Documentation ¶
Index ¶
- Constants
- Variables
- func GetApplyIPSetsTestCalls(toAddOrUpdateIPSets, toDeleteIPSets []*IPSetMetadata) []testutils.TestCmd
- func GetResetTestCalls() []testutils.TestCmd
- type IPSet
- type IPSetManager
- func (iMgr *IPSetManager) AddReference(setMetadata *IPSetMetadata, referenceName string, referenceType ReferenceType) error
- func (iMgr *IPSetManager) AddToLists(listMetadatas, setMetadatas []*IPSetMetadata) error
- func (iMgr *IPSetManager) AddToSets(addToSets []*IPSetMetadata, ip, podKey string) error
- func (iMgr *IPSetManager) ApplyIPSets() error
- func (iMgr *IPSetManager) CreateIPSets(setMetadatas []*IPSetMetadata)
- func (iMgr *IPSetManager) DeleteIPSet(name string, deleteOption util.DeleteOption)
- func (iMgr *IPSetManager) DeleteReference(setName, referenceName string, referenceType ReferenceType) error
- func (iMgr *IPSetManager) GetAllIPSets() map[string]string
- func (iMgr *IPSetManager) GetIPSet(name string) *IPSet
- func (iMgr *IPSetManager) Reconcile()
- func (iMgr *IPSetManager) RemoveFromList(listMetadata *IPSetMetadata, setMetadatas []*IPSetMetadata) error
- func (iMgr *IPSetManager) RemoveFromSets(removeFromSets []*IPSetMetadata, ip, podKey string) error
- func (iMgr *IPSetManager) ResetIPSets() error
- type IPSetManagerCfg
- type IPSetMetadata
- type IPSetMode
- type ReferenceType
- type SetKind
- type SetProperties
- type SetType
- type TestSet
- type TranslatedIPSet
Constants ¶
const (
	// Unknown SetType
	UnknownType SetType = 0
	// Namespace IPSet is created to hold
	// ips of pods in a given Namespace
	Namespace SetType = 1
	// KeyLabelOfNamespace IPSet is a list kind ipset
	// with members as ipsets of namespace with this Label Key
	KeyLabelOfNamespace SetType = 2
	// KeyValueLabelOfNamespace IPSet is a list kind ipset
	// with members as ipsets of namespace with this Label
	KeyValueLabelOfNamespace SetType = 3
	// KeyLabelOfPod IPSet contains IPs of Pods with this Label Key
	KeyLabelOfPod SetType = 4
	// KeyValueLabelOfPod IPSet contains IPs of Pods with this Label
	KeyValueLabelOfPod SetType = 5
	// NamedPorts IPSets contains a given namedport
	NamedPorts SetType = 6
	// NestedLabelOfPod is derived for multivalue matchexpressions
	NestedLabelOfPod SetType = 7
	// CIDRBlocks holds CIDR blocks
	CIDRBlocks SetType = 8
	// EmptyHashSet is a set meant to have no members
	EmptyHashSet SetType = 9
	// Unknown const for unknown string
	Unknown string = "unknown"
)
Possible values for SetType
Variables ¶
var (
	TestNSSet           = CreateTestSet("test-ns-set", Namespace)
	TestKeyPodSet       = CreateTestSet("test-keyPod-set", KeyLabelOfPod)
	TestKVPodSet        = CreateTestSet("test-kvPod-set", KeyValueLabelOfPod)
	TestNamedportSet    = CreateTestSet("test-namedport-set", NamedPorts)
	TestCIDRSet         = CreateTestSet("test-cidr-set", CIDRBlocks)
	TestKeyNSList       = CreateTestSet("test-keyNS-list", KeyLabelOfNamespace)
	TestKVNSList        = CreateTestSet("test-kvNS-list", KeyValueLabelOfNamespace)
	TestNestedLabelList = CreateTestSet("test-nestedlabel-list", NestedLabelOfPod)
)
var (
	// ErrIPSetInvalidKind is returned when IPSet kind is invalid
	ErrIPSetInvalidKind = errors.New("invalid IPSet Kind")
)
Functions ¶
func GetApplyIPSetsTestCalls ¶
func GetApplyIPSetsTestCalls(toAddOrUpdateIPSets, toDeleteIPSets []*IPSetMetadata) []testutils.TestCmd
func GetResetTestCalls ¶
func GetResetTestCalls() []testutils.TestCmd
Types ¶
type IPSet ¶
type IPSet struct {
	// Name is prefixed name of original set
	Name string
	// HashedName is AzureNpmPrefix (azure-npm-) + hash of prefixed name
	HashedName string
	// SetProperties embedding set properties
	SetProperties
	// IpPodKey is used for setMaps to store Ips and ports as keys
	// and podKey as value
	IPPodKey map[string]string
	// This is used for listMaps to store child IP Sets
	MemberIPSets map[string]*IPSet
	// Using a map to emulate set and value as struct{} for
	// minimal memory consumption
	// SelectorReference holds networkpolicy names where this IPSet
	// is being used in PodSelector and Namespace
	SelectorReference map[string]struct{}
	// NetPolReference holds networkpolicy names where this IPSet
	// is being referred as part of rules
	NetPolReference map[string]struct{}
	// contains filtered or unexported fields
}
func NewIPSet ¶
func NewIPSet(setMetadata *IPSetMetadata) *IPSet
func (*IPSet) GetSetContents ¶
GetSetContents returns the members of the set as a string slice
func (*IPSet) GetSetMetadata ¶
func (set *IPSet) GetSetMetadata() *IPSetMetadata
GetSetMetadata returns the set metadata with the unprefixed original name and SetType
func (*IPSet) PrettyString ¶
func (*IPSet) ShallowCompare ¶
ShallowCompare checks whether the properties of the IPSets are the same
type IPSetManager ¶
func NewIPSetManager ¶
func NewIPSetManager(iMgrCfg *IPSetManagerCfg, ioShim *common.IOShim) *IPSetManager
func (*IPSetManager) AddReference ¶
func (iMgr *IPSetManager) AddReference(setMetadata *IPSetMetadata, referenceName string, referenceType ReferenceType) error
AddReference creates the set if necessary and adds the relevant reference. It returns an error if the set and reference type are an invalid combination.
func (*IPSetManager) AddToLists ¶
func (iMgr *IPSetManager) AddToLists(listMetadatas, setMetadatas []*IPSetMetadata) error
func (*IPSetManager) AddToSets ¶
func (iMgr *IPSetManager) AddToSets(addToSets []*IPSetMetadata, ip, podKey string) error
func (*IPSetManager) ApplyIPSets ¶
func (iMgr *IPSetManager) ApplyIPSets() error
func (*IPSetManager) CreateIPSets ¶
func (iMgr *IPSetManager) CreateIPSets(setMetadatas []*IPSetMetadata)
func (*IPSetManager) DeleteIPSet ¶
func (iMgr *IPSetManager) DeleteIPSet(name string, deleteOption util.DeleteOption)
DeleteIPSet expects the prefixed ipset name
func (*IPSetManager) DeleteReference ¶
func (iMgr *IPSetManager) DeleteReference(setName, referenceName string, referenceType ReferenceType) error
DeleteReference removes the relevant reference. It returns an error if the set doesn't exist (since a set should exist in the cache & kernel if it has a reference).
func (*IPSetManager) GetAllIPSets ¶
func (iMgr *IPSetManager) GetAllIPSets() map[string]string
func (*IPSetManager) GetIPSet ¶
func (iMgr *IPSetManager) GetIPSet(name string) *IPSet
GetIPSet needs the prefixed ipset name
func (*IPSetManager) Reconcile ¶
func (iMgr *IPSetManager) Reconcile()
Reconcile removes empty/unreferenced sets from the cache. For ApplyAllIPSets mode, those sets are added to the toDeleteCache. We can't delete from kernel immediately unless we lock iMgr during policy CRUD.
func (*IPSetManager) RemoveFromList ¶
func (iMgr *IPSetManager) RemoveFromList(listMetadata *IPSetMetadata, setMetadatas []*IPSetMetadata) error
func (*IPSetManager) RemoveFromSets ¶
func (iMgr *IPSetManager) RemoveFromSets(removeFromSets []*IPSetMetadata, ip, podKey string) error
func (*IPSetManager) ResetIPSets ¶
func (iMgr *IPSetManager) ResetIPSets() error
type IPSetManagerCfg ¶
type IPSetManagerCfg struct {
	IPSetMode IPSetMode
	// NetworkName can be left empty or set to 'azure' (the only supported network)
	NetworkName string
	// AddEmptySetToLists determines whether all lists should have an empty set as a member.
	// This is necessary for HNS (Windows); otherwise, an allow ACL with a list condition
	// allows all IPs if the list has no members.
	AddEmptySetToLists bool
}
type IPSetMetadata ¶
func GetMembersOfTranslatedSets ¶
func GetMembersOfTranslatedSets(members []string) []*IPSetMetadata
func NewIPSetMetadata ¶
func NewIPSetMetadata(name string, setType SetType) *IPSetMetadata
NewIPSetMetadata is used for controllers to send in skeleton ipsets to DP
func (*IPSetMetadata) GetHashedName ¶
func (setMetadata *IPSetMetadata) GetHashedName() string
func (*IPSetMetadata) GetPrefixName ¶
func (setMetadata *IPSetMetadata) GetPrefixName() string
TODO join with colon instead of dash for easier readability?
func (*IPSetMetadata) GetSetKind ¶
func (setMetadata *IPSetMetadata) GetSetKind() SetKind
type IPSetMode ¶
type IPSetMode string
IPSet Modes
- ApplyAllIPSets:
  - all ipsets are added to the kernel
  - ipsets are removed from the kernel when they are deleted from the cache
  - creates empty ipsets
  - adds empty/unreferenced ipsets to the toDelete cache periodically
- ApplyOnNeed:
  - ipsets are added to the kernel when they are referenced by network policies or lists in the kernel
  - ipsets are removed from the kernel when they no longer have a reference
  - removes empty/unreferenced ipsets from the cache periodically
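To make the two modes concrete, here is an added, stand-alone Go model of the lifecycle described above. It is illustrative code written for this page, not the azure-npm ipsets package: Manager, modelSet, CreateSet, AddMember, InKernel, InCache and PendingDelete are invented names, "reference" covers only network-policy references (not membership in a kernel list), and a set is treated as garbage only when it is both empty and unreferenced, which is one reading of "empty/unreferenced" above. It shows that ApplyAllIPSets programs even an empty set immediately and only queues garbage for the next ApplyIPSets, while ApplyOnNeed programs a set at its first reference and drops it from the kernel at its last.

```go
package main

import "fmt"

// Mode mirrors the two documented IPSetMode values (a stand-alone model, not azure-npm code).
type Mode string

const (
	ApplyAllIPSets Mode = "ApplyAllIPSets"
	ApplyOnNeed    Mode = "ApplyOnNeed"
)

// modelSet holds members plus the policies referencing the set (Selector/NetPol refs collapsed).
type modelSet struct {
	members map[string]struct{}
	refs    map[string]struct{}
}

// Manager models the cache, the sets programmed in the kernel, and the toDelete cache.
type Manager struct {
	mode     Mode
	cache    map[string]*modelSet
	kernel   map[string]struct{}
	toDelete map[string]struct{}
}

func NewManager(mode Mode) *Manager {
	return &Manager{mode, map[string]*modelSet{}, map[string]struct{}{}, map[string]struct{}{}}
}

// CreateSet caches a set; ApplyAllIPSets programs it in the kernel at once, even while empty.
func (m *Manager) CreateSet(name string) {
	if _, ok := m.cache[name]; ok {
		return
	}
	m.cache[name] = &modelSet{members: map[string]struct{}{}, refs: map[string]struct{}{}}
	delete(m.toDelete, name) // a recreated set must survive a pending ApplyIPSets
	if m.mode == ApplyAllIPSets {
		m.kernel[name] = struct{}{}
	}
}

func (m *Manager) AddMember(name, ip string) {
	m.CreateSet(name)
	m.cache[name].members[ip] = struct{}{}
}

// AddReference records a policy reference; in ApplyOnNeed mode this is the moment the set reaches the kernel.
func (m *Manager) AddReference(name, policy string) {
	m.CreateSet(name)
	m.cache[name].refs[policy] = struct{}{}
	if m.mode == ApplyOnNeed {
		m.kernel[name] = struct{}{}
	}
}

// DeleteReference errors on an unknown set; in ApplyOnNeed mode removing the last reference drops the set from the kernel.
func (m *Manager) DeleteReference(name, policy string) error {
	s, ok := m.cache[name]
	if !ok {
		return fmt.Errorf("set %q does not exist in cache", name)
	}
	delete(s.refs, policy)
	if m.mode == ApplyOnNeed && len(s.refs) == 0 {
		delete(m.kernel, name)
	}
	return nil
}

// Reconcile is the periodic pass: empty, unreferenced sets leave the cache. ApplyAllIPSets
// leaves the kernel alone here (that needs a lock around policy CRUD) and queues them for ApplyIPSets.
func (m *Manager) Reconcile() {
	for name, s := range m.cache {
		if len(s.members) == 0 && len(s.refs) == 0 {
			delete(m.cache, name)
			if m.mode == ApplyAllIPSets {
				m.toDelete[name] = struct{}{}
			}
		}
	}
}

// ApplyIPSets flushes the toDelete cache to the kernel.
func (m *Manager) ApplyIPSets() {
	for name := range m.toDelete {
		delete(m.kernel, name)
	}
	m.toDelete = map[string]struct{}{}
}

func (m *Manager) InKernel(name string) bool      { _, ok := m.kernel[name]; return ok }
func (m *Manager) InCache(name string) bool       { _, ok := m.cache[name]; return ok }
func (m *Manager) PendingDelete(name string) bool { _, ok := m.toDelete[name]; return ok }

func main() {
	m := NewManager(ApplyOnNeed)
	m.AddReference("ns-default", "policy-a") // constructed sample set and policy names
	fmt.Println("ns-default in kernel:", m.InKernel("ns-default"))
}
```

The distinction matters when auditing the node: in ApplyAllIPSets mode an unreferenced set can legitimately linger in the kernel between Reconcile and the next ApplyIPSets, so a check that diffs the kernel's ipsets against the cache should account for queued deletions before treating the extra set as drift.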
type ReferenceType ¶
type ReferenceType string
ReferenceType specifies the kind of reference for an IPSet
const (
	SelectorType ReferenceType = "Selector"
	NetPolType   ReferenceType = "NetPol"
)
Possible ReferenceTypes
type SetProperties ¶
type TestSet ¶
type TestSet struct {
	Metadata   *IPSetMetadata
	PrefixName string
	HashedName string
}
TODO deprecate the TestSet type and replace TestNSSet etc. with just their metadata since you can get prefix name and hashed name with metadata methods
func CreateTestSet ¶
type TranslatedIPSet ¶
type TranslatedIPSet struct {
	Metadata *IPSetMetadata
	// Members holds member ipset names for NestedLabelOfPod and ip address ranges
	// for CIDRBlocks IPSet
	Members []string
}
TranslatedIPSet is created by the translation engine and provides IPSets used in network policy. Only 2 types of IPSets are generated with members:
1. CIDRBlocks IPSet
2. NestedLabelOfPod IPSet from multi value labels
The Members field holds member ipset names for NestedLabelOfPod and ip address ranges for CIDRBlocks IPSet.
Caveat: if a list set with translated members is referenced in multiple policies, then it must have a different ipset name for each policy. Otherwise, deleting the policy will result in removing the translated members from the set even if another policy requires those members. See dataplane.go for more details.
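The caveat above is easy to reproduce in a small model. The following added Go program is written for this page and is not the project's dataplane code: Dataplane, AddPolicy, DeletePolicy, Members and PerPolicySetName are hypothetical names, and the member names are constructed. It installs two policies that share one translated list set, deletes the first, and shows that the second policy's set is now empty; naming the set per policy keeps the second policy's members intact. Deleting a policy removes its translated members unconditionally, exactly as the caveat describes.

```go
package main

import (
	"fmt"
	"sort"
)

// translatedSet models a list-kind IPSet whose members come from policy translation
// (e.g. the member set names of a NestedLabelOfPod set); refs are the policies using it.
type translatedSet struct {
	members map[string]struct{}
	refs    map[string]struct{}
}

// Dataplane is a toy cache of translated sets keyed by ipset name (not the real dataplane).
type Dataplane struct {
	sets map[string]*translatedSet
}

func NewDataplane() *Dataplane { return &Dataplane{sets: map[string]*translatedSet{}} }

// AddPolicy installs a policy that references setName with the given translated members.
func (d *Dataplane) AddPolicy(policy, setName string, members []string) {
	s, ok := d.sets[setName]
	if !ok {
		s = &translatedSet{members: map[string]struct{}{}, refs: map[string]struct{}{}}
		d.sets[setName] = s
	}
	s.refs[policy] = struct{}{}
	for _, m := range members {
		s.members[m] = struct{}{}
	}
}

// DeletePolicy drops the policy's reference and, as the caveat describes, its translated
// members from the set even if another policy still references the set. A set with no
// references left is removed entirely.
func (d *Dataplane) DeletePolicy(policy, setName string, members []string) {
	s, ok := d.sets[setName]
	if !ok {
		return
	}
	delete(s.refs, policy)
	for _, m := range members {
		delete(s.members, m)
	}
	if len(s.refs) == 0 {
		delete(d.sets, setName)
	}
}

// Members returns a set's members in sorted order, or nil if the set no longer exists.
func (d *Dataplane) Members(setName string) []string {
	s, ok := d.sets[setName]
	if !ok {
		return nil
	}
	out := make([]string, 0, len(s.members))
	for m := range s.members {
		out = append(out, m)
	}
	sort.Strings(out)
	return out
}

// PerPolicySetName is a hypothetical scheme that gives each policy its own translated set.
func PerPolicySetName(base, policy string) string {
	return base + "-" + policy
}

// sampleMembers are constructed member set names shared by both scenarios below.
var sampleMembers = []string{"podlabel-app:web", "podlabel-app:api"}

// SharedNameOutcome: two policies share one translated set; policy-1 is deleted.
// It returns what policy-2's set contains afterwards.
func SharedNameOutcome() []string {
	d := NewDataplane()
	d.AddPolicy("policy-1", "nested-app", sampleMembers)
	d.AddPolicy("policy-2", "nested-app", sampleMembers)
	d.DeletePolicy("policy-1", "nested-app", sampleMembers)
	return d.Members("nested-app") // still referenced by policy-2, but emptied
}

// PerPolicyOutcome runs the same scenario with a distinct set name per policy.
func PerPolicyOutcome() []string {
	d := NewDataplane()
	d.AddPolicy("policy-1", PerPolicySetName("nested-app", "policy-1"), sampleMembers)
	d.AddPolicy("policy-2", PerPolicySetName("nested-app", "policy-2"), sampleMembers)
	d.DeletePolicy("policy-1", PerPolicySetName("nested-app", "policy-1"), sampleMembers)
	return d.Members(PerPolicySetName("nested-app", "policy-2"))
}

func main() {
	fmt.Println("shared set name, policy-2 sees:", SharedNameOutcome())
	fmt.Println("per-policy set names, policy-2 sees:", PerPolicyOutcome())
}
```

The emptied set is a silent policy change rather than an error: on Linux the surviving policy's rule simply stops matching the members it was meant to cover, and per the IPSetManagerCfg comment above, on Windows (HNS) an allow ACL whose list has no members allows all IPs, so the same mistake can widen what the surviving policy permits.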
func NewTranslatedIPSet ¶
func NewTranslatedIPSet(name string, setType SetType, members ...string) *TranslatedIPSet
NewTranslatedIPSet creates a TranslatedIPSet. Only nested labels from podSelector and IPBlock have members; the others have a nil slice.