Documentation
Overview
Package policy describes a generic interface for retrieving policies. Different implementations are possible for environments such as Kubernetes, Mesos or other custom environments. An implementation has to provide a method for retrieving policy based on the metadata associated with the container and deleting the policy when the container dies. It is up to the implementation to decide how to generate the policy. The package also defines the basic data structure for communicating policy information. The implementations are responsible for providing all the necessary data.
Index
- Constants
- type FlowAction
- type IPMap
- type IPRule
- type IPRuleList
- type InfoInteractor
- type KeyValueOperator
- type Operator
- type PUAction
- type PUInfo
- type PUPolicy
- func (p *PUPolicy) AddIdentityTag(k, v string)
- func (p *PUPolicy) AddReceiverRules(t *TagSelector)
- func (p *PUPolicy) AddTransmitterRules(t *TagSelector)
- func (p *PUPolicy) Annotations() *TagsMap
- func (p *PUPolicy) ApplicationACLs() *IPRuleList
- func (p *PUPolicy) Clone() *PUPolicy
- func (p *PUPolicy) DefaultIPAddress() (string, bool)
- func (p *PUPolicy) ExcludedNetworks() []string
- func (p *PUPolicy) IPAddresses() *IPMap
- func (p *PUPolicy) Identity() *TagsMap
- func (p *PUPolicy) NetworkACLs() *IPRuleList
- func (p *PUPolicy) ReceiverRules() *TagSelectorList
- func (p *PUPolicy) SetIPAddresses(l *IPMap)
- func (p *PUPolicy) TransmitterRules() *TagSelectorList
- func (p *PUPolicy) TriremeNetworks() []string
- func (p *PUPolicy) UpdateExcludedNetworks(networks []string)
- func (p *PUPolicy) UpdateTriremeNetworks(networks []string)
- type PURuntime
- func (r *PURuntime) Clone() *PURuntime
- func (r *PURuntime) DefaultIPAddress() (string, bool)
- func (r *PURuntime) IPAddresses() *IPMap
- func (r *PURuntime) MarshalJSON() ([]byte, error)
- func (r *PURuntime) Name() string
- func (r *PURuntime) Options() *TagsMap
- func (r *PURuntime) PUType() constants.PUType
- func (r *PURuntime) Pid() int
- func (r *PURuntime) SetIPAddresses(ipa *IPMap)
- func (r *PURuntime) SetOptions(options *TagsMap)
- func (r *PURuntime) SetPUType(puType constants.PUType)
- func (r *PURuntime) SetPid(pid int)
- func (r *PURuntime) Tag(key string) (string, bool)
- func (r *PURuntime) Tags() *TagsMap
- func (r *PURuntime) UnmarshalJSON(param []byte) error
- type PURuntimeJSON
- type RuntimeReader
- type TagSelector
- type TagSelectorList
- type TagsMap
Constants
const (
	// Equal is the equal operator
	Equal = "="
	// NotEqual is the not equal operator
	NotEqual = "=!"
	// KeyExists is the key=* operator
	KeyExists = "*"
	// KeyNotExists means that the key doesn't exist in the incoming tags
	KeyNotExists = "!*"
)
const (
	// AllowAll allows everything for the specific PU.
	AllowAll = 0x1
	// Police filters on the PU based on the PolicyRules.
	Police = 0x2
)
const (
	// DefaultNamespace is the default namespace for applying policy
	DefaultNamespace = "bridge"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type FlowAction
type FlowAction int
FlowAction is the action that can be applied to a flow.
const (
	// Accept is the accept action
	Accept FlowAction = 0x1
	// Reject is the reject action
	Reject FlowAction = 0x2
	// Log instructs the data path to log information
	Log FlowAction = 0x4
	// Encrypt instructs data to be encrypted
	Encrypt FlowAction = 0x8
)
type IPMap
An IPMap is a map of Key:Values used for IP Addresses.
type IPRule
type IPRule struct {
	Address  string
	Port     string
	Protocol string
	Action   FlowAction
}
IPRule holds IP rules to external services
type IPRuleList
type IPRuleList struct {
	Rules []IPRule
}
IPRuleList is a list of IP rules
func NewIPRuleList
func NewIPRuleList(rules []IPRule) *IPRuleList
NewIPRuleList returns a new IP rule list
func (*IPRuleList) Clone
func (l *IPRuleList) Clone() *IPRuleList
Clone creates a clone of the IP rule list
type InfoInteractor
type InfoInteractor interface {
	// Clone returns a copy of the policy
	Clone() *PUPolicy
	// ApplicationACLs returns a copy of IPRuleList
	ApplicationACLs() *IPRuleList
	// NetworkACLs returns a copy of IPRuleList
	NetworkACLs() *IPRuleList
	// ReceiverRules returns a copy of TagSelectorList
	ReceiverRules() *TagSelectorList
	// TransmitterRules returns a copy of TagSelectorList
	TransmitterRules() *TagSelectorList
	// Identity returns a copy of the identity
	Indentity() *TagsMap
	// Annotations returns a copy of the Annotations
	Annotations() *TagsMap
	// DefaultIPAddress returns the default IP address for the processing unit
	DefaultIPAddress() (string, bool)
}
InfoInteractor is the interface for setting up policy before providing it to trireme
type KeyValueOperator
KeyValueOperator describes an individual matching rule
func NewKeyValueOperator
func NewKeyValueOperator(k string, o Operator, kvos []string) *KeyValueOperator
NewKeyValueOperator returns a new KeyValueOperator built from the given key, operator and values
func (*KeyValueOperator) Clone
func (k *KeyValueOperator) Clone() *KeyValueOperator
Clone returns a copy of the KeyValueOperator
type PUAction
type PUAction int
PUAction defines the action types that apply to a specific PU as a whole.
type PUInfo
type PUInfo struct {
	// ContextID is the ID of the container that the policy applies to
	ContextID string
	// Policy is an instantiation of the container policy
	Policy *PUPolicy
	// Runtime captures all data collected from the container
	Runtime *PURuntime
}
PUInfo captures all policy information related to a connection
type PUPolicy
type PUPolicy struct {
	// ManagementID is provided for the policy implementations as a means of
	// holding a policy identifier related to the implementation
	ManagementID string
	// TriremeAction defines what level of policy should be applied to that container.
	TriremeAction PUAction
	// Extensions is an interface to a data structure that allows the policy supervisor
	// to pass additional instructions to a plugin. Plugin and policy must be
	// coordinated to implement the interface
	Extensions interface{}
	// contains filtered or unexported fields
}
PUPolicy captures all policy information related to the container
func NewPUPolicy
func NewPUPolicy(
	id string,
	action PUAction,
	appACLs, netACLs *IPRuleList,
	txtags, rxtags *TagSelectorList,
	identity, annotations *TagsMap,
	ips *IPMap,
	triremeNetworks []string,
	excludedNetworks []string,
	e interface{}) *PUPolicy
NewPUPolicy generates a new PUPolicy. appACLs are the ACLs for packets coming from the Application/PU to the Network. netACLs are the ACLs for packets coming from the Network to the Application/PU.
func NewPUPolicyWithDefaults
func NewPUPolicyWithDefaults() *PUPolicy
NewPUPolicyWithDefaults sets up a PU policy with defaults
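The IPRuleList type and the appACLs/netACLs split that NewPUPolicy documents can be exercised together. What follows is an added, self-contained Go example, not code from the policy package or the trireme project: it re-declares FlowAction, IPRule and IPRuleList as documented, keeps the two ACL lists in a small Policy struct (the real PUPolicy stores them in unexported fields), and assumes encodings the page does not specify: Address is a single IP or a CIDR, Port is "any", a single port or a "lo:hi" range, and Protocol is "tcp"/"udp" or empty for any. Rules are evaluated in order, first match wins, and a flow that matches nothing (including one whose address does not parse, or a rule with a malformed CIDR) is rejected; that default-deny behaviour is the example's choice, not something the package documents.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// FlowAction, IPRule and IPRuleList mirror the documented declarations
// (constructed copies so this file compiles on its own).
type FlowAction int
const (
	Accept  FlowAction = 0x1
	Reject  FlowAction = 0x2
	Log     FlowAction = 0x4
	Encrypt FlowAction = 0x8
)
type IPRule struct {
	Address  string // assumed encoding: single IP or CIDR
	Port     string // assumed encoding: "", "any", "443" or "8000:8100"
	Protocol string // assumed encoding: "tcp", "udp", or "" for any
	Action   FlowAction
}
type IPRuleList struct{ Rules []IPRule }

// Policy keeps just the two ACL directions NewPUPolicy takes (real PUPolicy: unexported fields).
type Policy struct {
	ApplicationACLs *IPRuleList // PU -> network
	NetworkACLs     *IPRuleList // network -> PU
}

func matchAddress(spec string, ip net.IP) bool {
	if strings.Contains(spec, "/") {
		_, n, err := net.ParseCIDR(spec)
		return err == nil && n.Contains(ip) // a malformed CIDR never matches
	}
	a := net.ParseIP(spec)
	return a != nil && a.Equal(ip)
}

func matchPort(spec string, port int) bool {
	if spec == "" || spec == "any" {
		return true
	}
	if parts := strings.SplitN(spec, ":", 2); len(parts) == 2 {
		lo, err1 := strconv.Atoi(parts[0])
		hi, err2 := strconv.Atoi(parts[1])
		return err1 == nil && err2 == nil && port >= lo && port <= hi
	}
	p, err := strconv.Atoi(spec)
	return err == nil && p == port
}

// Lookup walks the ordered list and returns the first matching rule's action.
// No match (or an unparseable address) yields Reject with ok=false: default deny.
func Lookup(l *IPRuleList, addr string, port int, proto string) (FlowAction, bool) {
	ip := net.ParseIP(addr)
	if l == nil || ip == nil {
		return Reject, false
	}
	for _, r := range l.Rules {
		if r.Protocol != "" && !strings.EqualFold(r.Protocol, proto) {
			continue
		}
		if matchAddress(r.Address, ip) && matchPort(r.Port, port) {
			return r.Action, true
		}
	}
	return Reject, false
}

// Decide selects the ACL direction: flows arriving from the network are checked
// against NetworkACLs, flows leaving the PU against ApplicationACLs.
func Decide(p *Policy, fromNetwork bool, remote string, port int, proto string) (FlowAction, bool) {
	if fromNetwork {
		return Lookup(p.NetworkACLs, remote, port, proto)
	}
	return Lookup(p.ApplicationACLs, remote, port, proto)
}

// SamplePolicy is a constructed policy: the PU may reach internal HTTPS (encrypted) and one
// DNS resolver; inbound SSH from anywhere is rejected and logged, inbound 8000-8100/tcp accepted.
func SamplePolicy() *Policy {
	return &Policy{
		ApplicationACLs: &IPRuleList{Rules: []IPRule{
			{Address: "10.0.0.0/8", Port: "443", Protocol: "tcp", Action: Accept | Encrypt},
			{Address: "10.1.2.3", Port: "53", Protocol: "udp", Action: Accept},
		}},
		NetworkACLs: &IPRuleList{Rules: []IPRule{
			{Address: "0.0.0.0/0", Port: "22", Protocol: "tcp", Action: Reject | Log},
			{Address: "10.0.0.0/8", Port: "8000:8100", Protocol: "tcp", Action: Accept},
		}},
	}
}

func main() {
	p := SamplePolicy()
	a, ok := Decide(p, false, "10.20.30.40", 443, "tcp")
	fmt.Printf("egress 10.20.30.40:443/tcp action=%#x matched=%v\n", a, ok) // 0x9 true
	a, ok = Decide(p, true, "203.0.113.9", 22, "tcp")
	fmt.Printf("ingress 203.0.113.9:22/tcp action=%#x matched=%v\n", a, ok) // 0x6 true
}
```

Because the list is first-match, more specific rules belong before broader ones; a catch-all such as 0.0.0.0/0 placed first would shadow everything after it.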
func (*PUPolicy) AddIdentityTag
AddIdentityTag adds a policy tag
func (*PUPolicy) AddReceiverRules
func (p *PUPolicy) AddReceiverRules(t *TagSelector)
AddReceiverRules adds a receiver rule
func (*PUPolicy) AddTransmitterRules
func (p *PUPolicy) AddTransmitterRules(t *TagSelector)
AddTransmitterRules adds a transmitter rule
func (*PUPolicy) Annotations
Annotations returns a copy of the annotations
func (*PUPolicy) ApplicationACLs
func (p *PUPolicy) ApplicationACLs() *IPRuleList
ApplicationACLs returns a copy of IPRuleList
func (*PUPolicy) DefaultIPAddress
DefaultIPAddress returns the default IP address for the processing unit
func (*PUPolicy) ExcludedNetworks
ExcludedNetworks returns the list of excluded networks.
func (*PUPolicy) IPAddresses
IPAddresses returns all the IP addresses for the processing unit
func (*PUPolicy) NetworkACLs
func (p *PUPolicy) NetworkACLs() *IPRuleList
NetworkACLs returns a copy of IPRuleList
func (*PUPolicy) ReceiverRules
func (p *PUPolicy) ReceiverRules() *TagSelectorList
ReceiverRules returns a copy of TagSelectorList
func (*PUPolicy) SetIPAddresses
SetIPAddresses sets the IP addresses for the processing unit
func (*PUPolicy) TransmitterRules
func (p *PUPolicy) TransmitterRules() *TagSelectorList
TransmitterRules returns a copy of TagSelectorList
func (*PUPolicy) TriremeNetworks
TriremeNetworks returns the list of networks to which Trireme must be applied
func (*PUPolicy) UpdateExcludedNetworks
UpdateExcludedNetworks updates the list of excluded networks.
func (*PUPolicy) UpdateTriremeNetworks
UpdateTriremeNetworks updates the set of networks for trireme
type PURuntime
type PURuntime struct {
	// contains filtered or unexported fields
}
PURuntime holds all data related to the status of the container run time
func NewPURuntime
func NewPURuntime(name string, pid int, tags *TagsMap, ips *IPMap, puType constants.PUType, options *TagsMap) *PURuntime
NewPURuntime generates a new PURuntime
func NewPURuntimeWithDefaults
func NewPURuntimeWithDefaults() *PURuntime
NewPURuntimeWithDefaults sets up PURuntime with defaults
func (*PURuntime) DefaultIPAddress
DefaultIPAddress returns the default IP address for the processing unit
func (*PURuntime) IPAddresses
IPAddresses returns all the IP addresses for the processing unit
func (*PURuntime) MarshalJSON
MarshalJSON marshals this struct to JSON.
func (*PURuntime) SetIPAddresses
SetIPAddresses sets up all the IP addresses for the processing unit
func (*PURuntime) SetOptions
SetOptions sets the Options
func (*PURuntime) UnmarshalJSON
UnmarshalJSON unmarshals this struct from JSON.
type PURuntimeJSON
type PURuntimeJSON struct {
	// PUType is the type of the PU
	PUType constants.PUType
	// Pid holds the value of the first process of the container
	Pid int
	// Name is the name of the container
	Name string
	// IPAddresses holds the IP addresses of the container
	IPAddresses *IPMap
	// Tags is a map of the metadata of the container
	Tags *TagsMap
	// Options is a map of the options of the container
	Options *TagsMap
}
PURuntimeJSON is a JSON representation of PURuntime
type RuntimeReader
type RuntimeReader interface {
	// Pid returns the Pid of the Runtime.
	Pid() int
	// Name returns the process name of the Runtime.
	Name() string
	// Tag returns the value of the given tag.
	Tag(string) (string, bool)
	// Tags returns a copy of the list of the tags.
	Tags() *TagsMap
	// Options returns a copy of the list of options.
	Options() *TagsMap
	// DefaultIPAddress returns the default IP address.
	DefaultIPAddress() (string, bool)
	// IPAddresses returns a copy of all the IP addresses.
	IPAddresses() *IPMap
	// PUType returns the PUType for the PU
	PUType() constants.PUType
}
A RuntimeReader allows retrieving the specific parameters stored in the Runtime
type TagSelector
type TagSelector struct {
	Clause []KeyValueOperator
	Action FlowAction
}
TagSelector describes a tag selector: a clause of key Operator value rules together with the action to apply when they match
func NewTagSelector
func NewTagSelector(clauses []KeyValueOperator, a FlowAction) *TagSelector
NewTagSelector returns a new TagSelector
func (*TagSelector) Clone
func (t *TagSelector) Clone() *TagSelector
Clone returns a copy of the TagSelector
type TagSelectorList
type TagSelectorList struct {
	TagSelectors []TagSelector
}
TagSelectorList defines a list of TagSelector
func NewTagSelectorList
func NewTagSelectorList(tss []TagSelector) *TagSelectorList
NewTagSelectorList returns a new TagSelectorList
func (*TagSelectorList) Clone
func (t *TagSelectorList) Clone() *TagSelectorList
Clone returns a copy of the TagSelectorList
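To show how a TagSelectorList built from KeyValueOperator clauses is meant to be consumed, here is an added Go example, not code from the policy package or the trireme project. It re-declares the documented FlowAction and operator constants, assumes TagsMap is a flat key-to-value map and that KeyValueOperator carries Key, Operator and Value fields (names read off the NewKeyValueOperator signature), and evaluates a peer's tags against a receiver-side list. The ANDing of clauses within a selector, first-match ordering across selectors, the reading of NotEqual as "key present with a value outside the list", the skipping of empty clause lists and the default-deny result are all the example's assumptions, not documented package behaviour.

```go
package main

import "fmt"

// FlowAction and the operator constants mirror the documented ones (constructed copies).
type FlowAction int
const (
	Accept  FlowAction = 0x1
	Reject  FlowAction = 0x2
	Log     FlowAction = 0x4
	Encrypt FlowAction = 0x8
)
type Operator string
const (
	Equal        Operator = "="
	NotEqual     Operator = "=!"
	KeyExists    Operator = "*"
	KeyNotExists Operator = "!*"
)

// TagsMap is assumed to be a flat key -> value map.
type TagsMap map[string]string

// KeyValueOperator field names are an assumption read off NewKeyValueOperator(k, o, kvos).
type KeyValueOperator struct {
	Key      string
	Operator Operator
	Value    []string
}
type TagSelector struct {
	Clause []KeyValueOperator
	Action FlowAction
}
type TagSelectorList struct{ TagSelectors []TagSelector }

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// matchClause evaluates one key/operator/value rule against the peer's tags.
func matchClause(tags TagsMap, c KeyValueOperator) bool {
	v, present := tags[c.Key]
	switch c.Operator {
	case KeyExists:
		return present
	case KeyNotExists:
		return !present
	case Equal:
		return present && contains(c.Value, v)
	case NotEqual: // assumed: key present with a value outside the list
		return present && !contains(c.Value, v)
	}
	return false // unknown operator: fail closed
}

// Evaluate returns the action of the first selector whose clauses all match
// (clauses ANDed, selectors tried in order). An empty clause list is skipped so
// it cannot silently become a match-all rule; no match is default deny.
func Evaluate(l *TagSelectorList, peer TagsMap) (FlowAction, bool) {
	for _, sel := range l.TagSelectors {
		if len(sel.Clause) == 0 {
			continue
		}
		matched := true
		for _, c := range sel.Clause {
			if !matchClause(peer, c) {
				matched = false
				break
			}
		}
		if matched {
			return sel.Action, true
		}
	}
	return Reject, false
}

// SampleReceiverRules builds a constructed receiver-side selector list.
func SampleReceiverRules() *TagSelectorList {
	return &TagSelectorList{TagSelectors: []TagSelector{
		{Clause: []KeyValueOperator{
			{Key: "app", Operator: Equal, Value: []string{"web", "api"}},
			{Key: "env", Operator: Equal, Value: []string{"prod"}},
		}, Action: Accept | Encrypt},
		{Clause: []KeyValueOperator{
			{Key: "app", Operator: KeyExists},
			{Key: "role", Operator: NotEqual, Value: []string{"scanner"}},
		}, Action: Accept | Log},
	}}
}

func main() {
	a, ok := Evaluate(SampleReceiverRules(), TagsMap{"app": "web", "env": "prod"})
	fmt.Printf("action=%#x matched=%v\n", a, ok) // action=0x9 matched=true
}
```

Since FlowAction values are bit flags, a selector's Action can combine them (Accept | Encrypt); a consumer should test individual bits rather than compare against a single constant.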
type TagsMap
A TagsMap is a map of Key:Values used as tags.
func NewTagsMap
NewTagsMap returns a new instance of TagsMap