cache

package
v0.0.0-...-2d08fe4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 20, 2023 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Index

Constants

View Source
const AnyPort uint16 = 0

AnyPort is a constant that represents any port.

View Source
const GlobalTableID = "NODE-GLOBAL"

GlobalTableID is the ID of the global table.

Variables

This section is empty.

Functions

This section is empty.

Types

type AllocatedIDs

type AllocatedIDs map[string]struct{}

AllocatedIDs represents a set of all allocated IDs.

type Config

type Config map[podmodel.ID]*PodConfig

Config is used to store snapshot of the configuration as received through RendererCacheTxn.Update().

type ContivRuleTable

type ContivRuleTable struct {
	// Type is used to differentiate the global table from the local ones.
	Type TableType

	// Set of all pods that have this table assigned.
	// Empty for the global table and a removed local table.
	Pods PodSet

	// Rules applied on the ingress or the egress side for one or multiple pods
	// (local) or globally for the node (global).
	// The rules are in the order such that if rule *r1* matches subset
	// of the traffic matched by *r2*, then r1 precedes r2 in the list.
	// It is the order at which the rules should by applied by the rule
	// matching algorithm in the destination network stack (otherwise the more
	// specific rules could be overshadowed and never matched).
	// First *NumOfRules* entries are filled with rules, the rest are nils.
	Rules []*renderer.ContivRule

	// NumOfRules is the number of rules inserted in the table (remaining entries
	// in *Rules* are nils).
	NumOfRules int

	// Private can be used by renderer to store the configuration of the table
	// in the format used by the destination network stack.
	Private interface{}
	// contains filtered or unexported fields
}

ContivRuleTable is a table consisting of Contiv Rules, ordered such that if rule *r1* matches subset of the traffic matched by *r2*, then r1 precedes r2 in the list. It is the order at which the rules should by applied by the rule matching algorithm in the destination network stack (otherwise the more specific rules could be overshadowed and never matched). There are two types of tables distinguished:

  1. Local table: should be applied to match against traffic leaving (IngressOrientation) or entering (EgressOrientation) a selected subset of pods. Every pod has at most one local table installed at any given time. For local table, the set of rules is immutable. Different content is treated as a new local table (and the original table may get unassigned from some or all originally associated pods). Local table has always at least one rule, otherwise it is simply not tracked and returned by the cache.
  2. Global table: should be applied to match against traffic entering (IngressOrientation) or leaving (EgressOrientation) the node. There is always exactly one global table installed (per node). The global table may contain an empty set of rules (meaning ALLOW-ALL).

func NewContivRuleTable

func NewContivRuleTable(tableType TableType) *ContivRuleTable

NewContivRuleTable is a constructor for ContivRuleTable.

func (*ContivRuleTable) DiffRules

func (crt *ContivRuleTable) DiffRules(crt2 *ContivRuleTable) (notIn2, notInThis []*renderer.ContivRule)

DiffRules calculates diff in terms of rules between this and the other table.

func (*ContivRuleTable) GetID

func (crt *ContivRuleTable) GetID() string

GetID returns table ID that will be the same between tables of the same type and with the same content, otherwise highly likely different.

func (*ContivRuleTable) HasRule

func (crt *ContivRuleTable) HasRule(rule *renderer.ContivRule) bool

HasRule returns true if the given rule is included in the table.

func (*ContivRuleTable) InsertRule

func (crt *ContivRuleTable) InsertRule(rule *renderer.ContivRule) bool

InsertRule inserts the rule into the table at the right order. Returns *true* if the rule was inserted, *false* if the same rule is already in the cache.

func (*ContivRuleTable) RemoveByPredicate

func (crt *ContivRuleTable) RemoveByPredicate(predicate func(rule *renderer.ContivRule) bool) int

RemoveByPredicate removes all rules from the table that satisfy a given predicate. Number of removed rules is returned.

func (*ContivRuleTable) RemoveRuleByIdx

func (crt *ContivRuleTable) RemoveRuleByIdx(idx int) bool

RemoveRuleByIdx removes rule under a given index from the table. Returns *true* if the index is valid and the rule was removed.

func (*ContivRuleTable) String

func (crt *ContivRuleTable) String() string

String converts ContivRuleTable (pointer) into a human-readable string representation.

type Deps

type Deps struct {
	Log logging.Logger
}

Deps lists dependencies of RendererCache.

type LocalTables

type LocalTables struct {
	Log logging.Logger
	// contains filtered or unexported fields
}

LocalTables is an ordered list of all cached local tables. It has efficient operations: apart from Remove() and RemoveByPredicate(), all with logarithmic or constant complexity.

API:

Insert(table)
Remove(table)
RemoveByIdx(idx)
RemoveByPredicate(func(table) -> bool)
LookupByID(ID) -> table
LookupByRules() -> table
LookupByPod(pod) -> table
AssignPod(table, podID)
UnassignPod(table/nil=all, podID)
GetIsolatedPods() -> pods

func NewLocalTables

func NewLocalTables(logger logging.Logger) *LocalTables

NewLocalTables is a constructor for LocalTables.

func (*LocalTables) AssignPod

func (lts *LocalTables) AssignPod(table *ContivRuleTable, podID podmodel.ID)

AssignPod creates association between the pod and the table.

func (*LocalTables) GetIsolatedPods

func (lts *LocalTables) GetIsolatedPods() PodSet

GetIsolatedPods returns the set of IDs of all pods that have a (non-empty) local table assigned. The term "isolated" is borrowed from K8s, pods become isolated by having a NetworkPolicy that selects them.

func (*LocalTables) Insert

func (lts *LocalTables) Insert(table *ContivRuleTable) bool

Insert local table into the list.

func (*LocalTables) LookupByID

func (lts *LocalTables) LookupByID(id string) *ContivRuleTable

LookupByID searches for table by ID.

func (*LocalTables) LookupByPod

func (lts *LocalTables) LookupByPod(podID podmodel.ID) *ContivRuleTable

LookupByPod searches for table by an assigned pod.

func (*LocalTables) LookupByRules

func (lts *LocalTables) LookupByRules(rules []*renderer.ContivRule) *ContivRuleTable

LookupByRules searches for table by rules. If there are multiple tables with this list of rules, the one with the smallest index in the list of tables is returned.

func (*LocalTables) Remove

func (lts *LocalTables) Remove(table *ContivRuleTable) bool

Remove local table from the list (by pointer).

func (*LocalTables) RemoveByIdx

func (lts *LocalTables) RemoveByIdx(idx int) bool

RemoveByIdx removes local table under a given index from the list. Returns *true* if the index is valid and the table was removed.

func (*LocalTables) RemoveByPredicate

func (lts *LocalTables) RemoveByPredicate(predicate func(table *ContivRuleTable) bool) int

RemoveByPredicate removes all local tables that satisfy a given predicate. Number of removed tables is returned.

func (*LocalTables) String

func (lts *LocalTables) String() string

String converts LocalTables (pointer) into a human-readable string representation.

func (*LocalTables) UnassignPod

func (lts *LocalTables) UnassignPod(table *ContivRuleTable, podID podmodel.ID)

UnassignPod removes association between the pod and the table. <table> may be nil to match any local table.

type Orientation

type Orientation int

Orientation is either "IngressOrientation" or "EgressOrientation". It is selected during the cache initialization to specify whether the rule matching algorithm in the destination network stack runs against the ingress or the egress traffic (from the vswitch point of view).

const (
	// IngressOrientation means that rules are applied on the traffic *arriving*
	// from the interfaces into the vswitch.
	IngressOrientation Orientation = iota

	// EgressOrientation means that rules are applied on the traffic *leaving*
	// the vswitch through the interfaces.
	EgressOrientation
)

type PodConfig

type PodConfig struct {
	PodIP   *net.IPNet
	Ingress []*renderer.ContivRule
	Egress  []*renderer.ContivRule
	Removed bool /* false can only be inside the transaction; removed pods are no longer tracked by the cache */
}

