netpol

package
Published: Mar 12, 2020 License: Apache-2.0 Imports: 28 Imported by: 0

Documentation

Index

Constants

// Address families accepted by OptionFamilly.
const (
	// FamillyInet selects IPv4 ("inet").
	FamillyInet = "inet"
	// FamillyInet6 selects IPv6 ("inet6").
	FamillyInet6 = "inet6"
)

// Defaults applied to hash sets created without explicit sizing options.
const (
	// DefaultMaxElem is the default OptionMaxElem value.
	DefaultMaxElem = "65536"
	// DefaultHasSize is the default OptionHashSize value.
	DefaultHasSize = "1024"
)

// ipset set types.
const (
	// TypeHashIP stores IP host addresses (default) or network addresses in a hash.
	// A zero-valued IP address cannot be stored in a hash:ip set.
	TypeHashIP = "hash:ip"
	// TypeHashMac stores MAC addresses in a hash. A zero-valued MAC address
	// cannot be stored in a hash:mac set.
	TypeHashMac = "hash:mac"
	// TypeHashNet stores IP network addresses of different sizes in a hash.
	// A network with a zero prefix size cannot be stored in this set type.
	TypeHashNet = "hash:net"
	// TypeHashNetNet stores pairs of IP network addresses of different sizes in a hash.
	// The first parameter takes precedence over the second, so a nomatch entry can be
	// ineffective when a more specific first parameter exists with a suitable second
	// parameter. A network with a zero prefix size cannot be stored in this set type.
	TypeHashNetNet = "hash:net,net"
	// TypeHashIPPort stores IP address and port number pairs in a hash. The port is
	// interpreted together with a protocol (default TCP); protocol number zero cannot be used.
	TypeHashIPPort = "hash:ip,port"
	// TypeHashNetPort stores IP network address and port pairs in a hash. The port is
	// interpreted together with a protocol (default TCP); protocol number zero cannot be
	// used, and a network with a zero prefix size is not accepted either.
	TypeHashNetPort = "hash:net,port"
	// TypeHashIPPortIP stores IP address, port number and second IP address triples in a
	// hash. The port is interpreted together with a protocol (default TCP); protocol
	// number zero cannot be used.
	TypeHashIPPortIP = "hash:ip,port,ip"
	// TypeHashIPPortNet stores IP address, port number and IP network address triples in a
	// hash. The port is interpreted together with a protocol (default TCP); protocol
	// number zero cannot be used, and a network with a zero prefix size cannot be stored.
	TypeHashIPPortNet = "hash:ip,port,net"
	// TypeHashIPMark stores IP address and packet mark pairs in a hash.
	TypeHashIPMark = "hash:ip,mark"
	// TypeHashIPNetPortNet behaves like hash:ip,port,net but accepts a CIDR value for both
	// the first and the last parameter. Either subnet may be /0 to match a port between
	// all destinations.
	TypeHashIPNetPortNet = "hash:net,port,net"
	// TypeHashNetIface stores IP network address and interface name pairs in a hash.
	TypeHashNetIface = "hash:net,iface"
	// TypeListSet is a simple list in which set names can be stored.
	TypeListSet = "list:set"
)

// Options accepted by the create and add commands.
const (
	// OptionTimeout is supported by all set types when creating a set and adding entries.
	// On create it sets the default timeout (in seconds) for new entries; on add it
	// overrides that default for one entry. A zero timeout adds the entry permanently.
	// The timeout of an existing element can be changed by re-adding it with -exist.
	// For sets with timeouts the entry count printed in the list header may exceed the
	// number of listed entries, because the count is refreshed on add/delete and when the
	// garbage collector evicts expired entries.
	OptionTimeout = "timeout"
	// OptionCounters is supported by all set types when creating a set. The set is then
	// created with per-element packet and byte counters, which are reset to zero when an
	// element is (re-)added unless OptionPackets / OptionBytes give explicit values.
	OptionCounters = "counters"
	// OptionPackets sets an explicit initial packet counter value when adding an element
	// to a set created with OptionCounters.
	OptionPackets = "packets"
	// OptionBytes sets an explicit initial byte counter value when adding an element to a
	// set created with OptionCounters.
	OptionBytes = "bytes"
	// OptionComment is supported by all set types and annotates an entry with an arbitrary
	// string that both the kernel and ipset ignore; it only documents why the entry exists.
	// Comments must not contain quotation marks, and the backslash has no escaping
	// meaning, so caller-supplied comment text should be validated before it is handed
	// to ipset.
	OptionComment = "comment"
	// OptionSkbinfo is supported by all set types and stores metainfo (firewall mark, tc
	// class and hardware queue) with every entry, mapped onto packets by the SET netfilter
	// target with --map-set.
	OptionSkbinfo = "skbinfo"
	// OptionSkbmark carries the firewall mark of the skbinfo extension. Format: MARK or
	// MARK/MASK, both 32-bit hex numbers with a 0x prefix; a missing mask means 0xffffffff.
	OptionSkbmark = "skbmark"
	// OptionSkbprio carries the tc class of the skbinfo extension. Format: MAJOR:MINOR,
	// both hex numbers without a 0x prefix.
	OptionSkbprio = "skbprio"
	// OptionSkbqueue carries the hardware queue of the skbinfo extension as a plain
	// decimal number.
	OptionSkbqueue = "skbqueue"
	// OptionHashSize is valid for the create command of all hash set types. It defines the
	// initial hash size (default 1024). The size must be a power of two; the kernel rounds
	// other values up to the next power of two.
	OptionHashSize = "hashsize"
	// OptionMaxElem is valid for the create command of all hash set types. It defines the
	// maximal number of elements the set can hold (default 65536).
	OptionMaxElem = "maxelem"
	// OptionFamilly is valid for the create command of all hash set types except hash:mac.
	// It defines the protocol family of the stored IP addresses; the default is inet (IPv4).
	OptionFamilly = "family"
	// OptionNoMatch is supported when adding entries to hash set types that store net data
	// (hash:*net*). Entries marked nomatch are skipped during matching as if they were not
	// in the set, which allows building sets with exceptions. ipset honours the nomatch
	// flag when testing, so testing for a nomatch element requires the flag as well.
	OptionNoMatch = "nomatch"
	// OptionForceAdd is supported by all hash set types when creating a set. When such a
	// set becomes full, the next addition may succeed by evicting a random entry.
	OptionForceAdd = "forceadd"
)

Variables

This section is empty.

Functions

func GetNodeIP

func GetNodeIP(node *apiv1.Node) (net.IP, error)

GetNodeIP returns the most valid external-facing IP address for a node. Order of preference: 1. NodeInternalIP 2. NodeExternalIP (usually set only by cloud providers)

func Run

func Run(ctx context.Context, nodeConfig *config.Node) error

Types

type Entry

type Entry struct {
	Set     *Set
	Options []string
}

Entry is a single entry of an ipset Set.

func (*Entry) Del

func (entry *Entry) Del() error

Del deletes the entry from its set. If the -exist option is specified and the entry is not in the set (for example because it has already expired), the command is ignored.

type IPSet

type IPSet struct {
	Sets map[string]*Set
	// contains filtered or unexported fields
}

IPSet represents the ipset sets managed by this package.

func NewSavedIPSet

func NewSavedIPSet(isIpv6 bool) (*IPSet, error)

NewSavedIPSet creates a new IPSet with ipSetPath initialized.

func (*IPSet) Add

func (ipset *IPSet) Add(set *Set) error

Add adds the given Set to the IPSet.

func (*IPSet) Create

func (ipset *IPSet) Create(setName string, createOptions ...string) (*Set, error)

Create creates a set identified by setName with the specified type. The type may require type-specific options. The set is not created on the system if one with the same name already exists.

func (*IPSet) Destroy

func (ipset *IPSet) Destroy(setName string) error

Destroy destroys the specified set by name. If the set is still referenced, nothing is done and no set is destroyed. If the IPSet does not contain the named set, Destroy is a no-op.

func (*IPSet) DestroyAllWithin

func (ipset *IPSet) DestroyAllWithin() error

DestroyAllWithin destroys all sets contained within the IPSet's Sets.

func (*IPSet) Flush

func (ipset *IPSet) Flush() error

Flush all entries from the specified set or flush all sets if none is given.

func (*IPSet) Get

func (ipset *IPSet) Get(setName string) *Set

Get Set by Name.

func (*IPSet) Restore

func (ipset *IPSet) Restore() error

Restore restores a saved session generated by save. The saved session can be fed from stdin, or the -file option can be used to specify a filename instead of stdin. Note that existing sets and elements are not erased by restore unless the restore file says so. All commands are allowed in restore mode except list, help, version, interactive mode and restore itself. Restore sends the formatted ipset.sets into the stdin of the "ipset restore" command.

func (*IPSet) Save

func (ipset *IPSet) Save() error

Save saves the given set, or all sets if none is given, to stdout in a format that restore can read. The -file option can be used to specify a filename instead of stdout. Save stores the output of the "ipset save" command in ipset.sets.

type NetworkPolicyController

type NetworkPolicyController struct {
	MetricsEnabled bool

	PodEventHandler           cache.ResourceEventHandler
	NamespaceEventHandler     cache.ResourceEventHandler
	NetworkPolicyEventHandler cache.ResourceEventHandler
	// contains filtered or unexported fields
}

NetworkPolicyController holds the information required by the network policy controller.

func NewNetworkPolicyController

func NewNetworkPolicyController(
	stopCh <-chan struct{},
	clientset kubernetes.Interface,
	ipTablesSyncPeriod time.Duration,
	hostnameOverride string) (*NetworkPolicyController, error)

NewNetworkPolicyController returns new NetworkPolicyController object

func (*NetworkPolicyController) Cleanup

func (npc *NetworkPolicyController) Cleanup()

Cleanup removes the configuration that the controller has applied.

func (*NetworkPolicyController) ListNamespaceByLabels

func (npc *NetworkPolicyController) ListNamespaceByLabels(set labels.Set) ([]*api.Namespace, error)

func (*NetworkPolicyController) ListPodsByNamespaceAndLabels

func (npc *NetworkPolicyController) ListPodsByNamespaceAndLabels(namespace string, labelsToMatch labels.Set) (ret []*api.Pod, err error)

func (*NetworkPolicyController) OnNamespaceUpdate

func (npc *NetworkPolicyController) OnNamespaceUpdate(obj interface{})

OnNamespaceUpdate handles updates to namespace from kubernetes api server

func (*NetworkPolicyController) OnNetworkPolicyUpdate

func (npc *NetworkPolicyController) OnNetworkPolicyUpdate(obj interface{})

OnNetworkPolicyUpdate handles updates to network policy from the kubernetes api server

func (*NetworkPolicyController) OnPodUpdate

func (npc *NetworkPolicyController) OnPodUpdate(obj interface{})

OnPodUpdate handles updates to pods from the Kubernetes api server

func (*NetworkPolicyController) Run

func (npc *NetworkPolicyController) Run(stopCh <-chan struct{})

Run runs until a notification is received on stopCh.

func (*NetworkPolicyController) Sync

func (npc *NetworkPolicyController) Sync() error

Sync synchronizes iptables to desired state of network policies

type Set

type Set struct {
	Parent  *IPSet
	Name    string
	Entries []*Entry
	Options []string
}

Set represents an ipset set.

func (*Set) Add

func (set *Set) Add(addOptions ...string) (*Entry, error)

Add a given entry to the set. If the -exist option is specified, ipset ignores if the entry already added to the set.

func (*Set) Destroy

func (set *Set) Destroy() error

Destroy the specified set or all the sets if none is given. If the set has got reference(s), nothing is done and no set destroyed.

func (*Set) Flush

func (set *Set) Flush() error

Flush all entries from the specified set or flush all sets if none is given.

func (*Set) IsActive

func (set *Set) IsActive() (bool, error)

IsActive checks if a set exists on the system with the same name.

func (*Set) Refresh

func (set *Set) Refresh(entries []string, extraOptions ...string) error

Refresh a Set with new entries.

func (*Set) RefreshWithBuiltinOptions

func (set *Set) RefreshWithBuiltinOptions(entries [][]string) error

RefreshWithBuiltinOptions refreshes a Set with new entries, each carrying its own built-in options.

func (*Set) Rename

func (set *Set) Rename(newName string) error

Rename renames the set to newName. A set identified by newName must not already exist.

func (*Set) Swap

func (set *Set) Swap(setTo *Set) error

Swap exchanges the content of two sets or, in other words, exchanges their names. Both sets must exist, and only sets of compatible types can be swapped.

func (*Set) Test

func (set *Set) Test(testOptions ...string) (bool, error)

Test checks whether an entry is in the set. The exit status is zero if the tested entry is in the set and nonzero if it is missing.
