policy

Constants

const (

	// MinimalNumericIdentity is the first identity value available for
	// dynamic allocation. All IDs lesser than this value are reserved
	// (see the ID_UNKNOWN / ID_HOST / ID_WORLD constants, which start at 0).
	MinimalNumericIdentity = NumericIdentity(256)
)

Variables

var (
	// CoverageSHASize is the length, in hex characters, of a coverage digest.
	// It is derived from an empty SHA-512/256 sum (32 bytes → 64 hex chars),
	// which is the same digest length as SHA-256; the PolicyRule methods
	// are named SHA256Sum/CoverageSHA256Sum, so the hash actually used by
	// them is not visible on this page — verify against the implementation.
	CoverageSHASize = len(fmt.Sprintf("%x", sha512.New512_256().Sum(nil)))
)

Functions

func SplitNodePath

func SplitNodePath(fullPath string) (string, string)

Types

type AllowL4

// AllowL4 groups the L4 filters permitted in each traffic direction.
// In JSON the two lists appear as "in-ports" and "out-ports".
type AllowL4 struct {
	Ingress []L4Filter `json:"in-ports,omitempty"`
	Egress  []L4Filter `json:"out-ports,omitempty"`
}

func (*AllowL4) Merge

func (l4 *AllowL4) Merge(result *L4Policy)

type AllowRule

// AllowRule pairs a label with the decision to apply when that label matches.
// Action is omitted from JSON when it is the zero value (UNDECIDED);
// see AllowRule.UnmarshalJSON for how the rule is decoded.
type AllowRule struct {
	Action ConsumableDecision `json:"action,omitempty"`
	Label  labels.Label       `json:"label"`
}

func (*AllowRule) Allows

func (a *AllowRule) Allows(ctx *SearchContext) ConsumableDecision

func (*AllowRule) String

func (a *AllowRule) String() string

func (*AllowRule) UnmarshalJSON

func (a *AllowRule) UnmarshalJSON(data []byte) error

type AuxRule

// AuxRule carries an auxiliary rule expression attached to an L4Filter.
// The expression language is not defined on this page; it is stored verbatim.
type AuxRule struct {
	Expr string `json:"expr"`
}

type Consumable

// Consumable is an entity that can be consumed by Consumers. Fields tagged
// json:"-" are runtime state and are not part of the serialized form.
type Consumable struct {
	// ID is the numeric identity of this consumable.
	ID NumericIdentity `json:"id"`
	// Iteration is runtime bookkeeping (compare ConsumableCache.Iteration); not serialized.
	Iteration int `json:"-"`
	// Labels is the identity (label set) this consumable represents.
	Labels *Identity `json:"labels"`
	// LabelList is a flattened label list; not serialized.
	LabelList []labels.Label `json:"-"`
	// Maps are the policy maps managed through AddMap/RemoveMap, keyed by int
	// (key meaning not visible here); not serialized.
	Maps map[int]*policymap.PolicyMap `json:"-"`
	// Consumers holds the consumers allowed so far, keyed by string
	// (presumably Consumer.StringID(); verify against AllowConsumer).
	Consumers map[string]*Consumer `json:"consumers"`
	// ReverseRules holds the reverse-direction consumers keyed by numeric
	// identity (see AllowConsumerAndReverse); not serialized.
	ReverseRules map[NumericIdentity]*Consumer `json:"-"`
	// L4Policy is the resolved L4 policy for this consumable, if any.
	L4Policy *L4Policy `json:"l4-policy"`
	// contains filtered or unexported fields
}

An entity that is being consumed by a Consumer.

func NewConsumable

func NewConsumable(id NumericIdentity, lbls *Identity, cache *ConsumableCache) *Consumable

func (*Consumable) AddMap

func (c *Consumable) AddMap(m *policymap.PolicyMap)

func (*Consumable) AllowConsumer

func (c *Consumable) AllowConsumer(cache *ConsumableCache, id NumericIdentity) *Consumer

func (*Consumable) AllowConsumerAndReverse

func (c *Consumable) AllowConsumerAndReverse(cache *ConsumableCache, id NumericIdentity)

func (*Consumable) Allows

func (c *Consumable) Allows(id NumericIdentity) bool

func (*Consumable) BanConsumer

func (c *Consumable) BanConsumer(id NumericIdentity)

func (*Consumable) DeepCopy

func (c *Consumable) DeepCopy() *Consumable

func (*Consumable) Delete

func (c *Consumable) Delete()

func (*Consumable) GetConsumer

func (c *Consumable) GetConsumer(id NumericIdentity) *Consumer

func (*Consumable) GetModel

func (c *Consumable) GetModel() *models.EndpointPolicy

func (*Consumable) RemoveMap

func (c *Consumable) RemoveMap(m *policymap.PolicyMap)

type ConsumableCache

// ConsumableCache tracks known Consumables. Reserved entries are added via
// AddReserved; other entries are created through GetOrCreate and dropped
// with Remove. Unexported fields (not shown here) hold the cache state.
type ConsumableCache struct {