PodConfig encapsulates pod configuration (passed through RendererCacheTxn.Update()).

func (*PodConfig) String

func (p *PodConfig) String() string

type PodSet

type PodSet map[podmodel.ID]struct{}

PodSet is a set of pods.

func NewPodSet

func NewPodSet(podIDs ...podmodel.ID) PodSet

NewPodSet is a constructor for PodSet

func (PodSet) Add

func (set PodSet) Add(podID podmodel.ID)

Add adds new pod ID into the set.

func (PodSet) Copy

func (set PodSet) Copy() PodSet

Copy returns deep copy of the set.

func (PodSet) Equals

func (set PodSet) Equals(set2 PodSet) bool

Equals compares two sets for equality.

func (PodSet) Has

func (set PodSet) Has(podID podmodel.ID) bool

Has returns true if the set contains given pod ID.

func (PodSet) Join

func (set PodSet) Join(set2 PodSet) PodSet

Join merges <set2> into this set.

func (PodSet) Remove

func (set PodSet) Remove(podID podmodel.ID) bool

Remove removes pod ID from the set if it is there.

func (PodSet) String

func (set PodSet) String() string

String returns a human-readable string representation of the set.

func (PodSet) SymDiff

func (set PodSet) SymDiff(set2 PodSet) PodSet

SymDiff returns a new set that is symmetric difference of the sets.

type Ports

type Ports map[uint16]struct{}

Ports is a set of port numbers.

func NewPorts

func NewPorts(portNums ...uint16) Ports

NewPorts is a constructor for Ports.

func (Ports) Add

func (p Ports) Add(port uint16)

Add port number into the set

func (Ports) Has

func (p Ports) Has(port uint16) bool

Has returns true if the given port is in the set.

func (Ports) HasExplicit

func (p Ports) HasExplicit(port uint16) bool

HasExplicit returns true if the given port is in the set regardless of AnyPort presence.

func (Ports) Intersection

func (p Ports) Intersection(p2 Ports) Ports

Intersection returns the set of ports which are both in this set and in <p2>.

func (Ports) IsSubsetOf

func (p Ports) IsSubsetOf(p2 Ports) bool

IsSubsetOf returns true if this set is a subset of <p2>.

func (Ports) String

func (p Ports) String() string

String converts Ports into a human-readable string representation.

type RendererCache

type RendererCache struct {
	Deps
	// contains filtered or unexported fields
}

RendererCache implements RendererCacheAPI.

func (*RendererCache) Flush

func (rc *RendererCache) Flush()

Flush completely wipes out the cache content.

func (*RendererCache) GetAllPods

func (rc *RendererCache) GetAllPods() PodSet

GetAllPods returns the set of all pods currently tracked by the cache.

func (*RendererCache) GetGlobalTable

func (rc *RendererCache) GetGlobalTable() *ContivRuleTable

GetGlobalTable returns the global table. The function never returns nil but may return table with empty set of rules (meaning ALLOW-ALL).

func (*RendererCache) GetIsolatedPods

func (rc *RendererCache) GetIsolatedPods() PodSet

GetIsolatedPods returns the set of IDs of all pods that have a local table assigned. The term "isolated" is borrowed from K8s, pods become isolated by having a NetworkPolicy that selects them.

func (*RendererCache) GetLocalTableByPod

func (rc *RendererCache) GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable

GetLocalTableByPod returns the local table assigned to a given pod. Returns nil if the pod has no table assigned (non-isolated).

func (*RendererCache) GetPodConfig

func (rc *RendererCache) GetPodConfig(pod podmodel.ID) *PodConfig

GetPodConfig returns the current configuration of a given pod (as passed through the Txn.Update() method). Method returns nil if the given pod is not tracked by the cache.

func (*RendererCache) Init

func (rc *RendererCache) Init(orientation Orientation)

Init initializes the cache. The caller selects the orientation of the traffic at which the rules are applied in the destination network stack.

func (*RendererCache) NewTxn

func (rc *RendererCache) NewTxn() Txn

NewTxn starts a new transaction. The changes are reflected in the cache only after Commit() is called.

func (*RendererCache) Resync

func (rc *RendererCache) Resync(tables []*ContivRuleTable) error

Resync completely replaces the existing cache content with the supplied data.

type RendererCacheAPI

type RendererCacheAPI interface {
	View

	// Init initializes the cache.
	// The caller selects the orientation of the traffic at which the rules are applied
	// in the destination network stack.
	Init(orientation Orientation)

	// Flush completely wipes out the cache content.
	Flush()

	// NewTxn starts a new transaction. The changes are reflected in the cache
	// only after Commit() is called.
	NewTxn() Txn

	// Resync completely replaces the existing cache content with the supplied
	// data.
	// The configuration cannot be fully reconstructed however, only the set
	// of all tracked pods. Do not use GetPodConfig() immediately after Resync(),
	// instead follow the resync with a transaction that updates the configuration
	// of still present pods and removes the rest (Cache.GetAllPods() \ Txn.GetUpdatedPods()).
	Resync(tables []*ContivRuleTable) error
}

RendererCacheAPI defines API of a cache used to store Contiv rules. The cache allows renderer to easily calculate the minimal set of changes that need to be applied in a given transaction.

The rules are grouped into the tables (ContivRuleTable) and the configuration is represented as a list of local tables, applied on the ingress or the egress side of pods, and a single global table, applied on the interfaces connecting the node with the rest of the cluster. The list of local tables is minimalistic in the sense that pods with the same set of rules will share the same local table. Whether shared tables are installed in one instance or as separate copies for each associated pod is up to the renderer (usually determined by the capabilities of the destination network stack).

All tables match only one side of the traffic - either ingress or egress, depending on the cache orientation as selected in the Init method. The cache combines the received ingress and egress Contiv rules into the single chosen direction in a way that maintains the original semantic (the global table is introduced to accomplish the task). For IngressOrientation, the local table rules have source IP address and port always ANYADDR/ANYPORT. For EgressOrientation, the local table rules have destination IP address and port always ANYADDR/ANYPORT.

type RendererCacheTxn

type RendererCacheTxn struct {
	// contains filtered or unexported fields
}

RendererCacheTxn represents a single transaction of RendererCache.

func (*RendererCacheTxn) Commit

func (rct *RendererCacheTxn) Commit() error

Commit applies the changes into the underlying cache.

func (*RendererCacheTxn) GetAllPods

func (rct *RendererCacheTxn) GetAllPods() PodSet

GetAllPods returns the set of all pods that will have configuration tracked by the cache if the transaction is committed without any additional changes.

func (*RendererCacheTxn) GetChanges

func (rct *RendererCacheTxn) GetChanges() (changes []*TxnChange)

GetChanges calculates a minimalistic set of changes prepared in the transaction up to this point. Must be run before Commit().

func (*RendererCacheTxn) GetGlobalTable

func (rct *RendererCacheTxn) GetGlobalTable() *ContivRuleTable

GetGlobalTable returns the global table that will be installed if the transaction is committed without any additional changes

func (*RendererCacheTxn) GetIsolatedPods

func (rct *RendererCacheTxn) GetIsolatedPods() PodSet

GetIsolatedPods returns the set of IDs of pods that will have a local table assigned if the transaction is committed without any additional changes.

func (*RendererCacheTxn) GetLocalTableByPod

func (rct *RendererCacheTxn) GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable

GetLocalTableByPod returns the local table that will be assigned to a given pod if the transaction is committed without any additional changes. Returns nil if the pod will be non-isolated.

func (*RendererCacheTxn) GetPodConfig

func (rct *RendererCacheTxn) GetPodConfig(pod podmodel.ID) *PodConfig

GetPodConfig returns the configuration of a given pod either pending in the transaction or taken from the cache if the pod was not updated.

func (*RendererCacheTxn) GetRemovedPods

func (rct *RendererCacheTxn) GetRemovedPods() PodSet

GetRemovedPods returns the set of all pods that will be removed by the transaction.

func (*RendererCacheTxn) GetUpdatedPods

func (rct *RendererCacheTxn) GetUpdatedPods() PodSet

GetUpdatedPods returns the set of all pods included in the transaction.

func (*RendererCacheTxn) Update

func (rct *RendererCacheTxn) Update(pod podmodel.ID, podConfig *PodConfig)

Update changes the configuration of Contiv rules for a given pod.

type TableType

type TableType int

TableType is either "Local" or "Global".

const (
	// Local table is applied to match against traffic leaving (IngressOrientation)
	// or entering (EgressOrientation) a selected subset of pods.
	// Every pod has at most one local table installed at any given time.
	Local TableType = iota

	// Global table is applied to match against traffic entering (IngressOrientation)
	// or leaving (EgressOrientation) the node. There is always exactly one global
	// table installed (per node).
	Global
)

func (TableType) String

func (tt TableType) String() string

String converts TableType into a human-readable string.

type Txn

type Txn interface {
	// View allows to view the cache as it will look like if the transaction
	// is committed without any additional changes.
	// Should be used only before Commit() (afterwards use View from the cache itself).
	View

	// Update changes the configuration of Contiv rules for a given pod.
	// The change is applied into the cache during the commit.
	// Run GetChanges() before Commit() to learn the set of pending updates (merged
	// to a minimal diff).
	// If *podConfig.removed* is true, the pod will be removed from the cache
	// when the transaction is committed.
	Update(pod podmodel.ID, podConfig *PodConfig)

	// GetUpdatedPods returns the set of all pods included in the transaction.
	GetUpdatedPods() PodSet

	// GetRemovedPods returns the set of all pods that will be removed by the transaction.
	GetRemovedPods() PodSet

	// GetChanges calculates a minimalistic set of changes prepared in the
	// transaction up to this point.
	// Changes are presented from the tables point of view (i.e. what tables have been
	// changed, created, removed).
	// Alternatively, GetLocalTableByPod() and GetGlobalTable() from View
	// interface can be used to get the updated configuration from the pods point of view.
	// GetChanges() must be run before Commit().
	GetChanges() (changes []*TxnChange)

	// Commit applies the changes into the underlying cache.
	Commit() error
}

Txn defines API of RendererCache transaction.

type TxnChange

type TxnChange struct {
	// Table that has been been affected by the transaction.
	// Possible changes:
	//   - new table
	//   - removed table
	//   - changed assignment of pods for a local table
	//   - change in the set of rules for the global table
	Table *ContivRuleTable

	// Set of pods previously assigned to the table.
	// Empty for the global table or a newly added local table.
	PreviousPods PodSet
}

TxnChange represents change in the RendererCache to be performed by a transaction.

func (*TxnChange) String

func (tch *TxnChange) String() string

String converts TxnChange (pointer) into a human-readable string representation.

type View

type View interface {
	// GetPodConfig returns the current configuration of a given pod
	// (as passed through the Txn.Update() method).
	// Method returns nil if the given pod is not tracked by the cache.
	GetPodConfig(pod podmodel.ID) *PodConfig

	// GetAllPods returns the set of all pods currently tracked by the cache.
	GetAllPods() PodSet

	// GetIsolatedPods returns the set of IDs of all pods that have a local table assigned.
	// The term "isolated" is borrowed from K8s, pods become isolated by having
	// a NetworkPolicy that selects them.
	GetIsolatedPods() PodSet

	// GetLocalTableByPod returns the local table assigned to a given pod.
	// Returns nil if the pod has no table assigned (non-isolated).
	GetLocalTableByPod(pod podmodel.ID) *ContivRuleTable

	// GetGlobalTable returns the global table.
	// The function never returns nil but may return table with empty set of rules
	// (meaning ALLOW-ALL).
	GetGlobalTable() *ContivRuleTable
}

View allows to read the cache content

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL