Documentation ¶
Index ¶
- func GetCIDRPrefixes(rules api.Rules) []*net.IPNet
- func GetDefaultPrefixLengths() (s6 []int, s4 []int)
- func GetPolicyEnabled() string
- func GetPrefixesFromCIDRSet(rules api.CIDRRuleSlice) []*net.IPNet
- func JSONMarshalRules(rules api.Rules) string
- func JoinPath(a, b string) string
- func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, err error)
- func ProxyID(endpointID uint16, ingress bool, protocol string, port uint16) string
- func ProxyIDFromFilter(endpointID uint16, l4 *L4Filter) string
- func ProxyIDFromKey(endpointID uint16, key Key) string
- func SetPolicyEnabled(val string)
- type CIDRPolicy
- type CIDRPolicyMap
- type CIDRPolicyMapRule
- type CachedSelectionUser
- type CachedSelector
- type CachedSelectorSlice
- type Endpoint
- type EndpointPolicy
- type EndpointSet
- type Key
- type L4Filter
- func (l4 *L4Filter) AllowsAllAtL3() bool
- func (l4 *L4Filter) HasL3DependentL7Rules() bool
- func (l4 *L4Filter) IdentitySelectionUpdated(selector CachedSelector, selections, added, deleted []identity.NumericIdentity)
- func (l4 *L4Filter) IsRedirect() bool
- func (l4 *L4Filter) MarshalIndent() string
- func (l4 *L4Filter) String() string
- func (l4 *L4Filter) ToKeys(direction trafficdirection.TrafficDirection) []Key
- type L4Policy
- func (l4 *L4Policy) AccumulateMapChanges(adds, deletes []identity.NumericIdentity, port uint16, proto uint8, ...)
- func (l4 *L4Policy) Attach()
- func (l4 *L4Policy) Detach(selectorCache *SelectorCache)
- func (l4 *L4Policy) GetModel() *models.L4Policy
- func (l4 *L4Policy) HasRedirect() bool
- func (l4 *L4Policy) RequiresConntrack() bool
- type L4PolicyMap
- func (l4 L4PolicyMap) Attach(l4Policy *L4Policy)
- func (l4 L4PolicyMap) Detach(selectorCache *SelectorCache)
- func (l4 *L4PolicyMap) EgressCoversContext(ctx *SearchContext) api.Decision
- func (l4 L4PolicyMap) HasRedirect() bool
- func (l4 *L4PolicyMap) IngressCoversContext(ctx *SearchContext) api.Decision
- type L7DataMap
- type L7ParserType
- type MapChanges
- type MapState
- type MapStateEntry
- type PolicyCache
- func (cache *PolicyCache) GetSelectorCache() *SelectorCache
- func (cache *PolicyCache) LocalEndpointIdentityAdded(identity *identityPkg.Identity)
- func (cache *PolicyCache) LocalEndpointIdentityRemoved(identity *identityPkg.Identity)
- func (cache *PolicyCache) Lookup(identity *identityPkg.Identity) SelectorPolicy
- func (cache *PolicyCache) UpdatePolicy(identity *identityPkg.Identity) error
- type PolicyOwner
- type Repository
- func (p *Repository) Add(r api.Rule, localRuleConsumers []Endpoint) (uint64, map[uint16]struct{}, error)
- func (p *Repository) AddList(rules api.Rules) (ruleSlice, uint64)
- func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64)
- func (p *Repository) AllowsEgressRLocked(ctx *SearchContext) api.Decision
- func (p *Repository) AllowsIngressRLocked(ctx *SearchContext) api.Decision
- func (p *Repository) BumpRevision()
- func (p *Repository) DeleteByLabels(labels labels.LabelArray) (uint64, int)
- func (p *Repository) DeleteByLabelsLocked(labels labels.LabelArray) (ruleSlice, uint64, int)
- func (p *Repository) Empty() bool
- func (p *Repository) GetJSON() string
- func (p *Repository) GetPolicyCache() *PolicyCache
- func (p *Repository) GetRevision() uint64
- func (p *Repository) GetRulesList() *models.Policy
- func (p *Repository) GetRulesMatching(labels labels.LabelArray) (ingressMatch bool, egressMatch bool)
- func (p *Repository) GetSelectorCache() *SelectorCache
- func (p *Repository) LocalEndpointIdentityAdded(*identity.Identity)
- func (p *Repository) LocalEndpointIdentityRemoved(identity *identity.Identity)
- func (p *Repository) NumRules() int
- func (p *Repository) ResolveL4EgressPolicy(ctx *SearchContext) (L4PolicyMap, error)
- func (p *Repository) ResolveL4IngressPolicy(ctx *SearchContext) (L4PolicyMap, error)
- func (p *Repository) SearchRLocked(labels labels.LabelArray) api.Rules
- func (p *Repository) TranslateRules(translator Translator) (*TranslationResult, error)
- type SearchContext
- func (s *SearchContext) CallDepth() string
- func (s *SearchContext) PolicyTrace(format string, a ...interface{})
- func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})
- func (s *SearchContext) String() string
- func (s *SearchContext) TraceEnabled() bool
- func (s *SearchContext) WithLogger(log io.Writer) *SearchContext
- type SelectorCache
- func (sc *SelectorCache) AddFQDNSelector(user CachedSelectionUser, fqdnSelec api.FQDNSelector) (cachedSelector CachedSelector, added bool)
- func (sc *SelectorCache) AddIdentitySelector(user CachedSelectionUser, selector api.EndpointSelector) (cachedSelector CachedSelector, added bool)
- func (sc *SelectorCache) ChangeUser(selector CachedSelector, from, to CachedSelectionUser)
- func (sc *SelectorCache) FindCachedIdentitySelector(selector api.EndpointSelector) CachedSelector
- func (sc *SelectorCache) GetModel() models.SelectorCache
- func (sc *SelectorCache) RemoveIdentitiesFQDNSelectors(fqdnSels []api.FQDNSelector)
- func (sc *SelectorCache) RemoveSelector(selector CachedSelector, user CachedSelectionUser)
- func (sc *SelectorCache) RemoveSelectors(selectors CachedSelectorSlice, user CachedSelectionUser)
- func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)
- func (sc *SelectorCache) UpdateFQDNSelector(fqdnSelec api.FQDNSelector, identities []identity.NumericIdentity)
- func (sc *SelectorCache) UpdateIdentities(added, deleted cache.IdentityCache)
- type SelectorPolicy
- type Tracing
- type TranslationResult
- type Translator
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func GetCIDRPrefixes ¶ added in v1.5.0
GetCIDRPrefixes runs through the specified 'rules' to find every reference to a CIDR in the rules, and returns a slice containing all of these CIDRs. Multiple rules referring to the same CIDR will result in multiple copies of the CIDR in the returned slice.
Assumes that validation already occurred on 'rules'.
func GetDefaultPrefixLengths ¶ added in v1.5.0
GetDefaultPrefixLengths returns the set of prefix lengths for handling CIDRs that are unconditionally mapped to identities, ie for the reserved identities 'host', 'world'.
func GetPolicyEnabled ¶ added in v1.5.0
func GetPolicyEnabled() string
GetPolicyEnabled returns the policy enablement configuration
func GetPrefixesFromCIDRSet ¶ added in v1.5.0
func GetPrefixesFromCIDRSet(rules api.CIDRRuleSlice) []*net.IPNet
GetPrefixesFromCIDRSet fetches all CIDRs referred to by the specified slice and returns them as regular golang CIDR objects.
Assumes that validation already occurred on 'rules'.
func JSONMarshalRules ¶ added in v0.9.0
JSONMarshalRules returns a slice of policy rules as string in JSON representation
func ParseProxyID ¶ added in v1.5.0
func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, err error)
ParseProxyID parses a proxy ID returned by ProxyID and returns its components.
func ProxyIDFromFilter ¶ added in v1.6.0
ProxyIDFromFilter returns a unique string to identify a proxy mapping.
func ProxyIDFromKey ¶ added in v1.6.0
ProxyIDFromKey returns a unique string to identify a proxy mapping.
func SetPolicyEnabled ¶ added in v1.5.0
func SetPolicyEnabled(val string)
SetPolicyEnabled sets the policy enablement configuration. Valid values are: - endpoint.AlwaysEnforce - endpoint.NeverEnforce - endpoint.DefaultEnforcement
Types ¶
type CIDRPolicy ¶ added in v1.5.0
type CIDRPolicy struct { Ingress CIDRPolicyMap Egress CIDRPolicyMap }
CIDRPolicy contains L3 (CIDR) policy maps for ingress.
This is not used for map entry generation; It has two uses:
- On older kernels, generate the set of CIDR prefix lengths that are necessary to implement an LPM
- Reflect desired state of the CIDR policy in the API.
func NewCIDRPolicy ¶ added in v1.5.0
func NewCIDRPolicy() (policy *CIDRPolicy)
NewCIDRPolicy creates a new CIDRPolicy.
func (*CIDRPolicy) GetModel ¶ added in v1.5.0
func (cp *CIDRPolicy) GetModel() *models.CIDRPolicy
GetModel returns the API model representation of the CIDRPolicy.
func (*CIDRPolicy) ToBPFData ¶ added in v1.5.0
func (cp *CIDRPolicy) ToBPFData() (s6, s4 []int)
ToBPFData converts the ingress and egress cidr map into int slices 's6' (IPv6) and 's4' (IPv4), formatted for insertion into bpf program as prefix lengths.
Note that this will always include the CIDR prefix lengths for host (eg /32 for host), cluster (typically /8 or /64), and world (/0).
FIXME: Move this function out of policy into a datapath specific package
func (*CIDRPolicy) Validate ¶ added in v1.5.0
func (cp *CIDRPolicy) Validate() error
Validate returns error if the CIDR policy might lead to code generation failure
type CIDRPolicyMap ¶ added in v1.5.0
type CIDRPolicyMap struct { Map map[string]*CIDRPolicyMapRule // Allowed L3 (CIDR) prefixes IPv6PrefixCount map[int]int // Count of IPv6 prefixes in 'Map' indexed by prefix length IPv4PrefixCount map[int]int // Count of IPv4 prefixes in 'Map' indexed by prefix length }
CIDRPolicyMap is a list of CIDR filters indexable by address/prefixlen key format: "address/prefixlen", e.g., "10.1.1.0/24" Each prefix struct also includes the rule labels that allowed it.
CIDRPolicyMap does no locking internally, so the user is responsible for synchronizing between multiple threads when applicable.
func (*CIDRPolicyMap) Insert ¶ added in v1.5.0
func (m *CIDRPolicyMap) Insert(cidr string, ruleLabels labels.LabelArray) int
Insert places 'cidr' and its corresponding rule labels into map 'm'. Returns `1` if `cidr` is added to the map, `0` otherwise.
type CIDRPolicyMapRule ¶ added in v1.5.0
type CIDRPolicyMapRule struct { Prefix net.IPNet DerivedFromRules labels.LabelArrayList }
CIDRPolicyMapRule holds a L3 (CIDR) prefix and the rule labels that allow it.
type CachedSelectionUser ¶ added in v1.6.0
type CachedSelectionUser interface { // IdentitySelectionUpdated implementations MUST NOT call back // to selector cache while executing this function! // // The caller is responsible for making sure the same identity is not // present in both 'added' and 'deleted'. IdentitySelectionUpdated(selector CachedSelector, selections, added, deleted []identity.NumericIdentity) }
CachedSelectionUser inserts selectors into the cache and gets update callbacks whenever the set of selected numeric identities change for the CachedSelectors pushed by it.
type CachedSelector ¶ added in v1.6.0
type CachedSelector interface { // GetSelections returns the cached set of numeric identities // selected by the CachedSelector. The retuned slice must NOT // be modified, as it is shared among multiple users. GetSelections() []identity.NumericIdentity // Selects return 'true' if the CachedSelector selects the given // numeric identity. Selects(nid identity.NumericIdentity) bool // IsWildcard returns true if the endpoint selector selects // all endpoints. IsWildcard() bool // String returns the string representation of this selector. // Used as a map key. String() string }
CachedSelector represents an identity selector owned by the selector cache
type CachedSelectorSlice ¶ added in v1.6.0
type CachedSelectorSlice []CachedSelector
CachedSelectorSlice is a slice of CachedSelectors that can be sorted.
func (*CachedSelectorSlice) Insert ¶ added in v1.6.0
func (s *CachedSelectorSlice) Insert(cs CachedSelector) bool
Insert in a sorted order? Returns true if inserted, false if cs was already in
func (CachedSelectorSlice) Len ¶ added in v1.6.0
func (s CachedSelectorSlice) Len() int
func (CachedSelectorSlice) Less ¶ added in v1.6.0
func (s CachedSelectorSlice) Less(i, j int) bool
func (CachedSelectorSlice) SelectsAllEndpoints ¶ added in v1.6.0
func (s CachedSelectorSlice) SelectsAllEndpoints() bool
SelectsAllEndpoints returns whether the CachedSelectorSlice selects all endpoints, which is true if the wildcard endpoint selector is present in the slice.
func (CachedSelectorSlice) Swap ¶ added in v1.6.0
func (s CachedSelectorSlice) Swap(i, j int)
type Endpoint ¶ added in v1.5.0
type Endpoint interface { GetID16() uint16 RLockAlive() error RUnlock() GetSecurityIdentity() *identity.Identity PolicyRevisionBumpEvent(rev uint64) }
Endpoint refers to any structure which has the following properties: * a node-local ID stored as a uint16 * a security identity * a means of incrementing its policy revision
type EndpointPolicy ¶ added in v1.5.0
type EndpointPolicy struct { // PolicyMapState contains the state of this policy as it relates to the // datapath. In the future, this will be factored out of this object to // decouple the policy as it relates to the datapath vs. its userspace // representation. // It maps each Key to the proxy port if proxy redirection is needed. // Proxy port 0 indicates no proxy redirection. // All fields within the Key and the proxy port must be in host byte-order. PolicyMapState MapState // PolicyMapChanges collects pending changes to the PolicyMapState PolicyMapChanges MapChanges // PolicyOwner describes any type which consumes this EndpointPolicy object. PolicyOwner PolicyOwner // contains filtered or unexported fields }
EndpointPolicy is a structure which contains the resolved policy across all layers (L3, L4, and L7), distilled against a set of identities.
func NewEndpointPolicy ¶ added in v1.6.0
func NewEndpointPolicy(repo *Repository) *EndpointPolicy
NewEndpointPolicy returns an empty EndpointPolicy stub.
func (EndpointPolicy) Detach ¶ added in v1.6.0
func (p EndpointPolicy) Detach()
Detach releases resources held by a selectorPolicy to enable successful eventual GC. Note that the selectorPolicy itself if not modified in any way, so that it can be used concurrently.
func (EndpointPolicy) DistillPolicy ¶ added in v1.6.0
func (p EndpointPolicy) DistillPolicy(policyOwner PolicyOwner) *EndpointPolicy
DistillPolicy filters down the specified selectorPolicy (which acts upon selectors) into a set of concrete map entries based on the SelectorCache. These can subsequently be plumbed into the datapath.
Must be performed while holding the Repository lock.
type EndpointSet ¶ added in v1.5.0
type EndpointSet struct {
// contains filtered or unexported fields
}
EndpointSet is used to be able to group together a given set of Endpoints that need to have a specific operation performed upon them (e.g., policy revision updates).
func NewEndpointSet ¶ added in v1.5.0
func NewEndpointSet(m map[Endpoint]struct{}) *EndpointSet
NewEndpointSet returns an EndpointSet with the given Endpoints map
func (*EndpointSet) Delete ¶ added in v1.5.0
func (e *EndpointSet) Delete(ep Endpoint)
Delete removes ep from the EndpointSet.
func (*EndpointSet) ForEachGo ¶ added in v1.6.0
func (e *EndpointSet) ForEachGo(wg *sync.WaitGroup, epFunc func(epp Endpoint))
ForEachGo runs epFunc asynchronously inside a go routine for each endpoint in the EndpointSet. It signals to the provided WaitGroup when epFunc has been executed for each endpoint.
func (*EndpointSet) Insert ¶ added in v1.5.0
func (e *EndpointSet) Insert(ep Endpoint)
Insert adds ep to the EndpointSet.
func (*EndpointSet) Len ¶ added in v1.5.0
func (e *EndpointSet) Len() (nElem int)
Len returns the number of elements in the EndpointSet.
type Key ¶ added in v1.5.0
type Key struct { // Identity is the numeric identity to / from which traffic is allowed. Identity uint32 // DestPort is the port at L4 to / from which traffic is allowed, in // host-byte order. DestPort uint16 // NextHdr is the protocol which is allowed. Nexthdr uint8 // TrafficDirection indicates in which direction Identity is allowed // communication (egress or ingress). TrafficDirection uint8 }
Key is the userspace representation of a policy key in BPF. It is intentionally duplicated from pkg/maps/policymap to avoid pulling in the BPF dependency to this package.
type L4Filter ¶
type L4Filter struct { // Port is the destination port to allow. Port 0 indicates that all traffic // is allowed at L4. Port int `json:"port"` // Protocol is the L4 protocol to allow or NONE Protocol api.L4Proto `json:"protocol"` // U8Proto is the Protocol in numeric format, or 0 for NONE U8Proto u8proto.U8proto `json:"-"` // CachedSelectors limits the labels for allowing traffic (to / from). // This includes selectors for destinations affected by entity-based // and CIDR-based policy. // Holds references to the CachedSelectors, which must be released! CachedSelectors CachedSelectorSlice `json:"-"` // L7Parser specifies the L7 protocol parser (optional). If specified as // an empty string, then means that no L7 proxy redirect is performed. L7Parser L7ParserType `json:"-"` // L7RulesPerEp is a list of L7 rules per endpoint passed to the L7 proxy (optional) L7RulesPerEp L7DataMap `json:"l7-rules,omitempty"` // Ingress is true if filter applies at ingress; false if it applies at egress. Ingress bool `json:"-"` // The rule labels of this Filter DerivedFromRules labels.LabelArrayList `json:"-"` // contains filtered or unexported fields }
L4Filter represents the policy (allowed remote sources / destinations of traffic) that applies at a specific L4 port/protocol combination (including all ports and protocols), at either ingress or egress. The policy here is specified in terms of selectors that are mapped to security identities via the selector cache.
func (*L4Filter) AllowsAllAtL3 ¶ added in v1.5.0
AllowsAllAtL3 returns whether this L4Filter applies to all endpoints at L3.
func (*L4Filter) HasL3DependentL7Rules ¶ added in v1.5.0
HasL3DependentL7Rules returns true if this L4Filter is created from rules that require an L3 match as well as specific L7 rules.
func (*L4Filter) IdentitySelectionUpdated ¶ added in v1.6.0
func (l4 *L4Filter) IdentitySelectionUpdated(selector CachedSelector, selections, added, deleted []identity.NumericIdentity)
IdentitySelectionUpdated implements CachedSelectionUser interface This call is made while holding selector cache lock, must beware of deadlocking!
The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.
func (*L4Filter) IsRedirect ¶
IsRedirect returns true if the L4 filter contains a port redirection
func (*L4Filter) MarshalIndent ¶ added in v0.9.0
MarshalIndent returns the `L4Filter` in indented JSON string.
func (*L4Filter) ToKeys ¶ added in v1.5.0
func (l4 *L4Filter) ToKeys(direction trafficdirection.TrafficDirection) []Key
ToKeys converts filter into a list of Keys.
type L4Policy ¶
type L4Policy struct { Ingress L4PolicyMap Egress L4PolicyMap // Revision is the repository revision used to generate this policy. Revision uint64 // contains filtered or unexported fields }
func (*L4Policy) AccumulateMapChanges ¶ added in v1.6.0
func (l4 *L4Policy) AccumulateMapChanges(adds, deletes []identity.NumericIdentity, port uint16, proto uint8, direction trafficdirection.TrafficDirection)
AccumulateMapChanges distributes the given changes to the registered users.
The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.
func (*L4Policy) Attach ¶ added in v1.6.0
func (l4 *L4Policy) Attach()
Attach makes all the L4Filters to point back to the L4Policy that contains them. This is done before the L4Policy is exposed to concurrent access.
func (*L4Policy) Detach ¶ added in v1.6.0
func (l4 *L4Policy) Detach(selectorCache *SelectorCache)
Detach makes the L4Policy ready for garbage collection, removing circular pointer references. Note that the L4Policy itself is not modified in any way, so that it may still be used concurrently.
func (*L4Policy) HasRedirect ¶
HasRedirect returns true if the L4 policy contains at least one port redirection
func (*L4Policy) RequiresConntrack ¶
RequiresConntrack returns true if if the L4 configuration requires connection tracking to be enabled.
type L4PolicyMap ¶
L4PolicyMap is a list of L4 filters indexable by protocol/port key format: "port/proto"
func (L4PolicyMap) Attach ¶ added in v1.6.0
func (l4 L4PolicyMap) Attach(l4Policy *L4Policy)
Attach makes all the L4Filters to point back to the L4Policy that contains them.
func (L4PolicyMap) Detach ¶ added in v1.6.0
func (l4 L4PolicyMap) Detach(selectorCache *SelectorCache)
Detach removes the cached selectors held by L4PolicyMap from the selectorCache, allowing the map to be garbage collected when there are no more references to it.
func (*L4PolicyMap) EgressCoversContext ¶ added in v1.5.0
func (l4 *L4PolicyMap) EgressCoversContext(ctx *SearchContext) api.Decision
EgressCoversContext checks if the receiver's egress L4Policy contains all `dPorts` and `labels`.
Note: Only used for policy tracing
func (L4PolicyMap) HasRedirect ¶
func (l4 L4PolicyMap) HasRedirect() bool
HasRedirect returns true if at least one L4 filter contains a port redirection
func (*L4PolicyMap) IngressCoversContext ¶ added in v1.5.0
func (l4 *L4PolicyMap) IngressCoversContext(ctx *SearchContext) api.Decision
IngressCoversContext checks if the receiver's ingress L4Policy contains all `dPorts` and `labels`.
Note: Only used for policy tracing
type L7DataMap ¶ added in v1.5.0
type L7DataMap map[CachedSelector]api.L7Rules
L7DataMap contains a map of L7 rules per endpoint where key is a CachedSelector
func (L7DataMap) GetRelevantRulesForKafka ¶ added in v1.6.0
func (l7 L7DataMap) GetRelevantRulesForKafka(nid identity.NumericIdentity) []api.PortRuleKafka
GetRelevantRulesForKafka returns the relevant rules based on the remote numeric identity.
func (L7DataMap) MarshalJSON ¶ added in v1.5.0
type L7ParserType ¶ added in v1.5.0
type L7ParserType string
L7ParserType is the type used to indicate what L7 parser to use. Consts are defined for all well known L7 parsers. Unknown string values are created for key-value pair policies, which are then transparently used in redirect configuration.
const ( // ParserTypeNone represents the case where no parser type is provided. ParserTypeNone L7ParserType = "" // ParserTypeHTTP specifies a HTTP parser type ParserTypeHTTP L7ParserType = "http" // ParserTypeKafka specifies a Kafka parser type ParserTypeKafka L7ParserType = "kafka" // ParserTypeDNS specifies a DNS parser type ParserTypeDNS L7ParserType = "dns" )
func (L7ParserType) String ¶ added in v1.5.0
func (l7 L7ParserType) String() string
type MapChanges ¶ added in v1.6.0
type MapChanges struct {
// contains filtered or unexported fields
}
MapChanges collects updates to the endpoint policy on the granularity of individual mapstate key-value pairs for both adds and deletes. 'mutex' must be held for any access.
func (*MapChanges) AccumulateMapChanges ¶ added in v1.6.0
func (mc *MapChanges) AccumulateMapChanges(adds, deletes []identity.NumericIdentity, port uint16, proto uint8, direction trafficdirection.TrafficDirection)
AccumulateMapChanges accumulates the given changes to the MapChanges, updating both maps for each add and delete, as applicable.
The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'. Accross multiple calls we maintain the adds and deletes within the MapChanges are disjoint in cases where an identity is first added and then deleted, or first deleted and then added.
func (*MapChanges) ConsumeMapChanges ¶ added in v1.6.0
func (mc *MapChanges) ConsumeMapChanges() (adds, deletes MapState)
ConsumeMapChanges transfers the changes from MapChanges to the caller. May return nil maps.
type MapState ¶ added in v1.5.0
type MapState map[Key]MapStateEntry
MapState is a state of a policy map.
func (MapState) AllowAllIdentities ¶ added in v1.5.0
AllowAllIdentities translates all identities in selectorCache to their corresponding Keys in the specified direction (ingress, egress) which allows all at L3.
func (MapState) DetermineAllowLocalhostIngress ¶ added in v1.6.0
DetermineAllowLocalhostIngress determines whether communication should be allowed from the localhost. It inserts the Key corresponding to the localhost in the desiredPolicyKeys if the localhost is allowed to communicate with the endpoint.
type MapStateEntry ¶ added in v1.5.0
type MapStateEntry struct { // The proxy port, in host byte order. // If 0 (default), there is no proxy redirection for the corresponding // Key. ProxyPort uint16 }
MapStateEntry is the configuration associated with a Key in a MapState. This is a minimized version of policymap.PolicyEntry.
type PolicyCache ¶ added in v1.6.0
PolicyCache represents a cache of resolved policies for identities.
func NewPolicyCache ¶ added in v1.6.0
func NewPolicyCache(repo *Repository, subscribe bool) *PolicyCache
NewPolicyCache creates a new cache of SelectorPolicy.
func (*PolicyCache) GetSelectorCache ¶ added in v1.6.0
func (cache *PolicyCache) GetSelectorCache() *SelectorCache
func (*PolicyCache) LocalEndpointIdentityAdded ¶ added in v1.6.0
func (cache *PolicyCache) LocalEndpointIdentityAdded(identity *identityPkg.Identity)
LocalEndpointIdentityAdded creates a SelectorPolicy cache entry for the specified Identity, without calculating any policy for it.
func (*PolicyCache) LocalEndpointIdentityRemoved ¶ added in v1.6.0
func (cache *PolicyCache) LocalEndpointIdentityRemoved(identity *identityPkg.Identity)
LocalEndpointIdentityRemoved deletes the cached SelectorPolicy for the specified Identity.
func (*PolicyCache) Lookup ¶ added in v1.6.0
func (cache *PolicyCache) Lookup(identity *identityPkg.Identity) SelectorPolicy
Lookup attempts to locate the SelectorPolicy corresponding to the specified identity. If policy is not cached for the identity, it returns nil.
func (*PolicyCache) UpdatePolicy ¶ added in v1.6.0
func (cache *PolicyCache) UpdatePolicy(identity *identityPkg.Identity) error
UpdatePolicy resolves the policy for the security identity of the specified endpoint and caches it for future use.
The caller must provide threadsafety for iteration over the policy repository.
type PolicyOwner ¶ added in v1.5.0
type PolicyOwner interface { LookupRedirectPort(l4 *L4Filter) uint16 GetSecurityIdentity() *identity.Identity }
PolicyOwner is anything which consumes a EndpointPolicy.
type Repository ¶ added in v0.9.0
type Repository struct { // Mutex protects the whole policy tree Mutex lock.RWMutex // RepositoryChangeQueue is a queue which serializes changes to the policy // repository. RepositoryChangeQueue *eventqueue.EventQueue // RuleReactionQueue is a queue which serializes the resultant events that // need to occur after updating the state of the policy repository. This // can include queueing endpoint regenerations, policy revision increments // for endpoints, etc. RuleReactionQueue *eventqueue.EventQueue // contains filtered or unexported fields }
Repository is a list of policy rules which in combination form the security policy. A policy repository can be
func NewPolicyRepository ¶ added in v0.9.0
func NewPolicyRepository() *Repository
NewPolicyRepository allocates a new policy repository
func (*Repository) Add ¶ added in v0.9.0
func (p *Repository) Add(r api.Rule, localRuleConsumers []Endpoint) (uint64, map[uint16]struct{}, error)
Add inserts a rule into the policy repository This is just a helper function for unit testing. TODO: this should be in a test_helpers.go file or something similar so we can clearly delineate what helpers are for testing. NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) AddList ¶ added in v0.9.0
func (p *Repository) AddList(rules api.Rules) (ruleSlice, uint64)
AddList inserts a rule into the policy repository. It is used for unit-testing purposes only.
func (*Repository) AddListLocked ¶ added in v0.9.0
func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64)
AddListLocked inserts a rule into the policy repository with the repository already locked Expects that the entire rule list has already been sanitized.
func (*Repository) AllowsEgressRLocked ¶ added in v1.5.0
func (p *Repository) AllowsEgressRLocked(ctx *SearchContext) api.Decision
AllowsEgressRLocked evaluates the policy repository for the provided search context and returns the verdict. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.
NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) AllowsIngressRLocked ¶ added in v1.5.0
func (p *Repository) AllowsIngressRLocked(ctx *SearchContext) api.Decision
AllowsIngressRLocked evaluates the policy repository for the provided search context and returns the verdict for ingress. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.
func (*Repository) BumpRevision ¶ added in v1.5.0
func (p *Repository) BumpRevision()
BumpRevision allows forcing policy regeneration
func (*Repository) DeleteByLabels ¶ added in v0.9.0
func (p *Repository) DeleteByLabels(labels labels.LabelArray) (uint64, int)
DeleteByLabels deletes all rules in the policy repository which contain the specified labels
func (*Repository) DeleteByLabelsLocked ¶ added in v0.9.0
func (p *Repository) DeleteByLabelsLocked(labels labels.LabelArray) (ruleSlice, uint64, int)
DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels. Returns the revision of the policy repository after deleting the rules, as well as now many rules were deleted.
func (*Repository) Empty ¶ added in v1.5.0
func (p *Repository) Empty() bool
Empty returns 'true' if repository has no rules, 'false' otherwise.
Must be called without p.Mutex held
func (*Repository) GetJSON ¶ added in v0.9.0
func (p *Repository) GetJSON() string
GetJSON returns all rules of the policy repository as string in JSON representation
func (*Repository) GetPolicyCache ¶ added in v1.6.0
func (p *Repository) GetPolicyCache() *PolicyCache
GetPolicyCache() returns the policy cache used by the Repository
func (*Repository) GetRevision ¶ added in v0.10.0
func (p *Repository) GetRevision() uint64
GetRevision returns the revision of the policy repository
func (*Repository) GetRulesList ¶ added in v1.5.0
func (p *Repository) GetRulesList() *models.Policy
GetRulesList returns the current policy
func (*Repository) GetRulesMatching ¶ added in v0.9.0
func (p *Repository) GetRulesMatching(labels labels.LabelArray) (ingressMatch bool, egressMatch bool)
GetRulesMatching returns whether any of the rules in a repository contain a rule with labels matching the labels in the provided LabelArray.
Must be called with p.Mutex held
func (*Repository) GetSelectorCache ¶ added in v1.6.0
func (p *Repository) GetSelectorCache() *SelectorCache
GetSelectorCache() returns the selector cache used by the Repository
func (*Repository) LocalEndpointIdentityAdded ¶ added in v1.6.0
func (p *Repository) LocalEndpointIdentityAdded(*identity.Identity)
LocalEndpointIdentityAdded handles local identity add events.
func (*Repository) LocalEndpointIdentityRemoved ¶ added in v1.6.0
func (p *Repository) LocalEndpointIdentityRemoved(identity *identity.Identity)
LocalEndpointIdentityRemoved handles local identity removal events to remove references from rules in the repository to the specified identity.
func (*Repository) NumRules ¶ added in v0.9.0
func (p *Repository) NumRules() int
NumRules returns the amount of rules in the policy repository.
Must be called with p.Mutex held
func (*Repository) ResolveL4EgressPolicy ¶ added in v1.5.0
func (p *Repository) ResolveL4EgressPolicy(ctx *SearchContext) (L4PolicyMap, error)
ResolveL4EgressPolicy resolves the L4 egress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.From`. `ctx.To` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.
Caller must release resources by calling Detach() on the returned map!
NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) ResolveL4IngressPolicy ¶ added in v1.5.0
func (p *Repository) ResolveL4IngressPolicy(ctx *SearchContext) (L4PolicyMap, error)
ResolveL4IngressPolicy resolves the L4 ingress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.
TODO: Coalesce l7 rules?
Caller must release resources by calling Detach() on the returned map!
Note: Only used for policy tracing
func (*Repository) SearchRLocked ¶ added in v0.9.0
func (p *Repository) SearchRLocked(labels labels.LabelArray) api.Rules
SearchRLocked searches the policy repository for rules which match the specified labels and will return an array of all rules which matched.
func (*Repository) TranslateRules ¶ added in v1.5.0
func (p *Repository) TranslateRules(translator Translator) (*TranslationResult, error)
TranslateRules traverses rules and applies provided translator to rules
Note: Only used by the k8s watcher.
type SearchContext ¶
type SearchContext struct { Trace Tracing Depth int Logging *logging.LogBackend From labels.LabelArray To labels.LabelArray DPorts []*models.Port // contains filtered or unexported fields }
SearchContext defines the context while evaluating policy
func (*SearchContext) CallDepth ¶
func (s *SearchContext) CallDepth() string
func (*SearchContext) PolicyTrace ¶ added in v0.9.0
func (s *SearchContext) PolicyTrace(format string, a ...interface{})
PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.
func (*SearchContext) PolicyTraceVerbose ¶ added in v0.9.0
func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})
PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.
func (*SearchContext) String ¶
func (s *SearchContext) String() string
func (*SearchContext) TraceEnabled ¶ added in v1.6.0
func (s *SearchContext) TraceEnabled() bool
TraceEnabled returns true if the SearchContext requests tracing.
