Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CIDR ¶
type CIDR struct {
// IP specifies the block of IP addresses to allow
//
// Example:
// 10.0.1.0/24
IP string `json:"ip"`
}
CIDR specifies a block of IP addresses
type Decision ¶
type Decision byte
Decision is a reachability policy decision
func (Decision) MarshalJSON ¶
MarshalJSON returns the decision as JSON formatted buffer
func (*Decision) UnmarshalJSON ¶
UnmarshalJSON parses a JSON formatted buffer and returns a decision
type EgressRule ¶
type EgressRule struct {
// ToPorts is a list of destination ports identified by port number and
// protocol which the endpoint subject to the rule is allowed to
// connect to.
//
// Example:
// Any endpoint with the label "role=frontend" is allowed to initiate
// connections to destination port 8080/tcp
//
// +optional
ToPorts []PortRule `json:"toPorts,omitempty"`
// ToCIDR is a list of IP blocks which the endpoint subject to the rule
// is allowed to initiate connections to in addition to connections
// which are allowed via FromEndpoints. This will match on the
// destination IP address of outgoing connections.
//
// Example:
// Any endpoint with the label "app=database-proxy" is allowed to
// initiate connections to 10.2.3.0/24
//
// +optional
ToCIDR []CIDR `json:"toCIDR,omitempty"`
}
EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.
- All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.
- All members of this structure are evaluated independently, i.e. L4 ports allowed with ToPorts do not depend on a match of the FromCIDR in the same EgressRule.
func (EgressRule) Validate ¶
func (e EgressRule) Validate() error
Validate validates an egress policy rule
type EndpointSelector ¶
type EndpointSelector struct {
*metav1.LabelSelector
}
EndpointSelector is a wrapper for k8s LabelSelector.
func NewESFromK8sLabelSelector ¶
func NewESFromK8sLabelSelector(srcPrefix string, ls *metav1.LabelSelector) EndpointSelector
NewESFromK8sLabelSelector returns a new endpoint selector from the label where it the given srcPrefix will be encoded in the label's keys.
func NewESFromLabels ¶
func NewESFromLabels(lbls ...*labels.Label) EndpointSelector
NewESFromLabels creates a new endpoint selector from the given labels.
func (EndpointSelector) HasKeyPrefix ¶
func (n EndpointSelector) HasKeyPrefix(prefix string) bool
HasKeyPrefix checks if the endpoint selector contains the given key prefix in its MatchLabels map and MatchExpressions slice.
func (EndpointSelector) MarshalJSON ¶
func (n EndpointSelector) MarshalJSON() ([]byte, error)
MarshalJSON returns a JSON representation of the byte array.
func (*EndpointSelector) Matches ¶
func (n *EndpointSelector) Matches(lblsToMatch k8sLbls.Labels) bool
Matches returns true if the endpoint selector Matches the `lblsToMatch`. Returns always true if the endpoint selector contains the reserved label for "all".
func (EndpointSelector) String ¶
func (n EndpointSelector) String() string
String returns a string representation of EndpointSelector.
func (*EndpointSelector) UnmarshalJSON ¶
func (n *EndpointSelector) UnmarshalJSON(b []byte) error
UnmarshalJSON unmarshals the endpoint selector from the byte array.
type IngressRule ¶
type IngressRule struct {
// FromEndpoints is a list of endpoints identified by an
// EndpointSelector which are allowed to communicate with the endpoint
// subject to the rule.
//
// Example:
// Any endpoint with the label "role=backend" can be consumed by any
// endpoint carrying the label "role=frontend".
//
// +optional
FromEndpoints []EndpointSelector `json:"fromEndpoints,omitempty"`
// FromRequires is a list of additional constraints which must be met
// in order for the selected endpoints to be reachable. These
// additional constraints do no by itself grant access privileges and
// must always be accompanied with at least one matching FromEndpoints.
//
// Example:
// Any Endpoint with the label "team=A" requires consuming endpoint
// to also carry the label "team=A".
//
// +optional
FromRequires []EndpointSelector `json:"fromRequires,omitempty"`
// ToPorts is a list of destination ports identified by port number and
// protocol which the endpoint subject to the rule is allowed to
// receive connections on.
//
// Example:
// Any endpoint with the label "app=httpd" can only accept incoming
// connections on port 80/tcp.
//
// +optional
ToPorts []PortRule `json:"toPorts,omitempty"`
// FromCIDR is a list of IP blocks which the endpoint subject to the
// rule is allowed to receive connections from in addition to FromEndpoints.
// This will match on the source IP address of incoming connections.
//
// Example:
// Any endpoint with the label "app=my-legacy-pet" is allowed to receive
// connections from 10.3.9.1
//
// +optional
FromCIDR []CIDR `json:"fromCIDR,omitempty"`
}
IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.
- All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.
- All members of this structure are evaluated independently, i.e. L4 ports allowed with ToPorts do not depend on a match of the FromEndpoints in the same IngressRule.
func (IngressRule) Validate ¶
func (i IngressRule) Validate() error
Validate validates an ingress policy rule
type L7Rules ¶
type L7Rules struct {
// HTTP specific rules.
//
// +optional
HTTP []PortRuleHTTP `json:"http,omitempty"`
}
L7Rules is a union of port level rule types. Mixing of different port level rule types is disallowed, so exactly one of the following must be set. If none are specified, then no additional port level rules are applied.
type PortProtocol ¶
type PortProtocol struct {
// Port is an L4 port number. For now the string will be strictly
// parsed as a single uint16. In the future, this field may support
// ranges in the form "1024-2048
Port string `json:"port"`
// Protocol is the L4 protocol. If omitted or empty, any protocol
// matches. Accepted values: "tcp", "udp", ""/"any"
//
// Matching on ICMP is not supported.
//
// +optional
Protocol string `json:"protocol,omitempty"`
}
PortProtocol specifies an L4 port with an optional transport protocol
func (PortProtocol) Validate ¶
func (pp PortProtocol) Validate() error
Validate validates a port/protocol pair
type PortRule ¶
type PortRule struct {
// Ports is a list of L4 port/protocol
//
// If omitted or empty but RedirectPort is set, then all ports of the
// endpoint subject to either the ingress or egress rule are being
// redirected.
//
// +optional
Ports []PortProtocol `json:"ports,omitempty"`
// RedirectPort is the L4 port which, if set, all traffic matching the
// Ports is being redirected to. Whatever listener behind that port
// becomes responsible to enforce the port rules and is also
// responsible to reinject all traffic back and ensure it reaches its
// original destination.
RedirectPort int `json:"redirectPort,omitempty"`
// Rules is a list of additional port level rules which must be met in
// order for the PortRule to allow the traffic. If omitted or empty,
// no layer 7 rules are enforced.
//
// +optional
Rules *L7Rules `json:"rules,omitempty"`
}
PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
type PortRuleHTTP ¶
type PortRuleHTTP struct {
// Path is an extended POSIX regex matched against the path of a
// request. Currently it can contain characters disallowed from the
// conventional "path" part of a URL as defined by RFC 3986. Paths must
// begin with a '/'.
//
// If omitted or empty, all paths are all allowed.
//
// +optional
Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`
// Method is an extended POSIX regex matched against the method of a
// request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...
//
// If omitted or empty, all methods are allowed.
//
// +optional
Method string `json:"method,omitempty" protobuf:"bytes,1,opt,name=method"`
// Host is an extended POSIX regex matched against the host header of a
// request, e.g. "foo.com"
//
// If omitted or empty, the value of the host header is ignored.
//
// +optional
Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=method"`
// Headers is a list of HTTP headers which must be present in the
// request. If omitted or empty, requests are allowed regardless of
// headers present.
//
// +optional
Headers []string `json:"headers,omitempty"`
}
PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.
All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
type Rule ¶
type Rule struct {
// EndpointSelector selects all endpoints which should be subject to
// this rule. Cannot be empty.
EndpointSelector EndpointSelector `json:"endpointSelector"`
// Ingress is a list of IngressRule which are enforced at ingress.
// If omitted or empty, this rule does not apply at ingress.
//
// +optional
Ingress []IngressRule `json:"ingress,omitempty"`
// Egress is a list of EgressRule which are enforced at egress.
// If omitted or empty, this rule does not apply at egress.
//
// +optional
Egress []EgressRule `json:"egress,omitempty"`
// Labels is a list of optional strings which can be used to
// re-identify the rule or to store metadata. It is possible to lookup
// or delete strings based on labels. Labels are not required to be
// unique, multiple rules can have overlapping or identical labels.
//
// +optional
Labels labels.LabelArray `json:"labels,omitempty"`
// Description is a free form string, it can be used by the creator of
// the rule to store human readable explanation of the purpose of this
// rule. Rules cannot be identified by comment.
//
// +optional
Description string `json:"description,omitempty"`
}
Rule is a policy rule which must be applied to all endpoints which match the labels contained in the endpointSelector
Each rule is split into an ingress section which contains all rules applicable at ingress, and an egress section applicable at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both ingress and egress, both ingress and egress side have to either specifically allow the connection or one side has to be omitted.
Either ingress, egress, or both can be provided. If both ingress and egress are omitted, the rule has no effect.
Source Files