolicies() []string
- func (pMgr *PolicyManager) GetPolicy(policyKey string) (*NPMNetworkPolicy, bool)
- func (pMgr *PolicyManager) PolicyExists(policyKey string) bool
- func (pMgr *PolicyManager) Reconcile(stopChannel <-chan struct{})
- func (pMgr *PolicyManager) RemovePolicy(policyKey string, endpointList map[string]string) error
- type PolicyManagerCfg
- type PolicyManagerMode
- type PolicyMap
- type Ports
- type Protocol
- type SetInfo
- type UniqueDirection
- type Verdict
Constants ¶
This section is empty.
Variables ¶
var (
	// TestNetworkPolicies for testing
	TestNetworkPolicies = []*NPMNetworkPolicy{
		{
			Name:      "test1",
			NameSpace: "x",
			PolicyKey: "x/test1",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},
			ACLs: testACLs,
		},
		{
			Name:      "test2",
			NameSpace: "y",
			PolicyKey: "y/test2",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
				{Metadata: ipsets.TestKVPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
				{
					IPSet:     ipsets.TestKVPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},
			ACLs: []*ACLPolicy{
				testACLs[0],
			},
		},
		{
			Name:      "test3",
			NameSpace: "z",
			PolicyKey: "z/test3",
			ACLs: []*ACLPolicy{
				testACLs[3],
			},
		},
	}
)
TODO: deprecate this file. Updating this file impacts multiple tests.
Functions ¶
func GetAddPolicyFailureTestCalls ¶
func GetAddPolicyFailureTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
func GetAddPolicyTestCalls ¶
func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
func GetBootupTestCalls ¶
func GetBootupTestCalls() []testutils.TestCmd
func GetRemovePolicyFailureTestCalls ¶
func GetRemovePolicyFailureTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
GetRemovePolicyFailureTestCalls returns the expected command sequence for a RemovePolicy call whose restore step fails.
func GetRemovePolicyTestCalls ¶
func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
func NormalizePolicy ¶
func NormalizePolicy(networkPolicy *NPMNetworkPolicy)
NormalizePolicy fills in missing fields of each ACLPolicy in networkPolicy.
func ValidatePolicy ¶
func ValidatePolicy(networkPolicy *NPMNetworkPolicy) error
TODO do verification in controller?
Types ¶
type ACLPolicy ¶
type ACLPolicy struct {
	// PolicyID is the rule's name within a given network policy.
	// PolicyID will be the same for all ACLs in a network policy;
	// it will be "azure-acl-NetPolNS-netPolName"
	PolicyID string
	// Comment is the string attached to the rule to identify its representation
	Comment string
	// TODO(jungukcho): now I think we do not need to manage SrcList and DstList.
	// We may have just one PeerList to hold since it will depend on direction except for namedPort.
	// They are exclusive and each SetInfo even has its own direction.
	// PeerList []SetInfo
	// SrcList source IPSets condition setinfos
	SrcList []SetInfo
	// DstList destination IPSets condition setinfos
	DstList []SetInfo
	// Target defines a target in iptables for Linux, i.e. Mark, Accept, Drop;
	// in Windows, this is either ALLOW or DENY
	Target Verdict
	// Direction defines the flow of traffic
	Direction Direction
	// DstPorts always holds the destination port information.
	// The valid value for port must be between 1 and 65535, inclusive,
	// and the endPort must be equal to or greater than port.
	DstPorts Ports
	// Protocol is the value of traffic protocol
	Protocol Protocol
}
ACLPolicy is equivalent to a single iptables rule on Linux or a single HNS rule on Windows.
func NewACLPolicy ¶
TODO make this a method of NPMNetworkPolicy, and just use netPol.PolicyKey as the PolicyID
func (*ACLPolicy) AddSetInfo ¶
AddSetInfo adds setInfo to SrcList or DstList based on direction. The exception is a setInfo for a namedPort, which always goes to DstList, since a named port is always a destination. TODO(jungukcho): cannot come up with Both Direction.
func (*ACLPolicy) PrettyString ¶
type MatchType ¶
type MatchType int8
const (
	SrcMatch MatchType = 0
	DstMatch MatchType = 1
	// MatchTypes with 2 locations (e.g. DstDst) are for ip and port respectively.
	DstDstMatch MatchType = 2
	// This is used for podSelector under spec. It can be Src or Dst based on existence of ingress or egress rule.
	EitherMatch MatchType = 3
)
Possible MatchTypes.
type NPMNetworkPolicy ¶
type NPMNetworkPolicy struct {
	Name      string
	NameSpace string
	// TODO remove Name and Namespace field
	// PolicyKey is a unique combination of "namespace/name" of network policy
	PolicyKey string
	// PodSelectorIPSets holds all the IPSets generated from Pod Selector
	PodSelectorIPSets []*ipsets.TranslatedIPSet
	// TODO change to slice of pointers
	// PodSelectorList holds target pod information to avoid duplication in SrcList and DstList fields in ACLs
	PodSelectorList []SetInfo
	// RuleIPSets holds all IPSets generated from policy's rules
	// and not from pod selector IPSets
	RuleIPSets []*ipsets.TranslatedIPSet
	ACLs       []*ACLPolicy
	// podIP is key and endpoint ID as value
	// Will be populated by dataplane and policy manager
	PodEndpoints map[string]string
}
func NewNPMNetworkPolicy ¶
func NewNPMNetworkPolicy(netPolName, netPolNamespace string) *NPMNetworkPolicy
func (*NPMNetworkPolicy) PrettyString ¶
func (netPol *NPMNetworkPolicy) PrettyString() string
type PolicyManager ¶
type PolicyManager struct {
	*PolicyManagerCfg
	// contains filtered or unexported fields
}
func NewPolicyManager ¶
func NewPolicyManager(ioShim *common.IOShim, cfg *PolicyManagerCfg) *PolicyManager
func (*PolicyManager) AddPolicy ¶ added in v1.4.13
func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[string]string) error
func (*PolicyManager) Bootup ¶
func (pMgr *PolicyManager) Bootup(epIDs []string) error
func (*PolicyManager) GetAllPolicies ¶ added in v1.4.20
func (pMgr *PolicyManager) GetAllPolicies() []string
func (*PolicyManager) GetPolicy ¶
func (pMgr *PolicyManager) GetPolicy(policyKey string) (*NPMNetworkPolicy, bool)
func (*PolicyManager) PolicyExists ¶
func (pMgr *PolicyManager) PolicyExists(policyKey string) bool
func (*PolicyManager) Reconcile ¶
func (pMgr *PolicyManager) Reconcile(stopChannel <-chan struct{})
func (*PolicyManager) RemovePolicy ¶
func (pMgr *PolicyManager) RemovePolicy(policyKey string, endpointList map[string]string) error
type PolicyManagerCfg ¶
type PolicyManagerCfg struct {
	// PolicyMode only affects Windows
	PolicyMode PolicyManagerMode
	// PlaceAzureChainFirst only affects Linux
	PlaceAzureChainFirst bool
}
type PolicyManagerMode ¶
type PolicyManagerMode string
PolicyManagerMode is used on Windows to decide whether SetPolicies should be used.
const (
	// IPSetPolicyMode references IPSets in policies
	IPSetPolicyMode PolicyManagerMode = "IPSet"
	// IPPolicyMode replaces ipset names with their member IPs in policies
	IPPolicyMode PolicyManagerMode = "IP"
)
type Protocol ¶
type Protocol string
Protocol can be TCP, UDP, SCTP, or unspecified, since those are the protocols currently supported in NetworkPolicy. Protocol values are case-sensitive (uppercase for now). TODO: remove this dependency on case-sensitivity. NPM is not fully tested with SCTP.
const (
	// TCP Protocol
	TCP Protocol = "TCP"
	// UDP Protocol
	UDP Protocol = "UDP"
	// SCTP Protocol
	SCTP Protocol = "SCTP"
	// UnspecifiedProtocol leaves the protocol unspecified. For a named port, this represents its protocol.
	// Otherwise, this represents any protocol.
	UnspecifiedProtocol Protocol = "unspecified"
)
type SetInfo ¶
type SetInfo struct {
	IPSet     *ipsets.IPSetMetadata
	Included  bool
	MatchType MatchType
}
SetInfo captures additional details of a match set. The Included flag records whether the match is positive or negative: Included is true when the match set does not have "!", and false when it does. MatchType records the match direction flags. For example, for the Linux match set
! azure-npm-123 src
the "!" indicates a negative match (Included is false) on the set azure-npm-123, and the MatchType is "src".
func NewSetInfo ¶
NewSetInfo creates a SetInfo.
func (SetInfo) PrettyString ¶
type Ports ¶
Ports represents a range of ports. To specify one port, set Port and EndPort to the same value. uint16 is used since there are 2^16 - 1 TCP/UDP ports (0 is invalid) and 2^16 SCTP ports.
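The following Go program is an added example, not code from the Azure NPM policies package, showing how the ACLPolicy, SetInfo and Ports documented above map onto a single iptables rule: the SetInfo Included flag becomes the "!" of a negative match and MatchType becomes the src/dst flag (EitherMatch resolved by the rule's Direction), DstPorts is checked against the documented 1..65535 and endPort >= port constraints, and an unspecified protocol together with a port range is rejected so the rule cannot silently widen to every port. The types matchType, direction, ports, setInfo and aclPolicy are local stand-ins for the package's types; ipset names are plain strings rather than *ipsets.IPSetMetadata; the zero-value Ports meaning "any port", the ACCEPT/DROP rendering of Verdict and the fail-closed rule for ports without a protocol are assumptions of this example; the ACL in main is constructed for the demonstration.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical stand-ins for the package's MatchType, Direction, Ports, SetInfo and ACLPolicy (added example, not the project's code).
type matchType int8

// DstDst is for hash:ip,port sets (IP and port); Either is the pod selector, resolved by the rule's direction.
const srcMatch, dstMatch, dstDstMatch, eitherMatch matchType = 0, 1, 2, 3

type direction string
const ingress, egress direction = "IN", "OUT"
type ports struct{ Port, EndPort uint16 }

type setInfo struct {
	Name      string // hashed ipset name, e.g. "azure-npm-123"
	Included  bool   // false renders as "!" (negative match)
	MatchType matchType
}

type aclPolicy struct {
	SrcList, DstList []setInfo
	Direction        direction
	DstPorts         ports
	Target, Protocol string // "ACCEPT"/"DROP" (assumed) and "TCP"/"UDP"/"SCTP"/"unspecified"
}

// validatePorts enforces the documented constraints (Port in 1..65535, EndPort >= Port); the zero value means "any port" (assumption).
func validatePorts(p ports) error {
	switch {
	case p.Port == 0 && p.EndPort == 0:
		return nil
	case p.Port == 0:
		return fmt.Errorf("port must be between 1 and 65535")
	case p.EndPort < p.Port:
		return fmt.Errorf("endPort %d must be >= port %d", p.EndPort, p.Port)
	}
	return nil
}

// matchFlags renders one SetInfo as iptables "-m set" arguments: "!" comes from Included == false, the flag from MatchType.
func matchFlags(s setInfo, dir direction) (string, error) {
	flags := map[matchType]string{srcMatch: "src", dstMatch: "dst", dstDstMatch: "dst,dst"}
	flags[eitherMatch] = "src" // the pod selector is the source of egress traffic
	if dir == ingress {
		flags[eitherMatch] = "dst" // and the destination of ingress traffic
	}
	flag, ok := flags[s.MatchType]
	if !ok {
		return "", fmt.Errorf("unknown MatchType %d", s.MatchType)
	}
	neg := ""
	if !s.Included {
		neg = "! "
	}
	return fmt.Sprintf("-m set %s--match-set %s %s", neg, s.Name, flag), nil
}

// renderRule turns one ACL into the argument string of a single iptables rule.
func renderRule(acl aclPolicy) (string, error) {
	if err := validatePorts(acl.DstPorts); err != nil {
		return "", err
	}
	var parts []string
	for _, s := range append(append([]setInfo{}, acl.SrcList...), acl.DstList...) {
		f, err := matchFlags(s, acl.Direction)
		if err != nil {
			return "", err
		}
		parts = append(parts, f)
	}
	if acl.Protocol != "unspecified" {
		parts = append(parts, "-p "+strings.ToLower(acl.Protocol))
	}
	if p := acl.DstPorts; p.Port != 0 {
		if acl.Protocol == "unspecified" {
			// Fail closed: --dport needs -p, and dropping the ports would widen the rule to every port (assumption).
			return "", fmt.Errorf("DstPorts %d:%d requires a protocol", p.Port, p.EndPort)
		}
		parts = append(parts, fmt.Sprintf("--dport %d:%d", p.Port, p.EndPort))
	}
	return strings.Join(append(parts, "-j "+acl.Target), " "), nil
}

func main() {
	// Constructed ACL: allow TCP/8080 into pod-selector set azure-npm-456 from any source NOT in azure-npm-123.
	rule, err := renderRule(aclPolicy{
		SrcList:   []setInfo{{Name: "azure-npm-123", Included: false, MatchType: srcMatch}},
		DstList:   []setInfo{{Name: "azure-npm-456", Included: true, MatchType: eitherMatch}},
		Direction: ingress,
		DstPorts:  ports{Port: 8080, EndPort: 8080},
		Target:    "ACCEPT",
		Protocol:  "TCP",
	})
	fmt.Println(rule, err)
}
```

Run with go run; main prints "-m set ! --match-set azure-npm-123 src -m set --match-set azure-npm-456 dst -p tcp --dport 8080:8080 -j ACCEPT", where the first match set is the page's "! azure-npm-123 src" and the pod selector lands on the dst side because the ACL is an ingress rule. Swapping Direction to egress moves an EitherMatch set to src; setting Protocol to "unspecified" while DstPorts is populated returns an error instead of a rule that would match every port.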
type UniqueDirection ¶
type UniqueDirection bool