func (*SearchContext) WithLogger ¶ added in v1.6.0
func (s *SearchContext) WithLogger(log io.Writer) *SearchContext
WithLogger returns a shallow copy of the received SearchContext with the logging set to write to 'log'.
type SelectorCache ¶ added in v1.6.0
type SelectorCache struct {
// contains filtered or unexported fields
}
SelectorCache caches identities, identity selectors, and the subsets of identities each selector selects.
func NewSelectorCache ¶ added in v1.6.0
func NewSelectorCache(ids cache.IdentityCache) *SelectorCache
NewSelectorCache creates a new SelectorCache with the given identities.
func (*SelectorCache) AddFQDNSelector ¶ added in v1.6.0
func (sc *SelectorCache) AddFQDNSelector(user CachedSelectionUser, fqdnSelec api.FQDNSelector) (cachedSelector CachedSelector, added bool)
AddFQDNSelector adds the given api.FQDNSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding CachedSelector is returned, otherwise one is created and added to the cache.
func (*SelectorCache) AddIdentitySelector ¶ added in v1.6.0
func (sc *SelectorCache) AddIdentitySelector(user CachedSelectionUser, selector api.EndpointSelector) (cachedSelector CachedSelector, added bool)
AddIdentitySelector adds the given api.EndpointSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding CachedSelector is returned, otherwise one is created and added to the cache.
func (*SelectorCache) ChangeUser ¶ added in v1.6.0
func (sc *SelectorCache) ChangeUser(selector CachedSelector, from, to CachedSelectionUser)
ChangeUser changes the CachedSelectionUser that gets updates on the updates on the cached selector.
func (*SelectorCache) FindCachedIdentitySelector ¶ added in v1.6.0
func (sc *SelectorCache) FindCachedIdentitySelector(selector api.EndpointSelector) CachedSelector
FindCachedIdentitySelector finds the given api.EndpointSelector in the selector cache, returning nil if one can not be found.
func (*SelectorCache) GetModel ¶ added in v1.6.0
func (sc *SelectorCache) GetModel() models.SelectorCache
GetModel returns the API model of the SelectorCache.
func (*SelectorCache) RemoveIdentitiesFQDNSelectors ¶ added in v1.6.0
func (sc *SelectorCache) RemoveIdentitiesFQDNSelectors(fqdnSels []api.FQDNSelector)
RemoveIdentitiesFQDNSelectors removes all identities from being mapped to the set of FQDNSelectors.
func (*SelectorCache) RemoveSelector ¶ added in v1.6.0
func (sc *SelectorCache) RemoveSelector(selector CachedSelector, user CachedSelectionUser)
RemoveSelector removes CachedSelector for the user.
func (*SelectorCache) RemoveSelectors ¶ added in v1.6.0
func (sc *SelectorCache) RemoveSelectors(selectors CachedSelectorSlice, user CachedSelectionUser)
RemoveSelectors removes CachedSelectorSlice for the user.
func (*SelectorCache) SetLocalIdentityNotifier ¶ added in v1.6.0
func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)
SetLocalIdentityNotifier injects the provided identityNotifier into the SelectorCache. Currently, this is used to inject the FQDN subsystem into the SelectorCache so the SelectorCache can notify the FQDN subsystem when it should be aware of a given FQDNSelector for which CIDR identities need to be provided upon DNS lookups which corespond to said FQDNSelector.
func (*SelectorCache) UpdateFQDNSelector ¶ added in v1.6.0
func (sc *SelectorCache) UpdateFQDNSelector(fqdnSelec api.FQDNSelector, identities []identity.NumericIdentity)
UpdateFQDNSelector updates the mapping of fqdnKey (the FQDNSelector from a policy rule as a string) to to the provided list of identities. If the contents of the cachedSelections differ from those in the identities slice, all users are notified.
func (*SelectorCache) UpdateIdentities ¶ added in v1.6.0
func (sc *SelectorCache) UpdateIdentities(added, deleted cache.IdentityCache)
UpdateIdentities propagates identity updates to selectors
The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.
type SelectorPolicy ¶ added in v1.6.0
type SelectorPolicy interface { // Consume returns the policy in terms of connectivity to peer // Identities. The callee MUST NOT modify the returned pointer. Consume(owner PolicyOwner) *EndpointPolicy }
SelectorPolicy represents a cached selectorPolicy, previously resolved from the policy repository and ready to be distilled against a set of identities to compute datapath-level policy configuration.
type TranslationResult ¶ added in v1.5.0
type TranslationResult struct { // NumToServicesRules is the number of ToServices rules processed while // translating the rules NumToServicesRules int }
TranslationResult contains the results of the rule translation
type Translator ¶ added in v1.5.0
type Translator interface {
Translate(*api.Rule, *TranslationResult) error
}
Translator is an interface for altering policy rules
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package api defines the API of the Cilium network policy interface +groupName=policy
|
Package api defines the API of the Cilium network policy interface +groupName=policy |
package trafficdirection specifies the directionality of policy in a numeric representation.
|
package trafficdirection specifies the directionality of policy in a numeric representation. |