Documentation ¶
Overview ¶
Package resolver resolves each Container to a specific Trireme policy based on Kubernetes Policy definitions.
Index ¶
- Constants
- type IngressIsolationPolicy
- type KubernetesPolicy
- func (k *KubernetesPolicy) HandlePUEvent(contextID string, eventType monitor.Event)
- func (k *KubernetesPolicy) ResolvePolicy(contextID string, runtimeGetter policy.RuntimeReader) (*policy.PUPolicy, error)
- func (k *KubernetesPolicy) Run()
- func (k *KubernetesPolicy) SetPolicyUpdater(policyUpdater trireme.PolicyUpdater) error
- func (k *KubernetesPolicy) Stop()
- type NamespaceIngressPolicy
- type NamespaceNetworkPolicy
- type NamespaceSpec
- type NamespaceWatcher
Constants ¶
const KubernetesContainerName = "@usr:io.kubernetes.container.name"
KubernetesContainerName is the label used by Docker for the K8S container name.
const KubernetesInfraContainerName = "POD"
KubernetesInfraContainerName is the name of the infra POD.
const KubernetesNetworkPolicyAnnotationID = "net.beta.kubernetes.io/network-policy"
KubernetesNetworkPolicyAnnotationID is the string used as an annotation key to define if a namespace should have the networkpolicy framework enabled.
const KubernetesPodName = "@usr:io.kubernetes.pod.name"
KubernetesPodName is the label used by Docker for the K8S pod name.
const KubernetesPodNamespace = "@usr:io.kubernetes.pod.namespace"
KubernetesPodNamespace is the label used by Docker for the K8S namespace.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type IngressIsolationPolicy ¶
type IngressIsolationPolicy string
IngressIsolationPolicy type
const (
	// DefaultDeny Deny all ingress traffic to pods in this namespace. Ingress means
	// any incoming traffic to pods, whether that be from other pods within this namespace
	// or any source outside of this namespace.
	DefaultDeny IngressIsolationPolicy = "DefaultDeny"
)
type KubernetesPolicy ¶
type KubernetesPolicy struct {
	KubernetesClient *kubernetes.Client
	// contains filtered or unexported fields
}
KubernetesPolicy represents a Trireme Policer for Kubernetes. It implements the Trireme Resolver interface and implements the policies defined by Kubernetes NetworkPolicy API.
func NewKubernetesPolicy ¶
func NewKubernetesPolicy(kubeconfig string, nodename string, triremeNetworks []string) (*KubernetesPolicy, error)
NewKubernetesPolicy creates a new policy engine for the Trireme package.
func (*KubernetesPolicy) HandlePUEvent ¶
func (k *KubernetesPolicy) HandlePUEvent(contextID string, eventType monitor.Event)
HandlePUEvent is called by Trireme for notification that a specific PU got an event.
func (*KubernetesPolicy) ResolvePolicy ¶
func (k *KubernetesPolicy) ResolvePolicy(contextID string, runtimeGetter policy.RuntimeReader) (*policy.PUPolicy, error)
ResolvePolicy generates the Policy for the target PU. The policy for the PU will be based on the defined Kubernetes NetworkPolicies on the Pod to which the PU belongs.
func (*KubernetesPolicy) Run ¶
func (k *KubernetesPolicy) Run()
Run starts the KubernetesPolicer by watching for Namespace Changes. Run is blocking. Use go
func (*KubernetesPolicy) SetPolicyUpdater ¶
func (k *KubernetesPolicy) SetPolicyUpdater(policyUpdater trireme.PolicyUpdater) error
SetPolicyUpdater registers the interface used for updating Policies explicitly.
type NamespaceIngressPolicy ¶
type NamespaceIngressPolicy struct {
	// The isolation policy to apply to pods in this namespace.
	// Currently this field only supports "DefaultDeny", but could
	// be extended to support other policies in the future. When set to DefaultDeny,
	// pods in this namespace are denied ingress traffic by default. When not defined,
	// the cluster default ingress isolation policy is applied (currently allow all).
	Isolation *IngressIsolationPolicy `json:"isolation,omitempty"`
}
NamespaceIngressPolicy is the configuration for ingress to pods within this namespace. For now, it only supports specifying an isolation policy.
type NamespaceNetworkPolicy ¶
type NamespaceNetworkPolicy struct {
	// Ingress configuration for this namespace. This config is
	// applied to all pods within this namespace. For now, only
	// ingress is supported. This field is optional - if not
	// defined, then the cluster default for ingress is applied.
	Ingress *NamespaceIngressPolicy `json:"ingress,omitempty"`
}
NamespaceNetworkPolicy type
type NamespaceSpec ¶
type NamespaceSpec struct {
	// This is a pointer so that it can be left undefined.
	NetworkPolicy *NamespaceNetworkPolicy `json:"networkPolicy,omitempty"`
}
NamespaceSpec is the standard NamespaceSpec object, modified to include a new NamespaceNetworkPolicy field.
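As an added example (not code from the Trireme resolver itself), the block below redeclares the KubernetesNetworkPolicyAnnotationID constant and the Namespace*Policy types documented above, decodes the JSON value a Namespace carries under that annotation key, and answers the one question the resolver has to settle for a namespace: are its pods denied ingress by default? parseNetworkPolicyAnnotation and isDefaultDeny are hypothetical helper names, and the annotation value is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

type IngressIsolationPolicy string

const (
	DefaultDeny                         IngressIsolationPolicy = "DefaultDeny"
	KubernetesNetworkPolicyAnnotationID                        = "net.beta.kubernetes.io/network-policy"
)

type NamespaceIngressPolicy struct {
	Isolation *IngressIsolationPolicy `json:"isolation,omitempty"`
}

type NamespaceNetworkPolicy struct {
	Ingress *NamespaceIngressPolicy `json:"ingress,omitempty"`
}

// parseNetworkPolicyAnnotation (hypothetical helper) decodes the JSON stored under the
// annotation key. Missing annotation -> nil (cluster default); malformed JSON -> error.
func parseNetworkPolicyAnnotation(annotations map[string]string) (*NamespaceNetworkPolicy, error) {
	raw, ok := annotations[KubernetesNetworkPolicyAnnotationID]
	if !ok {
		return nil, nil
	}
	var np NamespaceNetworkPolicy
	if err := json.Unmarshal([]byte(raw), &np); err != nil {
		return nil, fmt.Errorf("invalid %s annotation: %w", KubernetesNetworkPolicyAnnotationID, err)
	}
	return &np, nil
}

// isDefaultDeny reports whether pods in the namespace are denied ingress by default. Only an
// explicit "DefaultDeny" isolates; nil policy, missing ingress block or an unknown value keep
// the cluster default (allow all), so the caller must treat every other outcome as open.
func isDefaultDeny(np *NamespaceNetworkPolicy) bool {
	return np != nil && np.Ingress != nil && np.Ingress.Isolation != nil &&
		*np.Ingress.Isolation == DefaultDeny
}

func main() {
	// Constructed sample: the annotation value as it would appear on a Namespace object.
	ann := map[string]string{KubernetesNetworkPolicyAnnotationID: `{"ingress":{"isolation":"DefaultDeny"}}`}
	np, err := parseNetworkPolicyAnnotation(ann)
	fmt.Println(isDefaultDeny(np), err)
}
```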
type NamespaceWatcher ¶
type NamespaceWatcher struct {
// contains filtered or unexported fields
}
NamespaceWatcher implements the policy for a specific Namespace.
func NewNamespaceWatcher ¶
func NewNamespaceWatcher(namespace string, podStore kubecache.Store, podController kubecache.Controller, podControllerStop chan struct{}, policyStore kubecache.Store, policyController kubecache.Controller, policyControllerStop chan struct{}) *NamespaceWatcher
NewNamespaceWatcher initializes a new NamespaceWatcher that watches the Pod and NetworkPolicy events on the specific namespace passed as a parameter.