Affected by GO-2024-2656 and 2 other vulnerabilities

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

ingress

package

v1.13.0-rc5 Latest Latest Go to latest Published: Jan 24, 2023 License: Apache-2.0 Imports: 28 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Documentation ¶

Overview ¶

Package ingress contains all the logic for Cilium Ingress Controller. Only Ingress resources having spec.ingressClassName set to "cilium" are managed and processed by Cilium Ingress Controller.

Two LB modes are supported:

dedicated LB mode: a dedicated LB is used for each Ingress.
shared LB mode: all eligible Ingresses are using the same LB.

Each LB mode will have its own translation logic, which converts Ingress resource(s) into internal representation, and then turns it into a set of Cilium configurations (e.g. CiliumEnvoyConfig, LB Service, Endpoints etc.).

Create one Load Balancer service, the external IP/FQDN is available will bubble up to Ingress status once ready. (dedicated LB mode only)
Create dummy Endpoint for above LB service. (dedicated LB mode only)
Create CiliumEnvoyConfig with all routing details. (both modes)

There is a small secret sync component, which will watch all tls ingress secrets and sync them to another give namespace. This is to limit the permission during runtime in all nodes.

Index ¶

Constants
Variables
type Controller
- func NewController(clientset k8sClient.Clientset, options ...Option) (*Controller, error)
- func (ic *Controller) Run()
type Option
type Options

Constants ¶

View Source

const Subsys = "ingress-controller"

Variables ¶

View Source

var DefaultIngressOptions = Options{
	MaxRetries:              10,
	EnforcedHTTPS:           true,
	EnabledSecretsSync:      true,
	LBAnnotationPrefixes:    []string{},
	SharedLBServiceName:     "cilium-ingress",
	CiliumNamespace:         "kube-system",
	DefaultLoadbalancerMode: "shared",
}

DefaultIngressOptions specifies default values for cilium ingress controller.

Functions ¶

This section is empty.

Types ¶

type Controller ¶

type Controller struct {
	// contains filtered or unexported fields
}

Controller is a simple pattern that allows to perform the following tasks:

Watch cilium Ingress object
Manage related child resources for this Ingress - Service - Endpoint - CiliumEnvoyConfig
Manage synced TLS secrets in given namespace - TLS secrets

func NewController ¶

func NewController(clientset k8sClient.Clientset, options ...Option) (*Controller, error)

NewController returns a controller for ingress objects having ingressClassName as cilium

func (*Controller) Run ¶

func (ic *Controller) Run()

Run kicks off the controlled loop

type Option ¶

type Option func(o *Options) error

Option customizes the configuration of cilium ingress controller

func WithCiliumNamespace ¶

func WithCiliumNamespace(ciliumNamespace string) Option

WithCiliumNamespace configures the namespace of cilium

func WithDefaultLoadbalancerMode ¶

func WithDefaultLoadbalancerMode(defaultLoadbalancerMode string) Option

WithDefaultLoadbalancerMode configures the default loadbalancer mode

func WithHTTPSEnforced ¶

func WithHTTPSEnforced(enforcedHTTPS bool) Option

WithHTTPSEnforced specifies if https enforcement should be done or not

func WithLBAnnotationPrefixes ¶

func WithLBAnnotationPrefixes(lbAnnotationPrefixes []string) Option

WithLBAnnotationPrefixes configures LB annotations to be used for LB service

func WithMaxRetries ¶

func WithMaxRetries(maxRetries int) Option

WithMaxRetries sets the maximum number of retries while processing events

func WithSecretsNamespace ¶

func WithSecretsNamespace(secretsNamespace string) Option

WithSecretsNamespace configures destination namespace for syncing all TLS secrets across namespaces.

func WithSecretsSyncEnabled ¶

func WithSecretsSyncEnabled(enabledSecretsSync bool) Option

WithSecretsSyncEnabled specifies if secrets syncs process should be done or not

func WithSharedLBServiceName ¶

func WithSharedLBServiceName(sharedLBServiceName string) Option

WithSharedLBServiceName configures the name of the shared LB service

type Options ¶

type Options struct {
	MaxRetries              int
	EnforcedHTTPS           bool
	EnabledSecretsSync      bool
	SecretsNamespace        string
	LBAnnotationPrefixes    []string
	SharedLBServiceName     string
	CiliumNamespace         string
	DefaultLoadbalancerMode string
}

Options stores all the configurations values for cilium ingress controller.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
annotations Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults.	Package annotations contains all annotations that supported by cilium ingress controller along with some sensible defaults.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL