configurator

package
v2.4.0+incompatible
Published: Nov 10, 2017 License: GPL-2.0 Imports: 19 Imported by: 0

Documentation

Overview

Package configurator provides helper functions to help you create default Trireme and Monitor configurations.

Index

Constants

const (
	// DefaultProcMountPoint is the default proc mount point.
	DefaultProcMountPoint = "/proc"
	// DefaultAporetoProcMountPoint is the proc mount point used instead of /proc when Trireme is launched with a Docker configuration that mounts proc there.
	DefaultAporetoProcMountPoint = "/aporetoproc"
)

Variables

This section is empty.

Functions

func NewCompactPKIWithDocker

func NewCompactPKIWithDocker(
	serverID string,
	networks []string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	syncAtStart bool,
	keyPEM []byte,
	certPEM []byte,
	caCertPEM []byte,
	token []byte,
	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
	remoteEnforcer bool,
	killContainerError bool,
) (trireme.Trireme, monitor.Monitor)

NewCompactPKIWithDocker is an example of configuring Trireme with the compact PKI secrets method. The caller must supply a policy resolver implementation, the enforcer's private key and certificate, the CA (parent) certificate that issued it, and the compact PKI token; all key and certificate material is passed as PEM-encoded bytes. If a certificate pool is provided, certificates are not transmitted on the wire. This is example wiring: the private key is held in memory as plain PEM bytes, so the caller must source it from a protected store and keep it out of logs and images.

func NewDistributedTriremeDocker

func NewDistributedTriremeDocker(serverID string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	secrets secrets.Secrets,
	impl constants.ImplementationType) trireme.Trireme

NewDistributedTriremeDocker instantiates Trireme using remote enforcers that run in the container namespaces.

func NewHybridCompactPKIWithDocker

func NewHybridCompactPKIWithDocker(
	serverID string,
	networks []string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	syncAtStart bool,
	keyPEM []byte,
	certPEM []byte,
	caCertPEM []byte,
	token []byte,
	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
	remoteEnforcer bool,
	killContainerError bool,
) (trireme.Trireme, monitor.Monitor, monitor.Monitor)

NewHybridCompactPKIWithDocker is the hybrid (Linux process and Docker container) variant of NewCompactPKIWithDocker, configuring Trireme with the compact PKI secrets method. The caller must supply a policy resolver implementation, the enforcer's private key and certificate, the CA (parent) certificate that issued it, and the compact PKI token; all key and certificate material is passed as PEM-encoded bytes. If a certificate pool is provided, certificates are not transmitted on the wire. Because both enforcer types are set up, two monitors are returned alongside the Trireme instance. This is example wiring: the private key is held in memory as plain PEM bytes, so the caller must source it from a protected store and keep it out of logs and images.

func NewHybridTrireme

func NewHybridTrireme(
	serverID string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	secrets secrets.Secrets,
	networks []string,
) trireme.Trireme

NewHybridTrireme instantiates Trireme with both Linux process and Docker enforcers. The Docker enforcers are remote.

func NewLocalTriremeDocker

func NewLocalTriremeDocker(
	serverID string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	secrets secrets.Secrets,
	impl constants.ImplementationType) trireme.Trireme

NewLocalTriremeDocker instantiates Trireme for Docker with enforcement performed in the main (host) namespace rather than by remote enforcers in the container namespaces.

func NewPKITriremeWithDockerMonitor

func NewPKITriremeWithDockerMonitor(
	serverID string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	syncAtStart bool,
	keyPEM []byte,
	certPEM []byte,
	caCertPEM []byte,
	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
	remoteEnforcer bool,
	killContainerError bool,
) (trireme.Trireme, monitor.Monitor, enforcer.PublicKeyAdder)

NewPKITriremeWithDockerMonitor creates a new network isolator using PKI secrets. The caller must supply a policy resolver implementation, the enforcer's private key and certificate, and the CA (parent) certificate, all PEM-encoded. If a certificate pool is provided, certificates are not transmitted on the wire. The returned enforcer.PublicKeyAdder is there so that additional public keys can be registered after construction.

func NewPSKHybridTriremeWithMonitor

func NewPSKHybridTriremeWithMonitor(
	serverID string,
	networks []string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	syncAtStart bool,
	key []byte,
	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
	killContainerError bool,
) (trireme.Trireme, monitor.Monitor, monitor.Monitor)

NewPSKHybridTriremeWithMonitor creates a new network isolator with hybrid (Linux process and Docker) enforcement. The caller must supply a policy resolver implementation and a pre-shared secret. This function is kept for backward compatibility and will be removed.

func NewPSKTriremeWithCNIMonitor added in v1.0.46

func NewPSKTriremeWithCNIMonitor(
	serverID string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	key []byte,
	cniMetadataExtractor rpcmonitor.RPCMetadataExtractor,
	remoteEnforcer bool,
) (trireme.Trireme, monitor.Monitor)

NewPSKTriremeWithCNIMonitor creates Trireme with pre-shared-key secrets and a simple CNI monitor.

func NewPSKTriremeWithDockerMonitor

func NewPSKTriremeWithDockerMonitor(
	serverID string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	syncAtStart bool,
	key []byte,
	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
	remoteEnforcer bool,
	killContainerError bool,
) (trireme.Trireme, monitor.Monitor)

NewPSKTriremeWithDockerMonitor creates a new network isolator with Docker enforcement. The caller must supply a policy resolver implementation and a pre-shared secret. This function is kept for backward compatibility and will be removed.

func NewSecretsFromPKI

func NewSecretsFromPKI(keyPEM, certPEM, caCertPEM []byte) secrets.Secrets

NewSecretsFromPKI creates secrets from a PKI: the enforcer's private key, its certificate and the CA certificate, all PEM-encoded.
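The PKI constructors above (NewCompactPKIWithDocker, NewPKITriremeWithDockerMonitor and NewSecretsFromPKI) take the key, certificate and CA as raw PEM bytes and leave it to the caller to make sure they belong together. The following is an added example, not code from the Trireme project, of the pre-flight check a deployer can run before handing the material over: it parses all three blobs, confirms the certificate carries the private key's public half, verifies the certificate chains to the supplied CA, and checks validity at a given time. It assumes EC keys in "EC PRIVATE KEY" PEM blocks; ValidatePKI, decodeOne, parseCert and NewTestPKI are hypothetical helper names, and NewTestPKI only mints throwaway test material so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// decodeOne extracts one PEM block and insists on the expected type, so a certificate handed in where the key belongs fails here.
func decodeOne(data []byte, wantType string) ([]byte, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != wantType {
		return nil, fmt.Errorf("expected a %q PEM block", wantType)
	}
	return block.Bytes, nil
}

func parseCert(data []byte) (*x509.Certificate, error) {
	der, err := decodeOne(data, "CERTIFICATE")
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// ValidatePKI cross-checks keyPEM, certPEM and caCertPEM before they reach NewSecretsFromPKI: the certificate
// must carry the key's public half, chain to the supplied CA and be valid at time now. It returns the parsed leaf.
func ValidatePKI(keyPEM, certPEM, caCertPEM []byte, now time.Time) (*x509.Certificate, error) {
	keyDER, err := decodeOne(keyPEM, "EC PRIVATE KEY")
	if err != nil {
		return nil, err
	}
	key, err := x509.ParseECPrivateKey(keyDER)
	if err != nil {
		return nil, fmt.Errorf("key: %w", err)
	}
	cert, err := parseCert(certPEM)
	if err != nil {
		return nil, fmt.Errorf("cert: %w", err)
	}
	ca, err := parseCert(caCertPEM)
	if err != nil {
		return nil, fmt.Errorf("ca: %w", err)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(&key.PublicKey) {
		return nil, fmt.Errorf("certificate public key does not match the private key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return nil, fmt.Errorf("certificate does not chain to the given CA: %w", err)
	}
	return cert, nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// NewTestPKI mints a throwaway CA and a leaf for serverID, as PEM, so the example runs offline. This is constructed
// test material only; a real deployment gets these from its own PKI and must keep the key out of logs and images.
func NewTestPKI(serverID string, notAfter time.Time) (keyPEM, certPEM, caCertPEM []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	check(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: serverID},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, caTmpl, &leafKey.PublicKey, caKey)
	check(err)
	keyDER, err := x509.MarshalECPrivateKey(leafKey)
	check(err)
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: leafDER})
	caCertPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return keyPEM, certPEM, caCertPEM
}

func main() {
	k, c, ca := NewTestPKI("server-1", time.Now().Add(24*time.Hour))
	cert, err := ValidatePKI(k, c, ca, time.Now())
	check(err)
	fmt.Printf("PKI material for %q is consistent; safe to pass to NewSecretsFromPKI\n", cert.Subject.CommonName)
}
```

Run this check once at startup, before calling NewSecretsFromPKI or any of the PKI constructors, and treat a failure as fatal: a key/certificate mismatch or an untrusted issuer would otherwise surface only as failed authentication between enforcers.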

func NewSecretsFromPSK

func NewSecretsFromPSK(key []byte) secrets.Secrets

NewSecretsFromPSK creates secrets from a pre-shared key. Every node holding the key can authenticate as any other node, so a PSK provides no per-node identity and a single compromised node exposes the whole deployment; the PSK constructors on this page are kept for backward compatibility only, so prefer NewSecretsFromPKI outside test or migration setups.

func NewTriremeLinuxProcess

func NewTriremeLinuxProcess(
	serverID string,
	resolver trireme.PolicyResolver,
	processor enforcer.PacketProcessor,
	eventCollector collector.EventCollector,
	secrets secrets.Secrets) trireme.Trireme

NewTriremeLinuxProcess instantiates Trireme for the Linux process implementation.

Types

type TriremeOptions added in v1.0.64

type TriremeOptions struct {
	ServerID string

	PSK []byte

	KeyPEM     []byte
	CertPEM    []byte
	CaCertPEM  []byte
	SmartToken []byte

	TargetNetworks []string

	Resolver       trireme.PolicyResolver
	EventCollector collector.EventCollector
	Processor      enforcer.PacketProcessor

	CNIMetadataExtractor    rpcmonitor.RPCMetadataExtractor
	DockerMetadataExtractor dockermonitor.DockerMetadataExtractor

	DockerSocketType string
	DockerSocket     string

	Validity                time.Duration
	ExternalIPCacheValidity time.Duration

	FilterQueue *fqconfig.FilterQueue

	ModeType constants.ModeType
	ImplType constants.ImplementationType

	ProcMountPoint        string
	AporetoProcMountPoint string

	RemoteArg string

	RPCAddress              string
	LinuxProcessReleasePath string

	MutualAuth bool

	KillContainerError bool
	SyncAtStart        bool

	PKI bool

	LocalProcess    bool
	LocalContainer  bool
	RemoteContainer bool
	CNI             bool
}

TriremeOptions defines all the configuration options accepted by the Trireme configurator.

func DefaultTriremeOptions added in v1.0.64

func DefaultTriremeOptions() *TriremeOptions

DefaultTriremeOptions returns a default set of options.

type TriremeResult added in v1.0.64

type TriremeResult struct {
	Trireme        trireme.Trireme
	DockerMonitor  monitor.Monitor
	RPCMonitor     rpcmonitor.RPCMonitor
	PublicKeyAdder enforcer.PublicKeyAdder
	Secret         secrets.Secrets
}

TriremeResult holds the objects created by NewTriremeWithOptions.

func NewTriremeWithOptions added in v1.0.64

func NewTriremeWithOptions(options *TriremeOptions) (*TriremeResult, error)

NewTriremeWithOptions creates all the Trireme objects described by the options struct.
