Affected by GO-2023-1643 and 8 other vulnerabilities

GO-2023-1643: Potential network policy bypass when routing IPv6 traffic in github.com/cilium/cilium

GO-2023-1730: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium

GO-2023-1785: Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium

GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

ingress

package

v1.12.3 Latest Latest Go to latest Published: Oct 12, 2022 License: Apache-2.0 Imports: 41 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Open Source Insights

Documentation ¶

Overview ¶

Package ingress contains all the logic for Cilium Ingress Controller For every Ingress object, the controller will check if spec.ingressClassName is cilium, then perform the respective operations

Create one Load Balancer service, the external IP/FQDN is available will bubble up to Ingress status once ready.
Create CiliumEnvoyConfig with all routing details.
Create dummy Endpoint for above LB service

All above child resources are having respective ownerReferences for proper cleanup.

There is a small secret sync component, which will watch all tls ingress secrets and sync them to another give namespace. This is to limit the permission during runtime in all nodes.

Index ¶

Constants
Variables
type IngressController
- func NewIngressController(options ...Option) (*IngressController, error)
- func (ic *IngressController) Run()
type Option
type Options
type SortableRoute

Constants ¶

View Source

const Subsys = "ingress-controller"

Variables ¶

View Source

var DefaultIngressOptions = Options{
	MaxRetries:           10,
	EnforcedHTTPS:        true,
	EnabledSecretsSync:   true,
	LBAnnotationPrefixes: []string{},
}

DefaultIngressOptions specifies default values for cilium ingress controller.

Functions ¶

This section is empty.

Types ¶

type IngressController ¶ added in v1.12.0

type IngressController struct {
	// contains filtered or unexported fields
}

IngressController is a simple pattern that allows to perform the following tasks:

Watch cilium Ingress object
Manage related child resources for this Ingress
Service
Endpoint
CiliumEnvoyConfig
Manage synced TLS secrets in given namespace
TLS secrets

func NewIngressController ¶ added in v1.12.0

func NewIngressController(options ...Option) (*IngressController, error)

NewIngressController returns a controller for ingress objects having ingressClassName as cilium

func (*IngressController) Run ¶ added in v1.12.0

func (ic *IngressController) Run()

Run kicks off the controlled loop

type Option ¶

type Option func(o *Options) error

Option customizes the configuration of cilium ingress controller

func WithHTTPSEnforced ¶

func WithHTTPSEnforced(enforcedHTTPS bool) Option

WithHTTPSEnforced specifies if https enforcement should be done or not

func WithLBAnnotationPrefixes ¶

func WithLBAnnotationPrefixes(lbAnnotationPrefixes []string) Option

WithLBAnnotationPrefixes configures LB annotations to be used for LB service

func WithMaxRetries ¶

func WithMaxRetries(maxRetries int) Option

WithMaxRetries sets the maximum number of retries while processing events

func WithSecretsNamespace ¶

func WithSecretsNamespace(secretsNamespace string) Option

WithSecretsNamespace configures destination namespace for syncing all TLS secrets across namespaces.

func WithSecretsSyncEnabled ¶

func WithSecretsSyncEnabled(enabledSecretsSync bool) Option

WithSecretsSyncEnabled specifies if secrets syncs process should be done or not

type Options ¶

type Options struct {
	MaxRetries           int
	EnforcedHTTPS        bool
	EnabledSecretsSync   bool
	SecretsNamespace     string
	LBAnnotationPrefixes []string
}

Options stores all the configurations values for cilium ingress controller.

type SortableRoute ¶ added in v1.12.0

type SortableRoute []*envoy_config_route_v3.Route

SortableRoute is a slice of envoy Route, which can be sorted based on matching order as per Ingress requirement.

- Exact Match must have the highest priority - If multiple prefix matches are satisfied, the longest path is having higher priority

As Envoy route matching logic is done sequentially, we need to enforce such sorting order.

func (SortableRoute) Len ¶ added in v1.12.0

func (s SortableRoute) Len() int

func (SortableRoute) Less ¶ added in v1.12.0

func (s SortableRoute) Less(i, j int) bool

func (SortableRoute) Swap ¶ added in v1.12.0

func (s SortableRoute) Swap(i, j int)

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
annotations Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults.	Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL