ipsets


Constants

// Possible values for SetType. Each value selects what a set groups
// (pod IPs, namespaces, named ports, CIDR blocks, ...) and, through
// IPSetMetadata.GetSetKind, whether it is a hash set or a list of sets.
const (
	// UnknownType is the zero value of SetType and denotes an unrecognized type.
	UnknownType SetType = 0
	// Namespace IPSet is created to hold
	// IPs of pods in a given Namespace.
	Namespace SetType = 1
	// KeyLabelOfNamespace IPSet is a list kind ipset
	// with members as ipsets of namespaces with this Label Key.
	KeyLabelOfNamespace SetType = 2
	// KeyValueLabelOfNamespace IPSet is a list kind ipset
	// with members as ipsets of namespaces with this Label.
	KeyValueLabelOfNamespace SetType = 3
	// KeyLabelOfPod IPSet contains IPs of Pods with this Label Key.
	KeyLabelOfPod SetType = 4
	// KeyValueLabelOfPod IPSet contains IPs of Pods with this Label.
	KeyValueLabelOfPod SetType = 5
	// NamedPorts IPSet contains a given named port.
	NamedPorts SetType = 6
	// NestedLabelOfPod is derived for multi-value matchExpressions.
	NestedLabelOfPod SetType = 7
	// CIDRBlocks holds CIDR blocks.
	CIDRBlocks SetType = 8
	// EmptyHashSet is a set meant to have no members.
	EmptyHashSet SetType = 9

	// Unknown is the string used for an unrecognized value
	// (presumably what SetType.String yields for unlisted values — confirm).
	Unknown string = "unknown"
)

Possible values for SetType.

Variables

// Exported test fixtures, one per SetType that has a dedicated test set.
// They live in the non-test package, so they are built by CreateTestSet
// at package init in every binary that imports ipsets, not only in tests.
var (
	TestNSSet           = CreateTestSet("test-ns-set", Namespace)
	TestKeyPodSet       = CreateTestSet("test-keyPod-set", KeyLabelOfPod)
	TestKVPodSet        = CreateTestSet("test-kvPod-set", KeyValueLabelOfPod)
	TestNamedportSet    = CreateTestSet("test-namedport-set", NamedPorts)
	TestCIDRSet         = CreateTestSet("test-cidr-set", CIDRBlocks)
	TestKeyNSList       = CreateTestSet("test-keyNS-list", KeyLabelOfNamespace)
	TestKVNSList        = CreateTestSet("test-kvNS-list", KeyValueLabelOfNamespace)
	TestNestedLabelList = CreateTestSet("test-nestedlabel-list", NestedLabelOfPod)
)
var (

	// ErrIPSetInvalidKind is returned when an IPSet's kind is invalid.
	// Compare with errors.Is rather than ==, since callers may wrap it.
	ErrIPSetInvalidKind = errors.New("invalid IPSet Kind")
)

Functions

func GetApplyIPSetsTestCalls

func GetApplyIPSetsTestCalls(toAddOrUpdateIPSets, toDeleteIPSets []*IPSetMetadata) []testutils.TestCmd

func GetResetTestCalls

func GetResetTestCalls() []testutils.TestCmd

Types

type IPSet

// IPSet is the cached representation of one ipset: its names, its
// properties, its members, and the network policies that reference it.
// NOTE(review): IPSetManager.GetIPSet returns *IPSet, so callers appear to
// receive the cached instance rather than a copy — confirm before mutating.
type IPSet struct {
	// Name is the prefixed name of the original set.
	Name string

	// HashedName is AzureNpmPrefix (azure-npm-) + hash of the prefixed name.
	HashedName string
	// SetProperties is embedded, so Type and Kind are promoted onto IPSet.
	SetProperties
	// IPPodKey is used for setMaps (HashSet kind) to store IPs and ports as keys
	// and the podKey as the value.
	IPPodKey map[string]string
	// MemberIPSets is used for listMaps (ListSet kind) to store child IPSets.
	MemberIPSets map[string]*IPSet
	// SelectorReference holds network policy names where this IPSet
	// is being used in a PodSelector or Namespace selector.
	// A map with struct{} values emulates a set with minimal memory consumption.
	SelectorReference map[string]struct{}
	// NetPolReference holds network policy names where this IPSet
	// is being referred to as part of rules.
	NetPolReference map[string]struct{}
	// contains filtered or unexported fields
}

func NewIPSet

func NewIPSet(setMetadata *IPSetMetadata) *IPSet

func (*IPSet) GetSetContents

func (set *IPSet) GetSetContents() ([]string, error)

GetSetContents returns members of set as string slice

func (*IPSet) GetSetMetadata

func (set *IPSet) GetSetMetadata() *IPSetMetadata

GetSetMetadata returns set metadata with unprefixed original name and SetType

func (*IPSet) PrettyString

func (set *IPSet) PrettyString() string

func (*IPSet) ShallowCompare

func (set *IPSet) ShallowCompare(newSet *IPSet) bool

ShallowCompare checks whether the properties of the two IPSets are the same.

type IPSetManager

// IPSetManager owns the ipset cache and applies it to the kernel.
// The embedded sync.RWMutex is exported through the manager, so Lock/RLock
// and friends are callable by other packages (Reconcile's doc mentions
// locking iMgr around policy CRUD). Because of the mutex, an IPSetManager
// must not be copied after first use; all methods use a *IPSetManager receiver.
type IPSetManager struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

func NewIPSetManager

func NewIPSetManager(iMgrCfg *IPSetManagerCfg, ioShim *common.IOShim) *IPSetManager

func (*IPSetManager) AddReference

func (iMgr *IPSetManager) AddReference(setMetadata *IPSetMetadata, referenceName string, referenceType ReferenceType) error

AddReference creates the set if necessary and adds the relevant reference. It returns an error if the set and reference type are an invalid combination.

func (*IPSetManager) AddToLists

func (iMgr *IPSetManager) AddToLists(listMetadatas, setMetadatas []*IPSetMetadata) error

func (*IPSetManager) AddToSets

func (iMgr *IPSetManager) AddToSets(addToSets []*IPSetMetadata, ip, podKey string) error

func (*IPSetManager) ApplyIPSets

func (iMgr *IPSetManager) ApplyIPSets() error

func (*IPSetManager) CreateIPSets

func (iMgr *IPSetManager) CreateIPSets(setMetadatas []*IPSetMetadata)

func (*IPSetManager) DeleteIPSet

func (iMgr *IPSetManager) DeleteIPSet(name string, deleteOption util.DeleteOption)

DeleteIPSet expects the prefixed ipset name

func (*IPSetManager) DeleteReference

func (iMgr *IPSetManager) DeleteReference(setName, referenceName string, referenceType ReferenceType) error

DeleteReference removes the relevant reference. It returns an error if the set doesn't exist (since a set should exist in the cache & kernel if it has a reference).

func (*IPSetManager) GetAllIPSets

func (iMgr *IPSetManager) GetAllIPSets() map[string]string

func (*IPSetManager) GetIPSet

func (iMgr *IPSetManager) GetIPSet(name string) *IPSet

GetIPSet needs the prefixed ipset name

func (*IPSetManager) Reconcile

func (iMgr *IPSetManager) Reconcile()

Reconcile removes empty/unreferenced sets from the cache. For ApplyAllIPSets mode, those sets are added to the toDeleteCache. We can't delete from the kernel immediately unless we lock iMgr during policy CRUD.

func (*IPSetManager) RemoveFromList

func (iMgr *IPSetManager) RemoveFromList(listMetadata *IPSetMetadata, setMetadatas []*IPSetMetadata) error

func (*IPSetManager) RemoveFromSets

func (iMgr *IPSetManager) RemoveFromSets(removeFromSets []*IPSetMetadata, ip, podKey string) error

func (*IPSetManager) ResetIPSets

func (iMgr *IPSetManager) ResetIPSets() error

type IPSetManagerCfg

// IPSetManagerCfg configures a new IPSetManager (see NewIPSetManager).
type IPSetManagerCfg struct {
	// IPSetMode selects ApplyAllIPSets or ApplyOnNeed (see IPSetMode).
	IPSetMode IPSetMode
	// NetworkName can be left empty or set to 'azure' (the only supported network).
	NetworkName string
	// AddEmptySetToLists determines whether all lists should have an empty set as a member.
	// This is necessary for HNS (Windows); otherwise, an allow ACL with a list condition
	// allows all IPs if the list has no members — i.e. the ACL fails open, so leaving
	// this false on Windows widens what the policy permits.
	AddEmptySetToLists bool
}

type IPSetMetadata

// IPSetMetadata is the skeleton description of an ipset that controllers
// hand to the dataplane: the unprefixed original name plus its SetType.
// The prefixed and hashed names are derived via GetPrefixName and GetHashedName.
type IPSetMetadata struct {
	// Name is the unprefixed original set name.
	Name string
	// Type is the SetType; GetSetKind derives the SetKind from it.
	Type SetType
}

func GetMembersOfTranslatedSets

func GetMembersOfTranslatedSets(members []string) []*IPSetMetadata

func NewIPSetMetadata

func NewIPSetMetadata(name string, setType SetType) *IPSetMetadata

NewIPSetMetadata is used by controllers to send skeleton ipsets to the DP.

func (*IPSetMetadata) GetHashedName

func (setMetadata *IPSetMetadata) GetHashedName() string

func (*IPSetMetadata) GetPrefixName

func (setMetadata *IPSetMetadata) GetPrefixName() string

TODO join with colon instead of dash for easier readability?

func (*IPSetMetadata) GetSetKind

func (setMetadata *IPSetMetadata) GetSetKind() SetKind

type IPSetMode

// IPSetMode selects how the manager applies ipsets to the kernel.
type IPSetMode string

// IPSet modes.
const (
	// ApplyAllIPSets: all ipsets are added to the kernel; ipsets are removed from
	// the kernel when they are deleted from the cache; empty ipsets are created;
	// and empty/unreferenced ipsets are added to the toDelete cache periodically.
	ApplyAllIPSets IPSetMode = "all"
	// ApplyOnNeed: ipsets are added to the kernel when they are referenced by
	// network policies or by lists in the kernel; they are removed from the kernel
	// when they no longer have a reference; and empty/unreferenced ipsets are
	// removed from the cache periodically.
	ApplyOnNeed    IPSetMode = "on-need"
)

IPSet Modes

- ApplyAllIPSets:

  • all ipsets are added to the kernel
  • ipsets are removed from the kernel when they are deleted from the cache
  • creates empty ipsets
  • adds empty/unreferenced ipsets to the toDelete cache periodically

- ApplyOnNeed:

  • ipsets are added to the kernel when they are referenced by network policies or lists in the kernel
  • ipsets are removed from the kernel when they no longer have a reference
  • removes empty/unreferenced ipsets from the cache periodically

type ReferenceType

// ReferenceType specifies the kind of reference for an IPSet
// (see SelectorType and NetPolType).
type ReferenceType string

ReferenceType specifies the kind of reference for an IPSet

// Possible ReferenceTypes.
const (
	// SelectorType marks a reference from a policy's PodSelector or Namespace selector.
	SelectorType ReferenceType = "Selector"
	// NetPolType marks a reference from a policy's rules.
	NetPolType   ReferenceType = "NetPol"
)

Possible ReferenceTypes

type SetKind

// SetKind is the kind of ipset in the dataplane: a hash set of IPs/ports
// or a list of other sets.
type SetKind string

// Possible values for SetKind.
const (
	// ListSet is of kind list with members as other IPSets.
	ListSet SetKind = "list"
	// HashSet is of kind hashset with members as IPs and/or ports.
	HashSet SetKind = "set"
	// UnknownKind is returned when the kind is unknown.
	UnknownKind SetKind = "unknown"
)

type SetProperties

// SetProperties groups the type and kind of an ipset; it is embedded in IPSet.
type SetProperties struct {
	// Type stores the kind of IP grouping (see SetType).
	Type SetType
	// Kind stores the kind of ipset in the dataplane (see SetKind).
	Kind SetKind
}

type SetType

// SetType identifies what an ipset groups; see the SetType constants
// (UnknownType through EmptyHashSet). It has a String method.
type SetType int8

func (SetType) String

func (x SetType) String() string

type TestSet

// TestSet bundles a test fixture's metadata with its derived prefixed and
// hashed names; see CreateTestSet and the Test* package variables.
type TestSet struct {
	// Metadata is the set's name and type.
	Metadata   *IPSetMetadata
	// PrefixName is the prefixed name (cf. IPSetMetadata.GetPrefixName).
	PrefixName string
	// HashedName is the hashed name (cf. IPSetMetadata.GetHashedName).
	HashedName string
}

TODO: deprecate the TestSet type and replace TestNSSet etc. with just their metadata, since the prefix name and hashed name can be obtained from the metadata methods.

func CreateTestSet

func CreateTestSet(name string, setType SetType) *TestSet

type TranslatedIPSet

// TranslatedIPSet is produced by the translation engine for the IPSets a
// network policy uses. Only CIDRBlocks and NestedLabelOfPod sets carry
// Members. Caveat: a list set with translated members that is referenced
// by several policies must use a distinct ipset name per policy; otherwise
// deleting one policy removes the translated members even though another
// policy still requires them (see dataplane.go).
type TranslatedIPSet struct {
	// Metadata is the set's name and type.
	Metadata *IPSetMetadata
	// Members holds member ipset names for NestedLabelOfPod and IP address ranges
	// for CIDRBlocks IPSets; it is nil for every other SetType.
	Members []string
}

TranslatedIPSet is created by the translation engine and provides the IPSets used in a network policy. Only 2 types of IPSets are generated with members: 1. CIDRBlocks IPSet; 2. NestedLabelOfPod IPSet from multi-value labels. The Members field holds member ipset names for NestedLabelOfPod and IP address ranges for CIDRBlocks IPSets. Caveat: if a list set with translated members is referenced in multiple policies, then it must have a different ipset name for each policy. Otherwise, deleting one policy will remove the translated members from the set even if another policy still requires those members. See dataplane.go for more details.

func NewTranslatedIPSet

func NewTranslatedIPSet(name string, setType SetType, members ...string) *TranslatedIPSet

NewTranslatedIPSet creates a TranslatedIPSet. Only nested labels from podSelector and IPBlock have members; all other set types get a nil Members slice.
