Documentation ¶
Overview ¶
Package policy describes a generic interface for retrieving policies. Different implementations are possible for environments such as Kubernetes, Mesos or other custom environments. An implementation has to provide a method for retrieving policy based on the metadata associated with the container and deleting the policy when the container dies. It is up to the implementation to decide how to generate the policy. The package also defines the basic data structure for communicating policy information. The implementations are responsible for providing all the necessary data.
Index ¶
- Constants
- func DefaultLogPrefix(contextID string) string
- func EncodedStringToAction(e string) (ActionType, ObserveActionType, error)
- type ActionType
- type ApplicationService
- type ApplicationServicesList
- type DNSRule
- type DNSRuleList
- type ExtendedMap
- type FlowPolicy
- type HTTPRule
- type IPRule
- type IPRuleList
- type KeyValueOperator
- type ObserveActionType
- type Operator
- type OptionsType
- type PUAction
- type PUInfo
- type PUPolicy
- func (p *PUPolicy) AddIdentityTag(k, v string)
- func (p *PUPolicy) AddReceiverRules(t TagSelector)
- func (p *PUPolicy) AddTransmitterRules(t TagSelector)
- func (p *PUPolicy) Annotations() *TagStore
- func (p *PUPolicy) ApplicationACLs() IPRuleList
- func (p *PUPolicy) Clone() *PUPolicy
- func (p *PUPolicy) DNSNameACLs() DNSRuleList
- func (p *PUPolicy) DependentServices() ApplicationServicesList
- func (p *PUPolicy) ExcludedNetworks() []string
- func (p *PUPolicy) ExposedServices() ApplicationServicesList
- func (p *PUPolicy) IPAddresses() ExtendedMap
- func (p *PUPolicy) Identity() *TagStore
- func (p *PUPolicy) IsServiceCertificateExpired() bool
- func (p *PUPolicy) ManagementID() string
- func (p *PUPolicy) NetworkACLs() IPRuleList
- func (p *PUPolicy) ReceiverRules() TagSelectorList
- func (p *PUPolicy) Scopes() []string
- func (p *PUPolicy) ServiceCertificates() (string, string, string)
- func (p *PUPolicy) SetIPAddresses(l ExtendedMap)
- func (p *PUPolicy) SetTriremeAction(action PUAction)
- func (p *PUPolicy) ToPublicPolicy() *PUPolicyPublic
- func (p *PUPolicy) TransmitterRules() TagSelectorList
- func (p *PUPolicy) TriremeAction() PUAction
- func (p *PUPolicy) TriremeNetworks() []string
- func (p *PUPolicy) UDPNetworks() []string
- func (p *PUPolicy) UpdateDNSNetworks(networks DNSRuleList)
- func (p *PUPolicy) UpdateExcludedNetworks(networks []string)
- func (p *PUPolicy) UpdateServiceCertificates(cert, key string)
- func (p *PUPolicy) UpdateTriremeNetworks(networks []string)
- type PUPolicyPublic
- type PURuntime
- func (r *PURuntime) Clone() *PURuntime
- func (r *PURuntime) IPAddresses() ExtendedMap
- func (r *PURuntime) MarshalJSON() ([]byte, error)
- func (r *PURuntime) NSPath() string
- func (r *PURuntime) Name() string
- func (r *PURuntime) Options() OptionsType
- func (r *PURuntime) PUType() common.PUType
- func (r *PURuntime) Pid() int
- func (r *PURuntime) PortMap() map[nat.Port][]string
- func (r *PURuntime) SetIPAddresses(ipa ExtendedMap)
- func (r *PURuntime) SetNSPath(nsPath string)
- func (r *PURuntime) SetOptions(options OptionsType)
- func (r *PURuntime) SetPUType(puType common.PUType)
- func (r *PURuntime) SetPid(pid int)
- func (r *PURuntime) SetServices(services []common.Service)
- func (r *PURuntime) SetTags(t *TagStore)
- func (r *PURuntime) Tag(key string) (string, bool)
- func (r *PURuntime) Tags() *TagStore
- func (r *PURuntime) UnmarshalJSON(param []byte) error
- type PURuntimeJSON
- type Resolver
- type RuntimeError
- type RuntimeReader
- type ServiceType
- type TagSelector
- type TagSelectorList
- type TagStore
- type UserAuthorizationTypeValues
Constants ¶
const (
	// AllowAll allows everything for the specific PU.
	AllowAll = 0x1
	// Police filters on the PU based on the PolicyRules.
	Police = 0x2
)
const (
	// Equal is the equal operator
	Equal = "="
	// NotEqual is the not equal operator
	NotEqual = "=!"
	// KeyExists is the key=* operator
	KeyExists = "*"
	// KeyNotExists means that the key doesn't exist in the incoming tags
	KeyNotExists = "!*"
)
const (
// DefaultNamespace is the default namespace for applying policy
DefaultNamespace = "bridge"
)
Variables ¶
This section is empty.
Functions ¶
func DefaultLogPrefix ¶
func DefaultLogPrefix(contextID string) string
DefaultLogPrefix returns the prefix used in the nf-log action for the default rule.
func EncodedStringToAction ¶
func EncodedStringToAction(e string) (ActionType, ObserveActionType, error)
EncodedStringToAction returns action and observed action from encoded string.
Types ¶
type ActionType ¶ added in v1.0.24
type ActionType byte
ActionType is the action that can be applied to a flow.
const (
	// Accept is the accept action
	Accept ActionType = 0x1
	// Reject is the reject action
	Reject ActionType = 0x2
	// Encrypt instructs data to be encrypted
	Encrypt ActionType = 0x4
	// Log instructs the datapath to log the IP addresses
	Log ActionType = 0x8
	// Observe instructs the datapath to observe policy results
	Observe ActionType = 0x10
)
func (ActionType) Accepted ¶ added in v1.0.24
func (f ActionType) Accepted() bool
Accepted returns if the action mask contains the Accepted mask.
func (ActionType) ActionString ¶ added in v1.0.24
func (f ActionType) ActionString() string
ActionString returns whether the action is accepted or rejected, as a long string.
func (ActionType) Encrypted ¶ added in v1.0.24
func (f ActionType) Encrypted() bool
Encrypted returns if the action mask contains the Encrypted mask.
func (ActionType) Logged ¶ added in v1.0.24
func (f ActionType) Logged() bool
Logged returns if the action mask contains the Logged mask.
func (ActionType) Observed ¶
func (f ActionType) Observed() bool
Observed returns if the action mask contains the Observed mask.
func (ActionType) Rejected ¶ added in v1.0.24
func (f ActionType) Rejected() bool
Rejected returns if the action mask contains the Rejected mask.
func (ActionType) String ¶ added in v1.0.24
func (f ActionType) String() string
type ApplicationService ¶
type ApplicationService struct {
	// ID is the id of the service
	ID string
	// NetworkInfo provides the network information (addresses/ports) of the service.
	// This is the public facing network information, or how the service can be
	// accessed. In the case of Load Balancers for example, this would be the
	// IP/port of the load balancer.
	NetworkInfo *common.Service
	// PrivateNetworkInfo captures the network service definition of an application
	// as seen by the application. For example the port that the application is
	// listening to. This is needed in the case of port mappings.
	PrivateNetworkInfo *common.Service
	// PublicNetworkInfo provides the network information where the enforcer
	// should listen for incoming connections of the service. This can be
	// different than the PrivateNetworkInfo where the application is listening
	// and it essentially allows users to create Virtual IPs and Virtual Ports
	// for the new exposed TLS services. So, if an application is listening
	// on port 80, users do not need to access the application from the external
	// network through TLS on port 80, which looks odd. They can instead create
	// a PublicNetworkInfo and have trireme listen on port 443, while the
	// application is still listening on port 80.
	PublicNetworkInfo *common.Service
	// Type is the type of the service.
	Type ServiceType
	// HTTPRules are only valid for HTTP Services and capture the list of APIs
	// exposed by the service.
	HTTPRules []*HTTPRule
	// Tags are the tags of the service.
	Tags *TagStore
	// UserAuthorizationType is the type of user authorization that must be used.
	UserAuthorizationType UserAuthorizationTypeValues
	// UserAuthorizationHandler is the token handler for validating user tokens.
	UserAuthorizationHandler usertokens.Verifier
	// UserTokenToHTTPMappings is a map of mappings between JWT claims arriving in
	// a user request and outgoing HTTP headers towards an application. It
	// is used to allow operators to map claims to HTTP headers that downstream
	// applications can understand.
	UserTokenToHTTPMappings map[string]string
	// UserRedirectOnAuthorizationFail is the URL that the user can be redirected
	// to if there is an authorization failure. This allows the display of a custom
	// message.
	UserRedirectOnAuthorizationFail string
	// External indicates if this is an external service. For external services
	// access control is implemented at the ingress.
	External bool
	// CACert is the certificate of the CA of external services. This allows TLS to
	// work with external services that use private CAs.
	CACert []byte
	// AuthToken is the authentication token for any external API service calls. It is
	// used for example by the secrets proxy.
	AuthToken string
	// MutualTLSTrustedRoots is the CA that must be used for mutual TLS authentication.
	MutualTLSTrustedRoots []byte
	// PublicServiceCertificate is a publicly signed certificate that can be used
	// by the service to expose TLS to users without a Trireme client
	PublicServiceCertificate []byte
	// PublicServiceCertificateKey is the corresponding private key.
	PublicServiceCertificateKey []byte
	// PublicServiceNoTLS indicates that TLS will not be enabled on the public application
	// ports. This is useful for health checks. It should not be used for API access.
	PublicServiceNoTLS bool
}
ApplicationService is the type of service that this PU exposes.
type ApplicationServicesList ¶
type ApplicationServicesList []*ApplicationService
ApplicationServicesList is a list of ApplicationServices.
type DNSRule ¶
type DNSRule struct {
	Name     string
	Port     string
	Protocol string
	Policy   *FlowPolicy
}
DNSRule holds the DNS names and the associated ports
type DNSRuleList ¶
type DNSRuleList []DNSRule
DNSRuleList is a list of DNS rules
func (DNSRuleList) Copy ¶
func (l DNSRuleList) Copy() DNSRuleList
Copy creates a clone of DNS rule list
type ExtendedMap ¶ added in v1.0.10
ExtendedMap is a common map with additional functions
func (ExtendedMap) Copy ¶ added in v1.0.10
func (s ExtendedMap) Copy() ExtendedMap
Copy copies an ExtendedMap
type FlowPolicy ¶ added in v1.0.24
type FlowPolicy struct {
	ObserveAction ObserveActionType
	Action        ActionType
	ServiceID     string
	PolicyID      string
	Labels        []string
}
FlowPolicy captures the policy for a particular flow
func (*FlowPolicy) EncodedActionString ¶
func (f *FlowPolicy) EncodedActionString() string
EncodedActionString encodes both the action and the observe action into a single string (the inverse of EncodedStringToAction).
func (*FlowPolicy) LogPrefix ¶
func (f *FlowPolicy) LogPrefix(contextID string) string
LogPrefix is the prefix used in nf-log action. It must be less than
type HTTPRule ¶
type HTTPRule struct {
	// URIs is a list of regular expressions that describe the URIs that
	// a service is exposing.
	URIs []string
	// Methods is a list of the allowed verbs for the given list of URIs.
	Methods []string
	// Scopes is a list of scopes associated with this rule. Clients
	// must present one of these scopes in order to get access to this
	// API. The scopes are presented either in the Trireme identity or the
	// JWT of the HTTP Authorization header.
	Scopes []string
	// Public indicates that this is a public API and anyone can access it.
	// No authorization will be performed on public APIs.
	Public bool
}
HTTPRule holds a rule for a particular HTTPService. The rule relates a set of URIs, defined as regular expressions, with associated verbs. The * verb indicates all actions.
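A matcher for such rules, as an added example that is not the policy package's own code: it compiles the URI regular expressions once and anchors them, honours the "*" verb, and performs the scope check with deny as the default. The CompileRules and Authorize functions, the CompiledRule type, the first-match ordering, the path normalisation and the decision to require both a method match and a URI match are assumptions of this example; the page does not describe how the enforcer evaluates HTTPRules.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
)

// HTTPRule mirrors the struct documented above.
type HTTPRule struct {
	URIs    []string
	Methods []string
	Scopes  []string
	Public  bool
}

// CompiledRule is a rule with its URI patterns compiled and anchored.
type CompiledRule struct {
	Rule HTTPRule
	uris []*regexp.Regexp
}

// CompileRules compiles every URI pattern once, up front, so a bad regex is a
// load-time error rather than a request-time surprise. Each pattern is wrapped
// in ^(?:...)$ so it must match the whole path: left unanchored, "/api/v1/users"
// would also accept "/api/v1/users-export" or "/admin/api/v1/users".
func CompileRules(rules []HTTPRule) ([]CompiledRule, error) {
	out := make([]CompiledRule, 0, len(rules))
	for i, r := range rules {
		cr := CompiledRule{Rule: r}
		for _, u := range r.URIs {
			re, err := regexp.Compile("^(?:" + u + ")$")
			if err != nil {
				return nil, fmt.Errorf("rule %d: bad URI pattern %q: %w", i, u, err)
			}
			cr.uris = append(cr.uris, re)
		}
		out = append(out, cr)
	}
	return out, nil
}

// applies reports whether the rule covers the method ("*" meaning all) and the path.
func (cr CompiledRule) applies(method, p string) bool {
	okMethod := false
	for _, m := range cr.Rule.Methods {
		okMethod = okMethod || m == "*" || m == method
	}
	if !okMethod {
		return false
	}
	for _, re := range cr.uris {
		if re.MatchString(p) {
			return true
		}
	}
	return false
}

// Authorize reports whether the request is allowed and which scope (or
// "public") granted it. Assumed semantics: rules are tried in order, a Public
// rule needs no scope, any other rule needs one presented scope, else deny.
func Authorize(rules []CompiledRule, method, reqPath string, scopes []string) (bool, string) {
	// Normalise "." and ".." segments and doubled slashes so the pattern sees
	// the path the application will route, not a raw string crafted to slip past it.
	reqPath = path.Clean("/" + reqPath)
	presented := make(map[string]struct{}, len(scopes))
	for _, s := range scopes {
		presented[s] = struct{}{}
	}
	for _, cr := range rules {
		if !cr.applies(method, reqPath) {
			continue
		}
		if cr.Rule.Public {
			return true, "public"
		}
		for _, s := range cr.Rule.Scopes {
			if _, ok := presented[s]; ok {
				return true, s
			}
		}
		// Matched but the caller lacks the scope: a later, broader rule may still grant it.
	}
	return false, ""
}

func main() {
	// Constructed sample: a public health check plus a read rule and an admin rule.
	rules, err := CompileRules([]HTTPRule{
		{URIs: []string{"/healthz"}, Methods: []string{"GET"}, Public: true},
		{URIs: []string{"/api/v1/users/[0-9]+"}, Methods: []string{"GET"}, Scopes: []string{"users:read", "admin"}},
		{URIs: []string{"/api/v1/users/[0-9]+"}, Methods: []string{"*"}, Scopes: []string{"admin"}},
	})
	if err != nil {
		panic(err)
	}
	fmt.Println(Authorize(rules, "DELETE", "/api/v1/users/42", []string{"users:read"}))
}
```

The anchoring and the path.Clean call are the two checks that matter in practice: an unanchored pattern or an un-normalised path turns a narrow rule into a wide one without any change to the policy itself.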
type IPRule ¶
type IPRule struct {
	Addresses []string
	Ports     []string
	Protocols []string
	Policy    *FlowPolicy
}
IPRule holds IP rules to external services
type IPRuleList ¶
type IPRuleList []IPRule
IPRuleList is a list of IP rules
func (IPRuleList) Copy ¶ added in v1.0.10
func (l IPRuleList) Copy() IPRuleList
Copy creates a clone of the IP rule list
type KeyValueOperator ¶
KeyValueOperator describes an individual matching rule
type ObserveActionType ¶
type ObserveActionType byte
ObserveActionType is the action that can be applied to a flow for an observation rule.
const (
	// ObserveNone means that no observation applies to the rule.
	ObserveNone ObserveActionType = 0x0
	// ObserveContinue is used to not take any action on the packet; the decision is
	// deferred to an actual rule with an accept or deny action.
	ObserveContinue ObserveActionType = 0x1
	// ObserveApply is used to apply the action to packets hitting this rule.
	ObserveApply ObserveActionType = 0x2
)
Observe actions are used in conjunction with an ActionType.
func (ObserveActionType) ObserveApply ¶
func (f ObserveActionType) ObserveApply() bool
ObserveApply returns true if the observation rule's action is ObserveApply, i.e. the rule's action is applied to matching packets.
func (ObserveActionType) ObserveContinue ¶
func (f ObserveActionType) ObserveContinue() bool
ObserveContinue returns if the action of observation rule is continue.
func (ObserveActionType) Observed ¶
func (f ObserveActionType) Observed() bool
Observed returns true if any observed action was found.
func (ObserveActionType) String ¶
func (f ObserveActionType) String() string
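The ActionType bitmask and the observe modes above only make sense together: an ObserveContinue rule records that a flow matched but defers the decision to a later accept/reject rule, while ObserveApply enforces the rule it is attached to. The following is an added, stand-alone illustration, not the policy package's code; it mirrors the documented ActionType and ObserveActionType constants and walks an ordered list of matched FlowPolicy rules under those semantics. The Resolve function, the Decision type, the Valid check and the fail-closed default are assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// ActionType mirrors the bitmask documented above; the values are the page's.
type ActionType byte

const (
	Accept  ActionType = 0x1
	Reject  ActionType = 0x2
	Encrypt ActionType = 0x4
	Log     ActionType = 0x8
	Observe ActionType = 0x10
)

func (f ActionType) Accepted() bool  { return f&Accept != 0 }
func (f ActionType) Rejected() bool  { return f&Reject != 0 }
func (f ActionType) Encrypted() bool { return f&Encrypt != 0 }
func (f ActionType) Logged() bool    { return f&Log != 0 }
func (f ActionType) Observed() bool  { return f&Observe != 0 }

// Valid is an added sanity check, not a documented method: a mask must carry
// exactly one of Accept and Reject, otherwise the datapath cannot tell what
// to do with the flow.
func (f ActionType) Valid() bool { return f.Accepted() != f.Rejected() }

// String renders the mask as "accept|encrypt|log" style flags.
func (f ActionType) String() string {
	var parts []string
	for _, flag := range []struct {
		bit  ActionType
		name string
	}{{Accept, "accept"}, {Reject, "reject"}, {Encrypt, "encrypt"}, {Log, "log"}, {Observe, "observe"}} {
		if f&flag.bit != 0 {
			parts = append(parts, flag.name)
		}
	}
	return strings.Join(parts, "|")
}

// ObserveActionType mirrors the observation modes documented above.
type ObserveActionType byte

const (
	ObserveNone     ObserveActionType = 0x0
	ObserveContinue ObserveActionType = 0x1
	ObserveApply    ObserveActionType = 0x2
)

// FlowPolicy keeps only the fields this example needs.
type FlowPolicy struct {
	ObserveAction ObserveActionType
	Action        ActionType
	PolicyID      string
}

// Decision is what the datapath ends up applying to one flow.
type Decision struct {
	Action   ActionType
	PolicyID string
	Observed []string // PolicyIDs of ObserveContinue rules passed on the way
}

// Resolve walks the rules that matched a flow, in policy order. Assumed
// semantics for this example: an ObserveContinue rule is recorded and skipped,
// the first ObserveApply or plain rule decides, a rule whose mask is not Valid
// is ignored, and a flow with no deciding rule is rejected (fail closed).
func Resolve(matched []FlowPolicy) Decision {
	d := Decision{Action: Reject, PolicyID: "default-reject"}
	for _, r := range matched {
		if r.ObserveAction == ObserveContinue {
			d.Observed = append(d.Observed, r.PolicyID)
			continue
		}
		if !r.Action.Valid() {
			continue // a malformed rule must not turn into an accept
		}
		d.Action, d.PolicyID = r.Action, r.PolicyID
		return d
	}
	return d
}

func main() {
	// Constructed sample: one observation rule followed by the deciding rule.
	d := Resolve([]FlowPolicy{
		{ObserveAction: ObserveContinue, Action: Accept | Log, PolicyID: "observe-db"},
		{Action: Accept | Encrypt, PolicyID: "allow-db"},
		{Action: Reject, PolicyID: "deny-rest"},
	})
	fmt.Printf("action=%s policy=%s observed=%v\n", d.Action, d.PolicyID, d.Observed)
}
```

The point of the Valid check is that a mask is a set of bits, so nothing in the type stops a rule from carrying both Accept and Reject or neither; whatever consumes a FlowPolicy should decide explicitly what such a rule means rather than letting the first bit test that happens to run win.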
type OptionsType ¶ added in v1.0.63
type OptionsType struct {
	// CgroupName is the name of the cgroup
	CgroupName string
	// CgroupMark is the tag of the cgroup
	CgroupMark string
	// UserID is the user ID if it exists
	UserID string
	// AutoPort option is set if auto port is enabled
	AutoPort bool
	// Services is the list of services of interest
	Services []common.Service
	// ProxyPort is the port on which the proxy listens
	ProxyPort string
	// PolicyExtensions is policy resolution extensions
	PolicyExtensions interface{}
	// PortMap maps container port -> host ports.
	PortMap map[nat.Port][]string
}
OptionsType is a set of options that can be passed with a policy request
type PUAction ¶
type PUAction int
PUAction defines the action types that apply to a specific PU as a whole.
type PUInfo ¶
type PUInfo struct {
	// ContextID is the ID of the container that the policy applies to
	ContextID string
	// Policy is an instantiation of the container policy
	Policy *PUPolicy
	// Runtime captures all data that are captured from the container
	Runtime *PURuntime
}
PUInfo captures all policy information related to a connection as well as runtime. It makes passing data around simpler.
type PUPolicy ¶
type PUPolicy struct {
	// DNSACLs is the list of DNS names and the associated ports that the container is
	// allowed to talk to outside the data center
	DNSACLs DNSRuleList

	sync.Mutex
	// contains filtered or unexported fields
}
PUPolicy captures all policy information related to the container
func NewPUPolicy ¶
func NewPUPolicy(
	id string,
	action PUAction,
	appACLs IPRuleList,
	netACLs IPRuleList,
	dnsACLs DNSRuleList,
	txtags TagSelectorList,
	rxtags TagSelectorList,
	identity *TagStore,
	annotations *TagStore,
	ips ExtendedMap,
	triremeNetworks []string,
	triremeUDPNetworks []string,
	excludedNetworks []string,
	exposedServices ApplicationServicesList,
	dependentServices ApplicationServicesList,
	scopes []string,
) *PUPolicy
NewPUPolicy generates a new PUPolicy. appACLs are the ACLs for packets going from the Application/PU to the Network; netACLs are the ACLs for packets coming from the Network to the Application/PU.
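To make the appACLs/netACLs direction and the IPRule fields concrete, the following is an added example, not the policy package's code, that parses an IP rule list once and evaluates the remote end of a flow against it. Everything beyond the IPRule fields shown above is an assumption of this example: addresses are CIDRs, ports are written "80" or "8000:8100", protocols compare case-insensitively, the first covering rule wins, and a flow no rule covers is rejected. The Compile and Decide functions and the compiledRule type are this example's, not the package's.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Mirrors of the documented types (added example, not the package's code).
type ActionType byte

const Accept, Reject ActionType = 0x1, 0x2

type FlowPolicy struct {
	Action   ActionType
	PolicyID string
}

type IPRule struct {
	Addresses, Ports, Protocols []string
	Policy                      *FlowPolicy
}

// compiledRule holds one rule with its CIDRs and port ranges parsed once, at
// load time, so a malformed entry is a load error instead of a rule that
// silently never matches and lets its flows fall into the default.
type compiledRule struct {
	nets   []*net.IPNet
	ports  [][2]int
	protos []string
	policy FlowPolicy
}

// parsePortRange accepts "80" or "8000:8100" (assumed rule syntax).
func parsePortRange(s string) ([2]int, error) {
	parts := strings.SplitN(s, ":", 2)
	lo, err := strconv.Atoi(parts[0])
	hi := lo
	if err == nil && len(parts) == 2 {
		hi, err = strconv.Atoi(parts[1])
	}
	if err != nil || lo < 0 || hi > 65535 || lo > hi {
		return [2]int{}, fmt.Errorf("bad port range %q", s)
	}
	return [2]int{lo, hi}, nil
}

// Compile validates and parses every rule; addresses must be CIDRs (assumed).
func Compile(rules []IPRule) ([]compiledRule, error) {
	out := make([]compiledRule, 0, len(rules))
	for i, r := range rules {
		if r.Policy == nil {
			return nil, fmt.Errorf("rule %d: missing policy", i)
		}
		cr := compiledRule{protos: r.Protocols, policy: *r.Policy}
		for _, a := range r.Addresses {
			_, n, err := net.ParseCIDR(a)
			if err != nil {
				return nil, fmt.Errorf("rule %d: %w", i, err)
			}
			cr.nets = append(cr.nets, n)
		}
		for _, p := range r.Ports {
			pr, err := parsePortRange(p)
			if err != nil {
				return nil, fmt.Errorf("rule %d: %w", i, err)
			}
			cr.ports = append(cr.ports, pr)
		}
		out = append(out, cr)
	}
	return out, nil
}

// Decide takes the remote end of a flow as the PU sees it (the destination for
// appACLs, the source for netACLs) and returns the policy of the first rule whose
// protocol, address and port lists all cover it; an empty list covers nothing,
// and a flow no rule covers is rejected (assumed fail-closed default).
func Decide(rules []compiledRule, ip net.IP, port int, proto string) FlowPolicy {
	for _, r := range rules {
		okProto, okAddr, okPort := false, false, false
		for _, p := range r.protos {
			okProto = okProto || strings.EqualFold(p, proto)
		}
		for _, n := range r.nets {
			okAddr = okAddr || n.Contains(ip)
		}
		for _, p := range r.ports {
			okPort = okPort || (p[0] <= port && port <= p[1])
		}
		if okProto && okAddr && okPort {
			return r.policy
		}
	}
	return FlowPolicy{Action: Reject, PolicyID: "default-reject"}
}

func main() {
	// Constructed appACLs: the PU may reach Postgres inside 10/8 and nothing else.
	rules, err := Compile([]IPRule{{Addresses: []string{"10.0.0.0/8"}, Ports: []string{"5432"},
		Protocols: []string{"tcp"}, Policy: &FlowPolicy{Action: Accept, PolicyID: "allow-db"}}})
	if err != nil {
		panic(err)
	}
	fmt.Println(Decide(rules, net.ParseIP("8.8.8.8"), 53, "udp").PolicyID)
}
```

Parsing at load time rather than per packet is the design choice worth copying: a rule with a mistyped CIDR or port then fails the policy update loudly, instead of being skipped at match time and quietly leaving the flows it was meant to cover to the default.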
func NewPUPolicyWithDefaults ¶
func NewPUPolicyWithDefaults() *PUPolicy
NewPUPolicyWithDefaults sets up a PU policy with defaults
func (*PUPolicy) AddIdentityTag ¶
func (p *PUPolicy) AddIdentityTag(k, v string)
AddIdentityTag adds a policy tag
func (*PUPolicy) AddReceiverRules ¶
func (p *PUPolicy) AddReceiverRules(t TagSelector)
AddReceiverRules adds a receiver rule
func (*PUPolicy) AddTransmitterRules ¶
func (p *PUPolicy) AddTransmitterRules(t TagSelector)
AddTransmitterRules adds a transmitter rule
func (*PUPolicy) Annotations ¶
func (p *PUPolicy) Annotations() *TagStore
Annotations returns a copy of the annotations
func (*PUPolicy) ApplicationACLs ¶
func (p *PUPolicy) ApplicationACLs() IPRuleList
ApplicationACLs returns a copy of IPRuleList
func (*PUPolicy) DNSNameACLs ¶
func (p *PUPolicy) DNSNameACLs() DNSRuleList
DNSNameACLs returns a copy of DNSRuleList
func (*PUPolicy) DependentServices ¶
func (p *PUPolicy) DependentServices() ApplicationServicesList
DependentServices returns the external services.
func (*PUPolicy) ExcludedNetworks ¶
func (p *PUPolicy) ExcludedNetworks() []string
ExcludedNetworks returns the list of excluded networks.
func (*PUPolicy) ExposedServices ¶
func (p *PUPolicy) ExposedServices() ApplicationServicesList
ExposedServices returns the exposed services
func (*PUPolicy) IPAddresses ¶
func (p *PUPolicy) IPAddresses() ExtendedMap
IPAddresses returns all the IP addresses for the processing unit
func (*PUPolicy) IsServiceCertificateExpired ¶
func (p *PUPolicy) IsServiceCertificateExpired() bool
IsServiceCertificateExpired returns true if the service certificate has expired.
func (*PUPolicy) ManagementID ¶
func (p *PUPolicy) ManagementID() string
ManagementID returns the management ID
func (*PUPolicy) NetworkACLs ¶
func (p *PUPolicy) NetworkACLs() IPRuleList
NetworkACLs returns a copy of IPRuleList
func (*PUPolicy) ReceiverRules ¶
func (p *PUPolicy) ReceiverRules() TagSelectorList
ReceiverRules returns a copy of TagSelectorList
func (*PUPolicy) ServiceCertificates ¶
func (p *PUPolicy) ServiceCertificates() (string, string, string)
ServiceCertificates returns the service certificate, its private key and the CA.
func (*PUPolicy) SetIPAddresses ¶
func (p *PUPolicy) SetIPAddresses(l ExtendedMap)
SetIPAddresses sets the IP addresses for the processing unit
func (*PUPolicy) SetTriremeAction ¶ added in v1.0.10
func (p *PUPolicy) SetTriremeAction(action PUAction)
SetTriremeAction sets the TriremeAction
func (*PUPolicy) ToPublicPolicy ¶
func (p *PUPolicy) ToPublicPolicy() *PUPolicyPublic
ToPublicPolicy converts the object to a marshallable object.
func (*PUPolicy) TransmitterRules ¶
func (p *PUPolicy) TransmitterRules() TagSelectorList
TransmitterRules returns a copy of TagSelectorList
func (*PUPolicy) TriremeAction ¶
func (p *PUPolicy) TriremeAction() PUAction
TriremeAction returns the TriremeAction
func (*PUPolicy) TriremeNetworks ¶
func (p *PUPolicy) TriremeNetworks() []string
TriremeNetworks returns the list of networks to which Trireme must be applied
func (*PUPolicy) UDPNetworks ¶
func (p *PUPolicy) UDPNetworks() []string
UDPNetworks returns the UDP networks
func (*PUPolicy) UpdateDNSNetworks ¶
func (p *PUPolicy) UpdateDNSNetworks(networks DNSRuleList)
UpdateDNSNetworks updates the set of FQDN names allowed by the policy
func (*PUPolicy) UpdateExcludedNetworks ¶
func (p *PUPolicy) UpdateExcludedNetworks(networks []string)
UpdateExcludedNetworks updates the list of excluded networks.
func (*PUPolicy) UpdateServiceCertificates ¶
func (p *PUPolicy) UpdateServiceCertificates(cert, key string)
UpdateServiceCertificates updates the certificate and private key of the policy
func (*PUPolicy) UpdateTriremeNetworks ¶
func (p *PUPolicy) UpdateTriremeNetworks(networks []string)
UpdateTriremeNetworks updates the set of networks for trireme
type PUPolicyPublic ¶
type PUPolicyPublic struct {
	ManagementID       string                  `json:"managementID,omitempty"`
	TriremeAction      PUAction                `json:"triremeAction,omitempty"`
	ApplicationACLs    IPRuleList              `json:"applicationACLs,omitempty"`
	NetworkACLs        IPRuleList              `json:"networkACLs,omitempty"`
	DNSACLs            DNSRuleList             `json:"dnsACLs,omitempty"`
	Identity           *TagStore               `json:"identity,omitempty"`
	Annotations        *TagStore               `json:"annotations,omitempty"`
	TransmitterRules   TagSelectorList         `json:"transmitterRules,omitempty"`
	ReceiverRules      TagSelectorList         `json:"receiverRules,omitempty"`
	IPs                ExtendedMap             `json:"IPs,omitempty"`
	TriremeNetworks    []string                `json:"triremeNetworks,omitempty"`
	TriremeUDPNetworks []string                `json:"triremeUDPNetworks,omitempty"`
	ExcludedNetworks   []string                `json:"excludedNetworks,omitempty"`
	ExposedServices    ApplicationServicesList `json:"exposedServices,omitempty"`
	DependentServices  ApplicationServicesList `json:"dependentServices,omitempty"`
	ServicesCertificate string                 `json:"servicesCertificate,omitempty"`
	ServicesPrivateKey string                  `json:"servicesPrivateKey,omitempty"`
	ServicesCA         string                  `json:"servicesCA,omitempty"`
	Scopes             []string                `json:"scopes,omitempty"`
}
PUPolicyPublic captures all policy information related to the processing unit in an object that can be marshalled and transmitted over the RPC interface. Note that it carries the service private key (ServicesPrivateKey) in the clear, so the RPC channel it travels over must itself be trusted.
func (*PUPolicyPublic) ToPrivatePolicy ¶
func (p *PUPolicyPublic) ToPrivatePolicy(convert bool) *PUPolicy
ToPrivatePolicy converts the object to a private object.
type PURuntime ¶
PURuntime holds all data related to the status of the container run time
func NewPURuntime ¶
func NewPURuntime(name string, pid int, nsPath string, tags *TagStore, ips ExtendedMap, puType common.PUType, options *OptionsType) *PURuntime
NewPURuntime generates a new PURuntime
func NewPURuntimeWithDefaults ¶
func NewPURuntimeWithDefaults() *PURuntime
NewPURuntimeWithDefaults sets up PURuntime with defaults
func (*PURuntime) IPAddresses ¶
func (r *PURuntime) IPAddresses() ExtendedMap
IPAddresses returns all the IP addresses for the processing unit
func (*PURuntime) MarshalJSON ¶
func (r *PURuntime) MarshalJSON() ([]byte, error)
MarshalJSON marshals this struct.
func (*PURuntime) Options ¶
func (r *PURuntime) Options() OptionsType
Options returns the options for the processing unit
func (*PURuntime) SetIPAddresses ¶
func (r *PURuntime) SetIPAddresses(ipa ExtendedMap)
SetIPAddresses sets up all the IP addresses for the processing unit
func (*PURuntime) SetOptions ¶
func (r *PURuntime) SetOptions(options OptionsType)
SetOptions sets the Options
func (*PURuntime) SetServices ¶
func (r *PURuntime) SetServices(services []common.Service)
SetServices updates the services of the runtime.
func (*PURuntime) UnmarshalJSON ¶
func (r *PURuntime) UnmarshalJSON(param []byte) error
UnmarshalJSON unmarshals this struct.
type PURuntimeJSON ¶
type PURuntimeJSON struct {
	// PUType is the type of the PU
	PUType common.PUType
	// Pid holds the value of the first process of the container
	Pid int
	// NSPath is the path to the networking namespace for this PURuntime if applicable.
	NSPath string
	// Name is the name of the container
	Name string
	// IPAddresses are the IP addresses of the container
	IPAddresses ExtendedMap
	// Tags is a map of the metadata of the container
	Tags *TagStore
	// Options is a map of the options of the container
	Options *OptionsType
}
PURuntimeJSON is a JSON representation of PURuntime
type Resolver ¶
type Resolver interface {
	// HandlePUEvent is called by all monitors when a PU event is generated. The implementer
	// is responsible to update all components by explicitly adding a new PU.
	HandlePUEvent(ctx context.Context, puID string, event common.Event, runtime RuntimeReader) error
}
A Resolver must be implemented by a policy engine that receives monitor events.
type RuntimeError ¶
RuntimeError is an error detected by the TriremeController that has to be returned at a later time to the policy engine to take action.
type RuntimeReader ¶
type RuntimeReader interface {
	// Pid returns the Pid of the Runtime.
	Pid() int
	// Name returns the process name of the Runtime.
	Name() string
	// NSPath returns the path to the namespace of the PU, if applicable
	NSPath() string
	// Tag returns the value of the given tag.
	Tag(string) (string, bool)
	// Tags returns a copy of the list of the tags.
	Tags() *TagStore
	// Options returns a copy of the list of options.
	Options() OptionsType
	// IPAddresses returns a copy of all the IP addresses.
	IPAddresses() ExtendedMap
	// PUType returns the PUType for the PU
	PUType() common.PUType
	// SetServices sets the services of the runtime.
	SetServices(services []common.Service)
	// PortMap returns the portmap (container port -> host port)
	PortMap() map[nat.Port][]string
}
A RuntimeReader provides read access to the specific parameters stored in the Runtime
type ServiceType ¶
type ServiceType int
ServiceType enumerates the types of services that are supported.
const (
	ServiceL3 ServiceType = iota
	ServiceHTTP
	ServiceTCP
	ServiceSecretsProxy
)
Values of ServiceType
type TagSelector ¶
type TagSelector struct {
	Clause []KeyValueOperator
	Policy *FlowPolicy
}
TagSelector describes a tag selector: a list of key/operator/value clauses and the flow policy applied when the selector matches
type TagSelectorList ¶
type TagSelectorList []TagSelector
TagSelectorList defines a list of TagSelectors
func (TagSelectorList) Copy ¶ added in v1.0.10
func (t TagSelectorList) Copy() TagSelectorList
Copy returns a copy of the TagSelectorList
type TagStore ¶ added in v1.0.10
type TagStore struct {
Tags []string
}
TagStore stores the tags; it allows duplicate keys, so the same key may appear with several values
func NewTagStoreFromMap ¶ added in v1.0.10
NewTagStoreFromMap creates a tag store from an input map
func NewTagStoreFromSlice ¶
NewTagStoreFromSlice creates a new tag store from a slice.
func (*TagStore) AppendKeyValue ¶ added in v1.0.10
AppendKeyValue appends a key and value to the tag store
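The operators in the Constants section, the TagSelector and the TagStore above come together when a receiver rule is evaluated against a peer's identity tags. The following is an added example, not the policy package's code, that does that evaluation over "key=value" tags with duplicate keys. The page does not show the fields of KeyValueOperator or say how clauses combine, so the KeyValueOperator layout, the AND of clauses within a selector, first-match ordering, the treatment of an absent key under NotEqual and the fail-closed default are all assumptions of this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Operators as documented in the Constants section above.
const (
	Equal        = "="
	NotEqual     = "=!"
	KeyExists    = "*"
	KeyNotExists = "!*"
)

type ActionType byte

const Accept, Reject ActionType = 0x1, 0x2

type FlowPolicy struct {
	Action   ActionType
	PolicyID string
}

// TagStore mirrors the documented type: "key=value" strings, keys may repeat.
type TagStore struct{ Tags []string }

// Values returns every value stored under key, in order (duplicates allowed).
func (t *TagStore) Values(key string) []string {
	var out []string
	for _, kv := range t.Tags {
		if parts := strings.SplitN(kv, "=", 2); len(parts) == 2 && parts[0] == key {
			out = append(out, parts[1])
		}
	}
	return out
}

// KeyValueOperator's fields are not shown on this page; this layout is assumed.
type KeyValueOperator struct {
	Key      string
	Operator string
	Value    []string
}

type TagSelector struct {
	Clause []KeyValueOperator
	Policy *FlowPolicy
}

// Matches evaluates one clause. Assumed semantics: Equal holds if any value under
// Key is in Value; NotEqual requires the key to be present with none of its values
// in Value, so an untagged peer cannot satisfy a negative clause; unknown operators never match.
func (c KeyValueOperator) Matches(t *TagStore) bool {
	vals := t.Values(c.Key)
	switch c.Operator {
	case KeyExists:
		return len(vals) > 0
	case KeyNotExists:
		return len(vals) == 0
	case Equal, NotEqual:
		hit := false
		for _, v := range vals {
			for _, want := range c.Value {
				hit = hit || v == want
			}
		}
		if c.Operator == Equal {
			return hit
		}
		return len(vals) > 0 && !hit
	}
	return false
}

// Decide returns the policy of the first selector all of whose clauses hold
// (clauses are ANDed, order matters, an empty clause list matches nothing);
// a peer no selector admits is rejected. These are the example's assumptions.
func Decide(rules []TagSelector, peer *TagStore) FlowPolicy {
	for _, s := range rules {
		ok := len(s.Clause) > 0 && s.Policy != nil
		for _, c := range s.Clause {
			ok = ok && c.Matches(peer)
		}
		if ok {
			return *s.Policy
		}
	}
	return FlowPolicy{Action: Reject, PolicyID: "default-reject"}
}

func main() {
	// Constructed receiver rule: web tier may connect unless it is tagged env=dev.
	rx := []TagSelector{{
		Clause: []KeyValueOperator{{Key: "app", Operator: Equal, Value: []string{"web"}}, {Key: "env", Operator: NotEqual, Value: []string{"dev"}}},
		Policy: &FlowPolicy{Action: Accept, PolicyID: "web-to-db"},
	}}
	fmt.Println(Decide(rx, &TagStore{Tags: []string{"app=web", "env=prod"}}).PolicyID)
}
```

Two details carry the security weight here. Because the store allows duplicate keys, a peer carrying both app=batch and app=web satisfies an Equal clause on app=web, so whoever assigns identity tags must not let a PU pick up a second value for a key it is matched on. And a negative clause on a missing key is treated as not matching, so a peer that simply omits the env tag does not slip through a rule meant to exclude env=dev.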
type UserAuthorizationTypeValues ¶
type UserAuthorizationTypeValues int
UserAuthorizationTypeValues is the types of user authorization methods that are supported.
const (
	UserAuthorizationNone UserAuthorizationTypeValues = iota
	UserAuthorizationMutualTLS
	UserAuthorizationJWT
	UserAuthorizationOIDC
)
Values of UserAuthorizationTypeValues
Source Files ¶
Directories ¶
Path | Synopsis
---|---
mockpolicy | Package mockpolicy is a generated GoMock package.