Documentation ¶
Index ¶
- Constants
- func GetAuthType(auth *api.Authentication) (HasAuthType, AuthType)
- func GetCIDRPrefixes(rules api.Rules) []netip.Prefix
- func GetPolicyEnabled() string
- func GetPrefixesFromCIDRSet(rules api.CIDRRuleSlice) []netip.Prefix
- func JSONMarshalRules(rules api.Rules) string
- func JoinPath(a, b string) string
- func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, err error)
- func ProxyID(endpointID uint16, ingress bool, protocol string, port uint16) string
- func ProxyIDFromKey(endpointID uint16, key Key) string
- func SetPolicyEnabled(val string)
- type AddOptions
- type AuthMap
- type AuthType
- type AuthTypes
- type CachedSelectionUser
- type CachedSelector
- type CachedSelectorSlice
- type ChangeState
- type DeleteOptions
- type DirectionalVisibilityPolicy
- type Endpoint
- type EndpointPolicy
- func (p *EndpointPolicy) AllowsIdentity(identity identity.NumericIdentity) (ingress, egress bool)
- func (p EndpointPolicy) Attach(ctx PolicyContext)
- func (p *EndpointPolicy) ConsumeMapChanges() (adds, deletes Keys)
- func (p *EndpointPolicy) Detach()
- func (p EndpointPolicy) DistillPolicy(policyOwner PolicyOwner, isHost bool) *EndpointPolicy
- func (p *EndpointPolicy) UpdateRedirects(ingress bool, getProxyPort getProxyPortFunc, changes ChangeState)
- type EndpointSet
- type HasAuthType
- type Identities
- type Key
- type Keys
- type L4DirectionPolicy
- type L4Filter
- func (l4 *L4Filter) CopyL7RulesPerEndpoint() L7DataMap
- func (l4 *L4Filter) GetIngress() bool
- func (l4 *L4Filter) GetL7Parser() L7ParserType
- func (l4 *L4Filter) GetListener() string
- func (l4 *L4Filter) GetPort() uint16
- func (l4 *L4Filter) IdentitySelectionUpdated(selector CachedSelector, added, deleted []identity.NumericIdentity)
- func (l4 *L4Filter) IsRedirect() bool
- func (l4 *L4Filter) Marshal() string
- func (l4 *L4Filter) SelectsAllEndpoints() bool
- func (l4 *L4Filter) String() string
- type L4Policy
- func (l4 *L4Policy) AccumulateMapChanges(cs CachedSelector, adds, deletes []identity.NumericIdentity, ...)
- func (l4 *L4Policy) Attach(ctx PolicyContext)
- func (l4 *L4Policy) Detach(selectorCache *SelectorCache)
- func (l4 *L4Policy) GetModel() *models.L4Policy
- func (l4 *L4Policy) HasEnvoyRedirect() bool
- func (l4 *L4Policy) HasProxylibRedirect() bool
- func (l4 *L4Policy) HasRedirect() bool
- type L4PolicyMap
- type L7DataMap
- type L7ParserType
- type MapChange
- type MapChanges
- type MapState
- func (keys MapState) AddDependent(owner Key, dependent Key, changes ChangeState)
- func (keys MapState) AddVisibilityKeys(e PolicyOwner, redirectPort uint16, visMeta *VisibilityMetadata, ...)
- func (keys MapState) AllowAllIdentities(ingress, egress bool)
- func (keys MapState) DetermineAllowLocalhostIngress()
- func (pms MapState) GetDenyIdentities(log *logrus.Logger) (ingIdentities, egIdentities []int64)
- func (pms MapState) GetIdentities(log *logrus.Logger) (ingIdentities, egIdentities []int64)
- func (keys MapState) RemoveDependent(owner Key, dependent Key, changes ChangeState)
- func (keys MapState) RevertChanges(changes ChangeState)
- type MapStateEntry
- func (e *MapStateEntry) AddDependent(key Key)
- func (e *MapStateEntry) DatapathEqual(o *MapStateEntry) bool
- func (e *MapStateEntry) DeepEqual(o *MapStateEntry) bool
- func (e *MapStateEntry) HasDependent(key Key) bool
- func (e *MapStateEntry) IsRedirectEntry() bool
- func (e *MapStateEntry) Merge(entry *MapStateEntry)
- func (e *MapStateEntry) RemoveDependent(key Key)
- func (e MapStateEntry) String() string
- type MapStateOwner
- type PerSelectorPolicy
- type PolicyCache
- func (cache *PolicyCache) GetAuthTypes(localID, remoteID identityPkg.NumericIdentity) AuthTypes
- func (cache *PolicyCache) GetSelectorCache() *SelectorCache
- func (cache *PolicyCache) LocalEndpointIdentityAdded(identity *identityPkg.Identity)
- func (cache *PolicyCache) LocalEndpointIdentityRemoved(identity *identityPkg.Identity)
- func (cache *PolicyCache) Lookup(identity *identityPkg.Identity) SelectorPolicy
- func (cache *PolicyCache) UpdatePolicy(identity *identityPkg.Identity) error
- type PolicyContext
- type PolicyOwner
- type ProxyPolicy
- type Repository
- func (p *Repository) Add(r api.Rule, localRuleConsumers []Endpoint) (uint64, map[uint16]struct{}, error)
- func (p *Repository) AddList(rules api.Rules) (ruleSlice, uint64)
- func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64)
- func (p *Repository) AllowsEgressRLocked(ctx *SearchContext) api.Decision
- func (p *Repository) AllowsIngressRLocked(ctx *SearchContext) api.Decision
- func (p *Repository) BumpRevision()
- func (p *Repository) DeleteByLabels(lbls labels.LabelArray) (uint64, int)
- func (p *Repository) DeleteByLabelsLocked(lbls labels.LabelArray) (ruleSlice, uint64, int)
- func (p *Repository) Empty() bool
- func (p *Repository) GetAuthTypes(localID, remoteID identity.NumericIdentity) AuthTypes
- func (p *Repository) GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)
- func (p *Repository) GetJSON() string
- func (p *Repository) GetPolicyCache() *PolicyCache
- func (p *Repository) GetRevision() uint64
- func (p *Repository) GetRulesList() *models.Policy
- func (p *Repository) GetRulesMatching(lbls labels.LabelArray) (ingressMatch bool, egressMatch bool)
- func (p *Repository) GetSelectorCache() *SelectorCache
- func (p *Repository) Iterate(f func(rule *api.Rule))
- func (p *Repository) LocalEndpointIdentityAdded(*identity.Identity)
- func (p *Repository) LocalEndpointIdentityRemoved(identity *identity.Identity)
- func (p *Repository) NumRules() int
- func (p *Repository) ResolveL4EgressPolicy(ctx *SearchContext) (L4PolicyMap, error)
- func (p *Repository) ResolveL4IngressPolicy(ctx *SearchContext) (L4PolicyMap, error)
- func (p *Repository) SearchRLocked(lbls labels.LabelArray) api.Rules
- func (p *Repository) SetEnvoyRulesFunc(...)
- func (p *Repository) Start()
- func (p *Repository) TranslateRules(translator Translator) (*TranslationResult, error)
- type SearchContext
- func (s *SearchContext) CallDepth() string
- func (s *SearchContext) PolicyTrace(format string, a ...interface{})
- func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})
- func (s *SearchContext) String() string
- func (s *SearchContext) TraceEnabled() bool
- func (s *SearchContext) WithLogger(log io.Writer) *SearchContext
- type SelectorCache
- func (sc *SelectorCache) AddFQDNSelector(user CachedSelectionUser, fqdnSelec api.FQDNSelector) (cachedSelector CachedSelector, added bool)
- func (sc *SelectorCache) AddIdentitySelector(user CachedSelectionUser, selector api.EndpointSelector) (cachedSelector CachedSelector, added bool)
- func (sc *SelectorCache) ChangeUser(selector CachedSelector, from, to CachedSelectionUser)
- func (sc *SelectorCache) FindCachedIdentitySelector(selector api.EndpointSelector) CachedSelector
- func (sc *SelectorCache) GetModel() models.SelectorCache
- func (sc *SelectorCache) GetNetsLocked(id identity.NumericIdentity) []*net.IPNet
- func (sc *SelectorCache) RemoveIdentitiesFQDNSelectors(fqdnSels []api.FQDNSelector, wg *sync.WaitGroup)
- func (sc *SelectorCache) RemoveSelector(selector CachedSelector, user CachedSelectionUser)
- func (sc *SelectorCache) RemoveSelectors(selectors CachedSelectorSlice, user CachedSelectionUser)
- func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)
- func (sc *SelectorCache) UpdateFQDNSelector(fqdnSelec api.FQDNSelector, identities []identity.NumericIdentity, ...)
- func (sc *SelectorCache) UpdateIdentities(added, deleted cache.IdentityCache, wg *sync.WaitGroup)
- type SelectorPolicy
- type StringSet
- type TLSContext
- type TLSDirection
- type Tracing
- type TranslationResult
- type Translator
- type TriggerMetrics
- type Updater
- type VisibilityMetadata
- func (v *VisibilityMetadata) CopyL7RulesPerEndpoint() L7DataMap
- func (v *VisibilityMetadata) GetIngress() bool
- func (v *VisibilityMetadata) GetL7Parser() L7ParserType
- func (l4 *VisibilityMetadata) GetListener() string
- func (v *VisibilityMetadata) GetPort() uint16
- func (v *VisibilityMetadata) GetProtocol() uint8
- type VisibilityPolicy
Constants ¶
const ( LabelKeyPolicyDerivedFrom = "io.cilium.policy.derived-from" LabelAllowLocalHostIngress = "allow-localhost-ingress" LabelAllowRemoteHostIngress = "allow-remotehost-ingress" LabelAllowAnyIngress = "allow-any-ingress" LabelAllowAnyEgress = "allow-any-egress" LabelVisibilityAnnotation = "visibility-annotation" )
Variables ¶
This section is empty.
Functions ¶
func GetAuthType ¶ added in v0.15.7
func GetAuthType(auth *api.Authentication) (HasAuthType, AuthType)
GetAuthType returns boolean HasAuthType and AuthType for the api.Authentication If there is no explicit auth type, (DefaultAuthType, AuthTypeDisabled) is returned
func GetCIDRPrefixes ¶ added in v0.15.7
GetCIDRPrefixes runs through the specified 'rules' to find every reference to a CIDR in the rules, and returns a slice containing all of these CIDRs. Multiple rules referring to the same CIDR will result in multiple copies of the CIDR in the returned slice.
Assumes that validation already occurred on 'rules'.
func GetPolicyEnabled ¶ added in v0.15.7
func GetPolicyEnabled() string
GetPolicyEnabled returns the policy enablement configuration
func GetPrefixesFromCIDRSet ¶ added in v0.15.7
func GetPrefixesFromCIDRSet(rules api.CIDRRuleSlice) []netip.Prefix
GetPrefixesFromCIDRSet fetches all CIDRs referred to by the specified slice and returns them as regular golang CIDR objects.
Assumes that validation already occurred on 'rules'.
func JSONMarshalRules ¶ added in v0.9.0
JSONMarshalRules returns a slice of policy rules as string in JSON representation
func ParseProxyID ¶ added in v0.15.7
func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, err error)
ParseProxyID parses a proxy ID returned by ProxyID and returns its components.
func ProxyIDFromKey ¶ added in v0.15.7
ProxyIDFromKey returns a unique string to identify a proxy mapping.
func SetPolicyEnabled ¶ added in v0.15.7
func SetPolicyEnabled(val string)
SetPolicyEnabled sets the policy enablement configuration. Valid values are: - endpoint.AlwaysEnforce - endpoint.NeverEnforce - endpoint.DefaultEnforcement
Types ¶
type AddOptions ¶ added in v0.15.7
type AddOptions struct { // Replace if true indicates that existing rules with identical labels should be replaced Replace bool // ReplaceWithLabels if present indicates that existing rules with the // given LabelArray should be deleted. ReplaceWithLabels labels.LabelArray // Generated should be set as true to signalize a the policy being inserted // was generated by cilium-agent, e.g. dns poller. Generated bool // The source of this policy, one of api, fqdn or k8s Source source.Source // The time the policy initially began to be processed in Cilium, such as when the // policy was received from the API server. ProcessingStartTime time.Time // Resource provides the object ID for the underlying object that backs // this information from 'source'. Resource ipcacheTypes.ResourceID }
AddOptions are options which can be passed to PolicyAdd
type AuthMap ¶ added in v0.15.7
type AuthMap map[CachedSelector]AuthTypes
Authmap maps remote selectors to their needed AuthTypes, if any
type AuthType ¶ added in v0.15.7
type AuthType uint8
AuthType enumerates the supported authentication types in api. Numerically higher type takes precedence in case of conflicting auth types.
type AuthTypes ¶ added in v0.15.7
type AuthTypes map[AuthType]struct{}
AuthTypes is a set of AuthTypes, usually nil if empty
type CachedSelectionUser ¶ added in v0.15.7
type CachedSelectionUser interface { // IdentitySelectionUpdated implementations MUST NOT call back // to the name manager or the selector cache while executing this function! // // The caller is responsible for making sure the same identity is not // present in both 'added' and 'deleted'. IdentitySelectionUpdated(selector CachedSelector, added, deleted []identity.NumericIdentity) }
CachedSelectionUser inserts selectors into the cache and gets update callbacks whenever the set of selected numeric identities change for the CachedSelectors pushed by it.
type CachedSelector ¶ added in v0.15.7
type CachedSelector interface { // GetSelections returns the cached set of numeric identities // selected by the CachedSelector. The retuned slice must NOT // be modified, as it is shared among multiple users. GetSelections() []identity.NumericIdentity // Selects return 'true' if the CachedSelector selects the given // numeric identity. Selects(nid identity.NumericIdentity) bool // IsWildcard returns true if the endpoint selector selects // all endpoints. IsWildcard() bool // IsNone returns true if the selector never selects anything IsNone() bool // String returns the string representation of this selector. // Used as a map key. String() string }
CachedSelector represents an identity selector owned by the selector cache
type CachedSelectorSlice ¶ added in v0.15.7
type CachedSelectorSlice []CachedSelector
CachedSelectorSlice is a slice of CachedSelectors that can be sorted.
func (CachedSelectorSlice) Len ¶ added in v0.15.7
func (s CachedSelectorSlice) Len() int
func (CachedSelectorSlice) Less ¶ added in v0.15.7
func (s CachedSelectorSlice) Less(i, j int) bool
func (CachedSelectorSlice) MarshalJSON ¶ added in v0.15.7
func (s CachedSelectorSlice) MarshalJSON() ([]byte, error)
MarshalJSON returns the CachedSelectors as JSON formatted buffer
func (CachedSelectorSlice) SelectsAllEndpoints ¶ added in v0.15.7
func (s CachedSelectorSlice) SelectsAllEndpoints() bool
SelectsAllEndpoints returns whether the CachedSelectorSlice selects all endpoints, which is true if the wildcard endpoint selector is present in the slice.
func (CachedSelectorSlice) Swap ¶ added in v0.15.7
func (s CachedSelectorSlice) Swap(i, j int)
type ChangeState ¶ added in v0.15.7
type ChangeState struct { Adds Keys // Added or modified keys, if not nil Deletes Keys // deleted keys, if not nil Old MapState // Old values of all modified or deleted keys, if not nil }
ChangeState allows caller to revert changes made by (multiple) toMapState call(s)
type DeleteOptions ¶ added in v0.15.7
type DeleteOptions struct { // The source of this policy, one of api, fqdn or k8s Source source.Source // Resource provides the object ID for the underlying object that backs // this information from 'source'. Resource ipcacheTypes.ResourceID }
DeleteOptions are options which can be passed to PolicyDelete
type DirectionalVisibilityPolicy ¶ added in v0.15.7
type DirectionalVisibilityPolicy map[string]*VisibilityMetadata
DirectionalVisibilityPolicy is a mapping of VisibilityMetadata keyed by L4 Port / L4 Protocol (e.g., 80/TCP) for a given traffic direction (e.g., ingress or egress). This encodes at which L4 Port / L4 Protocol traffic should be redirected to a given L7 proxy. An empty instance of this type indicates that no traffic should be redirected.
type Endpoint ¶ added in v0.15.7
type Endpoint interface { GetID16() uint16 GetSecurityIdentity() (*identity.Identity, error) PolicyRevisionBumpEvent(rev uint64) IsHost() bool GetOpLabels() []string GetK8sNamespace() string }
Endpoint refers to any structure which has the following properties: * a node-local ID stored as a uint16 * a security identity * a means of incrementing its policy revision * a means of checking if it represents a node or a pod. * a set of labels * a kubernetes namespace
type EndpointPolicy ¶ added in v0.15.7
type EndpointPolicy struct { // PolicyMapState contains the state of this policy as it relates to the // datapath. In the future, this will be factored out of this object to // decouple the policy as it relates to the datapath vs. its userspace // representation. // It maps each Key to the proxy port if proxy redirection is needed. // Proxy port 0 indicates no proxy redirection. // All fields within the Key and the proxy port must be in host byte-order. // Must only be accessed with PolicyOwner (aka Endpoint) lock taken. PolicyMapState MapState // PolicyOwner describes any type which consumes this EndpointPolicy object. PolicyOwner PolicyOwner // contains filtered or unexported fields }
EndpointPolicy is a structure which contains the resolved policy across all layers (L3, L4, and L7), distilled against a set of identities.
func NewEndpointPolicy ¶ added in v0.15.7
func NewEndpointPolicy(repo *Repository) *EndpointPolicy
NewEndpointPolicy returns an empty EndpointPolicy stub.
func (*EndpointPolicy) AllowsIdentity ¶ added in v0.15.7
func (p *EndpointPolicy) AllowsIdentity(identity identity.NumericIdentity) (ingress, egress bool)
AllowsIdentity returns whether the specified policy allows ingress and egress traffic for the specified numeric security identity. If the 'secID' is zero, it will check if all traffic is allowed.
Returning true for either return value indicates all traffic is allowed.
func (EndpointPolicy) Attach ¶ added in v0.15.7
func (p EndpointPolicy) Attach(ctx PolicyContext)
func (*EndpointPolicy) ConsumeMapChanges ¶ added in v0.15.7
func (p *EndpointPolicy) ConsumeMapChanges() (adds, deletes Keys)
ConsumeMapChanges transfers the changes from MapChanges to the caller, locking the selector cache to make sure concurrent identity updates have completed. PolicyOwner (aka Endpoint) is also locked during this call.
func (*EndpointPolicy) Detach ¶ added in v0.15.7
func (p *EndpointPolicy) Detach()
Detach removes EndpointPolicy references from selectorPolicy to allow the EndpointPolicy to be GC'd. PolicyOwner (aka Endpoint) is also locked during this call.
func (EndpointPolicy) DistillPolicy ¶ added in v0.15.7
func (p EndpointPolicy) DistillPolicy(policyOwner PolicyOwner, isHost bool) *EndpointPolicy
DistillPolicy filters down the specified selectorPolicy (which acts upon selectors) into a set of concrete map entries based on the SelectorCache. These can subsequently be plumbed into the datapath.
Must be performed while holding the Repository lock. PolicyOwner (aka Endpoint) is also locked during this call.
func (*EndpointPolicy) UpdateRedirects ¶ added in v0.15.7
func (p *EndpointPolicy) UpdateRedirects(ingress bool, getProxyPort getProxyPortFunc, changes ChangeState)
UpdateRedirects updates redirects in the EndpointPolicy's PolicyMapState by using the provided function to obtain a proxy port number to use. Changes to 'p.PolicyMapState' are collected in 'adds' and 'updated' so that they can be reverted when needed.
type EndpointSet ¶ added in v0.15.7
type EndpointSet struct {
// contains filtered or unexported fields
}
EndpointSet is used to be able to group together a given set of Endpoints that need to have a specific operation performed upon them (e.g., policy revision updates).
func NewEndpointSet ¶ added in v0.15.7
func NewEndpointSet(m map[Endpoint]struct{}) *EndpointSet
NewEndpointSet returns an EndpointSet with the given Endpoints map
func (*EndpointSet) Delete ¶ added in v0.15.7
func (e *EndpointSet) Delete(ep Endpoint)
Delete removes ep from the EndpointSet.
func (*EndpointSet) ForEachGo ¶ added in v0.15.7
func (e *EndpointSet) ForEachGo(wg *sync.WaitGroup, epFunc func(epp Endpoint))
ForEachGo runs epFunc asynchronously inside a goroutine for each endpoint in the EndpointSet. It signals to the provided WaitGroup when epFunc has been executed for each endpoint.
func (*EndpointSet) Insert ¶ added in v0.15.7
func (e *EndpointSet) Insert(ep Endpoint)
Insert adds ep to the EndpointSet.
func (*EndpointSet) Len ¶ added in v0.15.7
func (e *EndpointSet) Len() (nElem int)
Len returns the number of elements in the EndpointSet.
type HasAuthType ¶ added in v0.15.7
type HasAuthType bool
const ( DefaultAuthType HasAuthType = false ExplicitAuthType HasAuthType = true )
type Identities ¶ added in v0.15.7
type Identities interface {
GetNetsLocked(identity.NumericIdentity) []*net.IPNet
}
type Key ¶ added in v0.15.7
type Key struct { // Identity is the numeric identity to / from which traffic is allowed. Identity uint32 // DestPort is the port at L4 to / from which traffic is allowed, in // host-byte order. DestPort uint16 // NextHdr is the protocol which is allowed. Nexthdr uint8 // TrafficDirection indicates in which direction Identity is allowed // communication (egress or ingress). TrafficDirection uint8 }
Key is the userspace representation of a policy key in BPF. It is intentionally duplicated from pkg/maps/policymap to avoid pulling in the BPF dependency to this package.
func (Key) IsEgress ¶ added in v0.15.7
IsEgress returns true if the key refers to an egress policy key
func (Key) IsIngress ¶ added in v0.15.7
IsIngress returns true if the key refers to an ingress policy key
func (Key) IsSuperSetOf ¶ added in v0.15.7
IsSuperSetOf checks if the receiver Key is a superset of the argument Key, and returns a specificity score of the receiver key (higher score is more specific), if so. Being a superset means that the receiver key would match all the traffic of the argument key without being the same key. Hence, a L3-only key is not a superset of a L4-only key, as the L3-only key would match the traffic for the given L3 only, while the L4-only key matches traffic on the given port for all the L3's. Returns 0 if the receiver key is not a superset of the argument key.
Specificity score for all possible superset wildcard patterns. Datapath requires proto to be specified if port is specified. x. L3/proto/port
- */*/*
- */proto/*
- */proto/port
- ID/*/*
- ID/proto/* ( ID/proto/port can not be superset of anything )
func (Key) PortProtoIsBroader ¶ added in v0.15.7
PortProtoIsBroader returns true if the receiver Key has broader port-protocol than the argument Key. That is a port-protocol that covers the argument Key's port-protocol and is larger. An equal port-protocol will return false.
func (Key) PortProtoIsEqual ¶ added in v0.15.7
PortProtoIsEqual returns true if the port-protocols of the two keys are exactly equal.
type L4DirectionPolicy ¶ added in v0.15.7
type L4DirectionPolicy struct { PortRules L4PolicyMap // contains filtered or unexported fields }
func (L4DirectionPolicy) Detach ¶ added in v0.15.7
func (l4 L4DirectionPolicy) Detach(selectorCache *SelectorCache)
Detach removes the cached selectors held by L4PolicyMap from the selectorCache, allowing the map to be garbage collected when there are no more references to it.
type L4Filter ¶
type L4Filter struct { // Port is the destination port to allow. Port 0 indicates that all traffic // is allowed at L4. Port int `json:"port"` PortName string `json:"port-name,omitempty"` // Protocol is the L4 protocol to allow or NONE Protocol api.L4Proto `json:"protocol"` // U8Proto is the Protocol in numeric format, or 0 for NONE U8Proto u8proto.U8proto `json:"-"` // PerSelectorPolicies is a map of policies for selectors, including any L7 rules passed to // the L7 proxy. nil values represent cached selectors that have selector-specific policy // restriction (such as no L7 rules). Holds references to the cached selectors, which must // be released! PerSelectorPolicies L7DataMap `json:"l7-rules,omitempty"` // L7Parser specifies the L7 protocol parser (optional). If specified as // an empty string, then means that no L7 proxy redirect is performed. L7Parser L7ParserType `json:"-"` // Listener is an optional fully qualified name of a Envoy Listner defined in a CiliumEnvoyConfig CRD that should be // used for this traffic instead of the default listener Listener string `json:"listener,omitempty"` // Ingress is true if filter applies at ingress; false if it applies at egress. Ingress bool `json:"-"` // RuleOrigin tracks which policy rules (identified by labels) are the origin for this L3/L4 // (i.e. selector and port) filter. This information is used when distilling a policy to an // EndpointPolicy, to track which policy rules were involved for a specific verdict. // Each LabelArrayList is in sorted order. RuleOrigin map[CachedSelector]labels.LabelArrayList `json:"-"` // contains filtered or unexported fields }
L4Filter represents the policy (allowed remote sources / destinations of traffic) that applies at a specific L4 port/protocol combination (including all ports and protocols), at either ingress or egress. The policy here is specified in terms of selectors that are mapped to security identities via the selector cache.
func (*L4Filter) CopyL7RulesPerEndpoint ¶ added in v0.15.7
CopyL7RulesPerEndpoint returns a shallow copy of the PerSelectorPolicies of the L4Filter.
func (*L4Filter) GetIngress ¶ added in v0.15.7
GetIngress returns whether the L4Filter applies at ingress or egress.
func (*L4Filter) GetL7Parser ¶ added in v0.15.7
func (l4 *L4Filter) GetL7Parser() L7ParserType
GetL7Parser returns the L7ParserType of the L4Filter.
func (*L4Filter) GetListener ¶ added in v0.15.7
GetListener returns the optional listener name.
func (*L4Filter) GetPort ¶ added in v0.15.7
GetPort returns the port at which the L4Filter applies as a uint16.
func (*L4Filter) IdentitySelectionUpdated ¶ added in v0.15.7
func (l4 *L4Filter) IdentitySelectionUpdated(selector CachedSelector, added, deleted []identity.NumericIdentity)
IdentitySelectionUpdated implements CachedSelectionUser interface This call is made from a single goroutine in FIFO order to keep add and delete events ordered properly. No locks are held.
The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.
func (*L4Filter) IsRedirect ¶
IsRedirect returns true if the L4 filter contains a port redirection
func (*L4Filter) SelectsAllEndpoints ¶ added in v0.15.7
SelectsAllEndpoints returns whether the L4Filter selects all endpoints, which is true if the wildcard endpoint selector is present in the map.
type L4Policy ¶
type L4Policy struct { Ingress L4DirectionPolicy Egress L4DirectionPolicy AuthMap AuthMap // Revision is the repository revision used to generate this policy. Revision uint64 // contains filtered or unexported fields }
func (*L4Policy) AccumulateMapChanges ¶ added in v0.15.7
func (l4 *L4Policy) AccumulateMapChanges(cs CachedSelector, adds, deletes []identity.NumericIdentity, l4Filter *L4Filter, direction trafficdirection.TrafficDirection, redirect, isDeny bool, hasAuth HasAuthType, authType AuthType)
AccumulateMapChanges distributes the given changes to the registered users.
The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.
func (*L4Policy) Attach ¶ added in v0.15.7
func (l4 *L4Policy) Attach(ctx PolicyContext)
Attach makes all the L4Filters to point back to the L4Policy that contains them. This is done before the L4Policy is exposed to concurrent access.
func (*L4Policy) Detach ¶ added in v0.15.7
func (l4 *L4Policy) Detach(selectorCache *SelectorCache)
Detach makes the L4Policy ready for garbage collection, removing circular pointer references. Note that the L4Policy itself is not modified in any way, so that it may still be used concurrently.
func (*L4Policy) HasEnvoyRedirect ¶ added in v0.15.7
HasEnvoyRedirect returns true if the L4 policy contains at least one port redirection to Envoy
func (*L4Policy) HasProxylibRedirect ¶ added in v0.15.7
HasProxylibRedirect returns true if the L4 policy contains at least one port redirection to Proxylib
func (*L4Policy) HasRedirect ¶
HasRedirect returns true if the L4 policy contains at least one port redirection
type L4PolicyMap ¶
L4PolicyMap is a list of L4 filters indexable by protocol/port key format: "port/proto"
func (L4PolicyMap) Detach ¶ added in v0.15.7
func (l4 L4PolicyMap) Detach(selectorCache *SelectorCache)
detach is used directly from tracing and testing functions
func (*L4PolicyMap) EgressCoversContext ¶ added in v0.15.7
func (l4 *L4PolicyMap) EgressCoversContext(ctx *SearchContext) api.Decision
EgressCoversContext checks if the receiver's egress L4Policy contains all `dPorts` and `labels`.
Note: Only used for policy tracing
func (*L4PolicyMap) IngressCoversContext ¶ added in v0.15.7
func (l4 *L4PolicyMap) IngressCoversContext(ctx *SearchContext) api.Decision
IngressCoversContext checks if the receiver's ingress L4Policy contains all `dPorts` and `labels`.
Note: Only used for policy tracing
type L7DataMap ¶ added in v0.15.7
type L7DataMap map[CachedSelector]*PerSelectorPolicy
L7DataMap contains a map of L7 rules per endpoint where key is a CachedSelector
func (L7DataMap) MarshalJSON ¶ added in v0.15.7
func (L7DataMap) ShallowCopy ¶ added in v0.15.7
ShallowCopy returns a shallow copy of the L7DataMap.
type L7ParserType ¶ added in v0.15.7
type L7ParserType string
L7ParserType is the type used to indicate what L7 parser to use. Consts are defined for all well known L7 parsers. Unknown string values are created for key-value pair policies, which are then transparently used in redirect configuration.
const ( // ParserTypeNone represents the case where no parser type is provided. ParserTypeNone L7ParserType = "" // ParserTypeTLS is used for TLS origination, termination, or SNI filtering without any L7 // parsing. If TLS policies are used with HTTP rules, ParserTypeHTTP is used instead. ParserTypeTLS L7ParserType = "tls" // ParserTypeCRD is used with a custom CiliumEnvoyConfig redirection. Incompatible with any // parser type with L7 enforcement (HTTP, Kafka, proxylib), as the custom Listener generally // does not support them. ParserTypeCRD L7ParserType = "crd" // ParserTypeHTTP specifies a HTTP parser type ParserTypeHTTP L7ParserType = "http" // ParserTypeKafka specifies a Kafka parser type ParserTypeKafka L7ParserType = "kafka" // ParserTypeDNS specifies a DNS parser type ParserTypeDNS L7ParserType = "dns" )
func (L7ParserType) Merge ¶ added in v0.15.7
func (a L7ParserType) Merge(b L7ParserType) (L7ParserType, error)
Merge ParserTypes 'a' to 'b' if possible
func (L7ParserType) String ¶ added in v0.15.7
func (l7 L7ParserType) String() string
type MapChange ¶ added in v0.15.7
type MapChange struct { Add bool // false deletes Key Key Value MapStateEntry }
type MapChanges ¶ added in v0.15.7
type MapChanges struct {
// contains filtered or unexported fields
}
MapChanges collects updates to the endpoint policy on the granularity of individual mapstate key-value pairs for both adds and deletes. 'mutex' must be held for any access.
func (*MapChanges) AccumulateMapChanges ¶ added in v0.15.7
func (mc *MapChanges) AccumulateMapChanges(cs CachedSelector, adds, deletes []identity.NumericIdentity, port uint16, proto uint8, direction trafficdirection.TrafficDirection, redirect, isDeny bool, hasAuth HasAuthType, authType AuthType, derivedFrom labels.LabelArrayList)
AccumulateMapChanges accumulates the given changes to the MapChanges.
The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.
type MapState ¶ added in v0.15.7
type MapState map[Key]MapStateEntry
MapState is a state of a policy map.
func (MapState) AddDependent ¶ added in v0.15.7
func (keys MapState) AddDependent(owner Key, dependent Key, changes ChangeState)
AddDependent adds 'key' to the set of dependent keys.
func (MapState) AddVisibilityKeys ¶ added in v0.15.7
func (keys MapState) AddVisibilityKeys(e PolicyOwner, redirectPort uint16, visMeta *VisibilityMetadata, changes ChangeState)
AddVisibilityKeys adjusts and expands PolicyMapState keys and values to redirect for visibility on the port of the visibility annotation while still denying traffic on this port for identities for which the traffic is denied.
Datapath lookup order is, from highest to lowest precedence: 1. L3/L4 2. L4-only (wildcard L3) 3. L3-only (wildcard L4) 4. Allow-all
This means that the L4-only allow visibility key can only be added if there is an allow-all key, and all L3-only deny keys are expanded to L3/L4 keys. If no L4-only key is added then also the L3-only allow keys need to be expanded to L3/L4 keys for visibility redirection. In addition the existing L3/L4 and L4-only allow keys need to be redirected to the proxy port, if not already redirected.
The above can be accomplished by:
- Change existing L4-only ALLOW key on matching port that does not already redirect to redirect. - e.g., 0:80=allow,0 -> 0:80=allow,<proxyport>
- If allow-all policy exists, add L4-only visibility redirect key if the L4-only key does not already exist. - e.g., 0:0=allow,0 -> add 0:80=allow,<proxyport> if 0:80 does not exist - this allows all traffic on port 80, but see step 5 below.
- Change all L3/L4 ALLOW keys on matching port that do not already redirect to redirect. - e.g, <ID1>:80=allow,0 -> <ID1>:80=allow,<proxyport>
- For each L3-only ALLOW key add the corresponding L3/L4 ALLOW redirect if no L3/L4 key already exists and no L4-only key already exists and one is not added. - e.g., <ID2>:0=allow,0 -> add <ID2>:80=allow,<proxyport> if <ID2>:80 and 0:80 do not exist
- If a new L4-only key was added: For each L3-only DENY key add the corresponding L3/L4 DENY key if no L3/L4 key already exists. - e.g., <ID3>:0=deny,0 -> add <ID3>:80=deny,0 if <ID3>:80 does not exist
With the above we only change/expand existing allow keys to redirect, and expand existing drop keys to also drop on the port of interest, if a new L4-only key allowing the port is added.
'adds' and 'oldValues' are updated with the changes made. 'adds' contains both the added and changed keys. 'oldValues' contains the old values for changed keys. This function does not delete any keys.
func (MapState) AllowAllIdentities ¶ added in v0.15.7
AllowAllIdentities translates all identities in selectorCache to their corresponding Keys in the specified direction (ingress, egress) which allows all at L3. Note that this is used when policy is not enforced, so authentication is explicitly not required.
func (MapState) DetermineAllowLocalhostIngress ¶ added in v0.15.7
func (keys MapState) DetermineAllowLocalhostIngress()
DetermineAllowLocalhostIngress determines whether communication should be allowed from the localhost. It inserts the Key corresponding to the localhost in the desiredPolicyKeys if the localhost is allowed to communicate with the endpoint. Authentication for localhost traffic is not required.
func (MapState) GetDenyIdentities ¶ added in v0.15.7
func (MapState) GetIdentities ¶ added in v0.15.7
func (MapState) RemoveDependent ¶ added in v0.15.7
func (keys MapState) RemoveDependent(owner Key, dependent Key, changes ChangeState)
RemoveDependent removes 'key' from the list of dependent keys. This is called when a dependent entry is being deleted. If 'old' is not nil, then old value is added there before any modifications.
func (MapState) RevertChanges ¶ added in v0.15.7
func (keys MapState) RevertChanges(changes ChangeState)
RevertChanges undoes changes to 'keys' as indicated by 'changes.adds' and 'changes.old' collected via denyPreferredInsertWithChanges().
type MapStateEntry ¶ added in v0.15.7
type MapStateEntry struct { // The proxy port, in host byte order. // If 0 (default), there is no proxy redirection for the corresponding // Key. Any other value signifies proxy redirection. ProxyPort uint16 // IsDeny is true when the policy should be denied. IsDeny bool // AuthType is non-zero when authentication is required for the traffic to be allowed. AuthType AuthType // DerivedFromRules tracks the policy rules this entry derives from // In sorted order. DerivedFromRules labels.LabelArrayList // contains filtered or unexported fields }
MapStateEntry is the configuration associated with a Key in a MapState. This is a minimized version of policymap.PolicyEntry.
func NewMapStateEntry ¶ added in v0.15.7
func NewMapStateEntry(cs MapStateOwner, derivedFrom labels.LabelArrayList, redirect, deny bool, hasAuth HasAuthType, authType AuthType) MapStateEntry
NewMapStateEntry creates a map state entry. If redirect is true, the caller is expected to replace the ProxyPort field before it is added to the actual BPF map. 'cs' is used to keep track of which policy selectors need this entry. If it is 'nil' this entry will become sticky and cannot be completely removed via incremental updates. Even in this case the entry may be overridden or removed by a deny entry.
func (*MapStateEntry) AddDependent ¶ added in v0.15.7
func (e *MapStateEntry) AddDependent(key Key)
AddDependent adds 'key' to the set of dependent keys.
func (*MapStateEntry) DatapathEqual ¶ added in v0.15.7
func (e *MapStateEntry) DatapathEqual(o *MapStateEntry) bool
DatapathEqual returns true of two entries are equal in the datapath's PoV, i.e., IsDeny, ProxyPort and AuthType are the same for both entries.
func (*MapStateEntry) DeepEqual ¶ added in v0.15.7
func (e *MapStateEntry) DeepEqual(o *MapStateEntry) bool
DeepEqual is a manually generated deepequal function, deeply comparing the receiver with other. in must be non-nil. Defined manually due to deepequal-gen not supporting interface types. 'cachedNets' member is ignored in comparison, as it is a cached value and makes no functional difference.
func (*MapStateEntry) HasDependent ¶ added in v0.15.7
func (e *MapStateEntry) HasDependent(key Key) bool
HasDependent returns true if the 'key' is contained within the set of dependent keys
func (*MapStateEntry) IsRedirectEntry ¶ added in v0.15.7
func (e *MapStateEntry) IsRedirectEntry() bool
IsRedirectEntry returns true if e contains a redirect
func (*MapStateEntry) Merge ¶ added in v0.15.7
func (e *MapStateEntry) Merge(entry *MapStateEntry)
Merge adds owners, dependents, and DerivedFromRules from a new 'entry' to an existing entry 'e'. 'entry' is not modified. IsDeny, ProxyPort, and AuthType are merged by giving precedence to deny over non-deny, proxy redirection over no proxy redirection, and explicit auth type over default auth type.
func (*MapStateEntry) RemoveDependent ¶ added in v0.15.7
func (e *MapStateEntry) RemoveDependent(key Key)
RemoveDependent removes 'key' from the set of dependent keys.
func (MapStateEntry) String ¶ added in v0.15.7
func (e MapStateEntry) String() string
String returns a string representation of the MapStateEntry
type MapStateOwner ¶ added in v0.15.7
type MapStateOwner interface{}
type PerSelectorPolicy ¶ added in v0.15.7
type PerSelectorPolicy struct { // TerminatingTLS is the TLS context for the connection terminated by // the L7 proxy. For egress policy this specifies the server-side TLS // parameters to be applied on the connections originated from the local // POD and terminated by the L7 proxy. For ingress policy this specifies // the server-side TLS parameters to be applied on the connections // originated from a remote source and terminated by the L7 proxy. TerminatingTLS *TLSContext `json:"terminatingTLS,omitempty"` // OriginatingTLS is the TLS context for the connections originated by // the L7 proxy. For egress policy this specifies the client-side TLS // parameters for the upstream connection originating from the L7 proxy // to the remote destination. For ingress policy this specifies the // client-side TLS parameters for the connection from the L7 proxy to // the local POD. OriginatingTLS *TLSContext `json:"originatingTLS,omitempty"` // ServerNames is a list of allowed TLS SNI values. If not empty, then // TLS must be present and one of the provided SNIs must be indicated in the // TLS handshake. ServerNames StringSet `json:"serverNames,omitempty"` // Pre-computed HTTP rules, computed after rule merging is complete EnvoyHTTPRules *cilium.HttpNetworkPolicyRules `json:"-"` // CanShortCircuit is true if all 'EnvoyHTTPRules' may be // short-circuited by other matches. CanShortCircuit bool `json:"-"` api.L7Rules // Authentication is the kind of cryptographic authentication required for the traffic to be allowed // at L3, if any. Authentication *api.Authentication `json:"auth,omitempty"` // IsDeny is set if this L4Filter contains should be denied IsDeny bool `json:",omitempty"` // contains filtered or unexported fields }
PerSelectorPolicy contains policy rules for a CachedSelector, i.e. for a selection of numerical identities.
func (*PerSelectorPolicy) Equal ¶ added in v0.15.7
func (a *PerSelectorPolicy) Equal(b *PerSelectorPolicy) bool
Equal returns true if 'a' and 'b' represent the same L7 Rules
func (*PerSelectorPolicy) GetAuthType ¶ added in v0.15.7
func (a *PerSelectorPolicy) GetAuthType() (HasAuthType, AuthType)
GetAuthType returns the AuthType of the L4Filter.
func (*PerSelectorPolicy) HasL7Rules ¶ added in v0.15.7
func (a *PerSelectorPolicy) HasL7Rules() bool
HasL7Rules returns whether the `L7Rules` contains any L7 rules.
func (*PerSelectorPolicy) IsRedirect ¶ added in v0.15.7
func (a *PerSelectorPolicy) IsRedirect() bool
IsRedirect returns true if the L7Rules are a redirect.
type PolicyCache ¶ added in v0.15.7
PolicyCache represents a cache of resolved policies for identities.
func NewPolicyCache ¶ added in v0.15.7
func NewPolicyCache(repo *Repository, subscribe bool) *PolicyCache
NewPolicyCache creates a new cache of SelectorPolicy.
func (*PolicyCache) GetAuthTypes ¶ added in v0.15.7
func (cache *PolicyCache) GetAuthTypes(localID, remoteID identityPkg.NumericIdentity) AuthTypes
GetAuthTypes returns the AuthTypes required by the policy between the localID and remoteID, if any, otherwise returns nil.
func (*PolicyCache) GetSelectorCache ¶ added in v0.15.7
func (cache *PolicyCache) GetSelectorCache() *SelectorCache
func (*PolicyCache) LocalEndpointIdentityAdded ¶ added in v0.15.7
func (cache *PolicyCache) LocalEndpointIdentityAdded(identity *identityPkg.Identity)
LocalEndpointIdentityAdded creates a SelectorPolicy cache entry for the specified Identity, without calculating any policy for it.
func (*PolicyCache) LocalEndpointIdentityRemoved ¶ added in v0.15.7
func (cache *PolicyCache) LocalEndpointIdentityRemoved(identity *identityPkg.Identity)
LocalEndpointIdentityRemoved deletes the cached SelectorPolicy for the specified Identity.
func (*PolicyCache) Lookup ¶ added in v0.15.7
func (cache *PolicyCache) Lookup(identity *identityPkg.Identity) SelectorPolicy
Lookup attempts to locate the SelectorPolicy corresponding to the specified identity. If policy is not cached for the identity, it returns nil.
func (*PolicyCache) UpdatePolicy ¶ added in v0.15.7
func (cache *PolicyCache) UpdatePolicy(identity *identityPkg.Identity) error
UpdatePolicy resolves the policy for the security identity of the specified endpoint and caches it for future use.
The caller must provide threadsafety for iteration over the policy repository.
type PolicyContext ¶ added in v0.15.7
type PolicyContext interface { // return the namespace in which the policy rule is being resolved GetNamespace() string // return the SelectorCache GetSelectorCache() *SelectorCache // GetTLSContext resolves the given 'api.TLSContext' into CA // certs and the public and private keys, using secrets from // k8s or from the local file system. GetTLSContext(tls *api.TLSContext) (ca, public, private string, err error) // GetEnvoyHTTPRules translates the given 'api.L7Rules' into // the protobuf representation the Envoy can consume. The bool // return parameter tells whether the the rule enforcement can // be short-circuited upon the first allowing rule. This is // false if any of the rules has side-effects, requiring all // such rules being evaluated. GetEnvoyHTTPRules(l7Rules *api.L7Rules) (*cilium.HttpNetworkPolicyRules, bool) // IsDeny returns true if the policy computation should be done for the // policy deny case. This function returns different values depending on the // code path as it can be changed during the policy calculation. IsDeny() bool // SetDeny sets the Deny field of the PolicyContext and returns the old // value stored. SetDeny(newValue bool) (oldValue bool) }
PolicyContext is an interface policy resolution functions use to access the Repository. This way testing code can run without mocking a full Repository.
type PolicyOwner ¶ added in v0.15.7
type PolicyOwner interface { GetID() uint64 LookupRedirectPortLocked(ingress bool, protocol string, port uint16) uint16 HasBPFPolicyMap() bool GetNamedPort(ingress bool, name string, proto uint8) uint16 PolicyDebug(fields logrus.Fields, msg string) }
PolicyOwner is anything which consumes a EndpointPolicy.
type ProxyPolicy ¶ added in v0.15.7
type ProxyPolicy interface { CopyL7RulesPerEndpoint() L7DataMap GetL7Parser() L7ParserType GetIngress() bool GetPort() uint16 GetProtocol() uint8 GetListener() string }
ProxyPolicy is any type which encodes state needed to redirect to an L7 proxy.
type Repository ¶ added in v0.9.0
type Repository struct { // Mutex protects the whole policy tree Mutex lock.RWMutex // RepositoryChangeQueue is a queue which serializes changes to the policy // repository. RepositoryChangeQueue *eventqueue.EventQueue // RuleReactionQueue is a queue which serializes the resultant events that // need to occur after updating the state of the policy repository. This // can include queueing endpoint regenerations, policy revision increments // for endpoints, etc. RuleReactionQueue *eventqueue.EventQueue // contains filtered or unexported fields }
Repository is a list of policy rules which in combination form the security policy. A policy repository can be
func NewPolicyRepository ¶ added in v0.9.0
func NewPolicyRepository( idAllocator cache.IdentityAllocator, idCache cache.IdentityCache, certManager certificatemanager.CertificateManager, secretManager certificatemanager.SecretManager, ) *Repository
NewPolicyRepository creates a new policy repository.
func NewStoppedPolicyRepository ¶ added in v0.15.7
func NewStoppedPolicyRepository( idAllocator cache.IdentityAllocator, idCache cache.IdentityCache, certManager certificatemanager.CertificateManager, secretManager certificatemanager.SecretManager, ) *Repository
NewStoppedPolicyRepository creates a new policy repository without starting queues.
Qeues must be allocated via Repository.Start. The function serves to satisfy hive invariants.
func (*Repository) Add ¶ added in v0.9.0
func (p *Repository) Add(r api.Rule, localRuleConsumers []Endpoint) (uint64, map[uint16]struct{}, error)
Add inserts a rule into the policy repository This is just a helper function for unit testing. TODO: this should be in a test_helpers.go file or something similar so we can clearly delineate what helpers are for testing. NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) AddList ¶ added in v0.9.0
func (p *Repository) AddList(rules api.Rules) (ruleSlice, uint64)
AddList inserts a rule into the policy repository. It is used for unit-testing purposes only.
func (*Repository) AddListLocked ¶ added in v0.9.0
func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64)
AddListLocked inserts a rule into the policy repository with the repository already locked Expects that the entire rule list has already been sanitized.
func (*Repository) AllowsEgressRLocked ¶ added in v0.15.7
func (p *Repository) AllowsEgressRLocked(ctx *SearchContext) api.Decision
AllowsEgressRLocked evaluates the policy repository for the provided search context and returns the verdict. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.
NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) AllowsIngressRLocked ¶ added in v0.15.7
func (p *Repository) AllowsIngressRLocked(ctx *SearchContext) api.Decision
AllowsIngressRLocked evaluates the policy repository for the provided search context and returns the verdict for ingress. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.
NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) BumpRevision ¶ added in v0.15.7
func (p *Repository) BumpRevision()
BumpRevision allows forcing policy regeneration
func (*Repository) DeleteByLabels ¶ added in v0.9.0
func (p *Repository) DeleteByLabels(lbls labels.LabelArray) (uint64, int)
DeleteByLabels deletes all rules in the policy repository which contain the specified labels
func (*Repository) DeleteByLabelsLocked ¶ added in v0.9.0
func (p *Repository) DeleteByLabelsLocked(lbls labels.LabelArray) (ruleSlice, uint64, int)
DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels. Returns the revision of the policy repository after deleting the rules, as well as now many rules were deleted.
func (*Repository) Empty ¶ added in v0.15.7
func (p *Repository) Empty() bool
Empty returns 'true' if repository has no rules, 'false' otherwise.
Must be called without p.Mutex held
func (*Repository) GetAuthTypes ¶ added in v0.15.7
func (p *Repository) GetAuthTypes(localID, remoteID identity.NumericIdentity) AuthTypes
GetAuthTypes returns the AuthTypes required by the policy between the localID and remoteID
func (*Repository) GetEnvoyHTTPRules ¶ added in v0.15.7
func (p *Repository) GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)
func (*Repository) GetJSON ¶ added in v0.9.0
func (p *Repository) GetJSON() string
GetJSON returns all rules of the policy repository as string in JSON representation
func (*Repository) GetPolicyCache ¶ added in v0.15.7
func (p *Repository) GetPolicyCache() *PolicyCache
GetPolicyCache() returns the policy cache used by the Repository
func (*Repository) GetRevision ¶ added in v0.10.0
func (p *Repository) GetRevision() uint64
GetRevision returns the revision of the policy repository
func (*Repository) GetRulesList ¶ added in v0.15.7
func (p *Repository) GetRulesList() *models.Policy
GetRulesList returns the current policy
func (*Repository) GetRulesMatching ¶ added in v0.9.0
func (p *Repository) GetRulesMatching(lbls labels.LabelArray) (ingressMatch bool, egressMatch bool)
GetRulesMatching returns whether any of the rules in a repository contain a rule with labels matching the labels in the provided LabelArray.
Must be called with p.Mutex held
func (*Repository) GetSelectorCache ¶ added in v0.15.7
func (p *Repository) GetSelectorCache() *SelectorCache
GetSelectorCache() returns the selector cache used by the Repository
func (*Repository) Iterate ¶ added in v0.15.7
func (p *Repository) Iterate(f func(rule *api.Rule))
Iterate iterates the policy repository, calling f for each rule. It is safe to execute Iterate concurrently.
func (*Repository) LocalEndpointIdentityAdded ¶ added in v0.15.7
func (p *Repository) LocalEndpointIdentityAdded(*identity.Identity)
LocalEndpointIdentityAdded handles local identity add events.
func (*Repository) LocalEndpointIdentityRemoved ¶ added in v0.15.7
func (p *Repository) LocalEndpointIdentityRemoved(identity *identity.Identity)
LocalEndpointIdentityRemoved handles local identity removal events to remove references from rules in the repository to the specified identity.
func (*Repository) NumRules ¶ added in v0.9.0
func (p *Repository) NumRules() int
NumRules returns the amount of rules in the policy repository.
Must be called with p.Mutex held
func (*Repository) ResolveL4EgressPolicy ¶ added in v0.15.7
func (p *Repository) ResolveL4EgressPolicy(ctx *SearchContext) (L4PolicyMap, error)
ResolveL4EgressPolicy resolves the L4 egress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.From`. `ctx.To` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.
Caller must release resources by calling Detach() on the returned map!
NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) ResolveL4IngressPolicy ¶ added in v0.15.7
func (p *Repository) ResolveL4IngressPolicy(ctx *SearchContext) (L4PolicyMap, error)
ResolveL4IngressPolicy resolves the L4 ingress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.
TODO: Coalesce l7 rules?
Caller must release resources by calling Detach() on the returned map!
NOTE: This is only called from unit tests, but from multiple packages.
func (*Repository) SearchRLocked ¶ added in v0.9.0
func (p *Repository) SearchRLocked(lbls labels.LabelArray) api.Rules
SearchRLocked searches the policy repository for rules which match the specified labels and will return an array of all rules which matched.
func (*Repository) SetEnvoyRulesFunc ¶ added in v0.15.7
func (p *Repository) SetEnvoyRulesFunc(f func(certificatemanager.SecretManager, *api.L7Rules, string) (*cilium.HttpNetworkPolicyRules, bool))
func (*Repository) Start ¶ added in v0.15.7
func (p *Repository) Start()
Start allocates and starts various queues used by the Repository.
Must only be called if using NewStoppedPolicyRepository
func (*Repository) TranslateRules ¶ added in v0.15.7
func (p *Repository) TranslateRules(translator Translator) (*TranslationResult, error)
TranslateRules traverses rules and applies provided translator to rules
Note: Only used by the k8s watcher.
type SearchContext ¶
type SearchContext struct { Trace Tracing Depth int Logging *stdlog.Logger From labels.LabelArray To labels.LabelArray DPorts []*models.Port // contains filtered or unexported fields }
SearchContext defines the context while evaluating policy
func (*SearchContext) CallDepth ¶
func (s *SearchContext) CallDepth() string
func (*SearchContext) PolicyTrace ¶ added in v0.9.0
func (s *SearchContext) PolicyTrace(format string, a ...interface{})
PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.
func (*SearchContext) PolicyTraceVerbose ¶ added in v0.9.0
func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})
PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.
func (*SearchContext) String ¶
func (s *SearchContext) String() string
func (*SearchContext) TraceEnabled ¶ added in v0.15.7
func (s *SearchContext) TraceEnabled() bool
TraceEnabled returns true if the SearchContext requests tracing.
func (*SearchContext) WithLogger ¶ added in v0.15.7
func (s *SearchContext) WithLogger(log io.Writer) *SearchContext
WithLogger returns a shallow copy of the received SearchContext with the logging set to write to 'log'.
type SelectorCache ¶ added in v0.15.7
type SelectorCache struct {
// contains filtered or unexported fields
}
SelectorCache caches identities, identity selectors, and the subsets of identities each selector selects.
func NewSelectorCache ¶ added in v0.15.7
func NewSelectorCache(allocator cache.IdentityAllocator, ids cache.IdentityCache) *SelectorCache
NewSelectorCache creates a new SelectorCache with the given identities.
func (*SelectorCache) AddFQDNSelector ¶ added in v0.15.7
func (sc *SelectorCache) AddFQDNSelector(user CachedSelectionUser, fqdnSelec api.FQDNSelector) (cachedSelector CachedSelector, added bool)
AddFQDNSelector adds the given api.FQDNSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding CachedSelector is returned, otherwise one is created and added to the cache.
func (*SelectorCache) AddIdentitySelector ¶ added in v0.15.7
func (sc *SelectorCache) AddIdentitySelector(user CachedSelectionUser, selector api.EndpointSelector) (cachedSelector CachedSelector, added bool)
AddIdentitySelector adds the given api.EndpointSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding CachedSelector is returned, otherwise one is created and added to the cache.
func (*SelectorCache) ChangeUser ¶ added in v0.15.7
func (sc *SelectorCache) ChangeUser(selector CachedSelector, from, to CachedSelectionUser)
ChangeUser changes the CachedSelectionUser that gets updates on the updates on the cached selector.
func (*SelectorCache) FindCachedIdentitySelector ¶ added in v0.15.7
func (sc *SelectorCache) FindCachedIdentitySelector(selector api.EndpointSelector) CachedSelector
FindCachedIdentitySelector finds the given api.EndpointSelector in the selector cache, returning nil if one can not be found.
func (*SelectorCache) GetModel ¶ added in v0.15.7
func (sc *SelectorCache) GetModel() models.SelectorCache
GetModel returns the API model of the SelectorCache.
func (*SelectorCache) GetNetsLocked ¶ added in v1.12.15
func (sc *SelectorCache) GetNetsLocked(id identity.NumericIdentity) []*net.IPNet
GetNetsLocked returns the most specific CIDR for an identity. For the "World" identity it returns both IPv4 and IPv6.
func (*SelectorCache) RemoveIdentitiesFQDNSelectors ¶ added in v0.15.7
func (sc *SelectorCache) RemoveIdentitiesFQDNSelectors(fqdnSels []api.FQDNSelector, wg *sync.WaitGroup)
RemoveIdentitiesFQDNSelectors removes all identities from being mapped to the set of FQDNSelectors.
func (*SelectorCache) RemoveSelector ¶ added in v0.15.7
func (sc *SelectorCache) RemoveSelector(selector CachedSelector, user CachedSelectionUser)
RemoveSelector removes CachedSelector for the user.
func (*SelectorCache) RemoveSelectors ¶ added in v0.15.7
func (sc *SelectorCache) RemoveSelectors(selectors CachedSelectorSlice, user CachedSelectionUser)
RemoveSelectors removes CachedSelectorSlice for the user.
func (*SelectorCache) SetLocalIdentityNotifier ¶ added in v0.15.7
func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)
SetLocalIdentityNotifier injects the provided identityNotifier into the SelectorCache. Currently, this is used to inject the FQDN subsystem into the SelectorCache so the SelectorCache can notify the FQDN subsystem when it should be aware of a given FQDNSelector for which CIDR identities need to be provided upon DNS lookups which corespond to said FQDNSelector.
func (*SelectorCache) UpdateFQDNSelector ¶ added in v0.15.7
func (sc *SelectorCache) UpdateFQDNSelector(fqdnSelec api.FQDNSelector, identities []identity.NumericIdentity, wg *sync.WaitGroup)
UpdateFQDNSelector updates the mapping of fqdnKey (the FQDNSelector from a policy rule as a string) to to the provided list of identities. If the contents of the cachedSelections differ from those in the identities slice, all users are notified asynchronously. Caller should Wait() on the returned sync.WaitGroup before triggering any policy updates. Policy updates may need Endpoint locks, so this Wait() can deadlock if the caller is holding any endpoint locks.
func (*SelectorCache) UpdateIdentities ¶ added in v0.15.7
func (sc *SelectorCache) UpdateIdentities(added, deleted cache.IdentityCache, wg *sync.WaitGroup)
UpdateIdentities propagates identity updates to selectors
The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.
Caller should Wait() on the returned sync.WaitGroup before triggering any policy updates. Policy updates may need Endpoint locks, so this Wait() can deadlock if the caller is holding any endpoint locks.
type SelectorPolicy ¶ added in v0.15.7
type SelectorPolicy interface { // Consume returns the policy in terms of connectivity to peer // Identities. Consume(owner PolicyOwner) *EndpointPolicy }
SelectorPolicy represents a cached selectorPolicy, previously resolved from the policy repository and ready to be distilled against a set of identities to compute datapath-level policy configuration.
type StringSet ¶ added in v0.15.7
type StringSet map[string]struct{}
func NewStringSet ¶ added in v0.15.7
NewStringSet returns a StringSet initialized from slice of strings. Returns nil for an empty slice
type TLSContext ¶ added in v0.15.7
type TLSContext struct { TrustedCA string `json:"trustedCA,omitempty"` CertificateChain string `json:"certificateChain,omitempty"` PrivateKey string `json:"privateKey,omitempty"` }
TLS context holds the secret values resolved from an 'api.TLSContext'
func (*TLSContext) Equal ¶ added in v0.15.7
func (a *TLSContext) Equal(b *TLSContext) bool
Equal returns true if 'a' and 'b' have the same contents.
func (*TLSContext) MarshalJSON ¶ added in v0.15.7
func (t *TLSContext) MarshalJSON() ([]byte, error)
MarshalJSON marsahls a redacted version of the TLSContext. We want to see which fields are present, but not reveal their values in any logs, etc.
type TLSDirection ¶ added in v0.15.7
type TLSDirection string
const ( TerminatingTLS TLSDirection = "terminating" OriginatingTLS TLSDirection = "originating" )
type TranslationResult ¶ added in v0.15.7
type TranslationResult struct { // NumToServicesRules is the number of ToServices rules processed while // translating the rules NumToServicesRules int // BackendPrefixes contains all egress CIDRs that are to be added // for the translation. PrefixesToAdd []netip.Prefix // BackendPrefixes contains all egress CIDRs that are to be removed // for the translation. PrefixesToRelease []netip.Prefix }
TranslationResult contains the results of the rule translation
type Translator ¶ added in v0.15.7
type Translator interface {
Translate(*api.Rule, *TranslationResult) error
}
Translator is an interface for altering policy rules
type TriggerMetrics ¶ added in v0.15.7
type TriggerMetrics struct{}
TriggerMetrics handles the metrics for trigger policy recalculations.
func (*TriggerMetrics) PostRun ¶ added in v0.15.7
func (p *TriggerMetrics) PostRun(duration, latency time.Duration, folds int)
func (*TriggerMetrics) QueueEvent ¶ added in v0.15.7
func (p *TriggerMetrics) QueueEvent(reason string)
type Updater ¶ added in v0.15.7
Updater is responsible for triggering policy updates, in order to perform policy recalculation.
func NewUpdater ¶ added in v0.15.7
func NewUpdater(r *Repository, regen regenerator) (*Updater, error)
NewUpdater returns a new Updater instance to handle triggering policy updates ready for use.
func (*Updater) TriggerPolicyUpdates ¶ added in v0.15.7
TriggerPolicyUpdates triggers the policy update trigger.
To follow what the trigger does, see NewUpdater.
type VisibilityMetadata ¶ added in v0.15.7
type VisibilityMetadata struct { // Parser represents the proxy to which traffic should be redirected. Parser L7ParserType // Port, in tandem with Proto, signifies which L4 port for which traffic // should be redirected. Port uint16 // Proto, in tandem with port, signifies which L4 protocol for which traffic // should be redirected. Proto u8proto.U8proto // Ingress specifies whether ingress traffic at the given L4 port / protocol // should be redirected to the proxy. Ingress bool // L7Metadata encodes optional information what is allowed at L7 for // visibility. Some specific protocol parsers do not need this set for // allowing of traffic (e.g., HTTP), but some do (e.g., DNS). L7Metadata L7DataMap }
VisibilityMetadata encodes state about what type of traffic should be redirected to an L7Proxy. Implements the ProxyPolicy interface. TODO: an L4Filter could be composed of this type.
func (*VisibilityMetadata) CopyL7RulesPerEndpoint ¶ added in v0.15.7
func (v *VisibilityMetadata) CopyL7RulesPerEndpoint() L7DataMap
CopyL7RulesPerEndpoint returns a shallow copy of the L7Metadata of the L4Filter.
func (*VisibilityMetadata) GetIngress ¶ added in v0.15.7
func (v *VisibilityMetadata) GetIngress() bool
GetIngress returns whether the VisibilityMetadata applies at ingress or egress.
func (*VisibilityMetadata) GetL7Parser ¶ added in v0.15.7
func (v *VisibilityMetadata) GetL7Parser() L7ParserType
GetL7Parser returns the L7ParserType for this VisibilityMetadata.
func (*VisibilityMetadata) GetListener ¶ added in v0.15.7
func (l4 *VisibilityMetadata) GetListener() string
GetListener returns the optional listener name.
func (*VisibilityMetadata) GetPort ¶ added in v0.15.7
func (v *VisibilityMetadata) GetPort() uint16
GetPort returns at which port the VisibilityMetadata applies.
func (*VisibilityMetadata) GetProtocol ¶ added in v1.13.15
func (v *VisibilityMetadata) GetProtocol() uint8
GetProtocol returns the protocol where the VisibilityMetadata applies.
type VisibilityPolicy ¶ added in v0.15.7
type VisibilityPolicy struct { Ingress DirectionalVisibilityPolicy Egress DirectionalVisibilityPolicy Error error }
VisibilityPolicy represents for both ingress and egress which types of traffic should be redirected to a given L7 proxy.
func NewVisibilityPolicy ¶ added in v0.15.7
func NewVisibilityPolicy(anno string) (*VisibilityPolicy, error)
NewVisibilityPolicy generates the VisibilityPolicy that is encoded in the annotation parameter. Returns an error:
- if the annotation does not correspond to the expected format for a visibility annotation.
- if there is a conflict between the state encoded in the annotation (e.g., different L7 protocols for the same L4 port / protocol / traffic direction.
Source Files ¶
Directories ¶
Path | Synopsis |
---|---|
Package api defines the API of the Cilium network policy interface +groupName=policy
|
Package api defines the API of the Cilium network policy interface +groupName=policy |
package trafficdirection specifies the directionality of policy in a numeric representation.
|
package trafficdirection specifies the directionality of policy in a numeric representation. |