Documentation ¶
Index ¶
- Constants
- Variables
- func APICanModify(e *Endpoint) error
- func CheckHealth(ep *Endpoint) error
- func EndpointSyncControllerName(epID uint16) string
- func FilterEPDir(dirFiles []os.DirEntry) []string
- func NewDatapathConfiguration() models.EndpointDatapathConfiguration
- func ParseExternalRegenerationMetadata(ctx context.Context, c context.CancelFunc, ...) *regenerationContext
- func ReadEPsFromDirNames(ctx context.Context, owner regeneration.Owner, policyGetter policyRepoGetter, ...) map[uint16]*Endpoint
- type AnnotationsResolverCB
- type CEPOwnerInterface
- type DeleteConfig
- type Endpoint
- func CreateHostEndpoint(owner regeneration.Owner, policyGetter policyRepoGetter, ...) (*Endpoint, error)
- func CreateIngressEndpoint(owner regeneration.Owner, policyGetter policyRepoGetter, ...) (*Endpoint, error)
- func NewEndpointFromChangeModel(ctx context.Context, owner regeneration.Owner, policyGetter policyRepoGetter, ...) (*Endpoint, error)
- func NewTestEndpointWithState(owner regeneration.Owner, policyGetter policyRepoGetter, ...) *Endpoint
- func (e *Endpoint) APICanModifyConfig(n models.ConfigurationMap) error
- func (e *Endpoint) Allows(id identity.NumericIdentity) bool
- func (e *Endpoint) ApplyOpts(opts option.OptionMap) (bool, error)
- func (e *Endpoint) ApplyPolicyMapChanges(proxyWaitGroup *completion.WaitGroup) error
- func (e *Endpoint) ApplyUserLabelChanges(lbls labels.Labels) (add, del labels.Labels, err error)
- func (e *Endpoint) BuilderSetStateLocked(toState State, reason string) bool
- func (e *Endpoint) Close()
- func (e *Endpoint) ConntrackLocal() bool
- func (e *Endpoint) ConntrackLocalLocked() bool
- func (e *Endpoint) ConntrackNameLocked() string
- func (e *Endpoint) Delete(conf DeleteConfig) []error
- func (e *Endpoint) DirectoryPath() string
- func (e *Endpoint) FailedDirectoryPath() string
- func (e *Endpoint) FormatGlobalEndpointID() string
- func (e *Endpoint) GetCEPOwner() CEPOwnerInterface
- func (e *Endpoint) GetCNIAttachmentID() string
- func (e *Endpoint) GetCiliumEndpointStatus() *cilium_v2.EndpointStatus
- func (e *Endpoint) GetCiliumEndpointUID() types.UID
- func (e *Endpoint) GetConfigurationStatus() *models.EndpointConfigurationStatus
- func (e *Endpoint) GetContainerID() string
- func (e *Endpoint) GetContainerName() string
- func (e *Endpoint) GetCreatedAt() time.Time
- func (e *Endpoint) GetDisableLegacyIdentifiers() bool
- func (e *Endpoint) GetDockerEndpointID() string
- func (e *Endpoint) GetEndpointNetNsCookie() uint64
- func (e *Endpoint) GetHealthModel() *models.EndpointHealth
- func (e *Endpoint) GetID() uint64
- func (e *Endpoint) GetID16() uint16
- func (e *Endpoint) GetIPv4Address() string
- func (e *Endpoint) GetIPv6Address() string
- func (e *Endpoint) GetIdentity() identity.NumericIdentity
- func (e *Endpoint) GetIdentityLocked() identity.NumericIdentity
- func (e *Endpoint) GetIfIndex() int
- func (e *Endpoint) GetK8sCEPName() string
- func (e *Endpoint) GetK8sNamespace() string
- func (e *Endpoint) GetK8sNamespaceAndCEPName() string
- func (e *Endpoint) GetK8sNamespaceAndPodName() string
- func (e *Endpoint) GetK8sPodName() string
- func (e *Endpoint) GetK8sPorts() (k8sPorts types.NamedPortMap)
- func (e *Endpoint) GetK8sUID() string
- func (e *Endpoint) GetLabels() labels.Labels
- func (e *Endpoint) GetLabelsModel() (*models.LabelConfiguration, error)
- func (e *Endpoint) GetModel() *models.Endpoint
- func (e *Endpoint) GetModelRLocked() *models.Endpoint
- func (e *Endpoint) GetNamedPort(ingress bool, name string, proto u8proto.U8proto) uint16
- func (e *Endpoint) GetNamedPortsModel() models.NamedPorts
- func (e *Endpoint) GetNodeMAC() mac.MAC
- func (e *Endpoint) GetOpLabels() []string
- func (e *Endpoint) GetOptions() *option.IntOptions
- func (e *Endpoint) GetPod() *slim_corev1.Pod
- func (e *Endpoint) GetPolicyModel() *models.EndpointPolicyStatus
- func (e *Endpoint) GetPolicyVerdictLogFilter() uint32
- func (e *Endpoint) GetPolicyVersionHandle() *versioned.VersionHandle
- func (e *Endpoint) GetPropertyValue(key string) interface{}
- func (e *Endpoint) GetRealizedPolicyRuleLabelsForKey(key policyTypes.Key) (derivedFrom labels.LabelArrayList, revision uint64, ok bool)
- func (e *Endpoint) GetReporter(name string) cell.Health
- func (e *Endpoint) GetSecurityIdentity() (*identity.Identity, error)
- func (e *Endpoint) GetShortContainerID() string
- func (e *Endpoint) GetState() State
- func (e *Endpoint) GetStatusModel() []*models.EndpointStatusChange
- func (e *Endpoint) HasLabels(l labels.Labels) bool
- func (e *Endpoint) HaveK8sMetadata() (metadataSet bool)
- func (e *Endpoint) HostInterface() string
- func (e *Endpoint) HumanString() string
- func (e *Endpoint) IPv4Address() netip.Addr
- func (e *Endpoint) IPv6Address() netip.Addr
- func (e *Endpoint) Identifiers() id.Identifiers
- func (e *Endpoint) InitEndpointHealth(parent cell.Health)
- func (e *Endpoint) InitEventQueue()
- func (e *Endpoint) InitMap() error
- func (e *Endpoint) InitWithIngressLabels(ctx context.Context, launchTime time.Duration)
- func (e *Endpoint) InitWithNodeLabels(ctx context.Context, nodeLabels map[string]string, launchTime time.Duration)
- func (e *Endpoint) IsAtHostNS() bool
- func (e *Endpoint) IsDisconnecting() bool
- func (e *Endpoint) IsHost() bool
- func (e *Endpoint) IsInit() bool
- func (e *Endpoint) IsProperty(propertyKey string) bool
- func (e *Endpoint) IsProxyDisabled() bool
- func (e *Endpoint) K8sNamespaceAndPodNameIsSet() bool
- func (e *Endpoint) LXCMac() mac.MAC
- func (e *Endpoint) LogStatus(typ StatusType, code StatusCode, msg string)
- func (e *Endpoint) LogStatusOK(typ StatusType, msg string)
- func (e *Endpoint) LogStatusOKLocked(typ StatusType, msg string)
- func (e *Endpoint) Logger(subsystem string) *logrus.Entry
- func (e *Endpoint) MarkCTGCTime(prev, next time.Time)
- func (e *Endpoint) MarkDNSCTEntry(dstIP netip.Addr, now time.Time)
- func (ep *Endpoint) MarshalJSON() ([]byte, error)
- func (e *Endpoint) ModifyIdentityLabels(source string, addLabels, delLabels labels.Labels) error
- func (e *Endpoint) NextDirectoryPath() string
- func (e *Endpoint) OnDNSPolicyUpdateLocked(rules restore.DNSRules)
- func (e *Endpoint) OnProxyPolicyUpdate(revision uint64)
- func (e *Endpoint) PolicyDebug(fields logrus.Fields, msg string)
- func (e *Endpoint) PolicyRevisionBumpEvent(rev uint64)
- func (e *Endpoint) ProcessChangeRequest(newEp *Endpoint, validPatchTransitionState bool) (string, error)
- func (e *Endpoint) Regenerate(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
- func (e *Endpoint) RegenerateAfterRestore(regenerator *Regenerator, bwm dptypes.BandwidthManager, ...) error
- func (e *Endpoint) RegenerateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
- func (e *Endpoint) RequireARPPassthrough() bool
- func (e *Endpoint) RequireEgressProg() bool
- func (e *Endpoint) RequireEndpointRoute() bool
- func (e *Endpoint) RequireRouting() (required bool)
- func (e *Endpoint) RunMetadataResolver(restoredEndpoint, blocking bool, baseLabels labels.Labels, ...) (regenTriggered bool)
- func (e *Endpoint) RunRestoredMetadataResolver(bwm dptypes.BandwidthManager, resolveMetadata MetadataResolverCB)
- func (e *Endpoint) SetAllocator(allocator cache.IdentityAllocator)
- func (e *Endpoint) SetCiliumEndpointUID(uid types.UID)
- func (e *Endpoint) SetDefaultConfiguration()
- func (e *Endpoint) SetDefaultOpts(opts *option.IntOptions)
- func (e *Endpoint) SetIdentity(identity *identityPkg.Identity, newEndpoint bool)
- func (ep *Endpoint) SetIsHost(isHost bool)
- func (e *Endpoint) SetK8sMetadata(containerPorts []slim_corev1.ContainerPort)
- func (e *Endpoint) SetMac(mac mac.MAC)
- func (e *Endpoint) SetPod(pod *slim_corev1.Pod)
- func (e *Endpoint) SetPolicyRevision(rev uint64)
- func (e *Endpoint) SetPropertyValue(key string, value interface{}) interface{}
- func (e *Endpoint) SetProxy(p EndpointProxy)
- func (e *Endpoint) SetRegenerateStateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) (bool, error)
- func (e *Endpoint) SetState(toState State, reason string) bool
- func (e *Endpoint) SkipStateClean()
- func (e *Endpoint) Start(id uint16)
- func (e *Endpoint) StateDirectoryPath() string
- func (e *Endpoint) Stop()
- func (e *Endpoint) String() string
- func (e *Endpoint) StringID() string
- func (e *Endpoint) SyncEndpointHeaderFile()
- func (ep *Endpoint) UnmarshalJSON(raw []byte) error
- func (e *Endpoint) Update(cfg *models.EndpointConfigurationSpec) error
- func (e *Endpoint) UpdateBandwidthPolicy(bwm dptypes.BandwidthManager, annoCB AnnotationsResolverCB)
- func (e *Endpoint) UpdateController(name string, params controller.ControllerParams)
- func (e *Endpoint) UpdateLabels(ctx context.Context, sourceFilter string, ...) (regenTriggered bool)
- func (e *Endpoint) UpdateLabelsFrom(oldLbls, newLbls map[string]string, source string) error
- func (e *Endpoint) UpdateLogger(fields map[string]interface{})
- func (e *Endpoint) UpdateNoTrackRules(annoCB AnnotationsResolverCB)
- func (e *Endpoint) UpdateProxyStatistics(proxyType, l4Protocol string, port, proxyPort uint16, ingress, request bool, ...)
- func (e *Endpoint) ValidateConnectorPlumbing(linkChecker linkCheckerFunc) error
- func (e *Endpoint) WaitForFirstRegeneration(ctx context.Context) error
- func (e *Endpoint) WaitForIdentity(timeoutDuration time.Duration) *identity.Identity
- func (e *Endpoint) WaitForPolicyRevision(ctx context.Context, rev uint64, done func(ts time.Time)) <-chan struct{}
- type EndpointNoTrackEvent
- type EndpointPolicyBandwidthEvent
- type EndpointProxy
- type EndpointRegenerationEvent
- type EndpointRegenerationResult
- type EndpointRevisionBumpEvent
- type EndpointStatus
- type FakeEndpointProxy
- func (f *FakeEndpointProxy) CreateOrUpdateRedirect(ctx context.Context, l4 policy.ProxyPolicy, id string, ...) (proxyPort uint16, err error, finalizeFunc revert.FinalizeFunc, ...)
- func (f *FakeEndpointProxy) RemoveNetworkPolicy(ep endpoint.EndpointInfoSource)
- func (f *FakeEndpointProxy) RemoveRedirect(id string)
- func (f *FakeEndpointProxy) UpdateNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, ...) (error, func() error)
- func (f *FakeEndpointProxy) UseCurrentNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, wg *completion.WaitGroup)
- type K8sMetadata
- type KVStoreNodesWaitFn
- type MetadataResolverCB
- type PolicyMapPressureEvent
- type Regenerator
- type State
- type Status
- type StatusCode
- type StatusResponse
- type StatusType
- type UpdateCompilationError
- type UpdateStateChangeError
- type UpdateValidationError
Constants ¶
const ( // PropertyFakeEndpoint marks the endpoint as being "fake". By "fake" it // means that it doesn't have any datapath bpf programs regenerated. PropertyFakeEndpoint = "property-fake-endpoint" // PropertyAtHostNS is used for endpoints that are reached via the host networking // namespace, but have their own IP(s) from the node's pod CIDR range PropertyAtHostNS = "property-at-host-network-namespace" // PropertyWithouteBPFDatapath marks the endpoint that doesn't contain a // eBPF datapath program. PropertyWithouteBPFDatapath = "property-without-bpf-endpoint" // PropertySkipBPFPolicy will mark the endpoint to skip ebpf // policy regeneration. PropertySkipBPFPolicy = "property-skip-bpf-policy" // PropertySkipBPFRegeneration will mark the endpoint to skip ebpf // regeneration. PropertySkipBPFRegeneration = "property-skip-bpf-regeneration" // PropertyCEPOwner will be able to store the CEP owner for this endpoint. PropertyCEPOwner = "property-cep-owner" // PropertyCEPName contains the CEP name for this endpoint. PropertyCEPName = "property-cep-name" )
const ( // StateWaitingForIdentity is used to set if the endpoint is waiting // for an identity from the KVStore. StateWaitingForIdentity = State(models.EndpointStateWaitingDashForDashIdentity) // StateReady specifies if the endpoint is ready to be used. StateReady = State(models.EndpointStateReady) // StateWaitingToRegenerate specifies when the endpoint needs to be regenerated, but regeneration has not started yet. StateWaitingToRegenerate = State(models.EndpointStateWaitingDashToDashRegenerate) // StateRegenerating specifies when the endpoint is being regenerated. StateRegenerating = State(models.EndpointStateRegenerating) // StateDisconnecting indicates that the endpoint is being disconnected StateDisconnecting = State(models.EndpointStateDisconnecting) // StateDisconnected is used to set the endpoint is disconnected. StateDisconnected = State(models.EndpointStateDisconnected) // StateRestoring is used to set the endpoint is being restored. StateRestoring = State(models.EndpointStateRestoring) // StateInvalid is used when an endpoint failed during creation due to // invalid data. StateInvalid = State(models.EndpointStateInvalid) )
const ( // EndpointGenerationTimeout specifies timeout for proxy completion context EndpointGenerationTimeout = 330 * time.Second )
Variables ¶
var (
EndpointMutableOptionLibrary = option.GetEndpointMutableOptionLibrary()
)
var ( // ErrNotAlive is an error which indicates that the endpoint could not be // locked because it is currently being removed. // Same error is returned for both lock and rlock. ErrNotAlive = errors.New("lock failed: endpoint is in the process of being removed") )
var ( RegeneratorCell = cell.Module( "endpoint-regeneration", "Endpoints regeneration", cell.Provide(newRegenerator), ) )
Functions ¶
func APICanModify ¶ added in v0.15.7
APICanModify determines whether API requests from a user are allowed to modify this endpoint.
func CheckHealth ¶ added in v0.15.7
CheckHealth verifies that the endpoint is alive and healthy by checking the link status. This satisfies endpointmanager.EndpointCheckerFunc.
func EndpointSyncControllerName ¶ added in v0.15.7
EndpointSyncControllerName returns the controller name to synchronize endpoint in to kubernetes.
func FilterEPDir ¶
FilterEPDir returns a list of directories' names that possible belong to an endpoint.
func NewDatapathConfiguration ¶ added in v0.15.7
func NewDatapathConfiguration() models.EndpointDatapathConfiguration
NewDatapathConfiguration return the default endpoint datapath configuration based on whether per-endpoint routes are enabled.
func ParseExternalRegenerationMetadata ¶ added in v0.15.7
func ParseExternalRegenerationMetadata(ctx context.Context, c context.CancelFunc, e *regeneration.ExternalRegenerationMetadata) *regenerationContext
func ReadEPsFromDirNames ¶ added in v0.15.7
func ReadEPsFromDirNames(ctx context.Context, owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, basePath string, eptsDirNames []string) map[uint16]*Endpoint
ReadEPsFromDirNames returns a mapping of endpoint ID to endpoint of endpoints from a list of directory names that can possible contain an endpoint.
Types ¶
type AnnotationsResolverCB ¶ added in v0.15.7
AnnotationsResolverCB provides an implementation for resolving the pod annotations.
type CEPOwnerInterface ¶ added in v1.16.0
type CEPOwnerInterface interface { // IsNil returns true or false if the object is nil. IsNil() bool // GetAPIVersion returns the API version of the owner. GetAPIVersion() string // GetKind returns the Kind of the owner. GetKind() string // GetNamespace returns the namespace where the owner lives. GetNamespace() string // GetName returns the owners' name. GetName() string // GetLabels returns the labels of the owner. GetLabels() map[string]string // GetUID returns the owners' UID. GetUID() k8sTypes.UID // GetHostIP returns the owners' host IP. GetHostIP() string }
CEPOwnerInterface contains the interface of an endpoint owner.
type DeleteConfig ¶ added in v0.15.7
DeleteConfig is the endpoint deletion configuration
type Endpoint ¶
type Endpoint struct { // ID of the endpoint, unique in the scope of the node ID uint16 // OpLabels is the endpoint's label configuration // // FIXME: Rename this field to Labels OpLabels labels.OpLabels // IPv6 is the IPv6 address of the endpoint. // Constant after endpoint creation / restoration. IPv6 netip.Addr // IPv6IPAMPool is the IPAM address pool from which the IPv6 address has been allocated from. // Constant after endpoint creation / restoration. IPv6IPAMPool string // IPv4 is the IPv4 address of the endpoint. // Constant after endpoint creation / restoration. IPv4 netip.Addr // IPv4IPAMPool is the IPAM address pool from which the IPv4 address has been allocated from. // Constant after endpoint creation / restoration. IPv4IPAMPool string // SecurityIdentity is the security identity of this endpoint. This is computed from // the endpoint's labels. SecurityIdentity *identity.Identity `json:"SecLabel"` // PolicyMapPressureUpdater updates the policymap pressure metric. PolicyMapPressureUpdater policyMapPressureUpdater // Options determine the datapath configuration of the endpoint. Options *option.IntOptions // DNSRules is the collection of current endpoint-specific DNS proxy // rules that conform to using restore.PortProto V1 (that is, they do // **not** take protocol into account). These can be restored during // Cilium restart. // TODO: This can be removed when 1.16 is deprecated. DNSRules restore.DNSRules // DNSRulesV2 is the collection of current endpoint-specific DNS proxy // rules that conform to using restore.PortProto V2 (that is, they take // protocol into account). These can be restored during Cilium restart. DNSRulesV2 restore.DNSRules // DNSHistory is the collection of still-valid DNS responses intercepted for // this endpoint. DNSHistory *fqdn.DNSCache // DNSZombies is the collection of DNS IPs that have expired in or been // evicted from DNSHistory. They are held back from deletion until we can // confirm that no existing connection is using them. DNSZombies *fqdn.DNSZombieMappings // K8sPodName is the Kubernetes pod name of the endpoint. // Immutable after Endpoint creation. K8sPodName string // K8sNamespace is the Kubernetes namespace of the endpoint. // Immutable after Endpoint creation. K8sNamespace string // K8sUID is the Kubernetes UID of the pod. Passed directly from the CNI. // Immutable after Endpoint creation. K8sUID string // DatapathConfiguration is the endpoint's datapath configuration as // passed in via the plugin that created the endpoint, e.g. the CNI // plugin which performed the plumbing will enable certain datapath // features according to the mode selected. DatapathConfiguration models.EndpointDatapathConfiguration // NetNsCookie is the network namespace cookie of the Endpoint. NetNsCookie uint64 // contains filtered or unexported fields }
Endpoint represents a container or similar which can be individually addresses on L3 with its own IP addresses. This structured is managed by the endpoint manager in pkg/endpointmanager.
The representation of the Endpoint which is serialized to disk for restore purposes is the serializableEndpoint type in this package.
func CreateHostEndpoint ¶ added in v0.15.7
func CreateHostEndpoint(owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, proxy EndpointProxy, allocator cache.IdentityAllocator) (*Endpoint, error)
CreateHostEndpoint creates the endpoint corresponding to the host.
func CreateIngressEndpoint ¶ added in v1.13.15
func CreateIngressEndpoint(owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, proxy EndpointProxy, allocator cache.IdentityAllocator) (*Endpoint, error)
CreateIngressEndpoint creates the endpoint corresponding to Cilium Ingress.
func NewEndpointFromChangeModel ¶
func NewEndpointFromChangeModel(ctx context.Context, owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, proxy EndpointProxy, allocator cache.IdentityAllocator, base *models.EndpointChangeRequest) (*Endpoint, error)
NewEndpointFromChangeModel creates a new endpoint from a request
func NewTestEndpointWithState ¶ added in v1.16.0
func NewTestEndpointWithState(owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, proxy EndpointProxy, allocator cache.IdentityAllocator, ID uint16, state State) *Endpoint
NewTestEndpointWithState creates a new endpoint useful for testing purposes
Note: This function is intended for testing purposes only and should not be used in production code.
func (*Endpoint) APICanModifyConfig ¶ added in v0.15.7
func (e *Endpoint) APICanModifyConfig(n models.ConfigurationMap) error
APICanModifyConfig determines whether API requests from users are allowed to modify the configuration of the endpoint.
func (*Endpoint) Allows ¶
func (e *Endpoint) Allows(id identity.NumericIdentity) bool
Allows is only used for unit testing
func (*Endpoint) ApplyOpts ¶
ApplyOpts tries to lock endpoint, applies the given options to the endpoint's options and returns true if there were any options changed.
func (*Endpoint) ApplyPolicyMapChanges ¶ added in v0.15.7
func (e *Endpoint) ApplyPolicyMapChanges(proxyWaitGroup *completion.WaitGroup) error
ApplyPolicyMapChanges updates the Endpoint's PolicyMap with the changes that have accumulated for the PolicyMap via various outside events (e.g., identities added / deleted). 'proxyWaitGroup' may not be nil.
func (*Endpoint) ApplyUserLabelChanges ¶ added in v0.15.7
ApplyUserLabelChanges changes the label configuration of the endpoint per the provided labels. Returns labels that were added and deleted. Returns an error if the endpoint is being deleted.
func (*Endpoint) BuilderSetStateLocked ¶ added in v0.15.7
BuilderSetStateLocked modifies the endpoint's state endpoint.mutex must be Lock()ed endpoint buildMutex must be held!
func (*Endpoint) ConntrackLocal ¶ added in v0.15.7
ConntrackLocal determines whether this endpoint is currently using a local table to handle connection tracking (true), or the global table (false).
func (*Endpoint) ConntrackLocalLocked ¶ added in v0.15.7
ConntrackLocalLocked is the same as ConntrackLocal, but assumes that the endpoint is already locked for reading.
func (*Endpoint) ConntrackNameLocked ¶ added in v0.15.7
ConntrackNameLocked returns the name suffix for the endpoint-specific bpf conntrack map, which is a 5-digit endpoint ID, or "global" when the global map should be used. Must be called with the endpoint locked.
func (*Endpoint) Delete ¶ added in v0.15.7
func (e *Endpoint) Delete(conf DeleteConfig) []error
Delete cleans up all resources associated with this endpoint, including the following: * all goroutines managed by this Endpoint (EventQueue, Controllers) * removal from the endpointmanager, resulting in new events not taking effect on this endpoint * cleanup of datapath state (BPF maps, proxy configuration, directories) * releasing of the reference to its allocated security identity
func (*Endpoint) DirectoryPath ¶
DirectoryPath returns the directory name for this endpoint bpf program.
func (*Endpoint) FailedDirectoryPath ¶ added in v0.15.7
FailedDirectoryPath returns the directory name for this endpoint bpf program failed builds.
func (*Endpoint) FormatGlobalEndpointID ¶ added in v0.15.7
FormatGlobalEndpointID returns the global ID of endpoint in the format / <global ID Prefix>:<cluster name>:<node name>:<endpoint ID> as a string.
func (*Endpoint) GetCEPOwner ¶ added in v1.16.0
func (e *Endpoint) GetCEPOwner() CEPOwnerInterface
GetCEPOwner retrieves the cep owner related to this endpoint which will be, by default, the pod associated with this endpoint.
func (*Endpoint) GetCNIAttachmentID ¶ added in v0.15.7
GetCNIAttachmentID returns the endpoint's unique CNI attachment ID
func (*Endpoint) GetCiliumEndpointStatus ¶ added in v0.15.7
func (e *Endpoint) GetCiliumEndpointStatus() *cilium_v2.EndpointStatus
GetCiliumEndpointStatus creates a cilium_v2.EndpointStatus of an endpoint. See cilium_v2.EndpointStatus for a detailed explanation of each field.
func (*Endpoint) GetCiliumEndpointUID ¶ added in v0.15.7
GetCiliumEndpointUID returns the UID of the CiliumEndpoint.
func (*Endpoint) GetConfigurationStatus ¶ added in v0.15.7
func (e *Endpoint) GetConfigurationStatus() *models.EndpointConfigurationStatus
GetConfigurationStatus returns the Cilium API representation of the configuration of this endpoint.
func (*Endpoint) GetContainerID ¶ added in v0.15.7
GetContainerID returns the endpoint's container ID
func (*Endpoint) GetContainerName ¶ added in v0.15.7
GetContainerName returns the name of the container for the endpoint.
func (*Endpoint) GetCreatedAt ¶ added in v0.15.7
GetCreatedAt returns the endpoint creation time.
func (*Endpoint) GetDisableLegacyIdentifiers ¶ added in v1.16.0
GetDisableLegacyIdentifiers returns the endpoint's disableLegacyIdentifiers.
func (*Endpoint) GetDockerEndpointID ¶ added in v0.15.7
func (*Endpoint) GetEndpointNetNsCookie ¶ added in v1.16.3
GetEndpointNetNsCookie returns the endpoint's netns cookie.
func (*Endpoint) GetHealthModel ¶ added in v0.15.7
func (e *Endpoint) GetHealthModel() *models.EndpointHealth
GetHealthModel returns the endpoint's health object.
func (*Endpoint) GetID ¶ added in v0.10.0
GetID returns the endpoint's ID as a 64-bit unsigned integer.
func (*Endpoint) GetID16 ¶ added in v0.15.7
GetID16 returns the endpoint's ID as a 16-bit unsigned integer.
func (*Endpoint) GetIPv4Address ¶ added in v0.10.0
GetIPv4Address returns the IPv4 address of the endpoint as a string
func (*Endpoint) GetIPv6Address ¶ added in v0.10.0
GetIPv6Address returns the IPv6 address of the endpoint as a string
func (*Endpoint) GetIdentity ¶
func (e *Endpoint) GetIdentity() identity.NumericIdentity
GetIdentity returns the numeric security identity of the endpoint
func (*Endpoint) GetIdentityLocked ¶ added in v0.15.7
func (e *Endpoint) GetIdentityLocked() identity.NumericIdentity
GetIdentityLocked is identical to GetIdentity() but assumes that a.mutex is already held. This function is obsolete and should no longer be used.
func (*Endpoint) GetIfIndex ¶ added in v0.15.7
GetIfIndex returns the ifIndex for this endpoint.
func (*Endpoint) GetK8sCEPName ¶ added in v0.15.7
GetK8sCEPName returns the corresponding K8s CiliumEndpoint resource name for this endpoint (without the namespace) Returns an empty string if the endpoint does not belong to a pod.
func (*Endpoint) GetK8sNamespace ¶ added in v0.15.7
GetK8sNamespace returns the name of the pod if the endpoint represents a Kubernetes pod
func (*Endpoint) GetK8sNamespaceAndCEPName ¶ added in v0.15.7
GetK8sNamespaceAndCEPName returns the corresponding namespace and K8s CiliumEndpoint resource name for this endpoint.
func (*Endpoint) GetK8sNamespaceAndPodName ¶ added in v0.15.7
GetK8sNamespaceAndPodName returns the corresponding namespace and pod name for this endpoint.
func (*Endpoint) GetK8sPodName ¶ added in v0.15.7
GetK8sPodName returns the name of the pod if the endpoint represents a Kubernetes pod
func (*Endpoint) GetK8sPorts ¶ added in v0.15.7
func (e *Endpoint) GetK8sPorts() (k8sPorts types.NamedPortMap)
GetK8sPorts returns the k8sPorts, which must not be modified by the caller
func (*Endpoint) GetK8sUID ¶ added in v1.15.5
GetK8sUID returns the UID of the pod if the endpoint represents a Kubernetes pod.
func (*Endpoint) GetLabelsModel ¶ added in v0.15.7
func (e *Endpoint) GetLabelsModel() (*models.LabelConfiguration, error)
GetLabelsModel returns the labels of the endpoint in their representation for the Cilium API. Returns an error if the Endpoint is being deleted.
func (*Endpoint) GetModelRLocked ¶ added in v0.15.7
GetModelRLocked returns the API model of endpoint e. e.mutex must be RLocked.
func (*Endpoint) GetNamedPort ¶ added in v0.15.7
GetNamedPort returns the port for the given name.
func (*Endpoint) GetNamedPortsModel ¶ added in v0.15.7
func (e *Endpoint) GetNamedPortsModel() models.NamedPorts
GetNamedPortsModel returns the endpoint's NamedPorts object.
func (*Endpoint) GetNodeMAC ¶ added in v0.15.7
GetNodeMAC returns the MAC address of the node from this endpoint's perspective.
func (*Endpoint) GetOpLabels ¶ added in v0.15.7
GetOpLabels returns the labels as slice
func (*Endpoint) GetOptions ¶ added in v0.15.7
func (e *Endpoint) GetOptions() *option.IntOptions
GetOptions returns the datapath configuration options of the endpoint.
func (*Endpoint) GetPod ¶ added in v0.15.7
func (e *Endpoint) GetPod() *slim_corev1.Pod
GetPod retrieves the pod related to this endpoint
func (*Endpoint) GetPolicyModel ¶ added in v0.15.7
func (e *Endpoint) GetPolicyModel() *models.EndpointPolicyStatus
GetPolicyModel returns the endpoint's policy as an API model.
Must be called with e.mutex RLock()ed.
func (*Endpoint) GetPolicyVerdictLogFilter ¶ added in v0.15.7
GetPolicyVerdictLogFilter returns the PolicyVerdictLogFilter that would control the creation of policy verdict logs. Value of VerdictLogFilter needs to be consistent with how it is used in policy_verdict_filter_allow() in bpf/lib/policy_log.h
func (*Endpoint) GetPolicyVersionHandle ¶
func (e *Endpoint) GetPolicyVersionHandle() *versioned.VersionHandle
func (*Endpoint) GetPropertyValue ¶ added in v1.16.0
GetPropertyValue returns the metadata value for this key.
func (*Endpoint) GetRealizedPolicyRuleLabelsForKey ¶ added in v0.15.7
func (e *Endpoint) GetRealizedPolicyRuleLabelsForKey(key policyTypes.Key) ( derivedFrom labels.LabelArrayList, revision uint64, ok bool, )
GetRealizedPolicyRuleLabelsForKey returns the list of policy rule labels which match a given flow key (in host byte-order). The returned LabelArrayList is shallow-copied and therefore must not be mutated. This function explicitly exported to be accessed by code outside of the Cilium source code tree and for testing.
func (*Endpoint) GetReporter ¶ added in v1.15.0
func (*Endpoint) GetSecurityIdentity ¶ added in v0.15.7
GetSecurityIdentity returns the security identity of the endpoint. It assumes the endpoint's mutex is held.
func (*Endpoint) GetShortContainerID ¶ added in v0.15.7
GetShortContainerID returns the endpoint's shortened container ID
func (*Endpoint) GetState ¶ added in v0.15.7
GetState returns the endpoint's state endpoint.mutex may only be rlockAlive()ed
func (*Endpoint) GetStatusModel ¶ added in v0.15.7
func (e *Endpoint) GetStatusModel() []*models.EndpointStatusChange
GetStatusModel returns the model of the status of this endpoint.
func (*Endpoint) HasLabels ¶ added in v0.10.0
HasLabels returns whether endpoint e contains all labels l. Will return 'false' if any label in l is not in the endpoint's labels.
func (*Endpoint) HaveK8sMetadata ¶ added in v0.15.7
HaveK8sMetadata returns true once hasK8sMetadata was set
func (*Endpoint) HostInterface ¶ added in v0.15.7
HostInterface returns the name of the link-layer interface used for communicating with the endpoint from the host (if available).
In some datapath modes, it may return an empty string as there is no unique host netns network interface for this endpoint.
func (*Endpoint) HumanString ¶ added in v0.15.7
HumanString returns the endpoint's most human readable identifier as string
func (*Endpoint) IPv4Address ¶ added in v0.15.7
IPv4Address returns the IPv4 address of the endpoint
func (*Endpoint) IPv6Address ¶ added in v0.15.7
IPv6Address returns the IPv6 address of the endpoint
func (*Endpoint) Identifiers ¶ added in v0.15.7
func (e *Endpoint) Identifiers() id.Identifiers
Identifiers fetches the set of attributes that uniquely identify the endpoint.
func (*Endpoint) InitEndpointHealth ¶ added in v1.16.0
func (*Endpoint) InitEventQueue ¶ added in v0.15.7
func (e *Endpoint) InitEventQueue()
InitEventQueue initializes the endpoint's event queue. Note that this function does not begin processing events off the queue, as that's left up to the caller to call Expose in order to allow other subsystems to access the endpoint. This function assumes that the endpoint ID has already been allocated!
Having this be a separate function allows us to prepare the event queue while the endpoint is being validated (during restoration) so that when its metadata is resolved, events can be enqueued (such as bandwidth policy).
func (*Endpoint) InitWithIngressLabels ¶ added in v1.13.15
InitWithIngressLabels initializes the endpoint with reserved:ingress. It should only be used for the host endpoint.
func (*Endpoint) InitWithNodeLabels ¶ added in v0.15.7
func (e *Endpoint) InitWithNodeLabels(ctx context.Context, nodeLabels map[string]string, launchTime time.Duration)
InitWithNodeLabels initializes the endpoint with the known node labels as well as reserved:host. It should only be used for the host endpoint.
func (*Endpoint) IsAtHostNS ¶
func (*Endpoint) IsDisconnecting ¶ added in v0.15.7
IsDisconnecting returns true if the endpoint is being disconnected or already disconnected
This function must be called after re-acquiring the endpoint mutex to verify that the endpoint has not been removed in the meantime.
endpoint.mutex must be held in read mode at least
func (*Endpoint) IsInit ¶ added in v0.15.7
IsInit returns true if the endpoint still hasn't received identity labels, i.e. has the special identity with label reserved:init.
func (*Endpoint) IsProperty ¶ added in v1.16.0
IsProperty checks if the value of the properties map is set, it's a boolean and its value is 'true'.
func (*Endpoint) IsProxyDisabled ¶ added in v0.15.7
func (*Endpoint) K8sNamespaceAndPodNameIsSet ¶ added in v0.15.7
K8sNamespaceAndPodNameIsSet returns true if the namespace and the pod name are both set.
func (*Endpoint) LogStatus ¶
func (e *Endpoint) LogStatus(typ StatusType, code StatusCode, msg string)
func (*Endpoint) LogStatusOK ¶
func (e *Endpoint) LogStatusOK(typ StatusType, msg string)
func (*Endpoint) LogStatusOKLocked ¶ added in v0.15.7
func (e *Endpoint) LogStatusOKLocked(typ StatusType, msg string)
LogStatusOKLocked will log an OK message of the given status type with the given msg string. Must be called with endpoint.mutex RLock()ed.
func (*Endpoint) Logger ¶ added in v0.15.7
Logger returns a logrus object with EndpointID, containerID and the Endpoint revision fields. The caller must specify their subsystem.
func (*Endpoint) MarkCTGCTime ¶ added in v0.15.7
MarkCTGCTime is the START time of a GC run. It is used by the DNS garbage collector to determine whether a DNS zombie can be deleted. This is done by comparing the timestamp of the start CT GC run with the alive timestamps of specific DNS zombies IPs marked with MarkDNSCTEntry. NOTE: While the timestamp is the start of the run, it should be set AFTER the run completes. This avoids a race between the DNS garbage collector and the CT GC. This would occur when a DNS zombie that has not been visited by the CT GC run is seen by a concurrent DNS garbage collector run, and then deleted. The DNS garbage collector is in daemon/fqdn.go and the CT GC is in pkg/maps/ctmap/gc/gc.go
func (*Endpoint) MarkDNSCTEntry ¶ added in v0.15.7
MarkDNSCTEntry records that dstIP is in use by a connection that is allowed by toFQDNs policy. The reverse lookup is attempted in both DNSHistory and DNSCTHistory, allowing short DNS TTLs but long-lived connections to persist there.DNSCTHistory is used to suppress delete handling of expired DNS lookups (in DNSHistory) and it relies on pkg/maps/ctmap/gc to call this function. Internally, the lookupTime is used to checkpoint this update so that dns-garbage-collector-job can correctly clear older connection data.
func (*Endpoint) MarshalJSON ¶ added in v0.15.7
MarshalJSON marshals the Endpoint as its serializableEndpoint representation.
func (*Endpoint) ModifyIdentityLabels ¶ added in v0.15.7
ModifyIdentityLabels changes the custom and orchestration identity labels of an endpoint. Labels can be added or deleted. If a label change is performed, the endpoint will receive a new identity and will be regenerated. Both of these operations will happen in the background.
func (*Endpoint) NextDirectoryPath ¶ added in v0.15.7
NextDirectoryPath returns the directory name for this endpoint bpf program next bpf builds.
func (*Endpoint) OnDNSPolicyUpdateLocked ¶ added in v0.15.7
OnDNSPolicyUpdateLocked is called when the Endpoint's DNS policy has been updated
func (*Endpoint) OnProxyPolicyUpdate ¶ added in v0.15.7
OnProxyPolicyUpdate is a callback used to update the Endpoint's proxyPolicyRevision when the specified revision has been applied in the proxy.
func (*Endpoint) PolicyDebug ¶ added in v0.15.7
PolicyDebug logs the 'msg' with 'fields' if policy debug logging is enabled.
func (*Endpoint) PolicyRevisionBumpEvent ¶ added in v0.15.7
PolicyRevisionBumpEvent queues an event for the given endpoint to set its realized policy revision to rev. This may block depending on if events have been queued up for the given endpoint. It blocks until the event has succeeded, or if the event has been cancelled.
func (*Endpoint) ProcessChangeRequest ¶ added in v0.15.7
func (e *Endpoint) ProcessChangeRequest(newEp *Endpoint, validPatchTransitionState bool) (string, error)
ProcessChangeRequest handles the update logic for performing a PATCH operation on a given Endpoint. Returns the reason which will be used for informational purposes should a caller choose to try to regenerate this endpoint, as well as an error if the Endpoint is being deleted, since there is no point in changing an Endpoint if it is going to be deleted.
Before adding any new fields here, check to see if they are assumed to be mutable after endpoint creation!
func (*Endpoint) Regenerate ¶
func (e *Endpoint) Regenerate(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
Regenerate forces the regeneration of endpoint programs & policy Should only be called with e.state at StateWaitingToRegenerate, StateWaitingForIdentity, or StateRestoring
func (*Endpoint) RegenerateAfterRestore ¶ added in v0.15.7
func (e *Endpoint) RegenerateAfterRestore(regenerator *Regenerator, bwm dptypes.BandwidthManager, resolveMetadata MetadataResolverCB) error
RegenerateAfterRestore performs the following operations on the specified Endpoint: * allocates an identity for the Endpoint * fetches the latest labels from the pod. * regenerates the endpoint Returns an error if any operation fails while trying to perform the above operations.
func (*Endpoint) RegenerateIfAlive ¶ added in v0.15.7
func (e *Endpoint) RegenerateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
RegenerateIfAlive queue a regeneration of this endpoint into the build queue of the endpoint and returns a channel that is closed when the regeneration of the endpoint is complete. The channel returns:
- false if the regeneration failed
- true if the regeneration succeed
- nothing and the channel is closed if the regeneration did not happen
func (*Endpoint) RequireARPPassthrough ¶ added in v0.15.7
RequireARPPassthrough returns true if the datapath must implement ARP passthrough for this endpoint
func (*Endpoint) RequireEgressProg ¶ added in v0.15.7
RequireEgressProg returns true if the endpoint requires bpf_lxc with section "to-container" to be attached at egress on the host facing veth pair
func (*Endpoint) RequireEndpointRoute ¶ added in v0.15.7
RequireEndpointRoute returns if the endpoint wants a per endpoint route
func (*Endpoint) RequireRouting ¶ added in v0.15.7
RequireRouting returns true if the endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing
func (*Endpoint) RunMetadataResolver ¶ added in v0.15.7
func (e *Endpoint) RunMetadataResolver(restoredEndpoint, blocking bool, baseLabels labels.Labels, bwm dptypes.BandwidthManager, resolveMetadata MetadataResolverCB) (regenTriggered bool)
RunMetadataResolver starts a controller associated with the received endpoint which will periodically attempt to resolve the metadata for the endpoint and update the endpoint with the related. It stops resolving after either the first successful metadata resolution or when the endpoint is removed.
baseLabels contains the list of labels use as "base" for the endpoint. The labels retrieved from 'MetadataResolverCB' will be merged into the baseLabels and put into the endpoint. If this list is empty, the labels set on the endpoint will be replaced by the labels returned 'MetadataResolverCB' as long their source matches the source of the labels already present on the endpoint.
restoredEndpoint should be set to 'true' if the endpoint is being restored. If this is set to false and the resolver is unable to retrieve the endpoint labels from k8s, the endpoint will be set with the 'init' identity.
blocking - will block this function until the endpoint receives a new security identity, and it is regenerated. If 'false', this operation will be done in the background and 'regenTriggered' will always be 'false'.
This assumes that after the initial successful resolution, other mechanisms will handle updates (such as pkg/k8s/watchers informers).
func (*Endpoint) RunRestoredMetadataResolver ¶ added in v1.14.5
func (e *Endpoint) RunRestoredMetadataResolver(bwm dptypes.BandwidthManager, resolveMetadata MetadataResolverCB)
RunRestoredMetadataResolver starts a controller associated with the received endpoint which will periodically attempt to resolve the metadata for the endpoint and update the endpoint with the related. It stops resolving after either the first successful metadata resolution or when the endpoint is removed.
This assumes that after the initial successful resolution, other mechanisms will handle updates (such as pkg/k8s/watchers informers).
func (*Endpoint) SetAllocator ¶ added in v0.15.7
func (e *Endpoint) SetAllocator(allocator cache.IdentityAllocator)
SetAllocator sets the identity allocator for this endpoint.
func (*Endpoint) SetCiliumEndpointUID ¶ added in v0.15.7
SetCiliumEndpointUID modifies the endpoint's CiliumEndpoint UID.
func (*Endpoint) SetDefaultConfiguration ¶ added in v0.15.7
func (e *Endpoint) SetDefaultConfiguration()
SetDefaultConfiguration sets the default configuration options for its boolean configuration options and for policy enforcement based off of the global policy enforcement configuration options. If the configuration option to keep endpoint configuration during endpoint restore is enabled, this is a no-op.
func (*Endpoint) SetDefaultOpts ¶
func (e *Endpoint) SetDefaultOpts(opts *option.IntOptions)
SetDefaultOpts configures all options for the endpoint, getting the values from 'opts'.
func (*Endpoint) SetIdentity ¶
func (e *Endpoint) SetIdentity(identity *identityPkg.Identity, newEndpoint bool)
SetIdentity resets endpoint's policy identity to 'id'. Caller triggers policy regeneration if needed. Called with e.mutex Lock()ed
func (*Endpoint) SetIsHost ¶ added in v1.14.14
SetIsHost is a convenient method to create host endpoints for testing.
func (*Endpoint) SetK8sMetadata ¶ added in v0.15.7
func (e *Endpoint) SetK8sMetadata(containerPorts []slim_corev1.ContainerPort)
SetK8sMetadata sets the k8s container ports specified by kubernetes. Note that once put in place, the new k8sPorts is never changed, so that the map can be used concurrently without keeping locks. Can't really error out as that might break backwards compatibility.
func (*Endpoint) SetPod ¶ added in v0.15.7
func (e *Endpoint) SetPod(pod *slim_corev1.Pod)
SetPod sets the pod related to this endpoint.
func (*Endpoint) SetPolicyRevision ¶ added in v0.15.7
SetPolicyRevision sets the endpoint's policy revision with the given revision.
func (*Endpoint) SetPropertyValue ¶ added in v1.16.0
SetPropertyValue sets the metadata value for this key.
func (*Endpoint) SetProxy ¶ added in v0.15.7
func (e *Endpoint) SetProxy(p EndpointProxy)
SetProxy sets the proxy for this endpoint.
func (*Endpoint) SetRegenerateStateIfAlive ¶ added in v0.15.7
func (e *Endpoint) SetRegenerateStateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) (bool, error)
SetRegenerateStateIfAlive tries to change the state of the endpoint for pending regeneration. Returns 'true' if 'e.Regenerate()' should be called after releasing the endpoint lock. Return 'false' if returned error is non-nil.
func (*Endpoint) SetState ¶ added in v0.15.7
SetState modifies the endpoint's state. Returns true only if endpoints state was changed as requested
func (*Endpoint) SkipStateClean ¶ added in v0.15.7
func (e *Endpoint) SkipStateClean()
SkipStateClean can be called on a endpoint before its first build to skip the cleaning of state such as the conntrack table. This is useful when an endpoint is being restored from state and the datapath state should not be claned.
The endpoint lock must NOT be held.
func (*Endpoint) Start ¶ added in v0.15.7
Start assigns a Cilium Endpoint ID to the endpoint and prepares it to receive events from other subsystems.
The endpoint must not already be exposed via the endpointmanager prior to calling Start(), as it assumes unconditional access over the Endpoint object.
func (*Endpoint) StateDirectoryPath ¶ added in v0.15.7
StateDirectoryPath returns the directory name for this endpoint bpf program.
func (*Endpoint) Stop ¶ added in v0.15.7
func (e *Endpoint) Stop()
Stop cleans up all goroutines managed by this endpoint (EventQueue, Controllers). This function should be used directly in cleanup functions which aim to stop goroutines managed by this endpoint, but without removing BPF maps and datapath state (for instance, because the daemon is shutting down but the endpoint should remain operational while the daemon is not running).
func (*Endpoint) SyncEndpointHeaderFile ¶ added in v0.15.7
func (e *Endpoint) SyncEndpointHeaderFile()
SyncEndpointHeaderFile triggers the header file sync to the ep_config.h file. This includes updating the current DNS History information.
func (*Endpoint) UnmarshalJSON ¶ added in v0.15.7
UnmarshalJSON expects that the contents of `raw` are a serializableEndpoint, which is then converted into an Endpoint.
func (*Endpoint) Update ¶
func (e *Endpoint) Update(cfg *models.EndpointConfigurationSpec) error
Update modifies the endpoint options and *always* tries to regenerate the endpoint's program. Returns an error if the provided options are not valid, if there was an issue triggering policy updates for the given endpoint, or if endpoint regeneration was unable to be triggered. Note that the LabelConfiguration in the EndpointConfigurationSpec is *not* consumed here.
func (*Endpoint) UpdateBandwidthPolicy ¶ added in v0.15.7
func (e *Endpoint) UpdateBandwidthPolicy(bwm dptypes.BandwidthManager, annoCB AnnotationsResolverCB)
UpdateBandwidthPolicy updates the egress bandwidth of this endpoint to progagate the throttle rate to the BPF data path.
func (*Endpoint) UpdateController ¶ added in v0.15.7
func (e *Endpoint) UpdateController(name string, params controller.ControllerParams)
UpdateController updates the controller with the specified name with the provided list of parameters in endpoint's list of controllers.
func (*Endpoint) UpdateLabels ¶ added in v0.15.7
func (e *Endpoint) UpdateLabels(ctx context.Context, sourceFilter string, identityLabels, infoLabels labels.Labels, blocking bool) (regenTriggered bool)
UpdateLabels is called to update the labels of an endpoint for the given 'sourceFilter', if 'source' is 'LabelSourceAny' then all labels are replaced. Calls to this function do not necessarily mean that the labels actually changed. The container runtime layer will periodically synchronize labels.
The specified 'sourceFilter' will only remove the labels with that same source. For example: If the endpoint contains `k8s:foo=bar` and if 'sourceFilter' is 'cni' with labels `cni:bar=bar`, the result is:
`k8s:foo=bar` + `cni:bar=bar` - The "foo=bar" label is kept.
if 'sourceFilter' is 'any' with labels `cni:bar=bar`, the result is:
`cni:bar=bar` - The "foo=bar" gets removed.
If a net label changed was performed, the endpoint will receive a new security identity and will be regenerated. Both of these operations will run first synchronously if 'blocking' is true, and then in the background.
Returns 'true' if endpoint regeneration was triggered.
func (*Endpoint) UpdateLabelsFrom ¶ added in v0.15.7
UpdateLabelsFrom is a convenience function to update an endpoint's identity labels from any source.
func (*Endpoint) UpdateLogger ¶ added in v0.15.7
UpdateLogger creates a logger instance specific to this endpoint. It will create a custom Debug logger for this endpoint when the option on it is set. If fields is not nil only the those specific fields will be updated in the endpoint's logger, otherwise a full update of those fields is executed.
Note: You must hold Endpoint.mutex.Lock() to synchronize logger pointer updates if the endpoint is already exposed. Callers that create new endpoints do not need locks to call this.
func (*Endpoint) UpdateNoTrackRules ¶ added in v0.15.7
func (e *Endpoint) UpdateNoTrackRules(annoCB AnnotationsResolverCB)
UpdateNoTrackRules updates the NOTRACK iptable rules for this endpoint. If anno is empty, then any existing NOTRACK rules will be removed. If anno cannot be parsed, we remove existing NOTRACK rules too if there's any.
func (*Endpoint) UpdateProxyStatistics ¶ added in v0.15.7
func (e *Endpoint) UpdateProxyStatistics(proxyType, l4Protocol string, port, proxyPort uint16, ingress, request bool, verdict accesslog.FlowVerdict)
UpdateProxyStatistics updates the Endpoint's proxy statistics to account for a new observed flow with the given characteristics.
func (*Endpoint) ValidateConnectorPlumbing ¶ added in v0.15.7
ValidateConnectorPlumbing checks whether the endpoint is correctly plumbed.
func (*Endpoint) WaitForFirstRegeneration ¶ added in v0.15.7
WaitForFirstRegeneration waits for the endpoint to complete its first full regeneration.
func (*Endpoint) WaitForIdentity ¶ added in v0.15.7
WaitForIdentity waits for up to timeoutDuration amount of time for the endpoint to have an identity. If the timeout is reached, returns nil.
func (*Endpoint) WaitForPolicyRevision ¶ added in v0.15.7
func (e *Endpoint) WaitForPolicyRevision(ctx context.Context, rev uint64, done func(ts time.Time)) <-chan struct{}
WaitForPolicyRevision returns a channel that is closed when one or more of the following conditions have met:
- the endpoint is disconnected state
- the endpoint's policy revision reaches the wanted revision
When the done callback is non-nil it will be called just before the channel is closed.
type EndpointNoTrackEvent ¶ added in v0.15.7
type EndpointNoTrackEvent struct {
// contains filtered or unexported fields
}
EndpointNoTrackEvent contains all fields necessary to update the NOTRACK rules.
func (*EndpointNoTrackEvent) Handle ¶ added in v0.15.7
func (ev *EndpointNoTrackEvent) Handle(res chan interface{})
Handle handles the NOTRACK rule update.
type EndpointPolicyBandwidthEvent ¶ added in v0.15.7
type EndpointPolicyBandwidthEvent struct {
// contains filtered or unexported fields
}
EndpointPolicyBandwidthEvent contains all fields necessary to update the Pod's bandwidth policy.
func (*EndpointPolicyBandwidthEvent) Handle ¶ added in v0.15.7
func (ev *EndpointPolicyBandwidthEvent) Handle(res chan interface{})
Handle handles the policy bandwidth update.
type EndpointProxy ¶ added in v0.15.7
type EndpointProxy interface { CreateOrUpdateRedirect(ctx context.Context, l4 policy.ProxyPolicy, id string, localEndpoint endpoint.EndpointUpdater, wg *completion.WaitGroup) (proxyPort uint16, err error, finalizeFunc revert.FinalizeFunc, revertFunc revert.RevertFunc) RemoveRedirect(id string) UpdateNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, ingressPolicyEnforced, egressPolicyEnforced bool, wg *completion.WaitGroup) (error, func() error) UseCurrentNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, wg *completion.WaitGroup) RemoveNetworkPolicy(ep endpoint.EndpointInfoSource) }
EndpointProxy defines any L7 proxy with which an Endpoint must interact.
type EndpointRegenerationEvent ¶ added in v0.15.7
type EndpointRegenerationEvent struct {
// contains filtered or unexported fields
}
EndpointRegenerationEvent contains all fields necessary to regenerate an endpoint.
func (*EndpointRegenerationEvent) Handle ¶ added in v0.15.7
func (ev *EndpointRegenerationEvent) Handle(res chan interface{})
Handle handles the regeneration event for the endpoint.
type EndpointRegenerationResult ¶ added in v0.15.7
type EndpointRegenerationResult struct {
// contains filtered or unexported fields
}
EndpointRegenerationResult contains the results of an endpoint regeneration.
type EndpointRevisionBumpEvent ¶ added in v0.15.7
type EndpointRevisionBumpEvent struct { Rev uint64 // contains filtered or unexported fields }
EndpointRevisionBumpEvent contains all fields necessary to bump the policy revision of a given endpoint.
func (*EndpointRevisionBumpEvent) Handle ¶ added in v0.15.7
func (ev *EndpointRevisionBumpEvent) Handle(res chan interface{})
Handle handles the revision bump event for the Endpoint.
type EndpointStatus ¶
type EndpointStatus struct { // CurrentStatuses is the last status of a given priority. CurrentStatuses componentStatus `json:"current-status,omitempty"` // Contains the last maxLogs messages for this endpoint. Log statusLog `json:"log,omitempty"` // Index is the index in the statusLog, is used to keep track the next // available position to write a new log message. Index int `json:"index"` // contains filtered or unexported fields }
EndpointStatus represents the endpoint status.
func NewEndpointStatus ¶
func NewEndpointStatus() *EndpointStatus
func (*EndpointStatus) CurrentStatus ¶
func (e *EndpointStatus) CurrentStatus() StatusCode
func (*EndpointStatus) GetModel ¶
func (e *EndpointStatus) GetModel() []*models.EndpointStatusChange
func (*EndpointStatus) String ¶
func (e *EndpointStatus) String() string
type FakeEndpointProxy ¶ added in v0.15.7
type FakeEndpointProxy struct{}
FakeEndpointProxy is a stub proxy used for testing.
func (*FakeEndpointProxy) CreateOrUpdateRedirect ¶ added in v0.15.7
func (f *FakeEndpointProxy) CreateOrUpdateRedirect(ctx context.Context, l4 policy.ProxyPolicy, id string, localEndpoint endpoint.EndpointUpdater, wg *completion.WaitGroup) (proxyPort uint16, err error, finalizeFunc revert.FinalizeFunc, revertFunc revert.RevertFunc)
CreateOrUpdateRedirect does nothing.
func (*FakeEndpointProxy) RemoveNetworkPolicy ¶ added in v0.15.7
func (f *FakeEndpointProxy) RemoveNetworkPolicy(ep endpoint.EndpointInfoSource)
RemoveNetworkPolicy does nothing.
func (*FakeEndpointProxy) RemoveRedirect ¶ added in v0.15.7
func (f *FakeEndpointProxy) RemoveRedirect(id string)
RemoveRedirect does nothing.
func (*FakeEndpointProxy) UpdateNetworkPolicy ¶ added in v0.15.7
func (f *FakeEndpointProxy) UpdateNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, ingressPolicyEnforced, egressPolicyEnforced bool, wg *completion.WaitGroup) (error, func() error)
UpdateNetworkPolicy does nothing.
func (*FakeEndpointProxy) UseCurrentNetworkPolicy ¶ added in v1.7.0
func (f *FakeEndpointProxy) UseCurrentNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, wg *completion.WaitGroup)
UseCurrentNetworkPolicy does nothing.
type K8sMetadata ¶ added in v1.15.5
type K8sMetadata struct { ContainerPorts []slim_corev1.ContainerPort IdentityLabels labels.Labels InfoLabels labels.Labels Annotations map[string]string }
K8sMetadata is a collection of Kubernetes-related metadata that are fetched from Kubernetes.
type KVStoreNodesWaitFn ¶
KVStoreNodesWaitFn is the type of the function used to wait for synchronization of all nodes from the kvstore.
type MetadataResolverCB ¶ added in v0.15.7
type MetadataResolverCB func(ns, podName string) (pod *slim_corev1.Pod, k8sMetadata *K8sMetadata, err error)
MetadataResolverCB provides an implementation for resolving the endpoint metadata for an endpoint such as the associated labels and annotations.
type PolicyMapPressureEvent ¶ added in v0.15.7
PolicyMapPressureEvent represents an event for a policymap pressure metric update that is sent via the policyMapPressureUpdater interface.
type Regenerator ¶ added in v0.15.7
type Regenerator struct {
// contains filtered or unexported fields
}
Regenerator wraps additional functionalities for endpoint regeneration.
func (*Regenerator) WaitForClusterMeshIPIdentitiesSync ¶ added in v0.15.7
func (r *Regenerator) WaitForClusterMeshIPIdentitiesSync(ctx context.Context) error
func (*Regenerator) WaitForKVStoreNodesSync ¶
func (r *Regenerator) WaitForKVStoreNodesSync(ctx context.Context) error
type State ¶ added in v0.15.7
type State string
State is an enumeration for possible endpoint states.
type Status ¶
type Status struct { Code StatusCode `json:"code"` Msg string `json:"msg"` Type StatusType `json:"status-type"` State string `json:"state"` }
type StatusCode ¶
type StatusCode int
const ( OK StatusCode = 0 Warning StatusCode = -1 Failure StatusCode = -2 Disabled StatusCode = -3 )
func (StatusCode) String ¶
func (sc StatusCode) String() string
type StatusResponse ¶
type StatusType ¶
type StatusType int
StatusType represents the type for the given status, higher the value, higher the priority.
const ( BPF StatusType = 200 Policy StatusType = 100 Other StatusType = 0 )
type UpdateCompilationError ¶
type UpdateCompilationError struct {
// contains filtered or unexported fields
}
func (UpdateCompilationError) Error ¶
func (e UpdateCompilationError) Error() string
type UpdateStateChangeError ¶ added in v0.15.7
type UpdateStateChangeError struct {
// contains filtered or unexported fields
}
UpdateStateChangeError is an error that indicates that updating the state of an endpoint was unsuccessful. Implements error interface.
func (UpdateStateChangeError) Error ¶ added in v0.15.7
func (e UpdateStateChangeError) Error() string
type UpdateValidationError ¶
type UpdateValidationError struct {
// contains filtered or unexported fields
}
func (UpdateValidationError) Error ¶
func (e UpdateValidationError) Error() string