Documentation ¶
Index ¶
- Constants
- type AllocatedIDs
- type Config
- type ContivRuleTable
- func (crt *ContivRuleTable) DiffRules(crt2 *ContivRuleTable) (notIn2, notInThis []*renderer.ContivRule)
- func (crt *ContivRuleTable) GetID() string
- func (crt *ContivRuleTable) HasRule(rule *renderer.ContivRule) bool
- func (crt *ContivRuleTable) InsertRule(rule *renderer.ContivRule) bool
- func (crt *ContivRuleTable) RemoveByPredicate(predicate func(rule *renderer.ContivRule) bool) int
- func (crt *ContivRuleTable) RemoveRuleByIdx(idx int) bool
- func (crt *ContivRuleTable) String() string
- type Deps
- type LocalTables
- func (lts *LocalTables) AssignPod(table *ContivRuleTable, podID podmodel.ID)
- func (lts *LocalTables) GetIsolatedPods() PodSet
- func (lts *LocalTables) Insert(table *ContivRuleTable) bool
- func (lts *LocalTables) LookupByID(id string) *ContivRuleTable
- func (lts *LocalTables) LookupByPod(podID podmodel.ID) *ContivRuleTable
- func (lts *LocalTables) LookupByRules(rules []*renderer.ContivRule) *ContivRuleTable
- func (lts *LocalTables) Remove(table *ContivRuleTable) bool
- func (lts *LocalTables) RemoveByIdx(idx int) bool
- func (lts *LocalTables) RemoveByPredicate(predicate func(table *ContivRuleTable) bool) int
- func (lts *LocalTables) String() string
- func (lts *LocalTables) UnassignPod(table *ContivRuleTable, podID podmodel.ID)
- type Orientation
- type PodConfig
- type PodSet
- type Ports
- type RendererCache
- func (rc *RendererCache) Flush()
- func (rc *RendererCache) GetAllPods() PodSet
- func (rc *RendererCache) GetGlobalTable() *ContivRuleTable
- func (rc *RendererCache) GetIsolatedPods() PodSet
- func (rc *RendererCache) GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable
- func (rc *RendererCache) GetPodConfig(pod podmodel.ID) *PodConfig
- func (rc *RendererCache) Init(orientation Orientation)
- func (rc *RendererCache) NewTxn() Txn
- func (rc *RendererCache) Resync(tables []*ContivRuleTable) error
- type RendererCacheAPI
- type RendererCacheTxn
- func (rct *RendererCacheTxn) Commit() error
- func (rct *RendererCacheTxn) GetAllPods() PodSet
- func (rct *RendererCacheTxn) GetChanges() (changes []*TxnChange)
- func (rct *RendererCacheTxn) GetGlobalTable() *ContivRuleTable
- func (rct *RendererCacheTxn) GetIsolatedPods() PodSet
- func (rct *RendererCacheTxn) GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable
- func (rct *RendererCacheTxn) GetPodConfig(pod podmodel.ID) *PodConfig
- func (rct *RendererCacheTxn) GetRemovedPods() PodSet
- func (rct *RendererCacheTxn) GetUpdatedPods() PodSet
- func (rct *RendererCacheTxn) Update(pod podmodel.ID, podConfig *PodConfig)
- type TableType
- type Txn
- type TxnChange
- type View
Constants ¶
const AnyPort uint16 = 0
AnyPort is a constant that represents any port.
const GlobalTableID = "NODE-GLOBAL"
GlobalTableID is the ID of the global table.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type AllocatedIDs ¶
type AllocatedIDs map[string]struct{}
AllocatedIDs represents a set of all allocated IDs.
type Config ¶
Config is used to store a snapshot of the configuration as received through RendererCacheTxn.Update().
type ContivRuleTable ¶
type ContivRuleTable struct {
	// Type is used to differentiate the global table from the local ones.
	Type TableType

	// Set of all pods that have this table assigned.
	// Empty for the global table and a removed local table.
	Pods PodSet

	// Rules applied on the ingress or the egress side for one or multiple pods
	// (local) or globally for the node (global).
	// The rules are in the order such that if rule *r1* matches a subset
	// of the traffic matched by *r2*, then r1 precedes r2 in the list.
	// It is the order in which the rules should be applied by the rule
	// matching algorithm in the destination network stack (otherwise the more
	// specific rules could be overshadowed and never matched).
	// The first *NumOfRules* entries are filled with rules, the rest are nils.
	Rules []*renderer.ContivRule

	// NumOfRules is the number of rules inserted in the table (remaining entries
	// in *Rules* are nils).
	NumOfRules int

	// Private can be used by the renderer to store the configuration of the table
	// in the format used by the destination network stack.
	Private interface{}
	// contains filtered or unexported fields
}
ContivRuleTable is a table consisting of Contiv Rules, ordered such that if rule *r1* matches a subset of the traffic matched by *r2*, then r1 precedes r2 in the list. It is the order in which the rules should be applied by the rule matching algorithm in the destination network stack (otherwise the more specific rules could be overshadowed and never matched). Two types of tables are distinguished:
- Local table: should be applied to match against traffic leaving (IngressOrientation) or entering (EgressOrientation) a selected subset of pods. Every pod has at most one local table installed at any given time. For a local table, the set of rules is immutable. Different content is treated as a new local table (and the original table may get unassigned from some or all originally associated pods). A local table always has at least one rule; otherwise it is simply not tracked or returned by the cache.
- Global table: should be applied to match against traffic entering (IngressOrientation) or leaving (EgressOrientation) the node. There is always exactly one global table installed (per node). The global table may contain an empty set of rules (meaning ALLOW-ALL).
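The ordering invariant described above, worked through in an added example that is not part of the project's code: it uses a deliberately simplified stand-in for renderer.ContivRule (one destination prefix and one destination port, with AnyPort as the wildcard) and an insertion routine that keeps the most specific rule first, which is the property ContivRuleTable.InsertRule documents. The rule type, `Table`, `newRule` and `DemoOrder` are assumptions made for this example.

```go
package main

import (
	"fmt"
	"net"
)

// AnyPort mirrors the page's constant: 0 stands for "any port".
const AnyPort uint16 = 0

// rule is a deliberately simplified stand-in for renderer.ContivRule: one
// destination prefix and one destination port (AnyPort = wildcard).
type rule struct {
	Name    string
	DstNet  *net.IPNet
	DstPort uint16
}

// newRule builds a constructed rule; it panics on an invalid CIDR.
func newRule(name, cidr string, port uint16) *rule {
	_, n, err := net.ParseCIDR(cidr)
	if err != nil {
		panic(err)
	}
	return &rule{Name: name, DstNet: n, DstPort: port}
}

// matchesSubsetOf reports whether every packet matched by r is also matched
// by other: r's prefix lies inside other's and r's port is covered by other's.
// This is the "r1 matches a subset of the traffic matched by r2" relation
// the page uses to define the table order.
func (r *rule) matchesSubsetOf(other *rule) bool {
	otherOnes, _ := other.DstNet.Mask.Size()
	rOnes, _ := r.DstNet.Mask.Size()
	prefixInside := otherOnes <= rOnes && other.DstNet.Contains(r.DstNet.IP)
	portInside := other.DstPort == AnyPort || other.DstPort == r.DstPort
	return prefixInside && portInside
}

// Table keeps rules ordered so that a rule always precedes any rule matching
// a superset of its traffic, the invariant ContivRuleTable.Rules documents.
type Table struct {
	Rules []*rule
}

// InsertRule puts r in front of the first existing rule that covers a
// superset of r's traffic. Because the table is already consistently ordered,
// no rule after that point can be a subset of r, so the invariant survives.
// It returns false, leaving the table untouched, when a rule matching exactly
// the same traffic is already present (mirroring the page's InsertRule).
func (t *Table) InsertRule(r *rule) bool {
	pos := len(t.Rules)
	for i, e := range t.Rules {
		if r.matchesSubsetOf(e) {
			if e.matchesSubsetOf(r) {
				return false // identical match set: already in the table
			}
			pos = i
			break
		}
	}
	t.Rules = append(t.Rules, nil)
	copy(t.Rules[pos+1:], t.Rules[pos:])
	t.Rules[pos] = r
	return true
}

// Names returns the rule names in table order.
func (t *Table) Names() []string {
	names := make([]string, 0, len(t.Rules))
	for _, r := range t.Rules {
		names = append(names, r.Name)
	}
	return names
}

// DemoOrder inserts constructed rules from least to most specific; the table
// reorders them so the host-specific rule is consulted first and cannot be
// shadowed by the catch-all. The last insert is a duplicate and is rejected.
func DemoOrder() (names []string, duplicateInserted bool) {
	t := &Table{}
	t.InsertRule(newRule("allow-any", "0.0.0.0/0", AnyPort))
	t.InsertRule(newRule("subnet-http", "10.1.0.0/16", 80))
	t.InsertRule(newRule("host-http", "10.1.2.3/32", 80))
	t.InsertRule(newRule("other-subnet", "192.168.0.0/16", AnyPort))
	duplicateInserted = t.InsertRule(newRule("host-http-again", "10.1.2.3/32", 80))
	return t.Names(), duplicateInserted
}

func main() {
	names, dup := DemoOrder()
	fmt.Println(names, dup) // [host-http subnet-http other-subnet allow-any] false
}
```

The insertion position is found by a single forward scan: the first existing rule whose traffic is a superset of the new rule is where the new rule must go, and any rule unrelated to it (here `other-subnet`) can stay wherever it already is. A real ContivRule carries source and destination addresses, a protocol and an action, so the subset test is wider there, but the ordering argument is the same.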
func NewContivRuleTable ¶
func NewContivRuleTable(tableType TableType) *ContivRuleTable
NewContivRuleTable is a constructor for ContivRuleTable.
func (*ContivRuleTable) DiffRules ¶
func (crt *ContivRuleTable) DiffRules(crt2 *ContivRuleTable) (notIn2, notInThis []*renderer.ContivRule)
DiffRules calculates diff in terms of rules between this and the other table.
func (*ContivRuleTable) GetID ¶
func (crt *ContivRuleTable) GetID() string
GetID returns a table ID that is the same for tables of the same type with the same content, and otherwise very likely different.
func (*ContivRuleTable) HasRule ¶
func (crt *ContivRuleTable) HasRule(rule *renderer.ContivRule) bool
HasRule returns true if the given rule is included in the table.
func (*ContivRuleTable) InsertRule ¶
func (crt *ContivRuleTable) InsertRule(rule *renderer.ContivRule) bool
InsertRule inserts the rule into the table at the right position in the order. Returns *true* if the rule was inserted, *false* if the same rule is already in the cache.
func (*ContivRuleTable) RemoveByPredicate ¶
func (crt *ContivRuleTable) RemoveByPredicate(predicate func(rule *renderer.ContivRule) bool) int
RemoveByPredicate removes all rules from the table that satisfy a given predicate. Number of removed rules is returned.
func (*ContivRuleTable) RemoveRuleByIdx ¶
func (crt *ContivRuleTable) RemoveRuleByIdx(idx int) bool
RemoveRuleByIdx removes rule under a given index from the table. Returns *true* if the index is valid and the rule was removed.
func (*ContivRuleTable) String ¶
func (crt *ContivRuleTable) String() string
String converts ContivRuleTable (pointer) into a human-readable string representation.
type LocalTables ¶
LocalTables is an ordered list of all cached local tables. Its operations are efficient: apart from Remove() and RemoveByPredicate(), all run in logarithmic or constant time.
API:
	Insert(table)
	Remove(table)
	RemoveByIdx(idx)
	RemoveByPredicate(func(table) -> bool)
	LookupByID(ID) -> table
	LookupByRules() -> table
	LookupByPod(pod) -> table
	AssignPod(table, podID)
	UnassignPod(table/nil=all, podID)
	GetIsolatedPods() -> pods
func NewLocalTables ¶
func NewLocalTables(logger logging.Logger) *LocalTables
NewLocalTables is a constructor for LocalTables.
func (*LocalTables) AssignPod ¶
func (lts *LocalTables) AssignPod(table *ContivRuleTable, podID podmodel.ID)
AssignPod creates association between the pod and the table.
func (*LocalTables) GetIsolatedPods ¶
func (lts *LocalTables) GetIsolatedPods() PodSet
GetIsolatedPods returns the set of IDs of all pods that have a (non-empty) local table assigned. The term "isolated" is borrowed from K8s: pods become isolated by having a NetworkPolicy that selects them.
func (*LocalTables) Insert ¶
func (lts *LocalTables) Insert(table *ContivRuleTable) bool
Insert adds a local table to the list.
func (*LocalTables) LookupByID ¶
func (lts *LocalTables) LookupByID(id string) *ContivRuleTable
LookupByID searches for table by ID.
func (*LocalTables) LookupByPod ¶
func (lts *LocalTables) LookupByPod(podID podmodel.ID) *ContivRuleTable
LookupByPod searches for table by an assigned pod.
func (*LocalTables) LookupByRules ¶
func (lts *LocalTables) LookupByRules(rules []*renderer.ContivRule) *ContivRuleTable
LookupByRules searches for table by rules. If there are multiple tables with this list of rules, the one with the smallest index in the list of tables is returned.
func (*LocalTables) Remove ¶
func (lts *LocalTables) Remove(table *ContivRuleTable) bool
Remove deletes a local table from the list (matched by pointer).
func (*LocalTables) RemoveByIdx ¶
func (lts *LocalTables) RemoveByIdx(idx int) bool
RemoveByIdx removes local table under a given index from the list. Returns *true* if the index is valid and the table was removed.
func (*LocalTables) RemoveByPredicate ¶
func (lts *LocalTables) RemoveByPredicate(predicate func(table *ContivRuleTable) bool) int
RemoveByPredicate removes all local tables that satisfy a given predicate. Number of removed tables is returned.
func (*LocalTables) String ¶
func (lts *LocalTables) String() string
String converts LocalTables (pointer) into a human-readable string representation.
func (*LocalTables) UnassignPod ¶
func (lts *LocalTables) UnassignPod(table *ContivRuleTable, podID podmodel.ID)
UnassignPod removes association between the pod and the table. <table> may be nil to match any local table.
type Orientation ¶
type Orientation int
Orientation is either "IngressOrientation" or "EgressOrientation". It is selected during the cache initialization to specify whether the rule matching algorithm in the destination network stack runs against the ingress or the egress traffic (from the vswitch point of view).
const (
	// IngressOrientation means that rules are applied on the traffic *arriving*
	// from the interfaces into the vswitch.
	IngressOrientation Orientation = iota

	// EgressOrientation means that rules are applied on the traffic *leaving*
	// the vswitch through the interfaces.
	EgressOrientation
)
type PodConfig ¶
type PodConfig struct {
	PodIP   *net.IPNet
	Ingress []*renderer.ContivRule
	Egress  []*renderer.ContivRule
	Removed bool /* true can only be inside the transaction; removed pods are no longer tracked by the cache */
}
PodConfig encapsulates pod configuration (passed through RendererCacheTxn.Update()).
type PodSet ¶
PodSet is a set of pods.
type Ports ¶
type Ports map[uint16]struct{}
Ports is a set of port numbers.
func (Ports) HasExplicit ¶
HasExplicit returns true if the given port is in the set regardless of AnyPort presence.
func (Ports) Intersection ¶
Intersection returns the set of ports which are both in this set and in <p2>.
func (Ports) IsSubsetOf ¶
IsSubsetOf returns true if this set is a subset of <p2>.
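The three Ports methods documented above, as an added example that is not the project's code. The wildcard handling (AnyPort in the other set covers every port; a set holding AnyPort adds no constraint to an intersection) is an assumption made for this example, as are `NewPorts`, `Has`, `Sorted` and `DemoPorts`; the page only fixes the method names and their one-line contracts.

```go
package main

import (
	"fmt"
	"sort"
)

// AnyPort mirrors the page's constant: 0 stands for "any port".
const AnyPort uint16 = 0

// Ports is a stand-in for the package's Ports type. The wildcard handling in
// the methods below is an assumption made for this example.
type Ports map[uint16]struct{}

// NewPorts builds a set from the listed ports.
func NewPorts(ports ...uint16) Ports {
	s := Ports{}
	for _, p := range ports {
		s[p] = struct{}{}
	}
	return s
}

// HasExplicit reports literal membership only: the set {AnyPort} does not
// "have" port 443 in this sense.
func (p Ports) HasExplicit(port uint16) bool {
	_, ok := p[port]
	return ok
}

// Has reports whether traffic on port is matched by the set, i.e. the port is
// listed or the set contains the AnyPort wildcard (assumed helper).
func (p Ports) Has(port uint16) bool {
	return p.HasExplicit(AnyPort) || p.HasExplicit(port)
}

// IsSubsetOf reports whether every port matched by p is also matched by p2.
// AnyPort in p2 covers everything; AnyPort in p is covered only by AnyPort in p2.
func (p Ports) IsSubsetOf(p2 Ports) bool {
	if p2.HasExplicit(AnyPort) {
		return true
	}
	for port := range p {
		if !p2.HasExplicit(port) {
			return false
		}
	}
	return true
}

// Intersection returns the ports matched by both sets. A set holding AnyPort
// adds no constraint, so the result is a copy of the other set.
func (p Ports) Intersection(p2 Ports) Ports {
	if p.HasExplicit(AnyPort) {
		p, p2 = p2, p
	}
	out := Ports{}
	for port := range p {
		if p2.Has(port) {
			out[port] = struct{}{}
		}
	}
	return out
}

// Sorted returns the members in ascending order for stable printing.
func (p Ports) Sorted() []uint16 {
	out := make([]uint16, 0, len(p))
	for port := range p {
		out = append(out, port)
	}
	sort.Slice(out, func(i, j int) bool { return out[i] < out[j] })
	return out
}

// DemoPorts narrows a constructed pod-level allow-list ({80, 443}) by a
// wildcard rule ({AnyPort}) and by an explicit one ({443, 8443}): the wildcard
// leaves the allow-list intact, the explicit list narrows it to {443}.
func DemoPorts() (viaWildcard, viaExplicit []uint16, wildcardIsSuperset bool) {
	allowed := NewPorts(80, 443)
	viaWildcard = allowed.Intersection(NewPorts(AnyPort)).Sorted()
	viaExplicit = allowed.Intersection(NewPorts(443, 8443)).Sorted()
	wildcardIsSuperset = allowed.IsSubsetOf(NewPorts(AnyPort)) && !NewPorts(AnyPort).IsSubsetOf(allowed)
	return
}

func main() {
	fmt.Println(DemoPorts()) // [80 443] [443] true
}
```

The distinction between HasExplicit and a wildcard-aware lookup matters when two rule sets are compared for the subset relation: {AnyPort} must be treated as a superset of {443}, but {443} must not be mistaken for containing the wildcard, otherwise a narrow rule could be ordered after (and shadowed by) a broad one.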
type RendererCache ¶
type RendererCache struct {
	Deps
	// contains filtered or unexported fields
}
RendererCache implements RendererCacheAPI.
func (*RendererCache) Flush ¶
func (rc *RendererCache) Flush()
Flush completely wipes out the cache content.
func (*RendererCache) GetAllPods ¶
func (rc *RendererCache) GetAllPods() PodSet
GetAllPods returns the set of all pods currently tracked by the cache.
func (*RendererCache) GetGlobalTable ¶
func (rc *RendererCache) GetGlobalTable() *ContivRuleTable
GetGlobalTable returns the global table. The function never returns nil but may return a table with an empty set of rules (meaning ALLOW-ALL).
func (*RendererCache) GetIsolatedPods ¶
func (rc *RendererCache) GetIsolatedPods() PodSet
GetIsolatedPods returns the set of IDs of all pods that have a local table assigned. The term "isolated" is borrowed from K8s, pods become isolated by having a NetworkPolicy that selects them.
func (*RendererCache) GetLocalTableByPod ¶
func (rc *RendererCache) GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable
GetLocalTableByPod returns the local table assigned to a given pod. Returns nil if the pod has no table assigned (non-isolated).
func (*RendererCache) GetPodConfig ¶
func (rc *RendererCache) GetPodConfig(pod podmodel.ID) *PodConfig
GetPodConfig returns the current configuration of a given pod (as passed through the Txn.Update() method). Method returns nil if the given pod is not tracked by the cache.
func (*RendererCache) Init ¶
func (rc *RendererCache) Init(orientation Orientation)
Init initializes the cache. The caller selects the orientation of the traffic at which the rules are applied in the destination network stack.
func (*RendererCache) NewTxn ¶
func (rc *RendererCache) NewTxn() Txn
NewTxn starts a new transaction. The changes are reflected in the cache only after Commit() is called.
func (*RendererCache) Resync ¶
func (rc *RendererCache) Resync(tables []*ContivRuleTable) error
Resync completely replaces the existing cache content with the supplied data.
type RendererCacheAPI ¶
type RendererCacheAPI interface {
	View

	// Init initializes the cache.
	// The caller selects the orientation of the traffic at which the rules are applied
	// in the destination network stack.
	Init(orientation Orientation)

	// Flush completely wipes out the cache content.
	Flush()

	// NewTxn starts a new transaction. The changes are reflected in the cache
	// only after Commit() is called.
	NewTxn() Txn

	// Resync completely replaces the existing cache content with the supplied
	// data.
	// The configuration cannot be fully reconstructed however, only the set
	// of all tracked pods. Do not use GetPodConfig() immediately after Resync(),
	// instead follow the resync with a transaction that updates the configuration
	// of still present pods and removes the rest (Cache.GetAllPods() \ Txn.GetUpdatedPods()).
	Resync(tables []*ContivRuleTable) error
}
RendererCacheAPI defines the API of a cache used to store Contiv rules. The cache allows a renderer to easily calculate the minimal set of changes that need to be applied in a given transaction.
The rules are grouped into the tables (ContivRuleTable) and the configuration is represented as a list of local tables, applied on the ingress or the egress side of pods, and a single global table, applied on the interfaces connecting the node with the rest of the cluster. The list of local tables is minimalistic in the sense that pods with the same set of rules will share the same local table. Whether shared tables are installed in one instance or as separate copies for each associated pod is up to the renderer (usually determined by the capabilities of the destination network stack).
All tables match only one side of the traffic - either ingress or egress, depending on the cache orientation selected in the Init method. The cache combines the received ingress and egress Contiv rules into the single chosen direction in a way that preserves the original semantics (the global table is introduced to accomplish this). For IngressOrientation, the local table rules always have source IP address and port ANYADDR/ANYPORT. For EgressOrientation, the local table rules always have destination IP address and port ANYADDR/ANYPORT.
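The follow-up transaction that the Resync() comment asks for (re-send the configuration of pods that still exist, then remove Cache.GetAllPods() \ Txn.GetUpdatedPods()), as an added example that is not the project's code. `Txn` here is a minimal in-memory stand-in that only records Update() calls, so the procedure can run without the cache; `PodID`, `Difference` and `ReconcileAfterResync` are assumptions made for the example, and PodConfig is reduced to its Removed field.

```go
package main

import "fmt"

// PodID and PodSet stand in for podmodel.ID and the cache's PodSet.
type PodID string
type PodSet map[PodID]struct{}

// PodConfig keeps only the field this procedure needs from the page's struct.
type PodConfig struct {
	Removed bool
}

// Txn is a minimal in-memory stand-in for the package's Txn (assumed for the
// example): it just records the pending Update() calls.
type Txn struct {
	pending map[PodID]*PodConfig
}

func NewTxn() *Txn { return &Txn{pending: map[PodID]*PodConfig{}} }

// Update records the configuration to apply at Commit(); Removed=true marks
// the pod for removal from the cache.
func (t *Txn) Update(pod PodID, cfg *PodConfig) { t.pending[pod] = cfg }

// GetUpdatedPods returns every pod touched by the transaction.
func (t *Txn) GetUpdatedPods() PodSet {
	s := PodSet{}
	for pod := range t.pending {
		s[pod] = struct{}{}
	}
	return s
}

// GetRemovedPods returns the pods the transaction will remove.
func (t *Txn) GetRemovedPods() PodSet {
	s := PodSet{}
	for pod, cfg := range t.pending {
		if cfg.Removed {
			s[pod] = struct{}{}
		}
	}
	return s
}

// Difference returns a \ b.
func Difference(a, b PodSet) PodSet {
	out := PodSet{}
	for pod := range a {
		if _, ok := b[pod]; !ok {
			out[pod] = struct{}{}
		}
	}
	return out
}

// ReconcileAfterResync follows the page's advice: Resync() only recovers the
// set of tracked pods, so the follow-up transaction re-sends the configuration
// of pods that still exist and removes the rest, computed as
// Cache.GetAllPods() \ Txn.GetUpdatedPods(). It returns the removed set.
func ReconcileAfterResync(trackedByCache PodSet, present map[PodID]*PodConfig, txn *Txn) PodSet {
	for pod, cfg := range present {
		txn.Update(pod, cfg)
	}
	stale := Difference(trackedByCache, txn.GetUpdatedPods())
	for pod := range stale {
		txn.Update(pod, &PodConfig{Removed: true})
	}
	return stale
}

func main() {
	// Constructed state: the resynced cache tracks three pods, but only two
	// still exist according to the current policy configuration.
	tracked := PodSet{"ns/web-1": {}, "ns/web-2": {}, "ns/old-db": {}}
	present := map[PodID]*PodConfig{"ns/web-1": {}, "ns/web-2": {}}
	txn := NewTxn()
	removed := ReconcileAfterResync(tracked, present, txn)
	fmt.Println(len(removed), txn.GetRemovedPods()) // 1 map[ns/old-db:{}]
}
```

The order of the two loops matters: the updates for present pods must be recorded before the difference is taken, otherwise every tracked pod would be classified as stale. A pod that is present but was not tracked by the resynced cache is simply added by the same Update() call.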
type RendererCacheTxn ¶
type RendererCacheTxn struct {
// contains filtered or unexported fields
}
RendererCacheTxn represents a single transaction of RendererCache.
func (*RendererCacheTxn) Commit ¶
func (rct *RendererCacheTxn) Commit() error
Commit applies the changes into the underlying cache.
func (*RendererCacheTxn) GetAllPods ¶
func (rct *RendererCacheTxn) GetAllPods() PodSet
GetAllPods returns the set of all pods that will have configuration tracked by the cache if the transaction is committed without any additional changes.
func (*RendererCacheTxn) GetChanges ¶
func (rct *RendererCacheTxn) GetChanges() (changes []*TxnChange)
GetChanges calculates a minimalistic set of changes prepared in the transaction up to this point. Must be run before Commit().
func (*RendererCacheTxn) GetGlobalTable ¶
func (rct *RendererCacheTxn) GetGlobalTable() *ContivRuleTable
GetGlobalTable returns the global table that will be installed if the transaction is committed without any additional changes.
func (*RendererCacheTxn) GetIsolatedPods ¶
func (rct *RendererCacheTxn) GetIsolatedPods() PodSet
GetIsolatedPods returns the set of IDs of pods that will have a local table assigned if the transaction is committed without any additional changes.
func (*RendererCacheTxn) GetLocalTableByPod ¶
func (rct *RendererCacheTxn) GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable
GetLocalTableByPod returns the local table that will be assigned to a given pod if the transaction is committed without any additional changes. Returns nil if the pod will be non-isolated.
func (*RendererCacheTxn) GetPodConfig ¶
func (rct *RendererCacheTxn) GetPodConfig(pod podmodel.ID) *PodConfig
GetPodConfig returns the configuration of a given pod either pending in the transaction or taken from the cache if the pod was not updated.
func (*RendererCacheTxn) GetRemovedPods ¶
func (rct *RendererCacheTxn) GetRemovedPods() PodSet
GetRemovedPods returns the set of all pods that will be removed by the transaction.
func (*RendererCacheTxn) GetUpdatedPods ¶
func (rct *RendererCacheTxn) GetUpdatedPods() PodSet
GetUpdatedPods returns the set of all pods included in the transaction.
type TableType ¶
type TableType int
TableType is either "Local" or "Global".
const (
	// Local table is applied to match against traffic leaving (IngressOrientation)
	// or entering (EgressOrientation) a selected subset of pods.
	// Every pod has at most one local table installed at any given time.
	Local TableType = iota

	// Global table is applied to match against traffic entering (IngressOrientation)
	// or leaving (EgressOrientation) the node. There is always exactly one global
	// table installed (per node).
	Global
)
type Txn ¶
type Txn interface {
	// View allows viewing the cache as it will look if the transaction
	// is committed without any additional changes.
	// Should be used only before Commit() (afterwards use View from the cache itself).
	View

	// Update changes the configuration of Contiv rules for a given pod.
	// The change is applied into the cache during the commit.
	// Run GetChanges() before Commit() to learn the set of pending updates (merged
	// to a minimal diff).
	// If *podConfig.removed* is true, the pod will be removed from the cache
	// when the transaction is committed.
	Update(pod podmodel.ID, podConfig *PodConfig)

	// GetUpdatedPods returns the set of all pods included in the transaction.
	GetUpdatedPods() PodSet

	// GetRemovedPods returns the set of all pods that will be removed by the transaction.
	GetRemovedPods() PodSet

	// GetChanges calculates a minimalistic set of changes prepared in the
	// transaction up to this point.
	// Changes are presented from the tables' point of view (i.e. what tables have been
	// changed, created, removed).
	// Alternatively, GetLocalTableByPod() and GetGlobalTable() from the View
	// interface can be used to get the updated configuration from the pods' point of view.
	// GetChanges() must be run before Commit().
	GetChanges() (changes []*TxnChange)

	// Commit applies the changes into the underlying cache.
	Commit() error
}
Txn defines API of RendererCache transaction.
type TxnChange ¶
type TxnChange struct {
	// Table that has been affected by the transaction.
	// Possible changes:
	//   - new table
	//   - removed table
	//   - changed assignment of pods for a local table
	//   - change in the set of rules for the global table
	Table *ContivRuleTable

	// Set of pods previously assigned to the table.
	// Empty for the global table or a newly added local table.
	PreviousPods PodSet
}
TxnChange represents a change in the RendererCache to be performed by a transaction.
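How a table-centric change set of the kind GetChanges() returns is derived from two pod-centric views, as an added example that is not the project's code. Pods are mapped to the ID of their local table (pods with identical rules share an ID, as GetID() promises for equal content), and the diff lists exactly the tables that are new, removed or re-assigned, each with its PreviousPods. `Assignment`, `ComputeChanges` and the extra `Pods` field on the stand-in TxnChange are assumptions made for the example; the real struct carries a *ContivRuleTable.

```go
package main

import (
	"fmt"
	"sort"
)

// PodID and PodSet stand in for podmodel.ID and the cache's PodSet.
type PodID string
type PodSet map[PodID]struct{}

// TxnChange mirrors the page's struct, except that the table is reduced to
// its ID and the post-transaction pod set is kept alongside PreviousPods
// (an assumption for this example).
type TxnChange struct {
	TableID      string
	PreviousPods PodSet // empty for a newly added local table
	Pods         PodSet // empty for a removed local table
}

// Assignment maps each pod to the ID of its local table, or "" when the pod
// is non-isolated.
type Assignment map[PodID]string

// byTable inverts an Assignment into table ID -> set of assigned pods.
func byTable(a Assignment) map[string]PodSet {
	out := map[string]PodSet{}
	for pod, id := range a {
		if id == "" {
			continue
		}
		if out[id] == nil {
			out[id] = PodSet{}
		}
		out[id][pod] = struct{}{}
	}
	return out
}

func equalSets(a, b PodSet) bool {
	if len(a) != len(b) {
		return false
	}
	for pod := range a {
		if _, ok := b[pod]; !ok {
			return false
		}
	}
	return true
}

// ComputeChanges returns the minimal table-centric change set between two
// assignments: one TxnChange per table that is new, removed, or whose pod set
// changed; tables whose assignment is unchanged produce nothing. Results are
// sorted by table ID for deterministic output.
func ComputeChanges(before, after Assignment) []TxnChange {
	prev, next := byTable(before), byTable(after)
	ids := map[string]struct{}{}
	for id := range prev {
		ids[id] = struct{}{}
	}
	for id := range next {
		ids[id] = struct{}{}
	}
	var changes []TxnChange
	for id := range ids {
		p, n := prev[id], next[id]
		if p == nil {
			p = PodSet{}
		}
		if n == nil {
			n = PodSet{}
		}
		if equalSets(p, n) {
			continue
		}
		changes = append(changes, TxnChange{TableID: id, PreviousPods: p, Pods: n})
	}
	sort.Slice(changes, func(i, j int) bool { return changes[i].TableID < changes[j].TableID })
	return changes
}

func main() {
	// Constructed scenario: web-2 gets a policy of its own, so it leaves the
	// shared "T-web" table for a new "T-web2" table; "T-db" is untouched.
	before := Assignment{"web-1": "T-web", "web-2": "T-web", "db-1": "T-db"}
	after := Assignment{"web-1": "T-web", "web-2": "T-web2", "db-1": "T-db"}
	for _, c := range ComputeChanges(before, after) {
		fmt.Printf("%s: %v -> %v\n", c.TableID, c.PreviousPods, c.Pods)
	}
}
```

A renderer consuming such a list can tell the three cases apart without consulting the pod view: empty PreviousPods means a table to install, an empty post-transaction set means a table to uninstall, and anything else is a re-assignment of an existing table whose rules did not change.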
type View ¶
type View interface {
	// GetPodConfig returns the current configuration of a given pod
	// (as passed through the Txn.Update() method).
	// Method returns nil if the given pod is not tracked by the cache.
	GetPodConfig(pod podmodel.ID) *PodConfig

	// GetAllPods returns the set of all pods currently tracked by the cache.
	GetAllPods() PodSet

	// GetIsolatedPods returns the set of IDs of all pods that have a local table assigned.
	// The term "isolated" is borrowed from K8s, pods become isolated by having
	// a NetworkPolicy that selects them.
	GetIsolatedPods() PodSet

	// GetLocalTableByPod returns the local table assigned to a given pod.
	// Returns nil if the pod has no table assigned (non-isolated).
	GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable

	// GetGlobalTable returns the global table.
	// The function never returns nil but may return table with empty set of rules
	// (meaning ALLOW-ALL).
	GetGlobalTable() *ContivRuleTable
}
View allows reading the cache content.