types

package
v1.15.12 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 12, 2024 License: Apache-2.0 Imports: 17 Imported by: 9

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func RemoteSNATDstAddrExclusionCIDRv4

func RemoteSNATDstAddrExclusionCIDRv4() *cidr.CIDR

RemoteSNATDstAddrExclusionCIDRv4 returns a CIDR for SNAT exclusion. Any packet sent from a local endpoint to an IP address belonging to the CIDR should not be SNAT'd.

func RemoteSNATDstAddrExclusionCIDRv6

func RemoteSNATDstAddrExclusionCIDRv6() *cidr.CIDR

RemoteSNATDstAddrExclusionCIDRv6 returns a IPv6 CIDR for SNAT exclusion. Any packet sent from a local endpoint to an IP address belonging to the CIDR should not be SNAT'd.

Types

type BackendIDByServiceIDSet

type BackendIDByServiceIDSet map[uint16]map[loadbalancer.BackendID]struct{} // svc ID => backend ID

BackendIDByServiceIDSet is the type of a set for checking whether a backend belongs to a given service

type BandwidthManager added in v1.15.8

type BandwidthManager interface {
	BBREnabled() bool
	DeleteEndpointBandwidthLimit(epID uint16) error
	Enabled() bool
}

type BaseProgramOwner

type BaseProgramOwner interface {
	DeviceConfiguration
	GetCompilationLock() *lock.RWMutex
	Datapath() Datapath
	LocalConfig() *LocalNodeConfiguration
	SetPrefilter(pf PreFilter)
}

BaseProgramOwner is any type for which a loader is building base programs.

type CompileTimeConfiguration

type CompileTimeConfiguration interface {
	DeviceConfiguration

	// TODO: Move this detail into the datapath
	ConntrackLocalLocked() bool

	// RequireARPPassthrough returns true if the datapath must implement
	// ARP passthrough for this endpoint
	RequireARPPassthrough() bool

	// RequireEgressProg returns true if the endpoint requires an egress
	// program attached to the InterfaceName() invoking the section
	// "to-container"
	RequireEgressProg() bool

	// RequireRouting returns true if the endpoint requires BPF routing to
	// be enabled, when disabled, routing is delegated to Linux routing
	RequireRouting() bool

	// RequireEndpointRoute returns true if the endpoint wishes to have a
	// per endpoint route installed in the host's routing table to point to
	// the endpoint's interface
	RequireEndpointRoute() bool

	// GetPolicyVerdictLogFilter returns the PolicyVerdictLogFilter for the endpoint
	GetPolicyVerdictLogFilter() uint32

	// IsHost returns true if the endpoint is the host endpoint.
	IsHost() bool
}

CompileTimeConfiguration provides datapath implementations a clean interface to access endpoint-specific configuration that can only be changed at compile time.

type ConfigWriter

type ConfigWriter interface {
	// WriteNodeConfig writes the implementation-specific configuration of
	// node-wide options into the specified writer.
	WriteNodeConfig(io.Writer, *LocalNodeConfiguration) error

	// WriteNetdevConfig writes the implementation-specific configuration
	// of configurable options to the specified writer. Options specified
	// here will apply to base programs and not to endpoints, though
	// endpoints may have equivalent configurable options.
	WriteNetdevConfig(io.Writer, DeviceConfiguration) error

	// WriteTemplateConfig writes the implementation-specific configuration
	// of configurable options for BPF templates to the specified writer.
	WriteTemplateConfig(w io.Writer, cfg EndpointConfiguration) error

	// WriteEndpointConfig writes the implementation-specific configuration
	// of configurable options for the endpoint to the specified writer.
	WriteEndpointConfig(w io.Writer, cfg EndpointConfiguration) error
}

ConfigWriter is anything which writes the configuration for various datapath program types.

type Datapath

type Datapath interface {
	ConfigWriter
	IptablesManager

	// Node must return the handler for node events
	Node() NodeHandler

	NodeIDs() NodeIDHandler

	NodeNeighbors() NodeNeighbors

	// LocalNodeAddressing must return the node addressing implementation
	// of the local node
	LocalNodeAddressing() NodeAddressing

	// Loader must return the implementation of the loader, which is responsible
	// for loading, reloading, and compiling datapath programs.
	Loader() Loader

	// WireguardAgent returns the WireGuard agent for the local node
	WireguardAgent() WireguardAgent

	// LBMap returns the load-balancer map
	LBMap() LBMap

	Procfs() string

	BandwidthManager() BandwidthManager
}

Datapath is the interface to abstract all datapath interactions. The abstraction allows to implement the datapath requirements with multiple implementations

type DeviceConfiguration

type DeviceConfiguration interface {
	// GetOptions fetches the configurable datapath options from the owner.
	GetOptions() *option.IntOptions
}

DeviceConfiguration is an interface for injecting configuration of datapath options that affect lookups and logic applied at a per-device level, whether those are devices associated with the endpoint or associated with the host.

type Endpoint

type Endpoint interface {
	EndpointConfiguration
	InterfaceName() string
	Logger(subsystem string) *logrus.Entry
	StateDir() string
}

Endpoint provides access endpoint configuration information that is necessary to compile and load the datapath.

type EndpointConfiguration

type EndpointConfiguration interface {
	CompileTimeConfiguration
	LoadTimeConfiguration
}

EndpointConfiguration provides datapath implementations a clean interface to access endpoint-specific configuration when configuring the datapath.

type IPsecKeyCustodian added in v1.15.0

type IPsecKeyCustodian interface {
	AuthKeySize() int
	SPI() uint8
	StartBackgroundJobs(NodeHandler) error
}

type IptablesManager

type IptablesManager interface {
	// InstallProxyRules creates the necessary datapath config (e.g., iptables
	// rules for redirecting host proxy traffic on a specific ProxyPort)
	InstallProxyRules(ctx context.Context, proxyPort uint16, ingress bool, name string) error

	// SupportsOriginalSourceAddr tells if the datapath supports
	// use of original source addresses in proxy upstream
	// connections.
	SupportsOriginalSourceAddr() bool
	InstallRules(ctx context.Context, ifName string, quiet, install bool) error

	// GetProxyPorts fetches the existing proxy ports configured in the
	// datapath. Used early in bootstrap to reopen proxy ports.
	GetProxyPorts() map[string]uint16

	// InstallNoTrackRules is explicitly called when a pod has valid
	// "policy.cilium.io/no-track-port" annotation.  When
	// InstallNoConntrackIptRules flag is set, a super set of v4 NOTRACK
	// rules will be automatically installed upon agent bootstrap (via
	// function addNoTrackPodTrafficRules) and this function will be
	// skipped.  When InstallNoConntrackIptRules is not set, this function
	// will be executed to install NOTRACK rules.  The rules installed by
	// this function is very specific, for now, the only user is
	// node-local-dns pods.
	InstallNoTrackRules(IP string, port uint16, ipv6 bool) error

	// See comments for InstallNoTrackRules.
	RemoveNoTrackRules(IP string, port uint16, ipv6 bool) error
}

IptablesManager manages iptables rules.

type LBMap

type LBMap interface {
	UpsertService(*UpsertServiceParams) error
	UpsertMaglevLookupTable(uint16, map[string]*loadbalancer.Backend, bool) error
	IsMaglevLookupTableRecreated(bool) bool
	DeleteService(loadbalancer.L3n4AddrID, int, bool, loadbalancer.SVCNatPolicy) error
	AddBackend(*loadbalancer.Backend, bool) error
	UpdateBackendWithState(*loadbalancer.Backend) error
	DeleteBackendByID(loadbalancer.BackendID) error
	AddAffinityMatch(uint16, loadbalancer.BackendID) error
	DeleteAffinityMatch(uint16, loadbalancer.BackendID) error
	UpdateSourceRanges(uint16, []*cidr.CIDR, []*cidr.CIDR, bool) error
	DumpServiceMaps() ([]*loadbalancer.SVC, []error)
	DumpBackendMaps() ([]*loadbalancer.Backend, error)
	DumpAffinityMatches() (BackendIDByServiceIDSet, error)
	DumpSourceRanges(bool) (SourceRangeSetByServiceID, error)
	ExistsSockRevNat(cookie uint64, addr net.IP, port uint16) bool
}

LBMap is the interface describing methods for manipulating service maps.

type LoadTimeConfiguration

type LoadTimeConfiguration interface {
	// GetID returns a locally-significant endpoint identification number.
	GetID() uint64
	// StringID returns the string-formatted version of the ID from GetID().
	StringID() string
	// GetIdentity returns a globally-significant numeric security identity.
	GetIdentity() identity.NumericIdentity

	// GetIdentityLocked returns a globally-significant numeric security
	// identity while assuming that the backing data structure is locked.
	// This function should be removed in favour of GetIdentity()
	GetIdentityLocked() identity.NumericIdentity

	IPv4Address() netip.Addr
	IPv6Address() netip.Addr
	GetNodeMAC() mac.MAC
	GetIfIndex() int
}

LoadTimeConfiguration provides datapath implementations a clean interface to access endpoint-specific configuration that can be changed at load time.

type Loader

type Loader interface {
	CallsMapPath(id uint16) string
	CustomCallsMapPath(id uint16) string
	CompileAndLoad(ctx context.Context, ep Endpoint, stats *metrics.SpanStat) error
	CompileOrLoad(ctx context.Context, ep Endpoint, stats *metrics.SpanStat) error
	ReloadDatapath(ctx context.Context, ep Endpoint, stats *metrics.SpanStat) error
	EndpointHash(cfg EndpointConfiguration) (string, error)
	Unload(ep Endpoint)
	Reinitialize(ctx context.Context, o BaseProgramOwner, tunnelConfig tunnel.Config, deviceMTU int, iptMgr IptablesManager, p Proxy) error
	HostDatapathInitialized() <-chan struct{}
}

Loader is an interface to abstract out loading of datapath programs.

type LocalNodeConfiguration

type LocalNodeConfiguration struct {
	// MtuConfig is the MTU configuration of the node.
	//
	// This field is immutable at runtime. The value will not change in
	// subsequent calls to NodeConfigurationChanged().
	MtuConfig MTUConfiguration

	// AuxiliaryPrefixes is the list of auxiliary prefixes that should be
	// configured in addition to the node PodCIDR
	//
	// This field is mutable. The implementation of
	// NodeConfigurationChanged() must adjust the routes accordingly.
	AuxiliaryPrefixes []*cidr.CIDR

	// EnableIPv4 enables use of IPv4. Routing to the IPv4 allocation CIDR
	// of other nodes must be enabled.
	//
	// This field is immutable at runtime. The value will not change in
	// subsequent calls to NodeConfigurationChanged().
	EnableIPv4 bool

	// EnableIPv6 enables use of IPv6. Routing to the IPv6 allocation CIDR
	// of other nodes must be enabled.
	//
	// This field is immutable at runtime. The value will not change in
	// subsequent calls to NodeConfigurationChanged().
	EnableIPv6 bool

	// EnableEncapsulation enables use of encapsulation in communication
	// between nodes.
	//
	// This field is immutable at runtime. The value will not change in
	// subsequent calls to NodeConfigurationChanged().
	EnableEncapsulation bool

	// EnableAutoDirectRouting enables the use of direct routes for
	// communication between nodes if two nodes have direct L2
	// connectivity.
	//
	// EnableAutoDirectRouting must be compatible with EnableEncapsulation
	// and must provide a fallback to use encapsulation if direct routing
	// is not feasible and encapsulation is enabled.
	//
	// This field is immutable at runtime. The value will not change in
	// subsequent calls to NodeConfigurationChanged().
	EnableAutoDirectRouting bool

	// EnableLocalNodeRoute enables installation of the route which points
	// the allocation prefix of the local node. Disabling this option is
	// useful when another component is responsible for the routing of the
	// allocation CIDR IPs into Cilium endpoints.
	EnableLocalNodeRoute bool

	// EnableIPSec enables IPSec routes
	EnableIPSec bool

	// EncryptNode enables encrypting NodeIP traffic requires EnableIPSec
	EncryptNode bool

	// IPv4PodSubnets is a list of IPv4 subnets that pod IPs are assigned from
	// these are then used when encryption is enabled to configure the node
	// for encryption over these subnets at node initialization.
	IPv4PodSubnets []*net.IPNet

	// IPv6PodSubnets is a list of IPv6 subnets that pod IPs are assigned from
	// these are then used when encryption is enabled to configure the node
	// for encryption over these subnets at node initialization.
	IPv6PodSubnets []*net.IPNet
}

LocalNodeConfiguration represents the configuration of the local node

type MTUConfiguration added in v1.15.0

type MTUConfiguration interface {
	GetDeviceMTU() int
	GetRouteMTU() int
	GetRoutePostEncryptMTU() int
}

type NodeAddressing

type NodeAddressing interface {
	IPv6() NodeAddressingFamily
	IPv4() NodeAddressingFamily
}

NodeAddressing implements addressing of a node

type NodeAddressingFamily

type NodeAddressingFamily interface {
	// Router is the address that will act as the router on each node where
	// an agent is running on. Endpoints have a default route that points
	// to this address.
	Router() net.IP

	// PrimaryExternal is the primary external address of the node. Nodes
	// must be able to reach each other via this address.
	PrimaryExternal() net.IP

	// AllocationCIDR is the CIDR used for IP allocation of all endpoints
	// on the node
	AllocationCIDR() *cidr.CIDR

	// LocalAddresses lists all local addresses
	LocalAddresses() ([]net.IP, error)

	// LoadBalancerNodeAddresses lists all addresses on which HostPort and
	// NodePort services should be responded to
	LoadBalancerNodeAddresses() []net.IP

	// DirectRouting returns the interface index and IP address for
	// direct routing.
	DirectRouting() (int, net.IP, bool)
}

NodeAddressingFamily is the node addressing information for a particular address family

type NodeHandler

type NodeHandler interface {
	// Name identifies the handler, this is used in logging/reporting handler
	// reconciliation errors.
	Name() string

	// NodeAdd is called when a node is discovered for the first time.
	NodeAdd(newNode nodeTypes.Node) error

	// NodeUpdate is called when a node definition changes. Both the old
	// and new node definition is provided. NodeUpdate() is never called
	// before NodeAdd() is called for a particular node.
	NodeUpdate(oldNode, newNode nodeTypes.Node) error

	// NodeDelete is called after a node has been deleted
	NodeDelete(node nodeTypes.Node) error

	// AllNodeValidateImplementation is called to validate the implementation
	// of all nodes in the node cache.
	AllNodeValidateImplementation()

	// NodeValidateImplementation is called to validate the implementation of
	// the node in the datapath. This function is intended to be run on an
	// interval to ensure that the datapath is consistently converged.
	NodeValidateImplementation(node nodeTypes.Node) error

	// NodeConfigurationChanged is called when the local node configuration
	// has changed
	NodeConfigurationChanged(config LocalNodeConfiguration) error
}

NodeHandler handles node related events such as addition, update or deletion of nodes or changes to the local node configuration.

Node events apply to the local node as well as to remote nodes. The implementation can differ between the own local node and remote nodes by calling node.IsLocal().

type NodeIDHandler

type NodeIDHandler interface {
	// GetNodeIP returns the string node IP that was previously registered as the given node ID.
	GetNodeIP(uint16) string

	// GetNodeID gets the node ID for the given node IP. If none is found, exists is false.
	GetNodeID(nodeIP net.IP) (nodeID uint16, exists bool)

	// DumpNodeIDs returns all node IDs and their associated IP addresses.
	DumpNodeIDs() []*models.NodeID

	// RestoreNodeIDs restores node IDs and their associated IP addresses from the
	// BPF map and into the node handler in-memory copy.
	RestoreNodeIDs()
}

type NodeNeighbors

type NodeNeighbors interface {
	// NodeNeighDiscoveryEnabled returns whether node neighbor discovery is enabled
	NodeNeighDiscoveryEnabled() bool

	// NodeNeighborRefresh is called to refresh node neighbor table
	NodeNeighborRefresh(ctx context.Context, node nodeTypes.Node)

	// NodeCleanNeighbors cleans all neighbor entries for the direct routing device
	// and the encrypt interface.
	NodeCleanNeighbors(migrateOnly bool)
}

type PreFilter

type PreFilter interface {
	WriteConfig(fw io.Writer)
	Dump(to []string) ([]string, int64)
	Insert(revision int64, cidrs []net.IPNet) error
	Delete(revision int64, cidrs []net.IPNet) error
}

PreFilter an interface for an XDP pre-filter.

type Proxy

type Proxy interface {
	ReinstallRoutingRules(mtu int) error
	ReinstallIPTablesRules(ctx context.Context) error
}

Proxy is any type which installs rules related to redirecting traffic to a proxy.

type SourceRangeSetByServiceID

type SourceRangeSetByServiceID map[uint16][]*cidr.CIDR // svc ID => src range CIDRs

type UpsertServiceParams

type UpsertServiceParams struct {
	ID   uint16
	IP   net.IP
	Port uint16

	// PreferredBackends is a subset of ActiveBackends
	// Note: this is only used in clustermesh with service affinity annotation.
	PreferredBackends         map[string]*loadbalancer.Backend
	ActiveBackends            map[string]*loadbalancer.Backend
	NonActiveBackends         []loadbalancer.BackendID
	PrevBackendsCount         int
	IPv6                      bool
	Type                      loadbalancer.SVCType
	NatPolicy                 loadbalancer.SVCNatPolicy
	ExtLocal                  bool
	IntLocal                  bool
	Scope                     uint8
	SessionAffinity           bool
	SessionAffinityTimeoutSec uint32
	CheckSourceRange          bool
	UseMaglev                 bool
	L7LBProxyPort             uint16                   // Non-zero for L7 LB services
	Name                      loadbalancer.ServiceName // Fully qualified name of the service
	LoopbackHostport          bool
}

func (*UpsertServiceParams) GetOrderedBackends

func (p *UpsertServiceParams) GetOrderedBackends() []loadbalancer.BackendID

GetOrderedBackends returns an ordered list of backends with all the sorted preferred backend followed by active and non-active backends. Encapsulates logic to be also used in unit tests.

type WireguardAgent

type WireguardAgent interface {
	UpdatePeer(nodeName, pubKeyHex string, nodeIPv4, nodeIPv6 net.IP) error
	DeletePeer(nodeName string) error
	Status(includePeers bool) (*models.WireguardStatus, error)
}

WireguardAgent manages the WireGuard peers

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL