Affected by GO-2022-0959 and 9 other vulnerabilities

GO-2022-0959: Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium

GO-2023-1643: Potential network policy bypass when routing IPv6 traffic in github.com/cilium/cilium

GO-2023-1730: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium

GO-2023-1785: Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium

GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

agent

package

v1.11.7 Latest Latest Go to latest Published: Jul 15, 2022 License: Apache-2.0 Imports: 29 Imported by: 1

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Open Source Insights

Documentation ¶

Overview ¶

This package contains the agent code used to configure the Wireguard tunnel between nodes. The code supports adding and removing peers at run-time and the peer information is retrieved via the CiliumNode object.

Index ¶

type Agent
- func NewAgent(privKeyPath string) (*Agent, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

This section is empty.

Types ¶

type Agent ¶

type Agent struct {
	lock.RWMutex
	// contains filtered or unexported fields
}

Agent needs to be initialized with Init(). In Init(), the Wireguard tunnel device will be created and the proper routes set. During Init(), existing peer keys are placed into `restoredPubKeys`. Once RestoreFinished() is called obsolete keys and peers are removed. UpdatePeer() inserts or updates the public key of peer discovered via the node manager.

func NewAgent ¶

func NewAgent(privKeyPath string) (*Agent, error)

NewAgent creates a new Wireguard Agent

func (*Agent) Close ¶

func (a *Agent) Close() error

Close is called when the agent stops

func (*Agent) DeletePeer ¶

func (a *Agent) DeletePeer(nodeName string) error

func (*Agent) Init ¶

func (a *Agent) Init(mtuConfig mtu.Configuration) error

Init creates and configures the local WireGuard tunnel device.

func (*Agent) OnIPIdentityCacheChange ¶

func (a *Agent) OnIPIdentityCacheChange(modType ipcache.CacheModification, ipnet net.IPNet, oldHostIP, newHostIP net.IP,
	_ *ipcache.Identity, _ ipcache.Identity, _ uint8, _ *ipcache.K8sMetadata)

OnIPIdentityCacheChange implements ipcache.IPIdentityMappingListener

func (*Agent) OnIPIdentityCacheGC ¶

func (a *Agent) OnIPIdentityCacheGC()

OnIPIdentityCacheGC implements ipcache.IPIdentityMappingListener

func (*Agent) RestoreFinished ¶

func (a *Agent) RestoreFinished() error

func (*Agent) Status ¶

func (a *Agent) Status(withPeers bool) (*models.WireguardStatus, error)

Status returns the state of the Wireguard tunnel managed by this instance. If withPeers is true, then the details about each connected peer are are populated as well.

func (*Agent) UpdatePeer ¶

func (a *Agent) UpdatePeer(nodeName, pubKeyHex string, nodeIPv4, nodeIPv6 net.IP) error

Source Files ¶

View all Source files

agent.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL