Documentation ¶
Index ¶
- Constants
- Variables
- func JoinPath(a, b string) string
- func SplitNodePath(fullPath string) (string, string)
- type AllowL4
- type AllowRule
- type AuxRule
- type Consumable
- func (c *Consumable) AddMap(m *policymap.PolicyMap)
- func (c *Consumable) AllowConsumer(cache *ConsumableCache, id NumericIdentity) *Consumer
- func (c *Consumable) AllowConsumerAndReverse(cache *ConsumableCache, id NumericIdentity)
- func (c *Consumable) Allows(id NumericIdentity) bool
- func (c *Consumable) BanConsumer(id NumericIdentity)
- func (c *Consumable) DeepCopy() *Consumable
- func (c *Consumable) Delete()
- func (c *Consumable) GetConsumer(id NumericIdentity) *Consumer
- func (c *Consumable) GetModel() *models.EndpointPolicy
- func (c *Consumable) RemoveMap(m *policymap.PolicyMap)
- type ConsumableCache
- type ConsumableDecision
- type Consumer
- type Identity
- type L4Filter
- type L4Policy
- type L4PolicyMap
- type Node
- func (n *Node) AddChild(name string, child *Node) (bool, error)
- func (n *Node) Allows(ctx *SearchContext) ConsumableDecision
- func (n *Node) CanMerge(obj *Node) error
- func (n *Node) Covers(ctx *SearchContext) bool
- func (n *Node) DebugString(level int) string
- func (n *Node) HasPolicyRule(pr PolicyRule) bool
- func (n *Node) HasRules() bool
- func (n *Node) IsMergeable() bool
- func (n *Node) JSONMarshal() string
- func (n *Node) Merge(obj *Node) (bool, error)
- func (n *Node) NormalizeNames(path string) (string, error)
- func (n *Node) Path() string
- func (n *Node) ResolveL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy
- func (n *Node) ResolveName(name string) string
- func (n *Node) ResolveTree() error
- func (n *Node) UnmarshalJSON(data []byte) error
- type NumericIdentity
- type PolicyRule
- type Privilege
- type RuleConsumers
- func (prc *RuleConsumers) Allows(ctx *SearchContext) ConsumableDecision
- func (prc *RuleConsumers) CoverageSHA256Sum() (string, error)
- func (prc *RuleConsumers) IsMergeable() bool
- func (prc *RuleConsumers) Resolve(node *Node) error
- func (prc *RuleConsumers) SHA256Sum() (string, error)
- func (prc *RuleConsumers) String() string
- type RuleL4
- type RuleRequires
- func (prr *RuleRequires) Allows(ctx *SearchContext) ConsumableDecision
- func (prr *RuleRequires) CoverageSHA256Sum() (string, error)
- func (prr *RuleRequires) IsMergeable() bool
- func (prr *RuleRequires) Resolve(node *Node) error
- func (prr *RuleRequires) SHA256Sum() (string, error)
- func (prr *RuleRequires) String() string
- type SearchContext
- type SearchContextReply
- type Tracing
- type Tree
Constants ¶
const ( RootNodeName = "root" NodePathDelimiter = "." RootPrefix = RootNodeName + NodePathDelimiter )
const ( // MinimalNumericIdentity represents the minimal numeric identity not // used for reserved purposes. MinimalNumericIdentity = NumericIdentity(256) // InvalidIdentity is the identity assigned if the identity is invalid // or not determined yet InvalidIdentity = NumericIdentity(0) )
Variables ¶
var ( ReservedIdentities = map[string]NumericIdentity{ labels.IDNameHost: ID_HOST, labels.IDNameWorld: ID_WORLD, } ReservedIdentityNames = map[NumericIdentity]string{ ID_HOST: labels.IDNameHost, ID_WORLD: labels.IDNameWorld, } )
var (
CoverageSHASize = len(fmt.Sprintf("%x", sha512.New512_256().Sum(nil)))
)
Functions ¶
func SplitNodePath ¶
Types ¶
type AllowL4 ¶
type AllowRule ¶
type AllowRule struct { Action ConsumableDecision `json:"action,omitempty"` Label labels.Label `json:"label"` }
func (*AllowRule) Allows ¶
func (a *AllowRule) Allows(ctx *SearchContext) ConsumableDecision
func (*AllowRule) IsMergeable ¶
func (*AllowRule) UnmarshalJSON ¶
type Consumable ¶
type Consumable struct { ID NumericIdentity `json:"id"` Iteration int `json:"-"` Labels *Identity `json:"labels"` LabelList []labels.Label `json:"-"` Maps map[int]*policymap.PolicyMap `json:"-"` Consumers map[string]*Consumer `json:"consumers"` ReverseRules map[NumericIdentity]*Consumer `json:"-"` L4Policy *L4Policy `json:"l4-policy"` // contains filtered or unexported fields }
Consumable is the entity that is being consumed by a Consumable.
func NewConsumable ¶
func NewConsumable(id NumericIdentity, lbls *Identity, cache *ConsumableCache) *Consumable
func (*Consumable) AddMap ¶
func (c *Consumable) AddMap(m *policymap.PolicyMap)
func (*Consumable) AllowConsumer ¶
func (c *Consumable) AllowConsumer(cache *ConsumableCache, id NumericIdentity) *Consumer
func (*Consumable) AllowConsumerAndReverse ¶
func (c *Consumable) AllowConsumerAndReverse(cache *ConsumableCache, id NumericIdentity)
func (*Consumable) Allows ¶
func (c *Consumable) Allows(id NumericIdentity) bool
func (*Consumable) BanConsumer ¶
func (c *Consumable) BanConsumer(id NumericIdentity)
func (*Consumable) DeepCopy ¶
func (c *Consumable) DeepCopy() *Consumable
func (*Consumable) Delete ¶
func (c *Consumable) Delete()
func (*Consumable) GetConsumer ¶
func (c *Consumable) GetConsumer(id NumericIdentity) *Consumer
func (*Consumable) GetModel ¶
func (c *Consumable) GetModel() *models.EndpointPolicy
func (*Consumable) RemoveMap ¶
func (c *Consumable) RemoveMap(m *policymap.PolicyMap)
type ConsumableCache ¶
type ConsumableCache struct { // List of consumables representing the reserved identities Reserved []*Consumable Iteration int // contains filtered or unexported fields }
func NewConsumableCache ¶
func NewConsumableCache() *ConsumableCache
func (*ConsumableCache) AddReserved ¶
func (c *ConsumableCache) AddReserved(elem *Consumable)
func (*ConsumableCache) GetOrCreate ¶
func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable
func (*ConsumableCache) Lookup ¶
func (c *ConsumableCache) Lookup(id NumericIdentity) *Consumable
func (*ConsumableCache) Remove ¶
func (c *ConsumableCache) Remove(elem *Consumable)
type ConsumableDecision ¶
type ConsumableDecision byte
const ( UNDECIDED ConsumableDecision = iota ACCEPT ALWAYS_ACCEPT DENY )
func (ConsumableDecision) MarshalJSON ¶
func (d ConsumableDecision) MarshalJSON() ([]byte, error)
func (ConsumableDecision) String ¶
func (d ConsumableDecision) String() string
func (*ConsumableDecision) UnmarshalJSON ¶
func (d *ConsumableDecision) UnmarshalJSON(b []byte) error
type Consumer ¶
type Consumer struct { ID NumericIdentity Reverse *Consumer DeletionMark bool Decision ConsumableDecision }
Consumer is the entity that consumes a Consumable.
func NewConsumer ¶
func NewConsumer(id NumericIdentity) *Consumer
type Identity ¶
type Identity struct { // Identity's ID. ID NumericIdentity `json:"id"` // Endpoints that have this Identity where their value is the last time they were seen. Labels labels.Labels `json:"labels"` // Set of labels that belong to this Identity. Endpoints map[string]time.Time `json:"containers"` }
Identity is the representation of the security context for a particular set of labels.
func NewIdentity ¶
func NewIdentity() *Identity
func NewIdentityFromModel ¶
func (*Identity) AssociateEndpoint ¶
AssociateEndpoint associates the endpoint with identity.
func (*Identity) DisassociateEndpoint ¶
DisassociateEndpoint disassociates the endpoint endpoint with identity and return true if successful.
type L4Filter ¶
type L4Filter struct { // Port is the destination port to allow Port int `json:"port,omitempty"` // Protocol is the L4 protocol to allow or NONE Protocol string `json:"protocol,omitempty"` // L7Parser specifies the L7 protocol parser (optional) L7Parser string `json:"l7-parser,omitempty"` // L7RedirectPort is the L7 proxy port to redirect to (optional) L7RedirectPort int `json:"l7-redirect-port,omitempty"` // L7Rules is a list of L7 rules which are passed to the L7 proxy (optional) L7Rules []AuxRule `json:"l7-rules,omitempty"` }
func (*L4Filter) IsRedirect ¶
IsRedirect returns true if the L4 filter contains a port redirection
func (*L4Filter) UnmarshalJSON ¶
type L4Policy ¶
type L4Policy struct { // key format: "proto:port" Ingress L4PolicyMap Egress L4PolicyMap }
func NewL4Policy ¶
func NewL4Policy() *L4Policy
func (*L4Policy) HasRedirect ¶
HasRedirect returns true if the L4 policy contains at least one port redirection
func (*L4Policy) RequiresConntrack ¶
RequiresConntrack returns true if if the L4 configuration requires connection tracking to be enabled.
type L4PolicyMap ¶
func (L4PolicyMap) HasRedirect ¶
func (l4 L4PolicyMap) HasRedirect() bool
HasRedirect returns true if at least one L4 filter contains a port redirection
type Node ¶
type Node struct { Name string `json:"name"` Parent *Node `json:"-"` Rules []PolicyRule `json:"rules,omitempty"` Children map[string]*Node `json:"children,omitempty"` // contains filtered or unexported fields }
Node to define hierarchy of rules
func (*Node) Allows ¶
func (n *Node) Allows(ctx *SearchContext) ConsumableDecision
func (*Node) CanMerge ¶
CanMerge returns an error if obj cannot be safely merged into an existing node
func (*Node) Covers ¶
func (n *Node) Covers(ctx *SearchContext) bool
func (*Node) DebugString ¶
func (*Node) HasPolicyRule ¶
func (n *Node) HasPolicyRule(pr PolicyRule) bool
func (*Node) HasRules ¶
HasRules returns true if a node has any rules attached or at least one child.
func (*Node) IsMergeable ¶
IsMergeable returns true if the node is eligible to be merged with another node
func (*Node) JSONMarshal ¶
func (*Node) NormalizeNames ¶
NormalizeNames walks all policy nodes and normalizes the policy node name according to to the path specified. Takes a node with a list of optional children and the path to where the node is/will be located in the tree.
1. If the name of a node is omitted, the node name will be derived from the path. The element after the last node path delimiter is assumed to be the node name, e.g. rootNode.parentNode.name
2. If the node name is an absolute path, it must match the path but will be translated to a relative node name.
func (*Node) ResolveL4Policy ¶
func (n *Node) ResolveL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy
func (*Node) ResolveName ¶
ResolveName translates a possibly relative name to an absolute path relative to the node
func (*Node) ResolveTree ¶
func (*Node) UnmarshalJSON ¶
type NumericIdentity ¶
type NumericIdentity uint32
NumericIdentity represents an identity of an entity to which consumer policy can be applied to.
const ( ID_UNKNOWN NumericIdentity = iota ID_HOST ID_WORLD )
func GetReservedID ¶
func GetReservedID(name string) NumericIdentity
func ParseNumericIdentity ¶
func ParseNumericIdentity(id string) (NumericIdentity, error)
func (NumericIdentity) String ¶
func (id NumericIdentity) String() string
func (NumericIdentity) StringID ¶
func (id NumericIdentity) StringID() string
func (NumericIdentity) Uint32 ¶
func (id NumericIdentity) Uint32() uint32
Uint32 normalizes the ID for use in BPF program.
type PolicyRule ¶
type PolicyRule interface { // Resolve must resolve any internal label members to the full path // assuming that the rule is attached to the specified node. Resolve(node *Node) error // SHA256Sum must return the SHA256 hash over the policy rule SHA256Sum() (string, error) // CoverageSHA256Sum must return the SHA256 hash over the coverage // section of the policy rule CoverageSHA256Sum() (string, error) // IsMergeable must return true if a rule allows merging with other // rules within a node. Certain rules are not additive and require // strict ordering, such rules may never be merged in a node as // merging may occur in undefined order. IsMergeable() bool }
type Privilege ¶
type Privilege byte
Privilege represents the privileges available to define for a policy node.
func (Privilege) MarshalJSON ¶
func (*Privilege) UnmarshalJSON ¶
type RuleConsumers ¶
type RuleConsumers struct { Coverage []labels.Label `json:"coverage,omitempty"` Allow []AllowRule `json:"allow"` }
RuleConsumers allows the following consumers.
func (*RuleConsumers) Allows ¶
func (prc *RuleConsumers) Allows(ctx *SearchContext) ConsumableDecision
func (*RuleConsumers) CoverageSHA256Sum ¶
func (prc *RuleConsumers) CoverageSHA256Sum() (string, error)
func (*RuleConsumers) IsMergeable ¶
func (prc *RuleConsumers) IsMergeable() bool
func (*RuleConsumers) Resolve ¶
func (prc *RuleConsumers) Resolve(node *Node) error
func (*RuleConsumers) SHA256Sum ¶
func (prc *RuleConsumers) SHA256Sum() (string, error)
func (*RuleConsumers) String ¶
func (prc *RuleConsumers) String() string
type RuleL4 ¶
type RuleL4 struct { Coverage []labels.Label `json:"coverage,omitempty"` Allow []AllowL4 `json:"l4"` }
func (*RuleL4) CoverageSHA256Sum ¶
func (*RuleL4) GetL4Policy ¶
func (l4 *RuleL4) GetL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy
func (*RuleL4) IsMergeable ¶
type RuleRequires ¶
type RuleRequires struct { Coverage []labels.Label `json:"coverage,omitempty"` Requires []labels.Label `json:"requires"` }
RuleRequires any further consumer requires the specified list of labels in order to consume.
func (*RuleRequires) Allows ¶
func (prr *RuleRequires) Allows(ctx *SearchContext) ConsumableDecision
Allows a require rule imposes additional label requirements but does not imply access immediately. Hence if the label context is not sufficient access can be denied but fullfillment of the requirement only leads to the decision being UNDECIDED waiting on an explicit allow rule further down the tree
func (*RuleRequires) CoverageSHA256Sum ¶
func (prr *RuleRequires) CoverageSHA256Sum() (string, error)
func (*RuleRequires) IsMergeable ¶
func (prr *RuleRequires) IsMergeable() bool
func (*RuleRequires) Resolve ¶
func (prr *RuleRequires) Resolve(node *Node) error
func (*RuleRequires) SHA256Sum ¶
func (prr *RuleRequires) SHA256Sum() (string, error)
func (*RuleRequires) String ¶
func (prr *RuleRequires) String() string
type SearchContext ¶
type SearchContext struct { Trace Tracing Depth int Logging *logging.LogBackend // TODO: Put this as []*Label? From []labels.Label To []labels.Label }
func (*SearchContext) CallDepth ¶
func (s *SearchContext) CallDepth() string
func (*SearchContext) String ¶
func (s *SearchContext) String() string
func (*SearchContext) TargetCoveredBy ¶
func (s *SearchContext) TargetCoveredBy(coverage []labels.Label) bool
type SearchContextReply ¶
type SearchContextReply struct { Logging []byte Decision ConsumableDecision }
type Tree ¶
Tree overall policy tree.
func (*Tree) Allows ¶
func (t *Tree) Allows(ctx *SearchContext) ConsumableDecision
func (*Tree) ResolveL4Policy ¶
func (t *Tree) ResolveL4Policy(ctx *SearchContext) *L4Policy