Documentation ¶
Index ¶
- Variables
- func GetAddPolicyFailureTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
- func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
- func GetBootupTestCalls(addDetectCalls bool) []testutils.TestCmd
- func GetRemovePolicyFailureTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
- func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
- func NormalizePolicy(networkPolicy *NPMNetworkPolicy)
- func ValidatePolicy(networkPolicy *NPMNetworkPolicy) error
- type ACLPolicy
- type Direction
- type MatchType
- type NPMNetworkPolicy
- type PolicyManager
- func (pMgr *PolicyManager) AddPolicies(policies []*NPMNetworkPolicy, endpointList map[string]string) error
- func (pMgr *PolicyManager) Bootup(epIDs []string) error
- func (pMgr *PolicyManager) GetPolicy(policyKey string) (*NPMNetworkPolicy, bool)
- func (pMgr *PolicyManager) PolicyExists(policyKey string) bool
- func (pMgr *PolicyManager) Reconcile()
- func (pMgr *PolicyManager) RemovePolicy(policyKey string) error
- func (pMgr *PolicyManager) RemovePolicyForEndpoints(policyKey string, endpointList map[string]string) error
- func (pMgr *PolicyManager) ResetEndpoint(epID string) error
- type PolicyManagerCfg
- type PolicyManagerMode
- type PolicyMap
- type Ports
- type Protocol
- type SetInfo
- type UniqueDirection
- type Verdict
Variables ¶
var (
	// TestNetworkPolicies for testing.
	// Three fixtures: "x/test1" (pod selector + two rule ipsets, all testACLs),
	// "y/test2" (two pod-selector ipsets, one rule ipset, testACLs[0]) and
	// "z/test3" (no pod selector, one rule ipset, testACLs[3]).
	TestNetworkPolicies = []*NPMNetworkPolicy{
		{
			Namespace:   "x",
			PolicyKey:   "x/test1",
			ACLPolicyID: "azure-acl-x-test1",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},
			RuleIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestCIDRSet.Metadata, Members: nil},
				{Metadata: ipsets.TestKeyPodSet.Metadata, Members: nil},
			},
			ACLs: testACLs,
		},
		{
			Namespace:   "y",
			PolicyKey:   "y/test2",
			ACLPolicyID: "azure-acl-y-test2",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
				{Metadata: ipsets.TestKVPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
				{
					IPSet:     ipsets.TestKVPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},
			RuleIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestCIDRSet.Metadata, Members: nil},
			},
			ACLs: []*ACLPolicy{
				testACLs[0],
			},
		},
		{
			Namespace:   "z",
			PolicyKey:   "z/test3",
			ACLPolicyID: "azure-acl-z-test3",
			RuleIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestCIDRSet.Metadata, Members: nil},
			},
			ACLs: []*ACLPolicy{
				testACLs[3],
			},
		},
	}
)
TODO: deprecate this file. Updating this file impacts multiple tests.
Functions ¶
func GetAddPolicyFailureTestCalls ¶
func GetAddPolicyFailureTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
func GetAddPolicyTestCalls ¶
func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd
func GetBootupTestCalls ¶
func GetRemovePolicyFailureTestCalls ¶
func GetRemovePolicyFailureTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
GetRemovePolicyFailureTestCalls returns the test calls for a policy removal whose restore step fails.
func GetRemovePolicyTestCalls ¶
func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd
func NormalizePolicy ¶
func NormalizePolicy(networkPolicy *NPMNetworkPolicy)
NormalizePolicy fills in missing fields in the policy's ACL policies.
func ValidatePolicy ¶
func ValidatePolicy(networkPolicy *NPMNetworkPolicy) error
Types ¶
type ACLPolicy ¶
// ACLPolicy is equivalent to a single iptables rule in Linux or a single HNS rule in Windows.
type ACLPolicy struct {
	// Comment is the string attached to the rule to identify its representation.
	Comment string
	// TODO(jungukcho): now I think we do not need to manage SrcList and DstList.
	// We may have just one PeerList to hold since it will depend on direction except for namedPort.
	// They are exclusive and each SetInfo even has its own direction.
	// PeerList []SetInfo
	// SrcList holds the source IPSet condition SetInfos.
	SrcList []SetInfo
	// DstList holds the destination IPSet condition SetInfos.
	DstList []SetInfo
	// Target defines the target in iptables for Linux, i.e., Mark, Accept, Drop.
	// In Windows, this is either ALLOW or DENY.
	Target Verdict
	// Direction defines the flow of traffic.
	Direction Direction
	// DstPorts always holds the destination port information.
	// The valid value for port must be between 1 and 65535, inclusive,
	// and the endPort must be equal to or greater than port.
	// NOTE(review): this range is documented here but not enforced by the type;
	// confirm that ValidatePolicy rejects out-of-range and inverted ranges.
	DstPorts Ports
	// Protocol is the value of the traffic protocol.
	Protocol Protocol
}
ACLPolicy is equivalent to a single iptables rule in Linux or a single HNS rule in Windows.
func NewACLPolicy ¶
func (*ACLPolicy) AddSetInfo ¶
AddSetInfo adds a setInfo to SrcList or DstList based on direction, except for a namedPort setInfo, which is always treated as destination. TODO(jungukcho): cannot come up with a Both direction.
func (*ACLPolicy) PrettyString ¶
type MatchType ¶
// MatchType captures the match direction flags of a SetInfo (e.g. src or dst in a Linux match set).
// See the MatchType constants for the possible values.
type MatchType int8
// Possible MatchTypes.
const (
	// SrcMatch corresponds to the src match direction.
	SrcMatch MatchType = 0
	// DstMatch corresponds to the dst match direction.
	DstMatch MatchType = 1
	// MatchTypes with 2 locations (e.g. DstDst) are for ip and port respectively.
	DstDstMatch MatchType = 2
	// EitherMatch is used for podSelector under spec. It can be Src or Dst based on the existence of an ingress or egress rule.
	EitherMatch MatchType = 3
)
Possible MatchTypes.
type NPMNetworkPolicy ¶
// NPMNetworkPolicy is NPM's translated representation of a network policy:
// the ipsets it references, its ACLs and the pod endpoints it applies to.
type NPMNetworkPolicy struct {
	// Namespace is only used by Linux to construct an iptables comment.
	Namespace string
	// PolicyKey is a unique combination of "namespace/name" of the network policy.
	PolicyKey string
	// ACLPolicyID is only used in Windows. See aclPolicyID() in policy_windows.go for more info.
	ACLPolicyID string
	// TODO get rid of PodSelectorIPSets in favor of PodSelectorList (exact same except need to add members field to SetInfo)
	// PodSelectorIPSets holds the IPSets for the Pod Selector.
	PodSelectorIPSets []*ipsets.TranslatedIPSet
	// ChildPodSelectorIPSets holds the IPSets that are members of any ipset in PodSelectorIPSets.
	ChildPodSelectorIPSets []*ipsets.TranslatedIPSet
	// TODO change to slice of pointers
	// PodSelectorList holds the ipsets from PodSelectorIPSets and info about them to avoid duplication in the SrcList and DstList fields in ACLs.
	PodSelectorList []SetInfo
	// RuleIPSets holds all IPSets generated from the policy's rules
	// and not from pod selector IPSets, including children of a NestedLabelOfPod ipset.
	RuleIPSets []*ipsets.TranslatedIPSet
	// ACLs are the rules derived from this policy; see ACLPolicy.
	ACLs []*ACLPolicy
	// PodEndpoints maps pod IP (key) to endpoint ID (value).
	// Will be populated by the dataplane and the policy manager.
	PodEndpoints map[string]string
}
func NewNPMNetworkPolicy ¶
func NewNPMNetworkPolicy(netPolName, netPolNamespace string) *NPMNetworkPolicy
func (*NPMNetworkPolicy) AllPodSelectorIPSets ¶
func (netPol *NPMNetworkPolicy) AllPodSelectorIPSets() []*ipsets.TranslatedIPSet
func (*NPMNetworkPolicy) PrettyString ¶
func (netPol *NPMNetworkPolicy) PrettyString() string
type PolicyManager ¶
// PolicyManager adds, removes and reconciles network policies on the node.
// It embeds its configuration; its locks (the PolicyMap lock used in Windows
// and the reconcileManager's lock used in Linux) are among the unexported fields.
type PolicyManager struct {
	*PolicyManagerCfg
	// contains filtered or unexported fields
}
PolicyManager has two locks. The PolicyMap lock is used only in Windows to prevent concurrent write access to the PolicyMap from the NetPol Controller thread and the PodController thread, which reach it respectively via dataplane.AddPolicy()/dataplane.RemovePolicy() and dataplane.ApplyDataplane() --> dataplane.updatePod(). In Linux, the reconcileManager's lock is used to avoid iptables contention between adding/removing policies and the background cleanup of stale, ineffective chains.
func NewPolicyManager ¶
func NewPolicyManager(ioShim *common.IOShim, cfg *PolicyManagerCfg) *PolicyManager
func (*PolicyManager) AddPolicies ¶
func (pMgr *PolicyManager) AddPolicies(policies []*NPMNetworkPolicy, endpointList map[string]string) error
func (*PolicyManager) Bootup ¶
func (pMgr *PolicyManager) Bootup(epIDs []string) error
func (*PolicyManager) GetPolicy ¶
func (pMgr *PolicyManager) GetPolicy(policyKey string) (*NPMNetworkPolicy, bool)
func (*PolicyManager) PolicyExists ¶
func (pMgr *PolicyManager) PolicyExists(policyKey string) bool
func (*PolicyManager) Reconcile ¶
func (pMgr *PolicyManager) Reconcile()
func (*PolicyManager) RemovePolicy ¶
func (pMgr *PolicyManager) RemovePolicy(policyKey string) error
func (*PolicyManager) RemovePolicyForEndpoints ¶
func (pMgr *PolicyManager) RemovePolicyForEndpoints(policyKey string, endpointList map[string]string) error
RemovePolicyForEndpoints is identical to RemovePolicy except that it does not remove the policy from the cache. This function is intended for Windows only.
func (*PolicyManager) ResetEndpoint ¶
func (pMgr *PolicyManager) ResetEndpoint(epID string) error
type PolicyManagerCfg ¶
// PolicyManagerCfg configures a PolicyManager. Several fields apply to only one platform, as noted.
type PolicyManagerCfg struct {
	// NodeIP is only used in Windows.
	NodeIP string
	// PolicyMode only affects Windows.
	PolicyMode PolicyManagerMode
	// PlaceAzureChainFirst only affects Linux.
	PlaceAzureChainFirst bool
	// MaxBatchedACLsPerPod is the maximum number of ACLs that can be added to a Pod at once in Windows.
	// The zero value is valid.
	// A NetworkPolicy's ACLs are always in the same batch, and there will be at least one NetworkPolicy per batch.
	MaxBatchedACLsPerPod int
}
type PolicyManagerMode ¶
// PolicyManagerMode is used in Windows to decide whether SetPolicies should be used.
// See IPSetPolicyMode and IPPolicyMode for the defined values.
type PolicyManagerMode string
PolicyManagerMode is used in Windows to decide whether SetPolicies should be used.
// Defined PolicyManagerMode values.
const (
	// IPSetPolicyMode references IPSets in policies.
	IPSetPolicyMode PolicyManagerMode = "IPSet"
	// IPPolicyMode will replace ipset names with their value IPs in policies.
	// NOTE: this is currently unimplemented.
	IPPolicyMode PolicyManagerMode = "IP"
)
type Protocol ¶
// Protocol is a transport protocol name: TCP, UDP, SCTP, or unspecified.
// Values are case-sensitive (uppercase for now); see the Protocol constants.
type Protocol string
Protocol can be TCP, UDP, SCTP, or unspecified, since these are the protocols currently supported in NetworkPolicy. The Protocol value is case-sensitive (uppercase for now). TODO: remove this dependency on case-sensitivity. NPM is not fully tested with SCTP.
// Defined Protocol values. Comparisons against these values are case-sensitive,
// so a lowercase protocol name will not match any of them.
const (
	// TCP Protocol.
	TCP Protocol = "TCP"
	// UDP Protocol.
	UDP Protocol = "UDP"
	// SCTP Protocol.
	SCTP Protocol = "SCTP"
	// UnspecifiedProtocol leaves the protocol unspecified. For a named port, this represents its protocol. Otherwise, this represents any protocol.
	UnspecifiedProtocol Protocol = "unspecified"
)
type SetInfo ¶
// SetInfo captures the additional details of a match set: which ipset it refers to,
// whether the match is positive or negative, and the match direction.
type SetInfo struct {
	// IPSet identifies the ipset being matched.
	IPSet *ipsets.IPSetMetadata
	// Included is true for a positive match (no "!" in the match set) and false for a negative match ("!").
	Included bool
	// MatchType captures the match direction flags (e.g. src or dst).
	MatchType MatchType
}
SetInfo helps capture additional details of a matchSet. The Included flag captures whether the match is positive or negative: Included is true when the match set does not have "!", and false when it does. MatchType captures the match direction flags. For example, a match set in Linux:
! azure-npm-123 src
Here "!" indicates a negative match of azure-npm-123 (Included is false), and the MatchType is "src".
func NewSetInfo ¶
Ports represents a range of ports. To specify a single port, set Port and EndPort to the same value. uint16 is used since there are 2^16 - 1 TCP/UDP ports (0 is invalid) and 2^16 SCTP ports. NewSetInfo creates a SetInfo.
func (SetInfo) PrettyString ¶
type UniqueDirection ¶
// UniqueDirection is a boolean flag type.
// NOTE(review): its meaning is not documented on this page — confirm against its callers.
type UniqueDirection bool