Affected by GO-2023-2078 and 5 other vulnerabilities

GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

ingress

package

v1.12.0-rc3 Latest Latest Go to latest Published: Jun 22, 2022 License: Apache-2.0 Imports: 41 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Documentation ¶

Overview ¶

Package ingress contains all the logic for Cilium Ingress Controller For every Ingress object, the controller will check if spec.ingressClassName is cilium, then perform the respective operations

Create one Load Balancer service, the external IP/FQDN is available will bubble up to Ingress status once ready.
Create CiliumEnvoyConfig with all routing details.
Create dummy Endpoint for above LB service

All above child resources are having respective ownerReferences for proper cleanup.

There is a small secret sync component, which will watch all tls ingress secrets and sync them to another give namespace. This is to limit the permission during runtime in all nodes.

Index ¶

Constants
Variables
type IngressController
- func NewIngressController(options ...Option) (*IngressController, error)
- func (ic *IngressController) Run()
type Option
type Options
type SortableRoute

Constants ¶

View Source

const Subsys = "ingress-controller"

Variables ¶

View Source

var DefaultIngressOptions = Options{
	MaxRetries:         10,
	EnforcedHTTPS:      true,
	EnabledSecretsSync: true,
}

DefaultIngressOptions specifies default values for cilium ingress controller.

Functions ¶

This section is empty.

Types ¶

type IngressController ¶ added in v1.12.0

type IngressController struct {
	// contains filtered or unexported fields
}

IngressController is a simple pattern that allows to perform the following tasks:

Watch cilium Ingress object
Manage related child resources for this Ingress
Service
Endpoint
CiliumEnvoyConfig
Manage synced TLS secrets in given namespace
TLS secrets

func NewIngressController ¶ added in v1.12.0

func NewIngressController(options ...Option) (*IngressController, error)

NewIngressController returns a controller for ingress objects having ingressClassName as cilium

func (*IngressController) Run ¶ added in v1.12.0

func (ic *IngressController) Run()

Run kicks off the controlled loop

type Option ¶

type Option func(o *Options) error

Option customizes the configuration of cilium ingress controller

func WithHTTPSEnforced ¶

func WithHTTPSEnforced(enforcedHTTPS bool) Option

WithHTTPSEnforced specifies if https enforcement should be done or not

func WithMaxRetries ¶

func WithMaxRetries(maxRetries int) Option

WithMaxRetries sets the maximum number of retries while processing events

func WithSecretsNamespace ¶

func WithSecretsNamespace(secretsNamespace string) Option

WithSecretsNamespace configures destination namespace for syncing all TLS secrets across namespaces.

func WithSecretsSyncEnabled ¶

func WithSecretsSyncEnabled(enabledSecretsSync bool) Option

WithSecretsSyncEnabled specifies if secrets syncs process should be done or not

type Options ¶

type Options struct {
	MaxRetries         int
	EnforcedHTTPS      bool
	EnabledSecretsSync bool
	SecretsNamespace   string
}

Options stores all the configurations values for cilium ingress controller.

type SortableRoute ¶ added in v1.12.0

type SortableRoute []*envoy_config_route_v3.Route

SortableRoute is a slice of envoy Route, which can be sorted based on matching order as per Ingress requirement.

- Exact Match must have the highest priority - If multiple prefix matches are satisfied, the longest path is having higher priority

As Envoy route matching logic is done sequentially, we need to enforce such sorting order.

func (SortableRoute) Len ¶ added in v1.12.0

func (s SortableRoute) Len() int

func (SortableRoute) Less ¶ added in v1.12.0

func (s SortableRoute) Less(i, j int) bool

func (SortableRoute) Swap ¶ added in v1.12.0

func (s SortableRoute) Swap(i, j int)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
annotations Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults.	Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL