policies

package
v1.6.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Aug 2, 2024 License: MIT Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source
var (
	// TestNetworkPolicies for testing
	TestNetworkPolicies = []*NPMNetworkPolicy{
		{
			Namespace:   "x",
			PolicyKey:   "x/test1",
			ACLPolicyID: "azure-acl-x-test1",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},

			RuleIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestCIDRSet.Metadata, Members: nil},
				{Metadata: ipsets.TestKeyPodSet.Metadata, Members: nil},
			},
			ACLs: testACLs,
		},
		{
			Namespace:   "y",
			PolicyKey:   "y/test2",
			ACLPolicyID: "azure-acl-y-test2",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKeyPodSet.Metadata},
				{Metadata: ipsets.TestKVPodSet.Metadata},
			},
			PodSelectorList: []SetInfo{
				{
					IPSet:     ipsets.TestKeyPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
				{
					IPSet:     ipsets.TestKVPodSet.Metadata,
					Included:  true,
					MatchType: EitherMatch,
				},
			},
			RuleIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestCIDRSet.Metadata, Members: nil},
			},
			ACLs: []*ACLPolicy{
				testACLs[0],
			},
		},
		{
			Namespace:   "z",
			PolicyKey:   "z/test3",
			ACLPolicyID: "azure-acl-z-test3",
			RuleIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestCIDRSet.Metadata, Members: nil},
			},
			ACLs: []*ACLPolicy{
				testACLs[3],
			},
		},
	}
)

TODO: deprecate this file. Updating this file impacts multiple tests.

Functions

func GetAddPolicyFailureTestCalls

func GetAddPolicyFailureTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd

func GetAddPolicyTestCalls

func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd

func GetBootupTestCalls

func GetBootupTestCalls(addDetectCalls bool) []testutils.TestCmd

func GetRemovePolicyFailureTestCalls

func GetRemovePolicyFailureTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd

GetRemovePolicyFailureTestCalls fails on the restore

func GetRemovePolicyTestCalls

func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd

func NormalizePolicy

func NormalizePolicy(networkPolicy *NPMNetworkPolicy)

NormalizePolicy helps fill in missed fields in aclPolicy

func ValidatePolicy

func ValidatePolicy(networkPolicy *NPMNetworkPolicy) error

Types

type ACLPolicy

type ACLPolicy struct {
	// Comment is the string attached to rule to identity its representation
	Comment string
	// TODO(jungukcho): now I think we do not need to manage SrcList and DstList
	// We may have just one PeerList to hold since it will depend on direction except for namedPort.
	// They are exclusive and each SetInfo even have its own direction.
	// PeerList []SetInfo
	// SrcList source IPSets condition setinfos
	SrcList []SetInfo
	// DstList destination IPSets condition setinfos
	DstList []SetInfo
	// Target defines a target in iptables for linux. i,e, Mark, Accept, Drop
	// in windows, this is either ALLOW or DENY
	Target Verdict
	// Direction defines the flow of traffic
	Direction Direction
	// DstPorts always holds the destination port information.
	// The valid value for port must be between 1 and 65535, inclusive
	// and the endPort must be equal or greater than port.
	DstPorts Ports
	// Protocol is the value of traffic protocol
	Protocol Protocol
}

ACLPolicy equivalent to a single iptable rule in linux or a single HNS rule in windows

func NewACLPolicy

func NewACLPolicy(target Verdict, direction Direction) *ACLPolicy

func (*ACLPolicy) AddSetInfo

func (aclPolicy *ACLPolicy) AddSetInfo(peerList []SetInfo)

AddSetInfo is to add setInfo to SrcList or DstList based on direction except for a setInfo for namedPort since namedPort is always for destination. TODO(jungukcho): cannot come up with Both Direction.

func (*ACLPolicy) PrettyString

func (aclPolicy *ACLPolicy) PrettyString() string

type Direction

type Direction string
const (
	// Ingress when packet is entering a container
	Ingress Direction = "IN"
	// Egress when packet is leaving a container
	Egress Direction = "OUT"
	// Both applies to both directions
	Both Direction = "BOTH"
)

type MatchType

type MatchType int8
const (
	SrcMatch MatchType = 0
	DstMatch MatchType = 1
	// MatchTypes with 2 locations (e.g. DstDst) are for ip and port respectively.
	DstDstMatch MatchType = 2
	// This is used for podSelector under spec. It can be Src or Dst based on existence of ingress or egress rule.
	EitherMatch MatchType = 3
)

Possible MatchTypes.

type NPMNetworkPolicy

type NPMNetworkPolicy struct {
	// Namespace is only used by Linux to construct an iptables comment
	Namespace string
	// PolicyKey is a unique combination of "namespace/name" of network policy
	PolicyKey string
	// ACLPolicyID is only used in Windows. See aclPolicyID() in policy_windows.go for more info
	ACLPolicyID string
	// TODO get rid of PodSelectorIPSets in favor of PodSelectorList (exact same except need to add members field to SetInfo)
	// PodSelectorIPSets holds the IPSets for the Pod Selector
	PodSelectorIPSets []*ipsets.TranslatedIPSet
	// ChildPodSelectorIPSets holds the IPSets that are members of any ipset in PodSelectorIPSets
	ChildPodSelectorIPSets []*ipsets.TranslatedIPSet
	// TODO change to slice of pointers
	// PodSelectorList holds the ipsets from PodSelectorIPSets and info about them to avoid duplication in SrcList and DstList fields in ACLs
	PodSelectorList []SetInfo
	// RuleIPSets holds all IPSets generated from policy's rules
	// and not from pod selector IPSets, including children of a NestedLabelOfPod ipset
	RuleIPSets []*ipsets.TranslatedIPSet
	ACLs       []*ACLPolicy
	// podIP is key and endpoint ID as value
	// Will be populated by dataplane and policy manager
	PodEndpoints map[string]string
}

func NewNPMNetworkPolicy

func NewNPMNetworkPolicy(netPolName, netPolNamespace string) *NPMNetworkPolicy

func (*NPMNetworkPolicy) AllPodSelectorIPSets

func (netPol *NPMNetworkPolicy) AllPodSelectorIPSets() []*ipsets.TranslatedIPSet

func (*NPMNetworkPolicy) PrettyString

func (netPol *NPMNetworkPolicy) PrettyString() string

type PolicyManager

type PolicyManager struct {
	*PolicyManagerCfg
	// contains filtered or unexported fields
}

PolicyManager has two locks. The PolicyMap lock is used only in Windows to prevent concurrent write access to the PolicyMap from both the NetPol Controller thread and the PodController thread, accessed respectively from dataplane.AddPolicy()/dataplane.RemovePolicy(), and dataplane.ApplyDataplane() --> dataplane.updatePod(). In Linux, the reconcileManager's lock is used to avoid iptables contention for adding/removing policies versus background cleanup of stale, ineffective chains.

func NewPolicyManager

func NewPolicyManager(ioShim *common.IOShim, cfg *PolicyManagerCfg) *PolicyManager

func (*PolicyManager) AddPolicies

func (pMgr *PolicyManager) AddPolicies(policies []*NPMNetworkPolicy, endpointList map[string]string) error

func (*PolicyManager) Bootup

func (pMgr *PolicyManager) Bootup(epIDs []string) error

func (*PolicyManager) GetPolicy

func (pMgr *PolicyManager) GetPolicy(policyKey string) (*NPMNetworkPolicy, bool)

func (*PolicyManager) PolicyExists

func (pMgr *PolicyManager) PolicyExists(policyKey string) bool

func (*PolicyManager) Reconcile

func (pMgr *PolicyManager) Reconcile()

func (*PolicyManager) RemovePolicy

func (pMgr *PolicyManager) RemovePolicy(policyKey string) error

func (*PolicyManager) RemovePolicyForEndpoints

func (pMgr *PolicyManager) RemovePolicyForEndpoints(policyKey string, endpointList map[string]string) error

RemovePolicyForEndpoints is identical to RemovePolicy except it will not remove the policy from the cache. This function is intended for Windows only.

func (*PolicyManager) ResetEndpoint

func (pMgr *PolicyManager) ResetEndpoint(epID string) error

type PolicyManagerCfg

type PolicyManagerCfg struct {
	// NodeIP is only used in Windows
	NodeIP string
	// PolicyMode only affects Windows
	PolicyMode PolicyManagerMode
	// PlaceAzureChainFirst only affects Linux
	PlaceAzureChainFirst bool
	// MaxBatchedACLsPerPod is the maximum number of ACLs that can be added to a Pod at once in Windows.
	// The zero value is valid.
	// A NetworkPolicy's ACLs are always in the same batch, and there will be at least one NetworkPolicy per batch.
	MaxBatchedACLsPerPod int
}

type PolicyManagerMode

type PolicyManagerMode string

PolicyManagerMode will be used in windows to decide if SetPolicies should be used or not

const (
	// IPSetPolicyMode will references IPSets in policies
	IPSetPolicyMode PolicyManagerMode = "IPSet"
	// IPPolicyMode will replace ipset names with their value IPs in policies
	// NOTE: this is currently unimplemented
	IPPolicyMode PolicyManagerMode = "IP"
)

type PolicyMap

type PolicyMap struct {
	sync.RWMutex
	// contains filtered or unexported fields
}

type Ports

type Ports struct {
	Port    int32
	EndPort int32
}

type Protocol

type Protocol string

Protocol can be TCP, UDP, SCTP, or unspecified since they are currently supported in networkpolicy. Protocol value is case-sensitive (Capital now). TODO: Need to remove this dependency on case-sensitivity. NPM is not fully tested with SCTP.

const (

	// TCP Protocol
	TCP Protocol = "TCP"
	// UDP Protocol
	UDP Protocol = "UDP"
	// SCTP Protocol
	SCTP Protocol = "SCTP"
	// UnspecifiedProtocol leaves protocol unspecified. For a named port, this represents its protocol. Otherwise, this represents any protocol.
	UnspecifiedProtocol Protocol = "unspecified"
)

type SetInfo

type SetInfo struct {
	IPSet     *ipsets.IPSetMetadata
	Included  bool
	MatchType MatchType
}

SetInfo helps capture additional details in a matchSet. Included flag captures the negative or positive match. Included is true when match set does not have "!". Included is false when match set have "!". MatchType captures match direction flags. For example match set in linux:

! azure-npm-123 src

"!" this indicates a negative match (Included is false) of an azure-npm-123 MatchType is "src"

func NewSetInfo

func NewSetInfo(name string, setType ipsets.SetType, included bool, matchType MatchType) SetInfo

Ports represents a range of ports. To specify one port, set Port and EndPort to the same value. uint16 is used since there are 2^16 - 1 TCP/UDP ports (0 is invalid) and 2^16 SCTP ports. NewSetInfo creates SetInfo.

func (SetInfo) PrettyString

func (info SetInfo) PrettyString() string

type UniqueDirection

type UniqueDirection bool

type Verdict

type Verdict string
const (
	// Allowed is accept in linux
	Allowed Verdict = "ALLOW"
	// Dropped is denying a flow
	Dropped Verdict = "DROP"
)

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL