policy

package
v1.5.5 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jul 11, 2019 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func GetCIDRPrefixes added in v1.5.0

func GetCIDRPrefixes(rules api.Rules) []*net.IPNet

GetCIDRPrefixes runs through the specified 'rules' to find every reference to a CIDR in the rules, and returns a slice containing all of these CIDRs. Multiple rules referring to the same CIDR will result in multiple copies of the CIDR in the returned slice.

Assumes that validation already occurred on 'rules'.

func GetDefaultPrefixLengths added in v1.5.0

func GetDefaultPrefixLengths() (s6 []int, s4 []int)

GetDefaultPrefixLengths returns the set of prefix lengths for handling CIDRs that are unconditionally mapped to identities, ie for the reserved identities 'host', 'world'.

func GetPolicyEnabled added in v1.5.0

func GetPolicyEnabled() string

GetPolicyEnabled returns the policy enablement configuration

func GetPrefixesFromCIDRSet added in v1.5.0

func GetPrefixesFromCIDRSet(rules api.CIDRRuleSlice) []*net.IPNet

GetPrefixesFromCIDRSet fetches all CIDRs referred to by the specified slice and returns them as regular golang CIDR objects.

Assumes that validation already occurred on 'rules'.

func JSONMarshalRules added in v0.9.0

func JSONMarshalRules(rules api.Rules) string

JSONMarshalRules returns a slice of policy rules as string in JSON representation

func JoinPath

func JoinPath(a, b string) string

JoinPath returns a joined path from a and b.

func ParseProxyID added in v1.5.0

func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, err error)

ParseProxyID parses a proxy ID returned by ProxyID and returns its components.

func ProxyID added in v1.5.0

func ProxyID(endpointID uint16, ingress bool, protocol string, port uint16) string

ProxyID returns a unique string to identify a proxy mapping.

func SetPolicyEnabled added in v1.5.0

func SetPolicyEnabled(val string)

SetPolicyEnabled sets the policy enablement configuration. Valid values are: - endpoint.AlwaysEnforce - endpoint.NeverEnforce - endpoint.DefaultEnforcement

Types

type CIDRPolicy added in v1.5.0

type CIDRPolicy struct {
	Ingress CIDRPolicyMap
	Egress  CIDRPolicyMap
}

CIDRPolicy contains L3 (CIDR) policy maps for ingress.

This is not used for map entry generation; It has two uses:

  • On older kernels, generate the set of CIDR prefix lengths that are necessary to implement an LPM
  • Reflect desired state of the CIDR policy in the API.

func NewCIDRPolicy added in v1.5.0

func NewCIDRPolicy() (policy *CIDRPolicy)

NewCIDRPolicy creates a new CIDRPolicy.

func (*CIDRPolicy) GetModel added in v1.5.0

func (cp *CIDRPolicy) GetModel() *models.CIDRPolicy

GetModel returns the API model representation of the CIDRPolicy.

func (*CIDRPolicy) ToBPFData added in v1.5.0

func (cp *CIDRPolicy) ToBPFData() (s6, s4 []int)

ToBPFData converts the ingress and egress cidr map into int slices 's6' (IPv6) and 's4' (IPv4), formatted for insertion into bpf program as prefix lengths.

Note that this will always include the CIDR prefix lengths for host (eg /32 for host), cluster (typically /8 or /64), and world (/0).

FIXME: Move this function out of policy into a datapath specific package

func (*CIDRPolicy) Validate added in v1.5.0

func (cp *CIDRPolicy) Validate() error

Validate returns error if the CIDR policy might lead to code generation failure

type CIDRPolicyMap added in v1.5.0

type CIDRPolicyMap struct {
	Map map[string]*CIDRPolicyMapRule // Allowed L3 (CIDR) prefixes

	IPv6PrefixCount map[int]int // Count of IPv6 prefixes in 'Map' indexed by prefix length
	IPv4PrefixCount map[int]int // Count of IPv4 prefixes in 'Map' indexed by prefix length
}

CIDRPolicyMap is a list of CIDR filters indexable by address/prefixlen key format: "address/prefixlen", e.g., "10.1.1.0/24" Each prefix struct also includes the rule labels that allowed it.

CIDRPolicyMap does no locking internally, so the user is responsible for synchronizing between multiple threads when applicable.

func (*CIDRPolicyMap) Insert added in v1.5.0

func (m *CIDRPolicyMap) Insert(cidr string, ruleLabels labels.LabelArray) int

Insert places 'cidr' and its corresponding rule labels into map 'm'. Returns `1` if `cidr` is added to the map, `0` otherwise.

type CIDRPolicyMapRule added in v1.5.0

type CIDRPolicyMapRule struct {
	Prefix           net.IPNet
	DerivedFromRules labels.LabelArrayList
}

CIDRPolicyMapRule holds a L3 (CIDR) prefix and the rule labels that allow it.

type Endpoint added in v1.5.0

type Endpoint interface {
	GetID16() uint16
	RLockAlive() error
	RUnlock()
	GetSecurityIdentity() *identity.Identity
	PolicyRevisionBumpEvent(rev uint64)
}

Endpoint refers to any structure which has the following properties: * a node-local ID stored as a uint16 * a security identity * a means of incrementing its policy revision

type EndpointPolicy added in v1.5.0

type EndpointPolicy struct {
	// ID is the node-local identifier of this EndpointPolicy.
	ID uint16

	// L4Policy contains the computed L4 and L7 policy.
	L4Policy *L4Policy

	// CIDRPolicy contains the L3 (not L4) CIDR-based policy.
	CIDRPolicy *CIDRPolicy

	// IngressPolicyEnabled specifies whether this policy contains any policy
	// at ingress.
	IngressPolicyEnabled bool

	// EgressPolicyEnabled specifies whether this policy contains any policy
	// at egress.
	EgressPolicyEnabled bool

	// PolicyMapState contains the state of this policy as it relates to the
	// datapath. In the future, this will be factored out of this object to
	// decouple the policy as it relates to the datapath vs. its userspace
	// representation.
	// It maps each Key to the proxy port if proxy redirection is needed.
	// Proxy port 0 indicates no proxy redirection.
	// All fields within the Key and the proxy port must be in host byte-order.
	PolicyMapState MapState

	// PolicyOwner describes any type which consumes this EndpointPolicy object.
	PolicyOwner PolicyOwner

	// DeniedIngressIdentities is the set of identities which are not allowed
	// by policy on ingress. This field is populated when an identity does not
	// meet restraints set forth in FromRequires.
	DeniedIngressIdentities cache.IdentityCache

	// DeniedEgressIdentities is the set of identities which are not allowed
	// by policy on egress. This field is populated when an identity does not
	// meet restraints set forth in ToRequires.
	DeniedEgressIdentities cache.IdentityCache
}

EndpointPolicy is a structure which contains the resolved policy across all layers (L3, L4, and L7).

func (*EndpointPolicy) Realizes added in v1.5.0

func (p *EndpointPolicy) Realizes(desired *EndpointPolicy)

Realizes copies the fields from desired into p. It assumes that the fields in desired are not modified after this function is called.

type EndpointSet added in v1.5.0

type EndpointSet struct {
	// contains filtered or unexported fields
}

EndpointSet is used to be able to group together a given set of Endpoints that need to have a specific operation performed upon them (e.g., policy revision updates).

func NewEndpointSet added in v1.5.0

func NewEndpointSet(capacity int) *EndpointSet

NewEndpointSet returns an EndpointSet with the Endpoints map allocated with the specified capacity.

func (*EndpointSet) Delete added in v1.5.0

func (e *EndpointSet) Delete(ep Endpoint)

Delete removes ep from the EndpointSet.

func (*EndpointSet) ForEach added in v1.5.0

func (e *EndpointSet) ForEach(wg *sync.WaitGroup, epFunc func(epp Endpoint))

ForEach runs epFunc asynchronously for all endpoints in the EndpointSet. It signals to the provided WaitGroup when epFunc has been executed for each endpoint.

func (*EndpointSet) Insert added in v1.5.0

func (e *EndpointSet) Insert(ep Endpoint)

Insert adds ep to the EndpointSet.

func (*EndpointSet) Len added in v1.5.0

func (e *EndpointSet) Len() int

Len returns the number of elements in the EndpointSet.

type IDSet added in v1.5.0

type IDSet struct {
	Mutex lock.RWMutex
	IDs   map[uint16]struct{}
}

IDSet is a wrapper type around a set of unsigned 16-bit integers, with a mutex for protecting access.

func NewIDSet added in v1.5.0

func NewIDSet() *IDSet

NewIDSet returns a new instance of an IDSet.

type Key added in v1.5.0

type Key struct {
	// Identity is the numeric identity to / from which traffic is allowed.
	Identity uint32
	// DestPort is the port at L4 to / from which traffic is allowed, in
	// host-byte order.
	DestPort uint16
	// NextHdr is the protocol which is allowed.
	Nexthdr uint8
	// TrafficDirection indicates in which direction Identity is allowed
	// communication (egress or ingress).
	TrafficDirection uint8
}

Key is the userspace representation of a policy key in BPF. It is intentionally duplicated from pkg/maps/policymap to avoid pulling in the BPF dependency to this package.

func (Key) IsEgress added in v1.5.0

func (k Key) IsEgress() bool

IsEgress returns true if the key refers to an egress policy key

func (Key) IsIngress added in v1.5.0

func (k Key) IsIngress() bool

IsIngress returns true if the key refers to an ingress policy key

type L4Filter

type L4Filter struct {
	// Port is the destination port to allow
	Port int `json:"port"`
	// Protocol is the L4 protocol to allow or NONE
	Protocol api.L4Proto `json:"protocol"`
	// U8Proto is the Protocol in numeric format, or 0 for NONE
	U8Proto u8proto.U8proto `json:"-"`

	// Endpoints limits the labels for allowing traffic (to / from).
	// This includes selectors for destinations affected by entity-based
	// and CIDR-based policy.
	Endpoints api.EndpointSelectorSlice `json:"-"`
	// L7Parser specifies the L7 protocol parser (optional). If specified as
	// an empty string, then means that no L7 proxy redirect is performed.
	L7Parser L7ParserType `json:"-"`
	// L7RulesPerEp is a list of L7 rules per endpoint passed to the L7 proxy (optional)
	L7RulesPerEp L7DataMap `json:"l7-rules,omitempty"`
	// Ingress is true if filter applies at ingress; false if it applies at egress.
	Ingress bool `json:"-"`
	// The rule labels of this Filter
	DerivedFromRules labels.LabelArrayList `json:"-"`
	// contains filtered or unexported fields
}

func CreateL4EgressFilter added in v1.5.0

func CreateL4EgressFilter(toEndpoints api.EndpointSelectorSlice, rule api.PortRule, port api.PortProtocol,
	protocol api.L4Proto, ruleLabels labels.LabelArray) L4Filter

CreateL4EgressFilter creates a filter for L4 policy that applies to the specified endpoints and port/protocol for egress traffic, with reference to the original rules that the filter is derived from. This filter may be associated with a series of L7 rules via the `rule` parameter.

func CreateL4Filter added in v0.9.0

func CreateL4Filter(peerEndpoints api.EndpointSelectorSlice, rule api.PortRule, port api.PortProtocol,
	protocol api.L4Proto, ruleLabels labels.LabelArray, ingress bool) L4Filter

CreateL4Filter creates a filter for L4 policy that applies to the specified endpoints and port/protocol, with reference to the original rules that the filter is derived from. This filter may be associated with a series of L7 rules via the `rule` parameter.

func CreateL4IngressFilter added in v1.5.0

func CreateL4IngressFilter(fromEndpoints api.EndpointSelectorSlice, endpointsWithL3Override []api.EndpointSelector, rule api.PortRule, port api.PortProtocol,
	protocol api.L4Proto, ruleLabels labels.LabelArray) L4Filter

CreateL4IngressFilter creates a filter for L4 policy that applies to the specified endpoints and port/protocol for ingress traffic, with reference to the original rules that the filter is derived from. This filter may be associated with a series of L7 rules via the `rule` parameter.

endpointsWithL3Override determines selectors for which L7 rules should be wildcarded (eg, host / world in the relevant daemon modes).

func (*L4Filter) AllowsAllAtL3 added in v1.5.0

func (l4 *L4Filter) AllowsAllAtL3() bool

AllowsAllAtL3 returns whether this L4Filter applies to all endpoints at L3.

func (*L4Filter) HasL3DependentL7Rules added in v1.5.0

func (l4 *L4Filter) HasL3DependentL7Rules() bool

HasL3DependentL7Rules returns true if this L4Filter is created from rules that require an L3 match as well as specific L7 rules.

func (*L4Filter) IsRedirect

func (l4 *L4Filter) IsRedirect() bool

IsRedirect returns true if the L4 filter contains a port redirection

func (*L4Filter) MarshalIndent added in v0.9.0

func (l4 *L4Filter) MarshalIndent() string

MarshalIndent returns the `L4Filter` in indented JSON string.

func (L4Filter) String

func (l4 L4Filter) String() string

String returns the `L4Filter` in a human-readable string.

func (*L4Filter) ToKeys added in v1.5.0

func (l4 *L4Filter) ToKeys(direction trafficdirection.TrafficDirection, identityCache cache.IdentityCache, deniedIdentities cache.IdentityCache) []Key

ToKeys converts filter into a list of Keys.

type L4Policy

type L4Policy struct {
	Ingress L4PolicyMap
	Egress  L4PolicyMap

	// Revision is the repository revision used to generate this policy.
	Revision uint64
}

func NewL4Policy

func NewL4Policy() *L4Policy

func (*L4Policy) GetModel

func (l4 *L4Policy) GetModel() *models.L4Policy

func (*L4Policy) HasRedirect

func (l4 *L4Policy) HasRedirect() bool

HasRedirect returns true if the L4 policy contains at least one port redirection

func (*L4Policy) RequiresConntrack

func (l4 *L4Policy) RequiresConntrack() bool

RequiresConntrack returns true if if the L4 configuration requires connection tracking to be enabled.

type L4PolicyMap

type L4PolicyMap map[string]L4Filter

L4PolicyMap is a list of L4 filters indexable by protocol/port key format: "port/proto"

func (*L4PolicyMap) EgressCoversContext added in v1.5.0

func (l4 *L4PolicyMap) EgressCoversContext(ctx *SearchContext) api.Decision

EgressCoversContext checks if the receiver's egress L4Policy contains all `dPorts` and `labels`.

func (L4PolicyMap) HasRedirect

func (l4 L4PolicyMap) HasRedirect() bool

HasRedirect returns true if at least one L4 filter contains a port redirection

func (*L4PolicyMap) IngressCoversContext added in v1.5.0

func (l4 *L4PolicyMap) IngressCoversContext(ctx *SearchContext) api.Decision

IngressCoversContext checks if the receiver's ingress L4Policy contains all `dPorts` and `labels`.

type L7DataMap added in v1.5.0

type L7DataMap map[api.EndpointSelector]api.L7Rules

L7DataMap contains a map of L7 rules per endpoint where key is a hash of EndpointSelector

func (L7DataMap) GetRelevantRules added in v1.5.0

func (l7 L7DataMap) GetRelevantRules(identity *identity.Identity) api.L7Rules

GetRelevantRules returns the relevant rules based on the source and destination addressing/identity information.

func (L7DataMap) MarshalJSON added in v1.5.0

func (l7 L7DataMap) MarshalJSON() ([]byte, error)

type L7ParserType added in v1.5.0

type L7ParserType string

L7ParserType is the type used to indicate what L7 parser to use. Consts are defined for all well known L7 parsers. Unknown string values are created for key-value pair policies, which are then transparently used in redirect configuration.

const (
	// ParserTypeNone represents the case where no parser type is provided.
	ParserTypeNone L7ParserType = ""
	// ParserTypeHTTP specifies a HTTP parser type
	ParserTypeHTTP L7ParserType = "http"
	// ParserTypeKafka specifies a Kafka parser type
	ParserTypeKafka L7ParserType = "kafka"
	// ParserTypeDNS specifies a DNS parser type
	ParserTypeDNS L7ParserType = "dns"
)

func (L7ParserType) String added in v1.5.0

func (l7 L7ParserType) String() string

type MapState added in v1.5.0

type MapState map[Key]MapStateEntry

MapState is a state of a policy map.

func (MapState) AllowAllIdentities added in v1.5.0

func (keys MapState) AllowAllIdentities(identityCache cache.IdentityCache, direction trafficdirection.TrafficDirection)

AllowAllIdentities translates all identities in identityCache to their corresponding Key in the specified direction (ingress, egress) which allows all at L3.

func (MapState) DetermineAllowLocalhost added in v1.5.0

func (keys MapState) DetermineAllowLocalhost(l4Policy *L4Policy)

DetermineAllowLocalhost determines whether communication should be allowed to the localhost. It inserts the Key corresponding to the localhost in the desiredPolicyKeys if the endpoint is allowed to communicate with the localhost.

type MapStateEntry added in v1.5.0

type MapStateEntry struct {
	// The proxy port, in host byte order.
	// If 0 (default), there is no proxy redirection for the corresponding
	// Key.
	ProxyPort uint16
}

MapStateEntry is the configuration associated with a Key in a MapState. This is a minimized version of policymap.PolicyEntry.

type PolicyOwner added in v1.5.0

type PolicyOwner interface {
	LookupRedirectPort(l4 *L4Filter) uint16
}

PolicyOwner is anything which consumes a EndpointPolicy.

type Repository added in v0.9.0

type Repository struct {
	// Mutex protects the whole policy tree
	Mutex lock.RWMutex

	// RepositoryChangeQueue is a queue which serializes changes to the policy
	// repository.
	RepositoryChangeQueue *eventqueue.EventQueue

	// RuleReactionQueue is a queue which serializes the resultant events that
	// need to occur after updating the state of the policy repository. This
	// can include queueing endpoint regenerations, policy revision increments
	// for endpoints, etc.
	RuleReactionQueue *eventqueue.EventQueue
	// contains filtered or unexported fields
}

Repository is a list of policy rules which in combination form the security policy. A policy repository can be

func NewPolicyRepository added in v0.9.0

func NewPolicyRepository() *Repository

NewPolicyRepository allocates a new policy repository

func (*Repository) Add added in v0.9.0

func (p *Repository) Add(r api.Rule, localRuleConsumers []Endpoint) (uint64, map[uint16]struct{}, error)

Add inserts a rule into the policy repository This is just a helper function for unit testing. TODO: this should be in a test_helpers.go file or something similar so we can clearly delineate what helpers are for testing.

func (*Repository) AddList added in v0.9.0

func (p *Repository) AddList(rules api.Rules) (ruleSlice, uint64)

AddList inserts a rule into the policy repository. It is used for unit-testing purposes only.

func (*Repository) AddListLocked added in v0.9.0

func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64)

AddListLocked inserts a rule into the policy repository with the repository already locked Expects that the entire rule list has already been sanitized.

func (*Repository) AllowsEgressLabelAccess added in v1.5.0

func (p *Repository) AllowsEgressLabelAccess(egressCtx *SearchContext) api.Decision

AllowsEgressLabelAccess evaluates the policy repository for the provided search context and returns the verdict for egress. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

func (*Repository) AllowsEgressRLocked added in v1.5.0

func (p *Repository) AllowsEgressRLocked(egressCtx *SearchContext) api.Decision

AllowsEgressRLocked evaluates the policy repository for the provided search context and returns the verdict. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

func (*Repository) AllowsIngressLabelAccess added in v1.5.0

func (p *Repository) AllowsIngressLabelAccess(ctx *SearchContext) api.Decision

AllowsIngressLabelAccess evaluates the policy repository for the provided search context and returns the verdict for ingress policy. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

func (*Repository) AllowsIngressRLocked added in v1.5.0

func (p *Repository) AllowsIngressRLocked(ctx *SearchContext) api.Decision

AllowsIngressRLocked evaluates the policy repository for the provided search context and returns the verdict for ingress. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

func (*Repository) BumpRevision added in v1.5.0

func (p *Repository) BumpRevision()

BumpRevision allows forcing policy regeneration

func (*Repository) CanReachEgressRLocked added in v1.5.0

func (p *Repository) CanReachEgressRLocked(egressCtx *SearchContext) api.Decision

CanReachEgressRLocked evaluates the policy repository for the provided search context and returns the verdict or api.Undecided if no rule matches for egress policy. The policy repository mutex must be held.

func (*Repository) CanReachIngressRLocked added in v1.5.0

func (p *Repository) CanReachIngressRLocked(ctx *SearchContext) api.Decision

CanReachIngressRLocked evaluates the policy repository for the provided search context and returns the verdict or api.Undecided if no rule matches for ingress. The policy repository mutex must be held.

func (*Repository) ContainsAllRLocked added in v1.5.0

func (p *Repository) ContainsAllRLocked(needed labels.LabelArrayList) bool

ContainsAllRLocked returns true if repository contains all the labels in needed. If needed contains no labels, ContainsAllRLocked() will always return true.

func (*Repository) DeleteByLabels added in v0.9.0

func (p *Repository) DeleteByLabels(labels labels.LabelArray) (uint64, int)

DeleteByLabels deletes all rules in the policy repository which contain the specified labels

func (*Repository) DeleteByLabelsLocked added in v0.9.0

func (p *Repository) DeleteByLabelsLocked(labels labels.LabelArray) (ruleSlice, uint64, int)

DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels. Returns the revision of the policy repository after deleting the rules, as well as now many rules were deleted.

func (*Repository) Empty added in v1.5.0

func (p *Repository) Empty() bool

Empty returns 'true' if repository has no rules, 'false' otherwise.

Must be called without p.Mutex held

func (*Repository) GetJSON added in v0.9.0

func (p *Repository) GetJSON() string

GetJSON returns all rules of the policy repository as string in JSON representation

func (*Repository) GetRevision added in v0.10.0

func (p *Repository) GetRevision() uint64

GetRevision returns the revision of the policy repository

func (*Repository) GetRulesList added in v1.5.0

func (p *Repository) GetRulesList() *models.Policy

GetRulesList returns the current policy

func (*Repository) GetRulesMatching added in v0.9.0

func (p *Repository) GetRulesMatching(labels labels.LabelArray) (ingressMatch bool, egressMatch bool)

GetRulesMatching returns whether any of the rules in a repository contain a rule with labels matching the labels in the provided LabelArray.

Must be called with p.Mutex held

func (*Repository) NumRules added in v0.9.0

func (p *Repository) NumRules() int

NumRules returns the amount of rules in the policy repository.

Must be called with p.Mutex held

func (*Repository) RemoveEndpointIDFromRuleCaches added in v1.5.0

func (p *Repository) RemoveEndpointIDFromRuleCaches(endpointID uint16) *sync.WaitGroup

RemoveEndpointIDFromRuleCaches removes identifier from the processedConsumers and localRuleConsumers sets in each rule within the repository. Returns a sync.WaitGroup which can be waited on once all rules have been processed in relation to the identifier.

func (*Repository) ResolveCIDRPolicy added in v1.5.0

func (p *Repository) ResolveCIDRPolicy(ctx *SearchContext) *CIDRPolicy

ResolveCIDRPolicy resolves the L3 policy for a set of endpoints by searching the policy repository for `CIDR` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search.

func (*Repository) ResolveL4EgressPolicy added in v1.5.0

func (p *Repository) ResolveL4EgressPolicy(ctx *SearchContext) (*L4PolicyMap, error)

ResolveL4EgressPolicy resolves the L4 egress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.From`. `ctx.To` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.

func (*Repository) ResolveL4IngressPolicy added in v1.5.0

func (p *Repository) ResolveL4IngressPolicy(ctx *SearchContext) (*L4PolicyMap, error)

ResolveL4IngressPolicy resolves the L4 ingress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.

TODO: Coalesce l7 rules?

func (*Repository) ResolvePolicy added in v1.5.0

func (p *Repository) ResolvePolicy(id uint16, securityIdentity *identity.Identity, policyOwner PolicyOwner, identityCache cache.IdentityCache) (*EndpointPolicy, error)

ResolvePolicy returns the EndpointPolicy for the provided set of labels against the set of rules in the repository, and the provided set of identities. If the policy cannot be generated due to conflicts at L4 or L7, returns an error.

func (*Repository) SearchRLocked added in v0.9.0

func (p *Repository) SearchRLocked(labels labels.LabelArray) api.Rules

SearchRLocked searches the policy repository for rules which match the specified labels and will return an array of all rules which matched.

func (*Repository) TranslateRules added in v1.5.0

func (p *Repository) TranslateRules(translator Translator) (*TranslationResult, error)

TranslateRules traverses rules and applies provided translator to rules

func (*Repository) UpdateLocalConsumers added in v1.5.0

func (p *Repository) UpdateLocalConsumers(eps []Endpoint) *sync.WaitGroup

UpdateLocalConsumers updates the cache within each rule in the given repository which specifies whether said rule selects said identity. Returns a wait group which can be used to wait until all rules have had said caches updated.

type SearchContext

type SearchContext struct {
	Trace   Tracing
	Depth   int
	Logging *logging.LogBackend
	From    labels.LabelArray
	To      labels.LabelArray
	DPorts  []*models.Port
	// contains filtered or unexported fields
}

SearchContext defines the context while evaluating policy

func (*SearchContext) CallDepth

func (s *SearchContext) CallDepth() string

func (*SearchContext) PolicyTrace added in v0.9.0

func (s *SearchContext) PolicyTrace(format string, a ...interface{})

PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) PolicyTraceVerbose added in v0.9.0

func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})

PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) String

func (s *SearchContext) String() string

type Tracing

type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

type TranslationResult added in v1.5.0

type TranslationResult struct {
	// NumToServicesRules is the number of ToServices rules processed while
	// translating the rules
	NumToServicesRules int
}

TranslationResult contains the results of the rule translation

type Translator added in v1.5.0

type Translator interface {
	Translate(*api.Rule, *TranslationResult) error
}

Translator is an interface for altering policy rules

Directories

Path Synopsis
Package api defines the API of the Cilium network policy interface +groupName=policy
Package api defines the API of the Cilium network policy interface +groupName=policy
aws
package trafficdirection specifies the directionality of policy in a numeric representation.
package trafficdirection specifies the directionality of policy in a numeric representation.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL