Documentation
Overview
Package identity contains code for managing security identities in Cilium. +groupName=pkg
Index
- Constants
- Variables
- func AddUserDefinedNumericIdentity(identity NumericIdentity, label string) error
- func AddUserDefinedNumericIdentitySet(m map[string]string) error
- func DelReservedNumericIdentity(identity NumericIdentity) error
- func GetClusterIDShift() uint32
- func IdentityAllocationIsLocal(lbls labels.Labels) bool
- func InitWellKnownIdentities(c Configuration, cinfo cmtypes.ClusterInfo) int
- func IsUserReservedIdentity(id NumericIdentity) bool
- func IsWellKnownIdentity(id NumericIdentity) bool
- func IterateReservedIdentities(f func(_ NumericIdentity, _ *Identity))
- func RequiresGlobalIdentity(lbls labels.Labels) bool
- func SetLocalNodeID(nodeid uint32)
- type Configuration
- type IPIdentityPair
- type Identity
- func AddReservedIdentity(ni NumericIdentity, lbl string) *Identity
- func AddReservedIdentityWithLabels(ni NumericIdentity, lbls labels.Labels) *Identity
- func LookupReservedIdentity(ni NumericIdentity) *Identity
- func LookupReservedIdentityByLabels(lbls labels.Labels) *Identity
- func NewIdentity(id NumericIdentity, lbls labels.Labels) *Identity
- func NewIdentityFromLabelArray(id NumericIdentity, lblArray labels.LabelArray) *Identity
- type IdentityMap
- type NamedPort
- type NumericIdentity
- func GetAllReservedIdentities() []NumericIdentity
- func GetLocalNodeID() NumericIdentity
- func GetMaximumAllocationIdentity(clusterID uint32) NumericIdentity
- func GetMinimalAllocationIdentity(clusterID uint32) NumericIdentity
- func GetReservedID(name string) NumericIdentity
- func GetWorldIdentityFromIP(addr netip.Addr) NumericIdentity
- func ParseNumericIdentity(id string) (NumericIdentity, error)
- func ScopeForLabels(lbls labels.Labels) NumericIdentity
- func (id NumericIdentity) ClusterID() uint32
- func (id NumericIdentity) HasLocalScope() bool
- func (id NumericIdentity) HasRemoteNodeScope() bool
- func (id NumericIdentity) IsCluster() bool
- func (id NumericIdentity) IsReservedIdentity() bool
- func (id NumericIdentity) IsWorld() bool
- func (id NumericIdentity) Scope() NumericIdentity
- func (id NumericIdentity) String() string
- func (id NumericIdentity) StringID() string
- func (id NumericIdentity) Uint32() uint32
- type NumericIdentitySlice
- type UpdateIdentities
Constants
const (
	NodeLocalIdentityType    = "node_local"
	ReservedIdentityType     = "reserved"
	ClusterLocalIdentityType = "cluster_local"
	WellKnownIdentityType    = "well_known"
	RemoteNodeIdentityType   = "remote_node"
)
const (
	// IdentityScopeMask is the top 8 bits of the 32 bit identity
	IdentityScopeMask = NumericIdentity(0xFF_00_00_00)

	// IdentityScopeGlobal is the identity scope used by global and reserved identities.
	IdentityScopeGlobal = NumericIdentity(0)

	// IdentityScopeLocal is the tag in the numeric identity that identifies
	// a numeric identity to have local (CIDR) scope.
	IdentityScopeLocal = NumericIdentity(1 << 24)

	// IdentityScopeRemoteNode is the tag in the numeric identity that identifies
	// an identity to be a remote in-cluster node.
	IdentityScopeRemoteNode = NumericIdentity(2 << 24)

	// MinAllocatorLocalIdentity represents the minimal numeric identity
	// that the localIdentityCache allocator can allocate for a local (CIDR)
	// identity.
	//
	// Note that this does not represent the minimal value for a local
	// identity, as the allocated ID will then be bitwise OR'ed with
	// LocalIdentityFlag.
	MinAllocatorLocalIdentity = 1

	// MinLocalIdentity represents the actual minimal numeric identity value
	// for a local (CIDR) identity.
	MinLocalIdentity = MinAllocatorLocalIdentity | IdentityScopeLocal

	// MaxAllocatorLocalIdentity represents the maximal numeric identity
	// that the localIdentityCache allocator can allocate for a local (CIDR)
	// identity.
	//
	// Note that this does not represent the maximal value for a local
	// identity, as the allocated ID will then be bitwise OR'ed with
	// LocalIdentityFlag.
	MaxAllocatorLocalIdentity = 0xFFFFFF

	// MaxLocalIdentity represents the actual maximal numeric identity value
	// for a local (CIDR) identity.
	MaxLocalIdentity = MaxAllocatorLocalIdentity | IdentityScopeLocal

	// MinimalNumericIdentity represents the minimal numeric identity not
	// used for reserved purposes.
	MinimalNumericIdentity = NumericIdentity(256)

	// UserReservedNumericIdentity represents the minimal numeric identity that
	// can be used by users for reserved purposes.
	UserReservedNumericIdentity = NumericIdentity(128)

	// InvalidIdentity is the identity assigned if the identity is invalid
	// or not determined yet
	InvalidIdentity = NumericIdentity(0)
)
const MaxNumericIdentity = math.MaxUint32
MaxNumericIdentity is the maximum value of a NumericIdentity.
const NumericIdentityBitlength = 24
NumericIdentityBitlength is the number of bits used on the wire for a NumericIdentity
Variables
var (
	// WellKnown identities stores global state of all well-known identities.
	WellKnown = wellKnownIdentities{}

	// ErrNotUserIdentity is an error returned for an identity that is not user
	// reserved.
	ErrNotUserIdentity = errors.New("not a user reserved identity")
)
Functions
func AddUserDefinedNumericIdentity
func AddUserDefinedNumericIdentity(identity NumericIdentity, label string) error
AddUserDefinedNumericIdentity adds the given numeric identity and its label to the list of reservedIdentities. If the numeric identity is not between UserReservedNumericIdentity and MinimalNumericIdentity it returns ErrNotUserIdentity. It is not safe for concurrent use.
func AddUserDefinedNumericIdentitySet
func AddUserDefinedNumericIdentitySet(m map[string]string) error
AddUserDefinedNumericIdentitySet adds all key-value pairs from the given map to the map of user defined numeric identities and reserved identities. The key-value pairs should map a numeric identity to a valid label. It is not safe for concurrent use.
func DelReservedNumericIdentity
func DelReservedNumericIdentity(identity NumericIdentity) error
DelReservedNumericIdentity deletes the given numeric identity from the list of reservedIdentities. If the numeric identity is not between UserReservedNumericIdentity and MinimalNumericIdentity it returns ErrNotUserIdentity. It is not safe for concurrent use.
func GetClusterIDShift (added in v1.15.0)
func GetClusterIDShift() uint32
GetClusterIDShift returns the number of bits to shift a cluster ID in a numeric identity and is equal to the number of bits that represent a cluster-local identity. A sync.Once is used to ensure we only initialize clusterIDShift once.
func IdentityAllocationIsLocal
func IdentityAllocationIsLocal(lbls labels.Labels) bool
IdentityAllocationIsLocal returns true if a call to AllocateIdentity with the given labels would not require accessing the KV store to allocate the identity. Currently, this function returns true only if the labels are those of a reserved identity, i.e. if the slice contains a single reserved "reserved:*" label.
func InitWellKnownIdentities
func InitWellKnownIdentities(c Configuration, cinfo cmtypes.ClusterInfo) int
InitWellKnownIdentities establishes all well-known identities. Returns the number of well-known identities initialized.
func IsUserReservedIdentity
func IsUserReservedIdentity(id NumericIdentity) bool
IsUserReservedIdentity returns true if the given NumericIdentity belongs to the space reserved for users.
func IsWellKnownIdentity
func IsWellKnownIdentity(id NumericIdentity) bool
IsWellKnownIdentity returns true if the identity represents a well-known identity, false otherwise.
func IterateReservedIdentities
func IterateReservedIdentities(f func(_ NumericIdentity, _ *Identity))
IterateReservedIdentities iterates over all reserved identities and executes the given function for each identity.
func RequiresGlobalIdentity
func RequiresGlobalIdentity(lbls labels.Labels) bool
RequiresGlobalIdentity returns true if the label combination requires a global identity.
func SetLocalNodeID
func SetLocalNodeID(nodeid uint32)
SetLocalNodeID sets the local node id. Note that currently changes to the local node id only take effect during agent bootstrap.
Types
type Configuration
type Configuration interface {
CiliumNamespaceName() string
}
type IPIdentityPair
type IPIdentityPair struct {
	IP           net.IP          `json:"IP"`
	Mask         net.IPMask      `json:"Mask"`
	HostIP       net.IP          `json:"HostIP"`
	ID           NumericIdentity `json:"ID"`
	Key          uint8           `json:"Key"`
	Metadata     string          `json:"Metadata"`
	K8sNamespace string          `json:"K8sNamespace,omitempty"`
	K8sPodName   string          `json:"K8sPodName,omitempty"`
	NamedPorts   []NamedPort     `json:"NamedPorts,omitempty"`
}
IPIdentityPair is a pairing of an IP and the security identity to which that IP corresponds. May include an optional Mask which, if present, denotes that the IP represents a CIDR with the specified Mask.
WARNING - STABLE API: This structure is written as JSON to the key-value store. Do NOT modify this structure in ways which are not JSON forward compatible.
func (*IPIdentityPair) GetKeyName
func (pair *IPIdentityPair) GetKeyName() string
GetKeyName returns the kvstore key to be used for the IPIdentityPair.
func (*IPIdentityPair) IsHost
func (pair *IPIdentityPair) IsHost() bool
IsHost determines whether the IP in the pair represents a host (true) or a CIDR prefix (false).
func (*IPIdentityPair) Marshal
func (pair *IPIdentityPair) Marshal() ([]byte, error)
Marshal returns the IPIdentityPair object as a JSON byte slice.
func (*IPIdentityPair) PrefixString
func (pair *IPIdentityPair) PrefixString() string
PrefixString returns the IPIdentityPair's IP either as a host IP in the format w.x.y.z if 'host' is true, or as a prefix in the format w.x.y.z/N if 'host' is false.
type Identity
type Identity struct {
	// Identity's ID.
	ID NumericIdentity `json:"id"`

	// Set of labels that belong to this Identity.
	Labels labels.Labels `json:"labels"`

	// LabelArray contains the same labels as Labels in a form of a list, used
	// for faster lookup.
	LabelArray labels.LabelArray `json:"-"`

	// CIDRLabel is the primary identity label when the identity represents
	// a CIDR. The Labels field will consist of all matching prefixes, e.g.
	// 10.0.0.0/8
	// 10.0.0.0/7
	// 10.0.0.0/6
	// [...]
	// reserved:world
	//
	// The CIDRLabel field will only contain 10.0.0.0/8
	CIDRLabel labels.Labels `json:"-"`

	// ReferenceCount counts the number of references pointing to this
	// identity. This field is used by the owning cache of the identity.
	ReferenceCount int `json:"-"`
}
Identity is the representation of the security context for a particular set of labels.
func AddReservedIdentity
func AddReservedIdentity(ni NumericIdentity, lbl string) *Identity
AddReservedIdentity adds the reserved numeric identity with the respective label into the map of reserved identity cache, and returns the resulting Identity. This identity must not be mutated!
func AddReservedIdentityWithLabels
func AddReservedIdentityWithLabels(ni NumericIdentity, lbls labels.Labels) *Identity
AddReservedIdentityWithLabels is the same as AddReservedIdentity but accepts multiple labels. Returns the resulting Identity. This identity must not be mutated!
func LookupReservedIdentity
func LookupReservedIdentity(ni NumericIdentity) *Identity
LookupReservedIdentity looks up a reserved identity by its NumericIdentity and returns it if found. Returns nil if not found. This identity must not be mutated!
func LookupReservedIdentityByLabels
func LookupReservedIdentityByLabels(lbls labels.Labels) *Identity
LookupReservedIdentityByLabels looks up a reserved identity by its labels and returns it if found. Returns nil if not found.
func NewIdentity
func NewIdentity(id NumericIdentity, lbls labels.Labels) *Identity
NewIdentity creates a new identity from a numeric identity and a set of labels.
func NewIdentityFromLabelArray
func NewIdentityFromLabelArray(id NumericIdentity, lblArray labels.LabelArray) *Identity
NewIdentityFromLabelArray creates a new identity from a numeric identity and a label array.
func (*Identity) IsFixed
func (id *Identity) IsFixed() bool
IsFixed returns whether the identity represents a fixed identity (true), or not (false).
func (*Identity) IsReserved
func (id *Identity) IsReserved() bool
IsReserved returns whether the identity represents a reserved identity (true), or not (false).
func (*Identity) IsWellKnown
func (id *Identity) IsWellKnown() bool
IsWellKnown returns whether the identity represents a well-known identity (true), or not (false).
func (*Identity) Sanitize
func (id *Identity) Sanitize()
Sanitize takes a partially initialized Identity (for example, deserialized from JSON) and reconstitutes the full object from what has been restored.
type IdentityMap (added in v1.16.0)
type IdentityMap map[NumericIdentity]labels.LabelArray
func ListReservedIdentities (added in v1.16.0)
func ListReservedIdentities() IdentityMap
type NamedPort
type NamedPort struct {
	Name     string `json:"Name"`
	Port     uint16 `json:"Port"`
	Protocol string `json:"Protocol"`
}
NamedPort is a mapping from a port name to a port number and protocol.
WARNING - STABLE API: This structure is written as JSON to the key-value store. Do NOT modify this structure in ways which are not JSON forward compatible.
type NumericIdentity
type NumericIdentity uint32
NumericIdentity is the numeric representation of a security identity.
Bits:
	0-15:  identity identifier
	16-23: cluster identifier
	24:    LocalIdentityFlag: Indicates that the identity has a local scope
const (
	// IdentityUnknown represents an unknown identity
	IdentityUnknown NumericIdentity = iota

	// ReservedIdentityHost represents the local host
	ReservedIdentityHost

	// ReservedIdentityWorld represents any endpoint outside of the cluster
	ReservedIdentityWorld

	// ReservedIdentityUnmanaged represents unmanaged endpoints.
	ReservedIdentityUnmanaged

	// ReservedIdentityHealth represents the local cilium-health endpoint
	ReservedIdentityHealth

	// ReservedIdentityInit is the identity given to endpoints that have not
	// received any labels yet.
	ReservedIdentityInit

	// ReservedIdentityRemoteNode is the identity given to all nodes in
	// local and remote clusters except for the local node.
	ReservedIdentityRemoteNode

	// ReservedIdentityKubeAPIServer is the identity given to remote node(s) which
	// have backend(s) serving the kube-apiserver running.
	ReservedIdentityKubeAPIServer

	// ReservedIdentityIngress is the identity given to the IP used as the source
	// address for connections from Ingress proxies.
	ReservedIdentityIngress

	// ReservedIdentityWorldIPv4 represents any endpoint outside of the cluster
	// for IPv4 address only.
	ReservedIdentityWorldIPv4

	// ReservedIdentityWorldIPv6 represents any endpoint outside of the cluster
	// for IPv6 address only.
	ReservedIdentityWorldIPv6

	// ReservedEncryptedOverlay represents overlay traffic which must be IPSec
	// encrypted before it leaves the host
	ReservedEncryptedOverlay
)
const (
	// ReservedETCDOperator is the reserved identity used for the etcd-operator
	// managed by Cilium.
	ReservedETCDOperator NumericIdentity = iota + 100

	// ReservedCiliumKVStore is the reserved identity used for the kvstore
	// managed by Cilium (etcd-operator).
	ReservedCiliumKVStore

	// ReservedKubeDNS is the reserved identity used for kube-dns.
	ReservedKubeDNS

	// ReservedEKSKubeDNS is the reserved identity used for kube-dns on EKS
	ReservedEKSKubeDNS

	// ReservedCoreDNS is the reserved identity used for CoreDNS
	ReservedCoreDNS

	// ReservedCiliumOperator is the reserved identity used for the Cilium operator
	ReservedCiliumOperator

	// ReservedEKSCoreDNS is the reserved identity used for CoreDNS on EKS
	ReservedEKSCoreDNS

	// ReservedCiliumEtcdOperator is the reserved identity used for the Cilium etcd operator
	ReservedCiliumEtcdOperator

	// Second identities for all above components
	ReservedETCDOperator2
	ReservedCiliumKVStore2
	ReservedKubeDNS2
	ReservedEKSKubeDNS2
	ReservedCoreDNS2
	ReservedCiliumOperator2
	ReservedEKSCoreDNS2
	ReservedCiliumEtcdOperator2
)
Special identities for well-known cluster components. Each component has two identities. The first one is used for Kubernetes <1.21 or when the NamespaceDefaultLabelName feature gate is disabled. The second one is used for Kubernetes >= 1.21 when the NamespaceDefaultLabelName feature gate is enabled.
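As an added example, not code from the Cilium package itself, the following Go program reimplements the scope constants from the constant block above and the NumericIdentity bit layout, to show how the scope tag, the cluster identifier and the user-reserved range are carried inside one uint32, and why a locally allocated CIDR identity is the allocator's 24-bit number OR'ed with IdentityScopeLocal. It assumes a cluster ID shift of 16 bits, taken from the "16-23: cluster identifier" layout; in Cilium the shift comes from GetClusterIDShift() and depends on agent configuration.

```go
package main

import (
	"errors"
	"fmt"
)

// NumericIdentity mirrors the uint32 identity type described on this page.
type NumericIdentity uint32

// Scope and range constants, copied from this package's constant block.
const (
	IdentityScopeMask           = NumericIdentity(0xFF_00_00_00)
	IdentityScopeGlobal         = NumericIdentity(0)
	IdentityScopeLocal          = NumericIdentity(1 << 24)
	IdentityScopeRemoteNode     = NumericIdentity(2 << 24)
	MinAllocatorLocalIdentity   = 1
	MaxAllocatorLocalIdentity   = 0xFFFFFF
	MinLocalIdentity            = MinAllocatorLocalIdentity | IdentityScopeLocal
	MaxLocalIdentity            = MaxAllocatorLocalIdentity | IdentityScopeLocal
	UserReservedNumericIdentity = NumericIdentity(128)
	MinimalNumericIdentity      = NumericIdentity(256)
)

// clusterIDShift is an assumption for this example (16, from the documented
// bit layout); Cilium obtains it from GetClusterIDShift() at runtime.
const clusterIDShift = 16

// Scope keeps only the top 8 bits, which carry the scope tag.
func (id NumericIdentity) Scope() NumericIdentity { return id & IdentityScopeMask }

// HasLocalScope reports a local (CIDR) identity, HasRemoteNodeScope a remote node.
func (id NumericIdentity) HasLocalScope() bool      { return id.Scope() == IdentityScopeLocal }
func (id NumericIdentity) HasRemoteNodeScope() bool { return id.Scope() == IdentityScopeRemoteNode }

// ClusterID clears the scope bits and shifts out the 16-bit identity identifier.
func (id NumericIdentity) ClusterID() uint32 {
	return uint32(id&^IdentityScopeMask) >> clusterIDShift
}

// IsUserReservedIdentity is the half-open range check that
// AddUserDefinedNumericIdentity relies on: [128, 256).
func IsUserReservedIdentity(id NumericIdentity) bool {
	return id >= UserReservedNumericIdentity && id < MinimalNumericIdentity
}

// AllocateLocal models the OR step described for MinLocalIdentity: the
// allocator hands out a 24-bit number and the local scope tag is OR'ed in.
func AllocateLocal(allocatorID uint32) (NumericIdentity, error) {
	if allocatorID < MinAllocatorLocalIdentity || allocatorID > MaxAllocatorLocalIdentity {
		return 0, errors.New("allocator id outside the 24-bit local range")
	}
	return NumericIdentity(allocatorID) | IdentityScopeLocal, nil
}

func main() {
	id, _ := AllocateLocal(MaxAllocatorLocalIdentity)
	fmt.Printf("local=%#x scope=%#x global? %v\n", id, id.Scope(), id.Scope() == IdentityScopeGlobal)
	fmt.Printf("cluster id of 0x00030010: %d\n", NumericIdentity(0x00030010).ClusterID())
}
```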
func GetAllReservedIdentities
func GetAllReservedIdentities() []NumericIdentity
GetAllReservedIdentities returns a list of all reserved numeric identities in ascending order. NOTE: While this func is unused within the cilium repository, it is imported and called by the hubble CLI.
func GetLocalNodeID
func GetLocalNodeID() NumericIdentity
GetLocalNodeID returns the configured local node numeric identity that is set in tunnel headers when encapsulating packets originating from the local node.
func GetMaximumAllocationIdentity (added in v1.15.0)
func GetMaximumAllocationIdentity(clusterID uint32) NumericIdentity
GetMaximumAllocationIdentity returns the maximum numeric identity that should be handed out by the identity allocator.
func GetMinimalAllocationIdentity (added in v1.15.0)
func GetMinimalAllocationIdentity(clusterID uint32) NumericIdentity
GetMinimalAllocationIdentity returns the minimal numeric identity not used for reserved purposes.
func GetReservedID
func GetReservedID(name string) NumericIdentity
func GetWorldIdentityFromIP
func GetWorldIdentityFromIP(addr netip.Addr) NumericIdentity
GetWorldIdentityFromIP gets the correct world identity based on the IP address version. If Cilium is not in dual-stack mode then ReservedIdentityWorld will always be returned.
func ParseNumericIdentity
func ParseNumericIdentity(id string) (NumericIdentity, error)
func ScopeForLabels (added in v1.15.0)
func ScopeForLabels(lbls labels.Labels) NumericIdentity
ScopeForLabels returns the identity scope to be used for the label set. If all labels are either CIDR or reserved, then returns the CIDR scope. Note: This assumes the caller has already called LookupReservedIdentityByLabels; it does not handle that case.
func (NumericIdentity) ClusterID
func (id NumericIdentity) ClusterID() uint32
ClusterID returns the cluster ID associated with the identity.
func (NumericIdentity) HasLocalScope
func (id NumericIdentity) HasLocalScope() bool
HasLocalScope returns true if the identity is in the Local (CIDR) scope.
func (NumericIdentity) HasRemoteNodeScope (added in v1.15.0)
func (id NumericIdentity) HasRemoteNodeScope() bool
func (NumericIdentity) IsCluster (added in v1.12.18)
func (id NumericIdentity) IsCluster() bool
IsCluster returns true if the identity is a cluster identity by excluding all identities that are known to be non-cluster identities. NOTE: keep this and bpf identity_is_cluster() in sync!
func (NumericIdentity) IsReservedIdentity
func (id NumericIdentity) IsReservedIdentity() bool
IsReservedIdentity returns whether id is one of the special reserved identities.
func (NumericIdentity) IsWorld
func (id NumericIdentity) IsWorld() bool
IsWorld returns true if the identity is one of the world identities.
func (NumericIdentity) Scope (added in v1.15.0)
func (id NumericIdentity) Scope() NumericIdentity
Scope returns the identity scope of this given numeric ID.
func (NumericIdentity) String
func (id NumericIdentity) String() string
func (NumericIdentity) StringID
func (id NumericIdentity) StringID() string
func (NumericIdentity) Uint32
func (id NumericIdentity) Uint32() uint32
Uint32 normalizes the ID for use in BPF programs.
type NumericIdentitySlice (added in v1.15.0)
type NumericIdentitySlice []NumericIdentity
func (NumericIdentitySlice) AsUint32Slice (added in v1.15.0)
func (nids NumericIdentitySlice) AsUint32Slice() []uint32
AsUint32Slice returns the NumericIdentitySlice as a slice of uint32 without copying any data. This is safe as long as the underlying type stays as uint32.
type UpdateIdentities
type UpdateIdentities interface {
UpdateIdentities(added, deleted IdentityMap, wg *sync.WaitGroup)
}
UpdateIdentities is an interface to be called when identities change.
Directories
Package identitymanager tracks which global identities are being used by the currently running cilium-agent.