Documentation ¶
Overview ¶
Package policy describes a generic interface for retrieving policies. Different implementations are possible for environments such as Kubernetes, Mesos or other custom environments. An implementation has to provide a method for retrieving policy based on the metadata associated with the container and deleting the policy when the container dies. It is up to the implementation to decide how to generate the policy. The package also defines the basic data structure for communicating policy information. The implementations are responsible for providing all the necessary data.
Index ¶
- Constants
- func ConvertServicesToPortList(services []Service) string
- func DefaultLogPrefix(contextID string) string
- func EncodedStringToAction(e string) (ActionType, ObserveActionType, error)
- type ActionType
- type ExtendedMap
- type FlowPolicy
- type IPRule
- type IPRuleList
- type KeyValueOperator
- type ObserveActionType
- type Operator
- type OptionsType
- type PUAction
- type PUInfo
- type PUPolicy
- func (p *PUPolicy) AddIdentityTag(k, v string)
- func (p *PUPolicy) AddReceiverRules(t TagSelector)
- func (p *PUPolicy) AddTransmitterRules(t TagSelector)
- func (p *PUPolicy) Annotations() *TagStore
- func (p *PUPolicy) ApplicationACLs() IPRuleList
- func (p *PUPolicy) Clone() *PUPolicy
- func (p *PUPolicy) DefaultIPAddress() (string, bool)
- func (p *PUPolicy) ExcludedNetworks() []string
- func (p *PUPolicy) IPAddresses() ExtendedMap
- func (p *PUPolicy) Identity() *TagStore
- func (p *PUPolicy) ManagementID() string
- func (p *PUPolicy) NetworkACLs() IPRuleList
- func (p *PUPolicy) ProxiedServices() *ProxiedServicesInfo
- func (p *PUPolicy) ReceiverRules() TagSelectorList
- func (p *PUPolicy) SetIPAddresses(l ExtendedMap)
- func (p *PUPolicy) SetTriremeAction(action PUAction)
- func (p *PUPolicy) TransmitterRules() TagSelectorList
- func (p *PUPolicy) TriremeAction() PUAction
- func (p *PUPolicy) TriremeNetworks() []string
- func (p *PUPolicy) UpdateExcludedNetworks(networks []string)
- func (p *PUPolicy) UpdateTriremeNetworks(networks []string)
- type PURuntime
- func (r *PURuntime) Clone() *PURuntime
- func (r *PURuntime) DefaultIPAddress() (string, bool)
- func (r *PURuntime) IPAddresses() ExtendedMap
- func (r *PURuntime) MarshalJSON() ([]byte, error)
- func (r *PURuntime) NSPath() string
- func (r *PURuntime) Name() string
- func (r *PURuntime) Options() OptionsType
- func (r *PURuntime) PUType() constants.PUType
- func (r *PURuntime) Pid() int
- func (r *PURuntime) SetIPAddresses(ipa ExtendedMap)
- func (r *PURuntime) SetNSPath(nsPath string)
- func (r *PURuntime) SetOptions(options OptionsType)
- func (r *PURuntime) SetPUType(puType constants.PUType)
- func (r *PURuntime) SetPid(pid int)
- func (r *PURuntime) SetTags(t *TagStore)
- func (r *PURuntime) Tag(key string) (string, bool)
- func (r *PURuntime) Tags() *TagStore
- func (r *PURuntime) UnmarshalJSON(param []byte) error
- type PURuntimeJSON
- type ProxiedServicesInfo
- type RuntimeReader
- type Service
- type TagSelector
- type TagSelectorList
- type TagStore
Constants ¶
const ( // AllowAll allows everything for the specific PU. AllowAll = 0x1 // Police filters on the PU based on the PolicyRules. Police = 0x2 )
const ( // Equal is the equal operator Equal = "=" // NotEqual is the not equal operator NotEqual = "=!" // KeyExists is the key=* operator KeyExists = "*" // KeyNotExists means that the key doesnt exist in the incoming tags KeyNotExists = "!*" )
const (
// DefaultNamespace is the default namespace for applying policy
DefaultNamespace = "bridge"
)
Variables ¶
This section is empty.
Functions ¶
func ConvertServicesToPortList ¶ added in v1.0.63
ConvertServicesToPortList converts an array of services to a port list
func DefaultLogPrefix ¶
DefaultLogPrefix return the prefix used in nf-log action for default rule.
func EncodedStringToAction ¶
func EncodedStringToAction(e string) (ActionType, ObserveActionType, error)
EncodedStringToAction returns action and observed action from encoded string.
Types ¶
type ActionType ¶ added in v1.0.24
type ActionType byte
ActionType is the action that can be applied to a flow.
const ( // Accept is the accept action Accept ActionType = 0x1 // Reject is the reject action Reject ActionType = 0x2 // Encrypt instructs data to be encrypted Encrypt ActionType = 0x4 // Log instructs the datapath to log the IP addresses Log ActionType = 0x8 // Observe instructs the datapath to observe policy results Observe ActionType = 0x10 )
func (ActionType) Accepted ¶ added in v1.0.24
func (f ActionType) Accepted() bool
Accepted returns if the action mask contains the Accepted mask.
func (ActionType) ActionString ¶ added in v1.0.24
func (f ActionType) ActionString() string
ActionString returns if the action if accepted of rejected as a long string.
func (ActionType) Encrypted ¶ added in v1.0.24
func (f ActionType) Encrypted() bool
Encrypted returns if the action mask contains the Encrypted mask.
func (ActionType) Logged ¶ added in v1.0.24
func (f ActionType) Logged() bool
Logged returns if the action mask contains the Logged mask.
func (ActionType) Observed ¶
func (f ActionType) Observed() bool
Observed returns if the action mask contains the Observed mask.
func (ActionType) Rejected ¶ added in v1.0.24
func (f ActionType) Rejected() bool
Rejected returns if the action mask contains the Rejected mask.
func (ActionType) String ¶ added in v1.0.24
func (f ActionType) String() string
type ExtendedMap ¶ added in v1.0.10
ExtendedMap is a common map with additional functions
func (ExtendedMap) Copy ¶ added in v1.0.10
func (s ExtendedMap) Copy() ExtendedMap
Copy copies an ExtendedMap
type FlowPolicy ¶ added in v1.0.24
type FlowPolicy struct { ObserveAction ObserveActionType Action ActionType ServiceID string PolicyID string }
FlowPolicy captures the policy for a particular flow
func (*FlowPolicy) EncodedActionString ¶
func (f *FlowPolicy) EncodedActionString() string
EncodedActionString is used to encode observed action as well as action
func (*FlowPolicy) LogPrefix ¶
func (f *FlowPolicy) LogPrefix(contextID string) string
LogPrefix is the prefix used in nf-log action. It must be less than
type IPRule ¶
type IPRule struct { Address string Port string Protocol string Policy *FlowPolicy }
IPRule holds IP rules to external services
type IPRuleList ¶
type IPRuleList []IPRule
IPRuleList is a list of IP rules
func (IPRuleList) Copy ¶ added in v1.0.10
func (l IPRuleList) Copy() IPRuleList
Copy creates a clone of the IP rule list
type KeyValueOperator ¶
KeyValueOperator describes an individual matching rule
type ObserveActionType ¶
type ObserveActionType byte
ObserveActionType is the action that can be applied to a flow for an observation rule.
const ( // ObserveNone specifies if any observation was made or not. ObserveNone ObserveActionType = 0x0 // ObserveContinue is used to not take any action on packet and is deferred to // an actual rule with accept or deny action. ObserveContinue ObserveActionType = 0x1 // ObserveApply is used to apply action to packets hitting this rule. ObserveApply ObserveActionType = 0x2 )
Observe actions are used in conjunction with action.
func (ObserveActionType) ObserveApply ¶
func (f ObserveActionType) ObserveApply() bool
ObserveApply returns if the action of observation rule is allow.
func (ObserveActionType) ObserveContinue ¶
func (f ObserveActionType) ObserveContinue() bool
ObserveContinue returns if the action of observation rule is continue.
func (ObserveActionType) Observed ¶
func (f ObserveActionType) Observed() bool
Observed returns true if any observed action was found.
func (ObserveActionType) String ¶
func (f ObserveActionType) String() string
type OptionsType ¶ added in v1.0.63
type OptionsType struct { // CgroupName is the name of the cgroup CgroupName string // CgroupMark is the tag of the cgroup CgroupMark string // UserID is the user ID if it exists UserID string // Services is the list of services of interest Services []Service // ProxyPort is the port on which the proxy listens ProxyPort string // PolicyExtensions is policy resolution extensions PolicyExtensions interface{} }
OptionsType is a set of options that can be passed with a policy request
type PUAction ¶
type PUAction int
PUAction defines the action types that applies for a specific PU as a whole.
type PUInfo ¶
type PUInfo struct { // ContextID is the ID of the container that the policy applies to ContextID string // Policy is an instantiation of the container policy Policy *PUPolicy // RunTime captures all data that are captured from the container Runtime *PURuntime }
PUInfo captures all policy information related to a connection
type PUPolicy ¶
PUPolicy captures all policy information related ot the container
func NewPUPolicy ¶
func NewPUPolicy( id string, action PUAction, appACLs IPRuleList, netACLs IPRuleList, txtags TagSelectorList, rxtags TagSelectorList, identity *TagStore, annotations *TagStore, ips ExtendedMap, triremeNetworks []string, excludedNetworks []string, proxiedServices *ProxiedServicesInfo, ) *PUPolicy
NewPUPolicy generates a new ContainerPolicyInfo appACLs are the ACLs for packet coming from the Application/PU to the Network. netACLs are the ACLs for packet coming from the Network to the Application/PU.
func NewPUPolicyWithDefaults ¶
func NewPUPolicyWithDefaults() *PUPolicy
NewPUPolicyWithDefaults sets up a PU policy with defaults
func (*PUPolicy) AddIdentityTag ¶
AddIdentityTag adds a policy tag
func (*PUPolicy) AddReceiverRules ¶
func (p *PUPolicy) AddReceiverRules(t TagSelector)
AddReceiverRules adds a receiver rule
func (*PUPolicy) AddTransmitterRules ¶
func (p *PUPolicy) AddTransmitterRules(t TagSelector)
AddTransmitterRules adds a transmitter rule
func (*PUPolicy) Annotations ¶
Annotations returns a copy of the annotations
func (*PUPolicy) ApplicationACLs ¶
func (p *PUPolicy) ApplicationACLs() IPRuleList
ApplicationACLs returns a copy of IPRuleList
func (*PUPolicy) DefaultIPAddress ¶
DefaultIPAddress returns the default IP address for the processing unit
func (*PUPolicy) ExcludedNetworks ¶
ExcludedNetworks returns the list of excluded networks.
func (*PUPolicy) IPAddresses ¶
func (p *PUPolicy) IPAddresses() ExtendedMap
IPAddresses returns all the IP addresses for the processing unit
func (*PUPolicy) ManagementID ¶
ManagementID returns the management ID
func (*PUPolicy) NetworkACLs ¶
func (p *PUPolicy) NetworkACLs() IPRuleList
NetworkACLs returns a copy of IPRuleList
func (*PUPolicy) ProxiedServices ¶
func (p *PUPolicy) ProxiedServices() *ProxiedServicesInfo
ProxiedServices returns the list of networks that Trireme must be applied
func (*PUPolicy) ReceiverRules ¶
func (p *PUPolicy) ReceiverRules() TagSelectorList
ReceiverRules returns a copy of TagSelectorList
func (*PUPolicy) SetIPAddresses ¶
func (p *PUPolicy) SetIPAddresses(l ExtendedMap)
SetIPAddresses sets the IP addresses for the processing unit
func (*PUPolicy) SetTriremeAction ¶ added in v1.0.10
SetTriremeAction returns the TriremeAction
func (*PUPolicy) TransmitterRules ¶
func (p *PUPolicy) TransmitterRules() TagSelectorList
TransmitterRules returns a copy of TagSelectorList
func (*PUPolicy) TriremeAction ¶
TriremeAction returns the TriremeAction
func (*PUPolicy) TriremeNetworks ¶
TriremeNetworks returns the list of networks that Trireme must be applied
func (*PUPolicy) UpdateExcludedNetworks ¶
UpdateExcludedNetworks updates the list of excluded networks.
func (*PUPolicy) UpdateTriremeNetworks ¶
UpdateTriremeNetworks updates the set of networks for trireme
type PURuntime ¶
type PURuntime struct { // GlobalLock is used by Trireme to make sure that two operations do not // get interleaved for the same container. GlobalLock *sync.Mutex sync.Mutex // contains filtered or unexported fields }
PURuntime holds all data related to the status of the container run time
func NewPURuntime ¶
func NewPURuntime(name string, pid int, nsPath string, tags *TagStore, ips ExtendedMap, puType constants.PUType, options *OptionsType) *PURuntime
NewPURuntime Generate a new RuntimeInfo
func NewPURuntimeWithDefaults ¶
func NewPURuntimeWithDefaults() *PURuntime
NewPURuntimeWithDefaults sets up PURuntime with defaults
func (*PURuntime) DefaultIPAddress ¶
DefaultIPAddress returns the default IP address for the processing unit
func (*PURuntime) IPAddresses ¶
func (r *PURuntime) IPAddresses() ExtendedMap
IPAddresses returns all the IP addresses for the processing unit
func (*PURuntime) MarshalJSON ¶
MarshalJSON Marshals this struct.
func (*PURuntime) Options ¶
func (r *PURuntime) Options() OptionsType
Options returns tags for the processing unit
func (*PURuntime) SetIPAddresses ¶
func (r *PURuntime) SetIPAddresses(ipa ExtendedMap)
SetIPAddresses sets up all the IP addresses for the processing unit
func (*PURuntime) SetOptions ¶
func (r *PURuntime) SetOptions(options OptionsType)
SetOptions sets the Options
func (*PURuntime) UnmarshalJSON ¶
UnmarshalJSON Unmarshals this struct.
type PURuntimeJSON ¶
type PURuntimeJSON struct { // PUType is the type of the PU PUType constants.PUType // Pid holds the value of the first process of the container Pid int // NSPath is the path to the networking namespace for this PURuntime if applicable. NSPath string // Name is the name of the container Name string // IPAddress is the IP Address of the container IPAddresses ExtendedMap // Tags is a map of the metadata of the container Tags *TagStore // Options is a map of the options of the container Options *OptionsType }
PURuntimeJSON is a Json representation of PURuntime
type ProxiedServicesInfo ¶
type ProxiedServicesInfo struct { // PublicIPPortPair is an array public ip,port of load balancer or passthrough object per pu PublicIPPortPair []string // PrivateIPPortPair is an array of private ip,port of load balancer or passthrough object per pu PrivateIPPortPair []string }
ProxiedServicesInfo holds the info for a proxied service.
func (*ProxiedServicesInfo) AddPrivateIPPortPair ¶
func (p *ProxiedServicesInfo) AddPrivateIPPortPair(ipportpair string)
AddPrivateIPPortPair adds a private ip port pair
func (*ProxiedServicesInfo) AddPublicIPPortPair ¶
func (p *ProxiedServicesInfo) AddPublicIPPortPair(ipportpair string)
AddPublicIPPortPair add a ip port pair to proxied services
type RuntimeReader ¶
type RuntimeReader interface { // Pid returns the Pid of the Runtime. Pid() int // Name returns the process name of the Runtime. Name() string // Tag returns the value of the given tag. Tag(string) (string, bool) // Tags returns a copy of the list of the tags. Tags() *TagStore // Options returns a copy of the list of options. Options() OptionsType // DefaultIPAddress retutns the default IP address. DefaultIPAddress() (string, bool) // IPAddresses returns a copy of all the IP addresses. IPAddresses() ExtendedMap // Returns the PUType for the PU PUType() constants.PUType }
A RuntimeReader allows to get the specific parameters stored in the Runtime
type Service ¶ added in v1.0.63
type Service struct { // Protocol is the protocol number Protocol uint8 // Port is the target port Port uint16 }
Service is a protocol/port service of interest - used to pass user requests
type TagSelector ¶
type TagSelector struct { Clause []KeyValueOperator Policy *FlowPolicy }
TagSelector info describes a tag selector key Operator value
type TagSelectorList ¶
type TagSelectorList []TagSelector
TagSelectorList defines a list of TagSelectors
func (TagSelectorList) Copy ¶ added in v1.0.10
func (t TagSelectorList) Copy() TagSelectorList
Copy returns a copy of the TagSelectorList
type TagStore ¶ added in v1.0.10
type TagStore struct {
Tags []string
}
TagStore stores the tags - it allows duplicate key values
func NewTagStoreFromMap ¶ added in v1.0.10
NewTagStoreFromMap creates a tag store from an input map
func (*TagStore) AppendKeyValue ¶ added in v1.0.10
AppendKeyValue appends a key and value to the tag store