	// List of consumables representing the reserved identities
	Reserved []*Consumable
	// Iteration is a counter maintained by the cache; its exact use is not visible here.
	Iteration int
	// contains filtered or unexported fields
}

func NewConsumableCache

func NewConsumableCache() *ConsumableCache

func (*ConsumableCache) AddReserved

func (c *ConsumableCache) AddReserved(elem *Consumable)

func (*ConsumableCache) GetOrCreate

func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable

func (*ConsumableCache) Lookup

func (*ConsumableCache) Remove

func (c *ConsumableCache) Remove(elem *Consumable)

type ConsumableDecision

// ConsumableDecision is the outcome of evaluating policy for a consumer.
// The zero value is UNDECIDED, so an unset decision is neither an accept
// nor a deny; callers must treat UNDECIDED explicitly rather than as allow.
type ConsumableDecision byte
const (
	UNDECIDED ConsumableDecision = iota
	ACCEPT
	ALWAYS_ACCEPT
	DENY
)

func (ConsumableDecision) MarshalJSON

func (d ConsumableDecision) MarshalJSON() ([]byte, error)

func (ConsumableDecision) String

func (d ConsumableDecision) String() string

func (*ConsumableDecision) UnmarshalJSON

func (d *ConsumableDecision) UnmarshalJSON(b []byte) error

type Consumer

// Consumer is an entity that consumes a Consumable.
type Consumer struct {
	// ID is the numeric identity of the consumer.
	ID NumericIdentity
	// Reverse points to the consumer representing the opposite direction
	// (see Consumable.AllowConsumerAndReverse); nil when none was created.
	Reverse *Consumer
	// DeletionMark flags the consumer for removal during a cleanup pass.
	DeletionMark bool
	// Decision is the policy outcome for this consumer; its zero value is
	// UNDECIDED, so whether NewConsumer sets it cannot be told from here.
	Decision ConsumableDecision
}

An entity that consumes a Consumable

func NewConsumer

func NewConsumer(id NumericIdentity) *Consumer

func (*Consumer) DeepCopy

func (c *Consumer) DeepCopy() *Consumer

func (*Consumer) StringID

func (c *Consumer) StringID() string

type Identity

// Identity is the representation of the security context for a particular
// set of labels. The field comments on the generated page were attached to
// the wrong fields; they are corrected here to match the field types.
type Identity struct {
	// Identity's ID.
	ID NumericIdentity `json:"id"`
	// Set of labels that belong to this Identity.
	Labels labels.Labels `json:"labels"`
	// Endpoints that have this Identity, where the value is the last time
	// they were seen. Serialized under the JSON key "containers".
	Endpoints map[string]time.Time `json:"containers"`
}

Identity is the representation of the security context for a particular set of labels.

func NewIdentity

func NewIdentity() *Identity

func NewIdentityFromModel

func NewIdentityFromModel(base *models.Identity) *Identity

func (*Identity) AssociateEndpoint

func (s *Identity) AssociateEndpoint(id string)

Associate endpoint with identity

func (*Identity) DeepCopy

func (s *Identity) DeepCopy() *Identity

func (*Identity) DisassociateEndpoint

func (s *Identity) DisassociateEndpoint(id string) bool

Disassociate endpoint from identity and return true if successful.

func (*Identity) GetModel

func (id *Identity) GetModel() *models.Identity

func (*Identity) RefCount

func (s *Identity) RefCount() int

type L4Filter

// L4Filter describes one port/protocol entry of an L4 policy, optionally
// redirecting matching traffic and attaching auxiliary rules.
type L4Filter struct {
	// Port is the L4 port number; omitted from JSON when zero.
	Port int `json:"port,omitempty"`
	// Protocol is the L4 protocol name (string form; valid values not shown here).
	Protocol string `json:"protocol,omitempty"`
	// Redirect names where matching traffic is redirected; empty means no redirect.
	Redirect string `json:"redirect,omitempty"`
	// Rules are auxiliary rule expressions applied to the filter.
	Rules []AuxRule `json:"rules,omitempty"`
}

func (*L4Filter) Merge

func (f *L4Filter) Merge(result *L4Policy, m map[string]L4Filter, proto string)

func (*L4Filter) String

func (l4 *L4Filter) String() string

func (*L4Filter) UnmarshalJSON

func (l4 *L4Filter) UnmarshalJSON(data []byte) error

type L4Policy

// L4Policy holds the resolved L4 filters per traffic direction.
type L4Policy struct {
	// key format: "proto:port"
	Ingress L4PolicyMap
	Egress  L4PolicyMap
}

func NewL4Policy

func NewL4Policy() *L4Policy

func (*L4Policy) DeepCopy

func (l4 *L4Policy) DeepCopy() *L4Policy

func (*L4Policy) GetModel

func (l4 *L4Policy) GetModel() *models.L4Policy

type L4PolicyMap

// L4PolicyMap maps a "proto:port" key (see L4Policy) to its filter.
type L4PolicyMap map[string]L4Filter

type Node

// Node is one level of the policy hierarchy. Parent is not serialized, so a
// tree decoded from JSON must be re-linked (see Node.ResolveTree / UnmarshalJSON).
type Node struct {
	// Name is this node's path component (see Node.Path / BuildPath).
	Name string `json:"name"`
	// Parent links to the enclosing node; nil at the root. Not serialized.
	Parent *Node `json:"-"`
	// Rules are the policy rules attached directly to this node.
	Rules []PolicyRule `json:"rules,omitempty"`
	// Children are the sub-nodes keyed by name (see Node.AddChild).
	Children map[string]*Node `json:"children,omitempty"`
	// contains filtered or unexported fields
}

Node to define hierarchy of rules

func NewNode

func NewNode(name string, parent *Node) *Node

func (*Node) AddChild

func (pn *Node) AddChild(name string, child *Node) (bool, error)

func (*Node) Allows

func (p *Node) Allows(ctx *SearchContext) ConsumableDecision

func (*Node) BuildPath

func (pn *Node) BuildPath() (string, error)

func (*Node) Covers

func (p *Node) Covers(ctx *SearchContext) bool

func (*Node) DebugString

func (pn *Node) DebugString(level int) string

func (*Node) GetLabelParent

func (p *Node) GetLabelParent() labels.LabelAttachment

func (*Node) HasPolicyRule

func (p *Node) HasPolicyRule(pr PolicyRule) bool

func (*Node) HasRules

func (n *Node) HasRules() bool

Returns true if a node has any rules attached or at least one child

func (*Node) JSONMarshal

func (pn *Node) JSONMarshal() string

func (*Node) Merge

func (pn *Node) Merge(obj *Node) (bool, error)

func (*Node) Path

func (p *Node) Path() string

func (*Node) ResolveL4Policy

func (n *Node) ResolveL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy

func (*Node) ResolveTree

func (pn *Node) ResolveTree() error

func (*Node) UnmarshalJSON

func (pn *Node) UnmarshalJSON(data []byte) error

type NumericIdentity

// NumericIdentity represents the identity of an entity to which consumer
// policy can be applied. Values below MinimalNumericIdentity are reserved.
type NumericIdentity uint32

Represents an identity of an entity to which consumer policy can be applied.

// Reserved identities. They start at 0, so the zero value of NumericIdentity
// is ID_UNKNOWN; all of them lie below MinimalNumericIdentity (256).
const (
	ID_UNKNOWN NumericIdentity = iota
	ID_HOST
	ID_WORLD
)

func GetReservedID

func GetReservedID(name string) NumericIdentity

func ParseNumericIdentity

func ParseNumericIdentity(id string) (NumericIdentity, error)

func (NumericIdentity) String

func (id NumericIdentity) String() string

func (NumericIdentity) StringID

func (id NumericIdentity) StringID() string

func (NumericIdentity) Uint32

func (id NumericIdentity) Uint32() uint32

Normalize ID for use in BPF program

type PolicyRule

// PolicyRule is implemented by every rule kind that can be attached to a Node
// (PolicyRuleConsumers, PolicyRuleRequires, RuleL4).
type PolicyRule interface {
	// Resolve binds the rule to the node it is attached to.
	Resolve(node *Node) error
	// SHA256Sum returns a digest of the whole rule, as a hex string.
	SHA256Sum() (string, error)
	// CoverageSHA256Sum returns a digest of the rule's coverage labels only;
	// its expected length is CoverageSHASize.
	CoverageSHA256Sum() (string, error)
}

type PolicyRuleConsumers

// PolicyRuleConsumers allows the listed consumers for the targets covered
// by Coverage.
type PolicyRuleConsumers struct {
	// Coverage restricts which targets the rule applies to (see SearchContext.TargetCoveredBy).
	Coverage []labels.Label `json:"coverage,omitempty"`
	// Allow lists the label/decision pairs evaluated for a consumer.
	Allow []AllowRule `json:"allow"`
}

Allow the following consumers

func (*PolicyRuleConsumers) Allows

func (*PolicyRuleConsumers) CoverageSHA256Sum

func (c *PolicyRuleConsumers) CoverageSHA256Sum() (string, error)

func (*PolicyRuleConsumers) Resolve

func (c *PolicyRuleConsumers) Resolve(node *Node) error

func (*PolicyRuleConsumers) SHA256Sum

func (c *PolicyRuleConsumers) SHA256Sum() (string, error)

func (*PolicyRuleConsumers) String

func (prc *PolicyRuleConsumers) String() string

type PolicyRuleRequires

// PolicyRuleRequires adds label requirements that any further consumer must
// satisfy; it never grants access by itself (see Allows).
type PolicyRuleRequires struct {
	// Coverage restricts which targets the rule applies to (see SearchContext.TargetCoveredBy).
	Coverage []labels.Label `json:"coverage,omitempty"`
	// Requires is the list of labels a consumer must carry.
	Requires []labels.Label `json:"requires"`
}

Any further consumer requires the specified list of labels in order to consume

func (*PolicyRuleRequires) Allows

A require rule imposes additional label requirements but does not imply access immediately. Hence, if the label context is not sufficient, access can be denied; but fulfillment of the requirement only leads to the decision being UNDECIDED, waiting on an explicit allow rule further down the tree.

func (*PolicyRuleRequires) CoverageSHA256Sum

func (c *PolicyRuleRequires) CoverageSHA256Sum() (string, error)

func (*PolicyRuleRequires) Resolve

func (c *PolicyRuleRequires) Resolve(node *Node) error

func (*PolicyRuleRequires) SHA256Sum

func (c *PolicyRuleRequires) SHA256Sum() (string, error)

func (*PolicyRuleRequires) String

func (prr *PolicyRuleRequires) String() string

type Privilege

// Privilege enumerates the rule kinds a policy node may define; see the
// ALLOW / ALWAYS_ALLOW / REQUIRES / L4 constants.
type Privilege byte

Available privileges for policy nodes to define

// Privilege values. ALLOW is 0 and therefore the zero value of Privilege.
const (
	ALLOW Privilege = iota
	ALWAYS_ALLOW
	REQUIRES
	L4
)

func (Privilege) MarshalJSON

func (d Privilege) MarshalJSON() ([]byte, error)

func (Privilege) String

func (p Privilege) String() string

func (*Privilege) UnmarshalJSON

func (p *Privilege) UnmarshalJSON(b []byte) error

type RuleL4

// RuleL4 attaches L4 allow filters to the targets covered by Coverage.
// The filters are serialized under the JSON key "l4".
type RuleL4 struct {
	// Coverage restricts which targets the rule applies to (see SearchContext.TargetCoveredBy).
	Coverage []labels.Label `json:"coverage,omitempty"`
	// Allow lists the per-direction L4 filters merged into the resulting L4Policy.
	Allow []AllowL4 `json:"l4"`
}

func (*RuleL4) CoverageSHA256Sum

func (l4 *RuleL4) CoverageSHA256Sum() (string, error)

func (*RuleL4) GetL4Policy

func (l4 *RuleL4) GetL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy

func (*RuleL4) Resolve

func (l4 *RuleL4) Resolve(node *Node) error

func (*RuleL4) SHA256Sum

func (l4 *RuleL4) SHA256Sum() (string, error)

type SearchContext

// SearchContext carries the inputs of a policy lookup: the source (From) and
// destination (To) label sets, plus tracing state for the walk.
type SearchContext struct {
	// Trace selects how much of the lookup is logged (see Tracing).
	Trace Tracing
	// Depth is the current recursion depth (see CallDepth).
	Depth int
	// Logging receives trace output; may be nil when tracing is disabled — verify against callers.
	Logging *logging.LogBackend
	// TODO: Put this as []*Label?
	From []labels.Label
	To   []labels.Label
}

func (*SearchContext) CallDepth

func (s *SearchContext) CallDepth() string

func (*SearchContext) String

func (s *SearchContext) String() string

func (*SearchContext) TargetCoveredBy

func (s *SearchContext) TargetCoveredBy(coverage []labels.Label) bool

type SearchContextReply

// SearchContextReply is the result of a policy lookup: the decision and the
// raw trace log collected while computing it.
type SearchContextReply struct {
	Logging  []byte
	Decision ConsumableDecision
}

type Tracing

// Tracing controls trace output during a policy lookup. The zero value is
// TRACE_DISABLED, so a SearchContext with Trace unset produces no trace.
type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

type Tree

// Tree is the overall policy tree. It embeds an RWMutex, so a Tree must be
// handled by pointer and never copied; the lock guarding Root is exported,
// so callers are responsible for taking it around direct Root access.
type Tree struct {
	Root  *Node
	Mutex sync.RWMutex
}

Overall policy tree

func (*Tree) Allows

func (t *Tree) Allows(ctx *SearchContext) ConsumableDecision

func (*Tree) ResolveL4Policy

func (t *Tree) ResolveL4Policy(ctx *SearchContext) *L4Policy
