Documentation ¶
Index ¶
- Variables
- type CachingIdentityAllocator
- func (m *CachingIdentityAllocator) AllocateIdentity(ctx context.Context, lbls labels.Labels, notifyOwner bool, ...) (id *identity.Identity, allocated bool, err error)
- func (m *CachingIdentityAllocator) Close()
- func (m *CachingIdentityAllocator) GetIdentities() IdentitiesModel
- func (m *CachingIdentityAllocator) GetIdentityCache() IdentityCache
- func (m *CachingIdentityAllocator) InitIdentityAllocator(client clientset.Interface, identityStore cache.Store) <-chan struct{}
- func (m *CachingIdentityAllocator) LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity
- func (m *CachingIdentityAllocator) LookupIdentityByID(ctx context.Context, id identity.NumericIdentity) *identity.Identity
- func (m *CachingIdentityAllocator) Release(ctx context.Context, id *identity.Identity, notifyOwner bool) (released bool, err error)
- func (m *CachingIdentityAllocator) ReleaseSlice(ctx context.Context, owner IdentityAllocatorOwner, ...) error
- func (m *CachingIdentityAllocator) WaitForInitialGlobalIdentities(ctx context.Context) error
- func (m *CachingIdentityAllocator) WatchRemoteIdentities(backend kvstore.BackendOperations) (*allocator.RemoteCache, error)
- type GlobalIdentity
- type IdentitiesModel
- type IdentityAllocator
- type IdentityAllocatorOwner
- type IdentityCache
Constants ¶
This section is empty.
Variables ¶
var ( // IdentitiesPath is the path to where identities are stored in the // key-value store. IdentitiesPath = path.Join(kvstore.BaseKeyPrefix, "state", "identities", "v1") )
Functions ¶
This section is empty.
Types ¶
type CachingIdentityAllocator ¶
type CachingIdentityAllocator struct { // IdentityAllocator is an allocator for security identities from the // kvstore. IdentityAllocator *allocator.Allocator // contains filtered or unexported fields }
CachingIdentityAllocator manages the allocation of identities for both global and local identities.
func NewCachingIdentityAllocator ¶
func NewCachingIdentityAllocator(owner IdentityAllocatorOwner) *CachingIdentityAllocator
NewCachingIdentityAllocator creates a new instance of an CachingIdentityAllocator.
func (*CachingIdentityAllocator) AllocateIdentity ¶
func (m *CachingIdentityAllocator) AllocateIdentity(ctx context.Context, lbls labels.Labels, notifyOwner bool, oldNID identity.NumericIdentity) (id *identity.Identity, allocated bool, err error)
AllocateIdentity allocates an identity described by the specified labels. If an identity for the specified set of labels already exist, the identity is re-used and reference counting is performed, otherwise a new identity is allocated via the kvstore or via the local identity allocator. A possible previously used numeric identity for these labels can be passed in as the 'oldNID' parameter; identity.InvalidIdentity must be passed if no previous numeric identity exists.
func (*CachingIdentityAllocator) Close ¶
func (m *CachingIdentityAllocator) Close()
Close closes the identity allocator and allows to call InitIdentityAllocator() again.
func (*CachingIdentityAllocator) GetIdentities ¶
func (m *CachingIdentityAllocator) GetIdentities() IdentitiesModel
GetIdentities returns all known identities
func (*CachingIdentityAllocator) GetIdentityCache ¶
func (m *CachingIdentityAllocator) GetIdentityCache() IdentityCache
GetIdentityCache returns a cache of all known identities
func (*CachingIdentityAllocator) InitIdentityAllocator ¶
func (m *CachingIdentityAllocator) InitIdentityAllocator(client clientset.Interface, identityStore cache.Store) <-chan struct{}
InitIdentityAllocator creates the global identity allocator. Only the first invocation of this function will have an effect. The Caller must have initialized well known identities before calling this (by calling identity.InitWellKnownIdentities()). client and identityStore are only used by the CRD identity allocator, currently, and identityStore may be nil. Returns a channel which is closed when initialization of the allocator is completed. TODO: identity backends are initialized directly in this function, pulling in dependencies on kvstore and k8s. It would be better to decouple this, since the backends are an interface.
func (*CachingIdentityAllocator) LookupIdentity ¶
func (m *CachingIdentityAllocator) LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity
LookupIdentity looks up the identity by its labels but does not create it. This function will first search through the local cache, then the caches for remote kvstores and finally fall back to the main kvstore. May return nil for lookups if the allocator has not yet been synchronized.
func (*CachingIdentityAllocator) LookupIdentityByID ¶
func (m *CachingIdentityAllocator) LookupIdentityByID(ctx context.Context, id identity.NumericIdentity) *identity.Identity
LookupIdentityByID returns the identity by ID. This function will first search through the local cache, then the caches for remote kvstores and finally fall back to the main kvstore May return nil for lookups if the allocator has not yet been synchronized.
func (*CachingIdentityAllocator) Release ¶
func (m *CachingIdentityAllocator) Release(ctx context.Context, id *identity.Identity, notifyOwner bool) (released bool, err error)
Release is the reverse operation of AllocateIdentity() and releases the identity again. This function may result in kvstore operations. After the last user has released the ID, the returned lastUse value is true.
func (*CachingIdentityAllocator) ReleaseSlice ¶
func (m *CachingIdentityAllocator) ReleaseSlice(ctx context.Context, owner IdentityAllocatorOwner, identities []*identity.Identity) error
ReleaseSlice attempts to release a set of identities. It is a helper function that may be useful for cleaning up multiple identities in paths where several identities may be allocated and another error means that they should all be released.
func (*CachingIdentityAllocator) WaitForInitialGlobalIdentities ¶
func (m *CachingIdentityAllocator) WaitForInitialGlobalIdentities(ctx context.Context) error
WaitForInitialGlobalIdentities waits for the initial set of global security identities to have been received and populated into the allocator cache.
func (*CachingIdentityAllocator) WatchRemoteIdentities ¶
func (m *CachingIdentityAllocator) WatchRemoteIdentities(backend kvstore.BackendOperations) (*allocator.RemoteCache, error)
WatchRemoteIdentities starts watching for identities in another kvstore and syncs all identities to the local identity cache.
type GlobalIdentity ¶ added in v1.6.0
type GlobalIdentity struct {
labels.LabelArray
}
GlobalIdentity is the structure used to store an identity
func (GlobalIdentity) GetAsMap ¶ added in v1.6.0
func (gi GlobalIdentity) GetAsMap() map[string]string
GetAsMap encodes a GlobalIdentity a map of keys to values. The keys will include a source delimted by a ':'. This output is pareable by PutKeyFromMap.
func (GlobalIdentity) GetKey ¶ added in v1.6.0
func (gi GlobalIdentity) GetKey() string
GetKey encodes an Identity as string
func (GlobalIdentity) PutKey ¶ added in v1.6.0
func (gi GlobalIdentity) PutKey(v string) allocator.AllocatorKey
PutKey decodes an Identity from its string representation
func (GlobalIdentity) PutKeyFromMap ¶ added in v1.6.0
func (gi GlobalIdentity) PutKeyFromMap(v map[string]string) allocator.AllocatorKey
PutKeyFromMap decodes an Identity from a map of key to value. Output from GetAsMap can be parsed. Note: NewLabelArrayFromMap will parse the ':' separated label source from the keys because the source parameter is ""
type IdentitiesModel ¶
IdentitiesModel is a wrapper so that we can implement the sort.Interface to sort the slice by ID
func (IdentitiesModel) FromIdentityCache ¶
func (s IdentitiesModel) FromIdentityCache(cache IdentityCache) IdentitiesModel
FromIdentityCache populates the provided model from an identity cache.
func (IdentitiesModel) Less ¶
func (s IdentitiesModel) Less(i, j int) bool
Less returns true if the element in index `i` is lower than the element in index `j`
type IdentityAllocator ¶
type IdentityAllocator interface { // WaitForInitialGlobalIdentities waits for the initial set of global // security identities to have been received. WaitForInitialGlobalIdentities(context.Context) error // AllocateIdentity allocates an identity described by the specified labels. // A possible previously used numeric identity for these labels can be passed // in as the last parameter; identity.InvalidIdentity must be passed if no // previous numeric identity exists. AllocateIdentity(context.Context, labels.Labels, bool, identity.NumericIdentity) (*identity.Identity, bool, error) // Release is the reverse operation of AllocateIdentity() and releases the // specified identity. Release(context.Context, *identity.Identity, bool) (released bool, err error) // ReleaseSlice is the slice variant of Release(). ReleaseSlice(context.Context, IdentityAllocatorOwner, []*identity.Identity) error // LookupIdentityByID returns the identity that corresponds to the given // labels. LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity // LookupIdentityByID returns the identity that corresponds to the given // numeric identity. LookupIdentityByID(ctx context.Context, id identity.NumericIdentity) *identity.Identity // GetIdentityCache returns the current cache of identities that the // allocator has allocated. The caller should not modify the resulting // identities by pointer. GetIdentityCache() IdentityCache // GetIdentities returns a copy of the current cache of identities. GetIdentities() IdentitiesModel // AllocateCIDRsForIPs attempts to allocate identities for a list of // CIDRs. If any allocation fails, all allocations are rolled back and // the error is returned. When an identity is freshly allocated for a // CIDR, it is added to the ipcache if 'newlyAllocatedIdentities' is // 'nil', otherwise the newly allocated identities are placed in // 'newlyAllocatedIdentities' and it is the caller's responsibility to // upsert them into ipcache by calling UpsertGeneratedIdentities(). // // Upon success, the caller must also arrange for the resulting identities to // be released via a subsequent call to ReleaseCIDRIdentitiesByID(). // // The implementation for this function currently lives in pkg/ipcache. AllocateCIDRsForIPs(ips []net.IP, newlyAllocatedIdentities map[netip.Prefix]*identity.Identity) ([]*identity.Identity, error) // ReleaseCIDRIdentitiesByID() is a wrapper for ReleaseSlice() that // also handles ipcache entries. ReleaseCIDRIdentitiesByID(context.Context, []identity.NumericIdentity) }
IdentityAllocator is any type which is responsible for allocating security identities based of sets of labels, and caching information about identities locally.
type IdentityAllocatorOwner ¶
type IdentityAllocatorOwner interface { // UpdateIdentities will be called when identities have changed // // The caller is responsible for making sure the same identity // is not present in both 'added' and 'deleted', so that they // can be processed in either order. UpdateIdentities(added, deleted IdentityCache) // GetSuffix must return the node specific suffix to use GetNodeSuffix() string }
IdentityAllocatorOwner is the interface the owner of an identity allocator must implement
type IdentityCache ¶
type IdentityCache map[identity.NumericIdentity]labels.LabelArray
IdentityCache is a cache of identity to labels mapping