Documentation ¶
Overview ¶
Package configurator provides some helper functions to helpe you create default Trireme and Monitor configurations.
Index ¶
- Constants
- func NewCompactPKIWithDocker(serverID string, networks []string, resolver trireme.PolicyResolver, ...) (trireme.Trireme, monitor.Monitor)
- func NewDistributedTriremeDocker(serverID string, resolver trireme.PolicyResolver, ...) trireme.Trireme
- func NewHybridCompactPKIWithDocker(serverID string, networks []string, resolver trireme.PolicyResolver, ...) (trireme.Trireme, monitor.Monitor, monitor.Monitor)
- func NewHybridTrireme(serverID string, resolver trireme.PolicyResolver, ...) trireme.Trireme
- func NewLocalTriremeDocker(serverID string, resolver trireme.PolicyResolver, ...) trireme.Trireme
- func NewPKITriremeWithDockerMonitor(serverID string, resolver trireme.PolicyResolver, ...) (trireme.Trireme, monitor.Monitor, enforcer.PublicKeyAdder)
- func NewPSKHybridTriremeWithMonitor(serverID string, networks []string, resolver trireme.PolicyResolver, ...) (trireme.Trireme, monitor.Monitor, monitor.Monitor)
- func NewPSKTriremeWithCNIMonitor(serverID string, resolver trireme.PolicyResolver, ...) (trireme.Trireme, monitor.Monitor)
- func NewPSKTriremeWithDockerMonitor(serverID string, resolver trireme.PolicyResolver, ...) (trireme.Trireme, monitor.Monitor)
- func NewSecretsFromPKI(keyPEM, certPEM, caCertPEM []byte) secrets.Secrets
- func NewSecretsFromPSK(key []byte) secrets.Secrets
- func NewTriremeLinuxProcess(serverID string, resolver trireme.PolicyResolver, ...) trireme.Trireme
- type TriremeOptions
- type TriremeResult
Constants ¶
const ( //DefaultProcMountPoint The default proc mountpoint DefaultProcMountPoint = "/proc" //DefaultAporetoProcMountPoint The aporeto proc mountpoint just in case we are launched with some specific docker config DefaultAporetoProcMountPoint = "/aporetoproc" )
Variables ¶
This section is empty.
Functions ¶
func NewCompactPKIWithDocker ¶
func NewCompactPKIWithDocker( serverID string, networks []string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, syncAtStart bool, keyPEM []byte, certPEM []byte, caCertPEM []byte, token []byte, dockerMetadataExtractor dockermonitor.DockerMetadataExtractor, remoteEnforcer bool, killContainerError bool, ) (trireme.Trireme, monitor.Monitor)
NewCompactPKIWithDocker is an example of configuring Trireme to use the compact PKI secrets method. The calling module must provide a policy engine implementation and private/public key pair and parent certificate and key. All certificates are passed in PEM format. If a certificate pool is provided certificates will not be transmitted on the wire. This is an example use - certificates must be properly protected
func NewDistributedTriremeDocker ¶
func NewDistributedTriremeDocker(serverID string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, secrets secrets.Secrets, impl constants.ImplementationType) trireme.Trireme
NewDistributedTriremeDocker instantiates Trireme using remote enforcers on the container namespaces
func NewHybridCompactPKIWithDocker ¶
func NewHybridCompactPKIWithDocker( serverID string, networks []string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, syncAtStart bool, keyPEM []byte, certPEM []byte, caCertPEM []byte, token []byte, dockerMetadataExtractor dockermonitor.DockerMetadataExtractor, remoteEnforcer bool, killContainerError bool, ) (trireme.Trireme, monitor.Monitor, monitor.Monitor)
NewHybridCompactPKIWithDocker is an example of configuring Trireme to use the compact PKI secrets method. The calling module must provide a policy engine implementation and private/public key pair and parent certificate and key. All certificates are passed in PEM format. If a certificate pool is provided certificates will not be transmitted on the wire. This is an example use - certificates must be properly protected
func NewHybridTrireme ¶
func NewHybridTrireme( serverID string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, secrets secrets.Secrets, networks []string, ) trireme.Trireme
NewHybridTrireme instantiates Trireme with both Linux and Docker enforcers. The Docker enforcers are remote
func NewLocalTriremeDocker ¶
func NewLocalTriremeDocker( serverID string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, secrets secrets.Secrets, impl constants.ImplementationType) trireme.Trireme
NewLocalTriremeDocker instantiates Trireme for Docker using enforcement on the main namespace
func NewPKITriremeWithDockerMonitor ¶
func NewPKITriremeWithDockerMonitor( serverID string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, syncAtStart bool, keyPEM []byte, certPEM []byte, caCertPEM []byte, dockerMetadataExtractor dockermonitor.DockerMetadataExtractor, remoteEnforcer bool, killContainerError bool, ) (trireme.Trireme, monitor.Monitor, enforcer.PublicKeyAdder)
NewPKITriremeWithDockerMonitor creates a new network isolator. The calling module must provide a policy engine implementation and private/public key pair and parent certificate. All certificates are passed in PEM format. If a certificate pool is provided certificates will not be transmitted on the wire
func NewPSKHybridTriremeWithMonitor ¶
func NewPSKHybridTriremeWithMonitor( serverID string, networks []string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, syncAtStart bool, key []byte, dockerMetadataExtractor dockermonitor.DockerMetadataExtractor, killContainerError bool, ) (trireme.Trireme, monitor.Monitor, monitor.Monitor)
NewPSKHybridTriremeWithMonitor creates a new network isolator. The calling module must provide a policy engine implementation and a pre-shared secret. This is for backward compatibility. Will be removed
func NewPSKTriremeWithCNIMonitor ¶ added in v1.0.46
func NewPSKTriremeWithCNIMonitor( serverID string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, key []byte, cniMetadataExtractor rpcmonitor.RPCMetadataExtractor, remoteEnforcer bool, ) (trireme.Trireme, monitor.Monitor)
NewPSKTriremeWithCNIMonitor simple CNI monitor
func NewPSKTriremeWithDockerMonitor ¶
func NewPSKTriremeWithDockerMonitor( serverID string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, syncAtStart bool, key []byte, dockerMetadataExtractor dockermonitor.DockerMetadataExtractor, remoteEnforcer bool, killContainerError bool, ) (trireme.Trireme, monitor.Monitor)
NewPSKTriremeWithDockerMonitor creates a new network isolator. The calling module must provide a policy engine implementation and a pre-shared secret. This is for backward compatibility. Will be removed
func NewSecretsFromPKI ¶
NewSecretsFromPKI creates secrets from a PKI
func NewSecretsFromPSK ¶
NewSecretsFromPSK creates secrets from a pre-shared key
func NewTriremeLinuxProcess ¶
func NewTriremeLinuxProcess( serverID string, resolver trireme.PolicyResolver, processor enforcer.PacketProcessor, eventCollector collector.EventCollector, secrets secrets.Secrets) trireme.Trireme
NewTriremeLinuxProcess instantiates Trireme for a Linux process implementation
Types ¶
type TriremeOptions ¶ added in v1.0.64
type TriremeOptions struct { ServerID string PSK []byte KeyPEM []byte CertPEM []byte CaCertPEM []byte SmartToken []byte TargetNetworks []string Resolver trireme.PolicyResolver EventCollector collector.EventCollector Processor enforcer.PacketProcessor CNIMetadataExtractor rpcmonitor.RPCMetadataExtractor DockerMetadataExtractor dockermonitor.DockerMetadataExtractor DockerSocketType string DockerSocket string Validity time.Duration ExternalIPCacheValidity time.Duration FilterQueue *fqconfig.FilterQueue ModeType constants.ModeType ImplType constants.ImplementationType ProcMountPoint string AporetoProcMountPoint string RemoteArg string RPCAddress string LinuxProcessReleasePath string MutualAuth bool KillContainerError bool SyncAtStart bool PKI bool LocalProcess bool LocalContainer bool RemoteContainer bool CNI bool }
TriremeOptions defines all the possible configuration options for Trireme configurator
func DefaultTriremeOptions ¶ added in v1.0.64
func DefaultTriremeOptions() *TriremeOptions
DefaultTriremeOptions returns a default set of options.
type TriremeResult ¶ added in v1.0.64
type TriremeResult struct { Trireme trireme.Trireme DockerMonitor monitor.Monitor RPCMonitor rpcmonitor.RPCMonitor PublicKeyAdder enforcer.PublicKeyAdder Secret secrets.Secrets }
TriremeResult is the result of the creation of Trireme
func NewTriremeWithOptions ¶ added in v1.0.64
func NewTriremeWithOptions(options *TriremeOptions) (*TriremeResult, error)
NewTriremeWithOptions creates all the Trireme objects based on the option struct