Documentation ¶
Index ¶
- Constants
- Variables
- func EnableTracing()
- func GetCiliumHttpFilter() *envoy_config_http.HttpFilter
- func GetEnvoyHTTPRules(secretManager certificatemanager.SecretManager, l7Rules *api.L7Rules, ...) (*cilium.HttpNetworkPolicyRules, bool)
- func GetFlowType(m *cilium.LogEntry) accesslog.FlowType
- func GetLocalListenerAddresses(port uint16, ipv4, ipv6 bool) (*envoy_config_core.Address, []*envoy_config_listener.AdditionalAddress)
- func GetNetHttpHeaders(httpHeaders []*cilium.KeyValue) http.Header
- func GetProtocol(httpProtocol cilium.HttpProtocol) string
- func GetSocketDir(runDir string) string
- func GetUpstreamCodecFilter() *envoy_config_http.HttpFilter
- func GetVerdict(m *cilium.LogEntry) accesslog.FlowVerdict
- func HTTPNetworkPolicyRuleLess(r1, r2 *cilium.HttpNetworkPolicyRule) bool
- func HeaderMatcherLess(m1, m2 *envoy_config_route.HeaderMatcher) bool
- func ParseURL(scheme, host, path string) *url.URL
- func PortNetworkPolicyRuleLess(r1, r2 *cilium.PortNetworkPolicyRule) bool
- func SortHTTPNetworkPolicyRules(rules []*cilium.HttpNetworkPolicyRule)
- func SortHeaderMatchers(headers []*envoy_config_route.HeaderMatcher)
- func SortPortNetworkPolicies(policies []*cilium.PortNetworkPolicy) []*cilium.PortNetworkPolicy
- func SortPortNetworkPolicyRules(rules []*cilium.PortNetworkPolicyRule) []*cilium.PortNetworkPolicyRule
- type AccessLogServer
- type ArtifactCopier
- type EmbeddedEnvoy
- type EnvoyAdminClient
- type HTTPNetworkPolicyRuleSlice
- type HeaderMatcherSlice
- type IPCacheEventSource
- type LocalEndpointStore
- type NPHDSCache
- func (cache *NPHDSCache) HandleResourceVersionAck(ackVersion uint64, nackVersion uint64, nodeIP string, resourceNames []string, ...)
- func (cache *NPHDSCache) MarkRestoreCompleted()
- func (cache *NPHDSCache) MarkRestorePending()
- func (cache *NPHDSCache) OnIPIdentityCacheChange(modType ipcache.CacheModification, cidrCluster cmtypes.PrefixCluster, ...)
- type PortNetworkPolicyRuleSlice
- type PortNetworkPolicySlice
- type Resources
- type XDSServer
Constants ¶
const ( // ListenerTypeURL is the type URL of Listener resources. ListenerTypeURL = "type.googleapis.com/envoy.config.listener.v3.Listener" // RouteTypeURL is the type URL of HTTP Route resources. RouteTypeURL = "type.googleapis.com/envoy.config.route.v3.RouteConfiguration" // ClusterTypeURL is the type URL of Cluster resources. ClusterTypeURL = "type.googleapis.com/envoy.config.cluster.v3.Cluster" // HttpConnectionManagerTypeURL is the type URL of HttpConnectionManager filter. HttpConnectionManagerTypeURL = "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager" // TCPProxyTypeURL is the type URL of TCPProxy filter. TCPProxyTypeURL = "type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy" // EndpointTypeURL is the type URL of Endpoint resources. EndpointTypeURL = "type.googleapis.com/envoy.config.endpoint.v3.ClusterLoadAssignment" // SecretTypeURL is the type URL of Endpoint resources. SecretTypeURL = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.Secret" // NetworkPolicyTypeURL is the type URL of NetworkPolicy resources. NetworkPolicyTypeURL = "type.googleapis.com/cilium.NetworkPolicy" // NetworkPolicyHostsTypeURL is the type URL of NetworkPolicyHosts resources. NetworkPolicyHostsTypeURL = "type.googleapis.com/cilium.NetworkPolicyHosts" // HealthCheckSinkPipeTypeURL is the type URL of NetworkPolicyHosts resources. HealthCheckSinkPipeTypeURL = "type.googleapis.com/cilium.health_check.event_sink.pipe" // DownstreamTlsContextURL is the type URL of DownstreamTlsContext DownstreamTlsContextURL = "type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext" )
const (
CiliumXDSClusterName = "xds-grpc-cilium"
)
Variables ¶
var Cell = cell.Module( "envoy-proxy", "Envoy proxy and control-plane", cell.Config(envoyProxyConfig{}), cell.Config(secretSyncConfig{}), cell.Provide(newEnvoyXDSServer), cell.Provide(newEnvoyAdminClient), cell.ProvidePrivate(newEnvoyAccessLogServer), cell.ProvidePrivate(newLocalEndpointStore), cell.ProvidePrivate(newArtifactCopier), cell.Invoke(registerEnvoyVersionCheck), cell.Invoke(registerSecretSyncer), )
Cell initializes and manages the Envoy proxy and its control-plane components like xDS- and accesslog server. It is used to provide support for Ingress, GatewayAPI and L7 network policies (e.g. HTTP).
var CiliumXDSConfigSource = &envoy_config_core.ConfigSource{ InitialFetchTimeout: &durationpb.Duration{Seconds: 30}, ResourceApiVersion: envoy_config_core.ApiVersion_V3, ConfigSourceSpecifier: &envoy_config_core.ConfigSource_ApiConfigSource{ ApiConfigSource: &envoy_config_core.ApiConfigSource{ ApiType: envoy_config_core.ApiConfigSource_GRPC, TransportApiVersion: envoy_config_core.ApiVersion_V3, SetNodeOnFirstMessageOnly: true, GrpcServices: []*envoy_config_core.GrpcService{ { TargetSpecifier: &envoy_config_core.GrpcService_EnvoyGrpc_{ EnvoyGrpc: &envoy_config_core.GrpcService_EnvoyGrpc{ ClusterName: CiliumXDSClusterName, }, }, }, }, }, }, }
var ( // ErrNotImplemented is the error returned by gRPC methods that are not // implemented by Cilium. ErrNotImplemented = errors.New("not implemented") )
Functions ¶
func EnableTracing ¶
func EnableTracing()
EnableTracing changes Envoy log level to "trace", producing the most logs.
func GetCiliumHttpFilter ¶ added in v1.16.0
func GetCiliumHttpFilter() *envoy_config_http.HttpFilter
func GetEnvoyHTTPRules ¶
func GetEnvoyHTTPRules(secretManager certificatemanager.SecretManager, l7Rules *api.L7Rules, ns string, policySecretsNamespace string) (*cilium.HttpNetworkPolicyRules, bool)
func GetFlowType ¶
GetFlowType returns the type of flow (request|response)
func GetLocalListenerAddresses ¶ added in v1.16.0
func GetLocalListenerAddresses(port uint16, ipv4, ipv6 bool) (*envoy_config_core.Address, []*envoy_config_listener.AdditionalAddress)
func GetNetHttpHeaders ¶
getNetHttpHeaders returns the Headers as net.http.Header
func GetProtocol ¶
func GetProtocol(httpProtocol cilium.HttpProtocol) string
getProtocol returns the HTTP protocol in the format that Cilium understands
func GetSocketDir ¶
func GetUpstreamCodecFilter ¶ added in v1.14.15
func GetUpstreamCodecFilter() *envoy_config_http.HttpFilter
func GetVerdict ¶
func GetVerdict(m *cilium.LogEntry) accesslog.FlowVerdict
GetVerdict returns the verdict performed on the flow (forwarded|denied)
func HTTPNetworkPolicyRuleLess ¶
func HTTPNetworkPolicyRuleLess(r1, r2 *cilium.HttpNetworkPolicyRule) bool
HTTPNetworkPolicyRuleLess reports whether the r1 rule should sort before the r2 rule.
func HeaderMatcherLess ¶
func HeaderMatcherLess(m1, m2 *envoy_config_route.HeaderMatcher) bool
HeaderMatcherLess reports whether the m1 matcher should sort before the m2 matcher.
func PortNetworkPolicyRuleLess ¶
func PortNetworkPolicyRuleLess(r1, r2 *cilium.PortNetworkPolicyRule) bool
PortNetworkPolicyRuleLess reports whether the r1 rule should sort before the r2 rule. L3-L4-only rules are less than L7 rules.
func SortHTTPNetworkPolicyRules ¶
func SortHTTPNetworkPolicyRules(rules []*cilium.HttpNetworkPolicyRule)
SortHTTPNetworkPolicyRules sorts the given slice.
func SortHeaderMatchers ¶
func SortHeaderMatchers(headers []*envoy_config_route.HeaderMatcher)
SortHeaderMatchers sorts the given slice.
func SortPortNetworkPolicies ¶
func SortPortNetworkPolicies(policies []*cilium.PortNetworkPolicy) []*cilium.PortNetworkPolicy
SortPortNetworkPolicies sorts the given slice in place and returns the sorted slice for convenience.
func SortPortNetworkPolicyRules ¶
func SortPortNetworkPolicyRules(rules []*cilium.PortNetworkPolicyRule) []*cilium.PortNetworkPolicyRule
SortPortNetworkPolicyRules sorts the given slice in place and returns the sorted slice for convenience.
Types ¶
type AccessLogServer ¶
type AccessLogServer struct {
// contains filtered or unexported fields
}
type ArtifactCopier ¶ added in v1.15.0
type ArtifactCopier struct {
// contains filtered or unexported fields
}
ArtifactCopier provides support for copying artifacts from a given source directory to a target directory. This is mainly used to copy additional artifacts referenced by the Envoy proxy configuration from the Cilium agent container to the config directory that is shared with the Envoy container if Envoy is running in a dedicated DaemonSet.
func (*ArtifactCopier) Copy ¶ added in v1.15.0
func (r *ArtifactCopier) Copy() (err error)
Copy copies all files within the given sourcePath directory into the targetPath directory.
If targetPath already exists, all existing files within the directory are deleted before starting the copy process. If targetPath doesn't exist, it gets created automatically before starting the copy process.
type EmbeddedEnvoy ¶
type EmbeddedEnvoy struct {
// contains filtered or unexported fields
}
Envoy manages a running Envoy proxy instance via the ListenerDiscoveryService and RouteDiscoveryService gRPC APIs.
func (*EmbeddedEnvoy) GetAdminClient ¶
func (e *EmbeddedEnvoy) GetAdminClient() *EnvoyAdminClient
func (*EmbeddedEnvoy) Stop ¶
func (e *EmbeddedEnvoy) Stop() error
Stop kills the Envoy process started with startEmbeddedEnvoy. The gRPC API streams are terminated first.
type EnvoyAdminClient ¶
type EnvoyAdminClient struct {
// contains filtered or unexported fields
}
func NewEnvoyAdminClientForSocket ¶
func NewEnvoyAdminClientForSocket(envoySocketDir string, defaultLogLevel string) *EnvoyAdminClient
func (*EnvoyAdminClient) ChangeLogLevel ¶
func (a *EnvoyAdminClient) ChangeLogLevel(agentLogLevel logrus.Level) error
ChangeLogLevel changes Envoy log level to correspond to the logrus log level 'level'.
func (*EnvoyAdminClient) GetEnvoyVersion ¶
func (a *EnvoyAdminClient) GetEnvoyVersion() (string, error)
GetEnvoyVersion returns the envoy binary version string
type HTTPNetworkPolicyRuleSlice ¶
type HTTPNetworkPolicyRuleSlice []*cilium.HttpNetworkPolicyRule
HTTPNetworkPolicyRuleSlice implements sort.Interface to sort a slice of *cilium.HttpNetworkPolicyRule.
func (HTTPNetworkPolicyRuleSlice) Len ¶
func (s HTTPNetworkPolicyRuleSlice) Len() int
func (HTTPNetworkPolicyRuleSlice) Less ¶
func (s HTTPNetworkPolicyRuleSlice) Less(i, j int) bool
func (HTTPNetworkPolicyRuleSlice) Swap ¶
func (s HTTPNetworkPolicyRuleSlice) Swap(i, j int)
type HeaderMatcherSlice ¶
type HeaderMatcherSlice []*envoy_config_route.HeaderMatcher
HeaderMatcherSlice implements sort.Interface to sort a slice of *envoy_config_route.HeaderMatcher.
func (HeaderMatcherSlice) Len ¶
func (s HeaderMatcherSlice) Len() int
func (HeaderMatcherSlice) Less ¶
func (s HeaderMatcherSlice) Less(i, j int) bool
func (HeaderMatcherSlice) Swap ¶
func (s HeaderMatcherSlice) Swap(i, j int)
type IPCacheEventSource ¶
type IPCacheEventSource interface {
AddListener(ipcache.IPIdentityMappingListener)
}
type LocalEndpointStore ¶
type LocalEndpointStore struct {
// contains filtered or unexported fields
}
LocalEndpointStore tracks the mapping between a given endpoint IP and the actual local endpoint.
type NPHDSCache ¶
NPHDSCache is a cache of resources in the Network Policy Hosts Discovery Service.
NetworkPolicyHostsCache is the global cache of resources of type NetworkPolicyHosts. Resources in this cache must have the NetworkPolicyHostsTypeURL type URL.
func (*NPHDSCache) HandleResourceVersionAck ¶
func (cache *NPHDSCache) HandleResourceVersionAck(ackVersion uint64, nackVersion uint64, nodeIP string, resourceNames []string, typeURL string, detail string)
HandleResourceVersionAck is required to implement ResourceVersionAckObserver. We use this to start the IP Cache listener on the first ACK so that we only start the IP Cache listener if there is an Envoy node that uses NPHDS (e.g. Cilium host proxy running on kernel w/o LPM bpf map support).
func (*NPHDSCache) MarkRestoreCompleted ¶ added in v1.16.0
func (cache *NPHDSCache) MarkRestoreCompleted()
func (*NPHDSCache) MarkRestorePending ¶ added in v1.16.0
func (cache *NPHDSCache) MarkRestorePending()
func (*NPHDSCache) OnIPIdentityCacheChange ¶
func (cache *NPHDSCache) OnIPIdentityCacheChange(modType ipcache.CacheModification, cidrCluster cmtypes.PrefixCluster, oldHostIP, newHostIP net.IP, oldID *ipcache.Identity, newID ipcache.Identity, encryptKey uint8, k8sMeta *ipcache.K8sMetadata, )
OnIPIdentityCacheChange pushes modifications to the IP<->Identity mapping into the Network Policy Host Discovery Service (NPHDS).
Note that the caller is responsible for passing 'oldID' when 'cidrCluster' has been associated with a different ID before, as this function does not search for conflicting IP/ID mappings.
type PortNetworkPolicyRuleSlice ¶
type PortNetworkPolicyRuleSlice []*cilium.PortNetworkPolicyRule
PortNetworkPolicyRuleSlice implements sort.Interface to sort a slice of *cilium.PortNetworkPolicyRuleSlice.
func (PortNetworkPolicyRuleSlice) Len ¶
func (s PortNetworkPolicyRuleSlice) Len() int
func (PortNetworkPolicyRuleSlice) Less ¶
func (s PortNetworkPolicyRuleSlice) Less(i, j int) bool
func (PortNetworkPolicyRuleSlice) Swap ¶
func (s PortNetworkPolicyRuleSlice) Swap(i, j int)
type PortNetworkPolicySlice ¶
type PortNetworkPolicySlice []*cilium.PortNetworkPolicy
PortNetworkPolicySlice implements sort.Interface to sort a slice of *cilium.PortNetworkPolicy.
func (PortNetworkPolicySlice) Len ¶
func (s PortNetworkPolicySlice) Len() int
func (PortNetworkPolicySlice) Less ¶
func (s PortNetworkPolicySlice) Less(i, j int) bool
func (PortNetworkPolicySlice) Swap ¶
func (s PortNetworkPolicySlice) Swap(i, j int)
type Resources ¶
type Resources struct { Listeners []*envoy_config_listener.Listener Secrets []*envoy_config_tls.Secret Routes []*envoy_config_route.RouteConfiguration Clusters []*envoy_config_cluster.Cluster Endpoints []*envoy_config_endpoint.ClusterLoadAssignment // Callback functions that are called if the corresponding Listener change was successfully acked by Envoy PortAllocationCallbacks map[string]func(context.Context) error `json:"-"` }
Resources contains all Envoy resources parsed from a CiliumEnvoyConfig CRD
func (*Resources) ListenersAddedOrDeleted ¶
ListenersAddedOrDeleted returns 'true' if a listener is added or removed when updating from 'old' to 'new'
type XDSServer ¶
type XDSServer interface { // AddListener adds a listener to a running Envoy proxy. AddListener(name string, kind policy.L7ParserType, port uint16, isIngress bool, mayUseOriginalSourceAddr bool, wg *completion.WaitGroup) // AddAdminListener adds an Admin API listener to Envoy. AddAdminListener(port uint16, wg *completion.WaitGroup) // AddMetricsListener adds a prometheus metrics listener to Envoy. AddMetricsListener(port uint16, wg *completion.WaitGroup) // RemoveListener removes an existing Envoy Listener. RemoveListener(name string, wg *completion.WaitGroup) xds.AckingResourceMutatorRevertFunc // UpsertEnvoyResources inserts or updates Envoy resources in 'resources' to the xDS cache, // from where they will be delivered to Envoy via xDS streaming gRPC. UpsertEnvoyResources(ctx context.Context, resources Resources) error // UpdateEnvoyResources removes any resources in 'old' that are not // present in 'new' and then adds or updates all resources in 'new'. // Envoy does not support changing the listening port of an existing // listener, so if the port changes we have to delete the old listener // and then add the new one with the new port number. UpdateEnvoyResources(ctx context.Context, old, new Resources) error // DeleteEnvoyResources deletes all Envoy resources in 'resources'. DeleteEnvoyResources(ctx context.Context, resources Resources) error // GetNetworkPolicies returns the current version of the network policies with the given names. // If resourceNames is empty, all resources are returned. // // Only used for testing GetNetworkPolicies(resourceNames []string) (map[string]*cilium.NetworkPolicy, error) // UseCurrentNetworkPolicy waits for any pending update on NetworkPolicy to be acked. UseCurrentNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, wg *completion.WaitGroup) // UpdateNetworkPolicy adds or updates a network policy in the set published to L7 proxies. // When the proxy acknowledges the network policy update, it will result in // a subsequent call to the endpoint's OnProxyPolicyUpdate() function. UpdateNetworkPolicy(ep endpoint.EndpointUpdater, policy *policy.L4Policy, ingressPolicyEnforced, egressPolicyEnforced bool, wg *completion.WaitGroup) (error, func() error) // RemoveNetworkPolicy removes network policies relevant to the specified // endpoint from the set published to L7 proxies, and stops listening for // acks for policies on this endpoint. RemoveNetworkPolicy(ep endpoint.EndpointInfoSource) // RemoveAllNetworkPolicies removes all network policies from the set published // to L7 proxies. RemoveAllNetworkPolicies() }
XDSServer provides a high-lever interface to manage resources published using the xDS gRPC API.