Package policysets

Version v3.6.5+incompatible
Published: Aug 9, 2019 License: Apache-2.0 Imports: 7 Imported by: 0

This package is not in the latest version of its module.

Documentation

Rendered for windows/amd64
Constants

const (

	// prefix to use for all policy names
	PolicyNamePrefix string = "policy-"
	// prefix to use for all profile names
	ProfileNamePrefix string = "profile-"
)

Variables

var (
	SkipRule   = errors.New("Rule skipped")
	MissingSet = errors.New("Missing IPSet")
)

Functions

This section is empty.

Types

type PolicySetMetadata

type PolicySetMetadata struct {
	SetId string
	Type  PolicySetType
}

PolicySetMetadata contains the metadata for a particular Policy set, such as its name and type.

type PolicySetType

type PolicySetType string

PolicySetType constants for the different kinds of Policy set.

const (
	PolicySetTypePolicy  PolicySetType = "policy"
	PolicySetTypeProfile PolicySetType = "profile"
)

func (PolicySetType) SetType

func (t PolicySetType) SetType() string

type PolicySets

type PolicySets struct {
	IpSets []*ipsets.IPSets
	// contains filtered or unexported fields
}

PolicySets manages a whole plane of policies/profiles.

func NewPolicySets

func NewPolicySets(ipsets []*ipsets.IPSets) *PolicySets

func (*PolicySets) AddOrReplacePolicySet

func (s *PolicySets) AddOrReplacePolicySet(setId string, policy interface{})

AddOrReplacePolicySet is responsible for the creation (or replacement) of a Policy set and it is capable of processing either Profiles or Policies from the datastore.

func (*PolicySets) GetPolicySetRules

func (s *PolicySets) GetPolicySetRules(setIds []string, isInbound bool) (rules []*hns.ACLPolicy)

GetPolicySetRules receives a list of Policy set ids and computes the complete set of resulting hns rules needed to enforce all of the Policy sets for the specified direction. As the Policy sets are processed, we increment a priority number and assign it to each rule from the current set. By incrementing the rule priority for each set, we ensure that all of the sets are enforced and considered by the dataplane in the order intended by felix. Once all rules are gathered, we add a final pair of rules to default-deny any traffic that has not matched any rule from any Policy set.
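As an added illustration (not code from this package or the Felix project), the following models the priority assignment described above. It uses a small stand-in for hns.ACLPolicy, a constructed base priority, and an assumed composition of the final deny pair (one switch-scope and one host-scope block rule), and adds a first-match evaluator so the effect of set ordering can be checked on constructed input.

```go
package main

import "net"

// ACLRule stands in for the hns.ACLPolicy fields this algorithm sets
// (an assumption of this example; the real struct has more fields).
type ACLRule struct {
	Action, Direction, RuleType string // "Allow"/"Block", "In"/"Out", "Switch"/"Host"
	Priority                    uint16 // hns evaluates lower numbers first
	Remote                      string // remote CIDR to match; "" matches any
}

const basePriority uint16 = 1000 // constructed value, not Felix's real base

// BuildRules follows the documented GetPolicySetRules behaviour: all rules of a
// set share one priority, each later set gets the next (lower-precedence)
// number, and a final default-deny pair closes the list. Each inner slice is
// one Policy set, already resolved to rules, in the order felix intends.
func BuildRules(sets [][]ACLRule, inbound bool) []ACLRule {
	dir := map[bool]string{true: "In", false: "Out"}[inbound]
	prio, rules := basePriority, []ACLRule{}
	for _, set := range sets {
		for _, r := range set {
			r.Direction, r.RuleType, r.Priority = dir, "Switch", prio
			rules = append(rules, r)
		}
		prio++ // rules of the next set must not outrank this set's rules
	}
	// Composition of the final pair (switch scope + host scope) is an assumption.
	for _, scope := range []string{"Switch", "Host"} {
		rules = append(rules, ACLRule{Action: "Block", Direction: dir, RuleType: scope, Priority: prio})
	}
	return rules
}

// Verdict returns the action of the highest-precedence switch rule matching a
// remote IP, mimicking the dataplane's lowest-priority-number-wins evaluation.
func Verdict(rules []ACLRule, remote string) string {
	ip, verdict, best := net.ParseIP(remote), "", uint16(0xFFFF)
	for _, r := range rules {
		_, cidr, err := net.ParseCIDR(r.Remote) // err is only consulted when Remote is set
		if r.RuleType != "Switch" || r.Priority >= best || (r.Remote != "" && (err != nil || !cidr.Contains(ip))) {
			continue
		}
		verdict, best = r.Action, r.Priority
	}
	return verdict
}
```

With a first set allowing 10.0.1.0/24 and a second set blocking 10.0.0.0/16, an address in 10.0.1.0/24 is allowed because the earlier set's rule carries the lower priority number, while anything matching no set falls through to the default deny.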

func (*PolicySets) NewHostRule

func (s *PolicySets) NewHostRule(isInbound bool) *hns.ACLPolicy

NewHostRule returns a new hns rule object scoped to the host.

func (*PolicySets) NewRule

func (s *PolicySets) NewRule(isInbound bool, priority uint16) *hns.ACLPolicy

NewRule returns a new hns switch rule object instantiated with default values.

func (*PolicySets) ProcessIpSetUpdate

func (s *PolicySets) ProcessIpSetUpdate(ipSetId string) []string

ProcessIpSetUpdate locates any Policy set(s) which reference the provided IP set and causes those Policy sets to be recomputed (to ensure any rule address conditions are using the latest address values from the IP set). A list of the Policy sets which were found and recomputed is returned to the caller.

func (*PolicySets) RemovePolicySet

func (s *PolicySets) RemovePolicySet(setId string)

RemovePolicySet is responsible for the removal of a Policy set.

type PolicySetsDataplane

type PolicySetsDataplane interface {
	AddOrReplacePolicySet(setId string, policy interface{})
	RemovePolicySet(setId string)
	NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
	GetPolicySetRules(setIds []string, isInbound bool) (rules []*hns.ACLPolicy)
	ProcessIpSetUpdate(ipSetId string) []string
}

PolicySetsDataplane is an interface for managing a plane of policySet objects.
