Affected by GO-2023-2078 and 5 other vulnerabilities

GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

egressgateway

package

v1.12.11 Latest Latest Go to latest Published: Jun 14, 2023 License: Apache-2.0 Imports: 27 Imported by: 2

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Open Source Insights

Documentation ¶

Overview ¶

Package egressgateway defines an internal representation of the Cilium Egress Policy. The structures are managed by the Manager.

Index ¶

func ParseCEGPConfigID(cegp *v2.CiliumEgressGatewayPolicy) types.NamespacedName
func ParseCENPConfigID(cenp *v2alpha1.CiliumEgressNATPolicy) types.NamespacedName
type Manager
- func NewEgressGatewayManager(k8sCacheSyncedChecker k8sCacheSyncedChecker, ...) *Manager
type PolicyConfig
- func ParseCEGP(cegp *v2.CiliumEgressGatewayPolicy) (*PolicyConfig, error)
- func ParseCENP(cenp *v2alpha1.CiliumEgressNATPolicy) (*PolicyConfig, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ParseCEGPConfigID ¶

func ParseCEGPConfigID(cegp *v2.CiliumEgressGatewayPolicy) types.NamespacedName

ParseCEGPConfigID takes a CiliumEgressGatewayPolicy CR and returns only the config id

func ParseCENPConfigID ¶ added in v1.12.0

func ParseCENPConfigID(cenp *v2alpha1.CiliumEgressNATPolicy) types.NamespacedName

ParseCENPConfigID takes a CiliumEgressNATPolicy CR and returns only the config id

Types ¶

type Manager ¶

type Manager struct {
	lock.Mutex
	// contains filtered or unexported fields
}

The egressgateway manager stores the internal data tracking the node, policy, endpoint, and lease mappings. It also hooks up all the callbacks to update egress bpf policy map accordingly.

func NewEgressGatewayManager ¶

func NewEgressGatewayManager(k8sCacheSyncedChecker k8sCacheSyncedChecker, identityAlocator identityCache.IdentityAllocator, installRoutes bool) *Manager

NewEgressGatewayManager returns a new Egress Gateway Manager.

func (*Manager) OnAddEgressPolicy ¶ added in v1.10.6

func (manager *Manager) OnAddEgressPolicy(config PolicyConfig)

OnAddEgressPolicy parses the given policy config, and updates internal state with the config fields.

func (*Manager) OnDeleteEgressPolicy ¶ added in v1.10.6

func (manager *Manager) OnDeleteEgressPolicy(configID policyID)

OnDeleteEgressPolicy deletes the internal state associated with the given policy, including egress eBPF map entries.

func (*Manager) OnDeleteEndpoint ¶

func (manager *Manager) OnDeleteEndpoint(endpoint *k8sTypes.CiliumEndpoint)

OnDeleteEndpoint is the event handler for endpoint deletions.

func (*Manager) OnDeleteNode ¶

func (manager *Manager) OnDeleteNode(node nodeTypes.Node)

OnDeleteNode is the event handler for node deletions.

func (*Manager) OnUpdateEndpoint ¶

func (manager *Manager) OnUpdateEndpoint(endpoint *k8sTypes.CiliumEndpoint)

OnUpdateEndpoint is the event handler for endpoint additions and updates.

func (*Manager) OnUpdateNode ¶

func (manager *Manager) OnUpdateNode(node nodeTypes.Node)

OnUpdateNode is the event handler for node additions and updates.

type PolicyConfig ¶

type PolicyConfig struct {
	// contains filtered or unexported fields
}

PolicyConfig is the internal representation of Cilium Egress NAT Policy.

func ParseCEGP ¶

func ParseCEGP(cegp *v2.CiliumEgressGatewayPolicy) (*PolicyConfig, error)

ParseCEGP takes a CiliumEgressGatewayPolicy CR and converts to PolicyConfig, the internal representation of the egress gateway policy

func ParseCENP ¶ added in v1.12.0

func ParseCENP(cenp *v2alpha1.CiliumEgressNATPolicy) (*PolicyConfig, error)

ParseCENP takes a CiliumEgressNATPolicy CR and converts to PolicyConfig, the internal representation of the egress nat policy

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL