policy

package
v1.17.0-pre.3 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Dec 2, 2024 License: Apache-2.0 Imports: 53 Imported by: 131

Documentation

Index

Constants

View Source 
const (
	LabelKeyPolicyDerivedFrom  = "io.cilium.policy.derived-from"
	LabelAllowLocalHostIngress = "allow-localhost-ingress"
	LabelAllowAnyIngress       = "allow-any-ingress"
	LabelAllowAnyEgress        = "allow-any-egress"
)
View Source 
const (
	// LabelSelectorClass indicates the class of selector being measured
	LabelSelectorClass = "class"

	// LabelValueSCFQDN is used for regular security identities
	// shared between all nodes in the cluster.
	LabelValueSCFQDN = "fqdn"

	// LabelValueSCCluster is used for the cluster entity.
	LabelValueSCCluster = "cluster"

	// LabelValueSCWorld is used for the world entity.
	LabelValueSCWorld = "world"

	// LabelValueSCOther is used for security identities allocated locally
	// on the current node.
	LabelValueSCOther = "other"
)
View Source 
const NoAuthRequirement = types.NoAuthRequirement

Variables

View Source 
var (
	LabelsAllowAnyIngress = labels.LabelArray{
		labels.NewLabel(LabelKeyPolicyDerivedFrom, LabelAllowAnyIngress, labels.LabelSourceReserved)}
	LabelsAllowAnyEgress = labels.LabelArray{
		labels.NewLabel(LabelKeyPolicyDerivedFrom, LabelAllowAnyEgress, labels.LabelSourceReserved)}
	LabelsLocalHostIngress = labels.LabelArray{
		labels.NewLabel(LabelKeyPolicyDerivedFrom, LabelAllowLocalHostIngress, labels.LabelSourceReserved)}
)

Functions

func EgressKey 

func EgressKey() types.Key

func GetCIDRPrefixes added in v0.15.7 

func GetCIDRPrefixes(rules api.Rules) []netip.Prefix

GetCIDRPrefixes runs through the specified 'rules' to find every reference to a CIDR in the rules, and returns a slice containing all of these CIDRs.

Includes prefixes referenced solely by "ExceptCIDRs" entries.

Assumes that validation already occurred on 'rules'.

func GetPolicyEnabled added in v0.15.7 

func GetPolicyEnabled() string

GetPolicyEnabled returns the policy enablement configuration

func GetPrefixesFromCIDRSet added in v0.15.7 

func GetPrefixesFromCIDRSet(rules api.CIDRRuleSlice) []netip.Prefix

GetPrefixesFromCIDRSet fetches all CIDRs referred to by the specified slice and returns them as regular golang CIDR objects. Includes CIDRs listed in ExceptCIDRs fields.

Assumes that validation already occurred on 'rules'.

func IngressKey 

func IngressKey() types.Key

func JSONMarshalRules added in v0.9.0 

func JSONMarshalRules(rules api.Rules) string

JSONMarshalRules returns a slice of policy rules as string in JSON representation

func JoinPath 

func JoinPath(a, b string) string

JoinPath returns a joined path from a and b.

func ParseProxyID added in v0.15.7 

func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, listener string, err error)

ParseProxyID parses a proxy ID returned by ProxyID and returns its components.

func ProxyID added in v0.15.7 

func ProxyID(endpointID uint16, ingress bool, protocol string, port uint16, listener string) string

ProxyID returns a unique string to identify a proxy mapping.

func ProxyIDFromKey added in v0.15.7 

func ProxyIDFromKey(endpointID uint16, key Key, listener string) string

ProxyIDFromKey returns a unique string to identify a proxy mapping.

func ProxyStatsKey added in v1.16.0 

func ProxyStatsKey(ingress bool, protocol string, port, proxyPort uint16) string

ProxyStatsKey returns a key for endpoint's proxy stats, which may aggregate stats from multiple proxy redirects on the same port.

func SetPolicyEnabled added in v0.15.7 

func SetPolicyEnabled(val string)

SetPolicyEnabled sets the policy enablement configuration. Valid values are: - endpoint.AlwaysEnforce - endpoint.NeverEnforce - endpoint.DefaultEnforcement

Types

type AddOptions added in v0.15.7 

type AddOptions struct {
	// Replace if true indicates that existing rules with identical labels should be replaced
	Replace bool
	// ReplaceWithLabels if present indicates that existing rules with the
	// given LabelArray should be deleted.
	ReplaceWithLabels labels.LabelArray

	// Generated should be set as true to signalize a the policy being inserted
	// was generated by cilium-agent, e.g. dns poller.
	Generated bool

	// The source of this policy, one of api, fqdn or k8s
	Source source.Source

	// The time the policy initially began to be processed in Cilium, such as when the
	// policy was received from the API server.
	ProcessingStartTime time.Time

	// Resource provides the object ID for the underlying object that backs
	// this information from 'source'.
	Resource ipcacheTypes.ResourceID

	// ReplaceByResource indicates the policy repository should replace any
	// rules owned by the given Resource with the new set of rules
	ReplaceByResource bool
}

AddOptions are options which can be passed to PolicyAdd

type AuthRequirement 

type AuthRequirement = types.AuthRequirement

type AuthType added in v0.15.7 

type AuthType = types.AuthType

type AuthTypes added in v0.15.7 

type AuthTypes = types.AuthTypes

type CachedSelectionUser added in v0.15.7 

type CachedSelectionUser types.CachedSelectionUser

type CachedSelector added in v0.15.7 

type CachedSelector types.CachedSelector

type CachedSelectorSlice added in v0.15.7 

type CachedSelectorSlice types.CachedSelectorSlice

type ChangeState added in v0.15.7 

type ChangeState struct {
	Adds    Keys // Added or modified keys, if not nil
	Deletes Keys // deleted keys, if not nil
	// contains filtered or unexported fields
}

ChangeState allows caller to revert changes made by (multiple) toMapState call(s) All fields are maps so we can pass this by value.

func NewRevertState 

func NewRevertState() ChangeState

NewRevertState returns an empty ChangeState suitable for reverting MapState changes. The private 'old' field is initialized so that old state can be restored if need be.

func (*ChangeState) Empty 

func (c *ChangeState) Empty() bool

type DeleteOptions added in v0.15.7 

type DeleteOptions struct {
	// The source of this policy, one of api, fqdn or k8s
	Source source.Source

	// Resource provides the object ID for the underlying object that backs
	// this information from 'source'.
	Resource ipcacheTypes.ResourceID

	// DeleteByResource should be true if the resource should be used to identify
	// which rules should be deleted.
	DeleteByResource bool
}

DeleteOptions are options which can be passed to PolicyDelete

type Endpoint added in v0.15.7 

type Endpoint interface {
	GetID16() uint16
	GetSecurityIdentity() (*identity.Identity, error)
	PolicyRevisionBumpEvent(rev uint64)
	IsHost() bool
	GetOpLabels() []string
	GetK8sNamespace() string
}

Endpoint refers to any structure which has the following properties: * a node-local ID stored as a uint16 * a security identity * a means of incrementing its policy revision * a means of checking if it represents a node or a pod. * a set of labels * a kubernetes namespace

type EndpointPolicy added in v0.15.7 

type EndpointPolicy struct {

	// VersionHandle represents the version of the SelectorCache 'policyMapState' was generated
	// from.
	// Changes after this version appear in 'policyMapChanges'.
	// This is updated when incremental changes are applied.
	VersionHandle *versioned.VersionHandle

	// PolicyOwner describes any type which consumes this EndpointPolicy object.
	PolicyOwner PolicyOwner

	// Redirects contains the proxy ports needed for this EndpointPolicy.
	// If any redirects are missing a new policy will be computed to rectify it, so this is
	// constant for the lifetime of this EndpointPolicy.
	Redirects map[string]uint16
	// contains filtered or unexported fields
}

EndpointPolicy is a structure which contains the resolved policy across all layers (L3, L4, and L7), distilled against a set of identities.

func NewEndpointPolicy added in v0.15.7 

func NewEndpointPolicy(repo PolicyRepository) *EndpointPolicy

NewEndpointPolicy returns an empty EndpointPolicy stub.

func (EndpointPolicy) Attach added in v0.15.7 

func (p EndpointPolicy) Attach(ctx PolicyContext)

func (*EndpointPolicy) ConsumeMapChanges added in v0.15.7 

func (p *EndpointPolicy) ConsumeMapChanges() (closer func(), changes ChangeState)

ConsumeMapChanges transfers the changes from MapChanges to the caller. SelectorCache used as Identities interface which only has GetPrefix() that needs no lock. Endpoints explicitly wait for a WaitGroup signaling completion of AccumulatePolicyMapChanges calls before calling ConsumeMapChanges so that if we see any partial changes here, there will be another call after to cover for the rest. PolicyOwner (aka Endpoint) is locked during this call. Caller is responsible for calling the returned 'closer' to release resources held for the new version! 'closer' may not be called while selector cache is locked!

func (*EndpointPolicy) Detach added in v0.15.7 

func (p *EndpointPolicy) Detach()

Detach removes EndpointPolicy references from selectorPolicy to allow the EndpointPolicy to be GC'd. PolicyOwner (aka Endpoint) is also locked during this call.

func (*EndpointPolicy) Diff 

func (p *EndpointPolicy) Diff(expected MapStateMap) string

func (EndpointPolicy) DistillPolicy added in v0.15.7 

func (p EndpointPolicy) DistillPolicy(policyOwner PolicyOwner, redirects map[string]uint16) *EndpointPolicy

DistillPolicy filters down the specified selectorPolicy (which acts upon selectors) into a set of concrete map entries based on the SelectorCache. These can subsequently be plumbed into the datapath.

Called without holding the Selector cache or Repository locks. PolicyOwner (aka Endpoint) is also unlocked during this call, but the Endpoint's build mutex is held.

func (*EndpointPolicy) Empty 

func (p *EndpointPolicy) Empty() bool

func (*EndpointPolicy) Entries 

func (p *EndpointPolicy) Entries() iter.Seq2[Key, MapStateEntry]

func (*EndpointPolicy) Equals 

func (p *EndpointPolicy) Equals(other MapStateMap) bool

func (*EndpointPolicy) Get 

func (p *EndpointPolicy) Get(key Key) (MapStateEntry, bool)

func (*EndpointPolicy) GetRuleLabels 

func (p *EndpointPolicy) GetRuleLabels(k Key) (labels.LabelArrayList, error)

GetRuleLabels returns the list of labels of the rules that contributed to the entry at this key. The returned LabelArrayList is shallow-copied and therefore must not be mutated.

func (*EndpointPolicy) Len 

func (p *EndpointPolicy) Len() int

func (*EndpointPolicy) LookupRedirectPort 

func (p *EndpointPolicy) LookupRedirectPort(ingress bool, protocol string, port uint16, listener string) (uint16, error)

LookupRedirectPort returns the redirect L4 proxy port for the given input parameters. Returns 0 if not found or the filter doesn't require a redirect. Returns an error if the redirect port can not be found. This is called when accumulating incremental map changes, endpoint lock must not be taken.

func (*EndpointPolicy) Missing 

func (p *EndpointPolicy) Missing(realized *EndpointPolicy) iter.Seq2[Key, MapStateEntry]

Missing returns an iterator for all key/entry pairs in 'realized' that missing from 'p'. Here 'realized' is another EndpointPolicy. This can be used to figure out which entries in 'realised' need to be deleted.

func (*EndpointPolicy) MissingMap 

func (p *EndpointPolicy) MissingMap(realized MapStateMap) iter.Seq2[Key, MapStateEntry]

Missing returns an iterator for all key/entry pairs in 'realized' that missing from 'p'. Here 'realized' is MapStateMap. This can be used to figure out which entries in 'realised' need to be deleted.

func (*EndpointPolicy) Ready 

func (p *EndpointPolicy) Ready() (err error)

Ready releases the handle on a selector cache version so that stale state can be released. This should be called when the policy has been realized.

func (EndpointPolicy) RedirectFilters 

func (p EndpointPolicy) RedirectFilters() iter.Seq2[*L4Filter, *PerSelectorPolicy]

RedirectFilters returns an iterator for each L4Filter with a redirect in the policy.

func (*EndpointPolicy) RevertChanges 

func (p *EndpointPolicy) RevertChanges(changes ChangeState)

func (*EndpointPolicy) Updated 

func (p *EndpointPolicy) Updated(realized *EndpointPolicy) iter.Seq2[Key, MapStateEntry]

Updated returns an iterator for all key/entry pairs in 'p' that are either new or updated compared to the entries in 'realized'. Here 'realized' is another EndpointPolicy. This can be used to figure out which entries need to be added to or updated in 'realised'.

func (*EndpointPolicy) UpdatedMap 

func (p *EndpointPolicy) UpdatedMap(realized MapStateMap) iter.Seq2[Key, MapStateEntry]

UpdatedMap returns an iterator for all key/entry pairs in 'p' that are either new or updated compared to the entries in 'realized'. Here 'realized' is MapStateMap. This can be used to figure out which entries need to be added to or updated in 'realised'.

type EndpointSet added in v0.15.7 

type EndpointSet struct {
	// contains filtered or unexported fields
}

EndpointSet is used to be able to group together a given set of Endpoints that need to have a specific operation performed upon them (e.g., policy revision updates).

func NewEndpointSet added in v0.15.7 

func NewEndpointSet(m map[Endpoint]struct{}) *EndpointSet

NewEndpointSet returns an EndpointSet with the given Endpoints map

func (*EndpointSet) Delete added in v0.15.7 

func (e *EndpointSet) Delete(ep Endpoint)

Delete removes ep from the EndpointSet.

func (*EndpointSet) ForEachGo added in v0.15.7 

func (e *EndpointSet) ForEachGo(wg *sync.WaitGroup, epFunc func(epp Endpoint))

ForEachGo runs epFunc asynchronously inside a goroutine for each endpoint in the EndpointSet. It signals to the provided WaitGroup when epFunc has been executed for each endpoint.

func (*EndpointSet) Insert added in v0.15.7 

func (e *EndpointSet) Insert(ep Endpoint)

Insert adds ep to the EndpointSet.

func (*EndpointSet) Len added in v0.15.7 

func (e *EndpointSet) Len() (nElem int)

Len returns the number of elements in the EndpointSet.

type GetPolicyStatistics 

type GetPolicyStatistics interface {
	WaitingForPolicyRepository() *spanstat.SpanStat
	PolicyCalculation() *spanstat.SpanStat
}

type IDSet added in v1.5.0 

type IDSet map[identity.NumericIdentity]struct{}

type Key added in v0.15.7 

type Key = types.Key

Key and Keys are types used both internally and externally. The types have been lifted out, but an alias is being used so we don't have to change all the code everywhere.

Do not use these types outside of pkg/policy or pkg/endpoint, lest ye find yourself with hundreds of unnecessary imports.

func KeyForDirection 

func KeyForDirection(direction trafficdirection.TrafficDirection) Key

type Keys added in v0.15.7 

type Keys = types.Keys

type L4DirectionPolicy added in v0.15.7 

type L4DirectionPolicy struct {
	PortRules L4PolicyMap
	// contains filtered or unexported fields
}

func (L4DirectionPolicy) Detach added in v0.15.7 

func (l4 L4DirectionPolicy) Detach(selectorCache *SelectorCache)

Detach removes the cached selectors held by L4PolicyMap from the selectorCache, allowing the map to be garbage collected when there are no more references to it.

type L4Filter 

type L4Filter struct {
	// Port is the destination port to allow. Port 0 indicates that all traffic
	// is allowed at L4.
	Port uint16 `json:"port"`
	// EndPort is zero for a singular port
	EndPort  uint16 `json:"endPort,omitempty"`
	PortName string `json:"port-name,omitempty"`
	// Protocol is the L4 protocol to allow or NONE
	Protocol api.L4Proto `json:"protocol"`
	// U8Proto is the Protocol in numeric format, or 0 for NONE
	U8Proto u8proto.U8proto `json:"-"`

	// PerSelectorPolicies is a map of policies for selectors, including any L7 rules passed to
	// the L7 proxy. nil values represent cached selectors that have selector-specific policy
	// restriction (such as no L7 rules). Holds references to the cached selectors, which must
	// be released!
	PerSelectorPolicies L7DataMap `json:"l7-rules,omitempty"`
	// L7Parser specifies the L7 protocol parser (optional). If specified as
	// an empty string, then means that no L7 proxy redirect is performed.
	L7Parser L7ParserType `json:"-"`
	// Ingress is true if filter applies at ingress; false if it applies at egress.
	Ingress bool `json:"-"`
	// RuleOrigin tracks which policy rules (identified by labels) are the origin for this L3/L4
	// (i.e. selector and port) filter. This information is used when distilling a policy to an
	// EndpointPolicy, to track which policy rules were involved for a specific verdict.
	// Each LabelArrayList is in sorted order.
	RuleOrigin map[CachedSelector]labels.LabelArrayList `json:"-"`
	// contains filtered or unexported fields
}

L4Filter represents the policy (allowed remote sources / destinations of traffic) that applies at a specific L4 port/protocol combination (including all ports and protocols), at either ingress or egress. The policy here is specified in terms of selectors that are mapped to security identities via the selector cache.

func (*L4Filter) CopyL7RulesPerEndpoint added in v0.15.7 

func (l4 *L4Filter) CopyL7RulesPerEndpoint() L7DataMap

CopyL7RulesPerEndpoint returns a shallow copy of the PerSelectorPolicies of the L4Filter.

func (*L4Filter) Equals added in v1.16.0 

func (l4 *L4Filter) Equals(bL4 *L4Filter) bool

Equals returns true if two L4Filters are equal

func (*L4Filter) GetIngress added in v0.15.7 

func (l4 *L4Filter) GetIngress() bool

GetIngress returns whether the L4Filter applies at ingress or egress.

func (*L4Filter) GetL7Parser added in v0.15.7 

func (l4 *L4Filter) GetL7Parser() L7ParserType

GetL7Parser returns the L7ParserType of the L4Filter.

func (*L4Filter) GetPort added in v0.15.7 

func (l4 *L4Filter) GetPort() uint16

GetPort returns the port at which the L4Filter applies as a uint16.

func (*L4Filter) IdentitySelectionCommit 

func (l4 *L4Filter) IdentitySelectionCommit(txn *versioned.Tx)

func (*L4Filter) IdentitySelectionUpdated added in v0.15.7 

func (l4 *L4Filter) IdentitySelectionUpdated(cs types.CachedSelector, added, deleted []identity.NumericIdentity)

IdentitySelectionUpdated implements CachedSelectionUser interface This call is made from a single goroutine in FIFO order to keep add and delete events ordered properly. No locks are held.

The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.

func (*L4Filter) IsPeerSelector 

func (l4 *L4Filter) IsPeerSelector() bool

func (*L4Filter) IsRedirect 

func (l4 *L4Filter) IsRedirect() bool

IsRedirect returns true if the L4 filter contains a port redirection

func (*L4Filter) Marshal added in v0.15.7 

func (l4 *L4Filter) Marshal() string

Marshal returns the `L4Filter` in a JSON string.

func (*L4Filter) SelectsAllEndpoints added in v0.15.7 

func (l4 *L4Filter) SelectsAllEndpoints() bool

SelectsAllEndpoints returns whether the L4Filter selects all endpoints, which is true if the wildcard endpoint selector is present in the map.

func (*L4Filter) String 

func (l4 *L4Filter) String() string

String returns the `L4Filter` in a human-readable string.

type L4Policy 

type L4Policy struct {
	Ingress L4DirectionPolicy
	Egress  L4DirectionPolicy

	// Revision is the repository revision used to generate this policy.
	Revision uint64
	// contains filtered or unexported fields
}

func NewL4Policy 

func NewL4Policy(revision uint64) L4Policy

NewL4Policy creates a new L4Policy

func (*L4Policy) AccumulateMapChanges added in v0.15.7 

func (l4Policy *L4Policy) AccumulateMapChanges(l4 *L4Filter, cs CachedSelector, adds, deletes []identity.NumericIdentity)

AccumulateMapChanges distributes the given changes to the registered users.

The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.

func (*L4Policy) Attach added in v0.15.7 

func (l4 *L4Policy) Attach(ctx PolicyContext)

Attach makes all the L4Filters to point back to the L4Policy that contains them. This is done before the L4Policy is exposed to concurrent access.

func (*L4Policy) Detach added in v0.15.7 

func (l4 *L4Policy) Detach(selectorCache *SelectorCache)

Detach makes the L4Policy ready for garbage collection, removing circular pointer references. Note that the L4Policy itself is not modified in any way, so that it may still be used concurrently.

func (*L4Policy) GetModel 

func (l4 *L4Policy) GetModel() *models.L4Policy

func (*L4Policy) HasEnvoyRedirect added in v0.15.7 

func (l4 *L4Policy) HasEnvoyRedirect() bool

HasEnvoyRedirect returns true if the L4 policy contains at least one port redirection to Envoy

func (*L4Policy) HasProxylibRedirect added in v0.15.7 

func (l4 *L4Policy) HasProxylibRedirect() bool

HasProxylibRedirect returns true if the L4 policy contains at least one port redirection to Proxylib

func (*L4Policy) HasRedirect 

func (l4 *L4Policy) HasRedirect() bool

HasRedirect returns true if the L4 policy contains at least one port redirection

func (*L4Policy) SyncMapChanges 

func (l4Policy *L4Policy) SyncMapChanges(l4 *L4Filter, txn *versioned.Tx)

SyncMapChanges marks earlier updates as completed

type L4PolicyMap 

type L4PolicyMap interface {
	Upsert(port string, endPort uint16, protocol string, l4 *L4Filter)
	Delete(port string, endPort uint16, protocol string)
	ExactLookup(port string, endPort uint16, protocol string) *L4Filter
	MatchesLabels(port, protocol string, labels labels.LabelArray) (match, isDeny bool)
	Detach(selectorCache *SelectorCache)
	IngressCoversContext(ctx *SearchContext) api.Decision
	EgressCoversContext(ctx *SearchContext) api.Decision
	ForEach(func(l4 *L4Filter) bool)
	TestingOnlyEquals(bMap L4PolicyMap) bool
	TestingOnlyDiff(expectedMap L4PolicyMap) string
	Len() int
}

L4PolicyMap is a list of L4 filters indexable by port/endport/protocol

func NewL4PolicyMap added in v1.16.0 

func NewL4PolicyMap() L4PolicyMap

NewL4PolicyMap creates an new L4PolicMap.

func NewL4PolicyMapWithValues added in v1.16.0 

func NewL4PolicyMapWithValues(initMap map[string]*L4Filter) L4PolicyMap

NewL4PolicyMapWithValues creates an new L4PolicMap, with an initial set of values. The initMap argument does not support port ranges.

type L7DataMap added in v0.15.7 

type L7DataMap map[CachedSelector]*PerSelectorPolicy

L7DataMap contains a map of L7 rules per endpoint where key is a CachedSelector

func (L7DataMap) MarshalJSON added in v0.15.7 

func (l7 L7DataMap) MarshalJSON() ([]byte, error)

func (L7DataMap) ShallowCopy added in v0.15.7 

func (l7 L7DataMap) ShallowCopy() L7DataMap

ShallowCopy returns a shallow copy of the L7DataMap.

type L7ParserType added in v0.15.7 

type L7ParserType string

L7ParserType is the type used to indicate what L7 parser to use. Consts are defined for all well known L7 parsers. Unknown string values are created for key-value pair policies, which are then transparently used in redirect configuration. 

const (
	// ParserTypeNone represents the case where no parser type is provided.
	ParserTypeNone L7ParserType = ""
	// ParserTypeTLS is used for TLS origination, termination, or SNI filtering without any L7
	// parsing. If TLS policies are used with HTTP rules, ParserTypeHTTP is used instead.
	ParserTypeTLS L7ParserType = "tls"
	// ParserTypeCRD is used with a custom CiliumEnvoyConfig redirection. Incompatible with any
	// parser type with L7 enforcement (HTTP, Kafka, proxylib), as the custom Listener generally
	// does not support them.
	ParserTypeCRD L7ParserType = "crd"
	// ParserTypeHTTP specifies a HTTP parser type
	ParserTypeHTTP L7ParserType = "http"
	// ParserTypeKafka specifies a Kafka parser type
	ParserTypeKafka L7ParserType = "kafka"
	// ParserTypeDNS specifies a DNS parser type
	ParserTypeDNS L7ParserType = "dns"
)

func (L7ParserType) Merge added in v0.15.7 

func (a L7ParserType) Merge(b L7ParserType) (L7ParserType, error)

Merge ParserTypes 'a' to 'b' if possible

func (L7ParserType) String added in v0.15.7 

func (l7 L7ParserType) String() string

type MapChange added in v0.15.7 

type MapChange struct {
	Add   bool // false deletes
	Key   Key
	Value MapStateEntry
}

type MapChanges added in v0.15.7 

type MapChanges struct {
	// contains filtered or unexported fields
}

MapChanges collects updates to the endpoint policy on the granularity of individual mapstate key-value pairs for both adds and deletes. 'mutex' must be held for any access.

func (*MapChanges) AccumulateMapChanges added in v0.15.7 

func (mc *MapChanges) AccumulateMapChanges(adds, deletes []identity.NumericIdentity, keys []Key, value mapStateEntry)

AccumulateMapChanges accumulates the given changes to the MapChanges.

The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.

func (*MapChanges) SyncMapChanges 

func (mc *MapChanges) SyncMapChanges(txn *versioned.Tx)

SyncMapChanges moves the current batch of changes to 'synced' to be consumed as a unit

type MapStateEntry added in v0.15.7 

type MapStateEntry struct {
	// The proxy port, in host byte order.
	// If 0 (default), there is no proxy redirection for the corresponding
	// Key. Any other value signifies proxy redirection.
	ProxyPort uint16

	// IsDeny is true when the policy should be denied.
	IsDeny bool

	// Invalid is only set to mark the current entry for update when syncing entries to datapath
	Invalid bool

	// AuthRequirement is non-zero when authentication is required for the traffic to be
	// allowed, except for when it explicitly defines authentication is not required.
	AuthRequirement AuthRequirement
}

MapStateEntry is the configuration associated with a Key in a MapState. This is a minimized version of policymap.PolicyEntry.

func (*MapStateEntry) IsRedirectEntry added in v0.15.7 

func (e *MapStateEntry) IsRedirectEntry() bool

IsRedirectEntry returns true if the entry redirects to a proxy port

func (MapStateEntry) String added in v0.15.7 

func (e MapStateEntry) String() string

String returns a string representation of the MapStateEntry

type MapStateMap 

type MapStateMap map[Key]MapStateEntry

Map type for external use. Internally we have more detail in private 'mapSteteEntry' type, as well as more extensive indexing via tries.

type MapStateOwner added in v0.15.7 

type MapStateOwner = types.CachedSelector

type MaskedPort added in v1.16.0 

type MaskedPort struct {
	// contains filtered or unexported fields
}

MaskedPort is a port with a wild card mask value. The port range is represented by a masked port because we need to use masks for policy Keys that are indexed in the datapath by a bitwise longest-prefix-match trie.

func PortRangeToMaskedPorts added in v1.16.0 

func PortRangeToMaskedPorts(start uint16, end uint16) (ports []MaskedPort)

PortRangeToMaskedPorts returns a slice of masked ports for the given port range. If the end port is equal to or less then the start port than the start port is returned, as a fully masked port. Ports are not returned in any particular order, so testing code needs to sort them for consistency.

func (MaskedPort) String added in v1.16.0 

func (m MaskedPort) String() string

type PerSelectorPolicy added in v0.15.7 

type PerSelectorPolicy struct {
	// TerminatingTLS is the TLS context for the connection terminated by
	// the L7 proxy.  For egress policy this specifies the server-side TLS
	// parameters to be applied on the connections originated from the local
	// POD and terminated by the L7 proxy. For ingress policy this specifies
	// the server-side TLS parameters to be applied on the connections
	// originated from a remote source and terminated by the L7 proxy.
	TerminatingTLS *TLSContext `json:"terminatingTLS,omitempty"`

	// OriginatingTLS is the TLS context for the connections originated by
	// the L7 proxy.  For egress policy this specifies the client-side TLS
	// parameters for the upstream connection originating from the L7 proxy
	// to the remote destination. For ingress policy this specifies the
	// client-side TLS parameters for the connection from the L7 proxy to
	// the local POD.
	OriginatingTLS *TLSContext `json:"originatingTLS,omitempty"`

	// ServerNames is a list of allowed TLS SNI values. If not empty, then
	// TLS must be present and one of the provided SNIs must be indicated in the
	// TLS handshake.
	ServerNames StringSet `json:"serverNames,omitempty"`

	// Listener is an optional fully qualified name of a Envoy Listner defined in a CiliumEnvoyConfig CRD that should be
	// used for this traffic instead of the default listener
	Listener string `json:"listener,omitempty"`

	// Priority of the listener used when multiple listeners would apply to the same
	// MapStateEntry.
	// Lower numbers indicate higher priority. If left out, the proxy
	// port number (10000-20000) is used as priority, so that traffic will be consistently
	// redirected to the same listener.  If higher priority desired, a low unique number like 1,
	// 2, or 3 should be explicitly specified here.  If a lower than default priority is needed,
	// then a unique number higher than 20000 should be explicitly specified. Numbers on the
	// default range (10000-20000) are not allowed.
	Priority uint16 `json:"priority,omitempty"`

	// Pre-computed HTTP rules, computed after rule merging is complete
	EnvoyHTTPRules *cilium.HttpNetworkPolicyRules `json:"-"`

	// CanShortCircuit is true if all 'EnvoyHTTPRules' may be
	// short-circuited by other matches.
	CanShortCircuit bool `json:"-"`

	api.L7Rules

	// Authentication is the kind of cryptographic authentication required for the traffic to be allowed
	// at L3, if any.
	Authentication *api.Authentication `json:"auth,omitempty"`

	// IsDeny is set if this L4Filter contains should be denied
	IsDeny bool `json:",omitempty"`
	// contains filtered or unexported fields
}

PerSelectorPolicy contains policy rules for a CachedSelector, i.e. for a selection of numerical identities.

func (*PerSelectorPolicy) Equal added in v0.15.7 

func (a *PerSelectorPolicy) Equal(b *PerSelectorPolicy) bool

Equal returns true if 'a' and 'b' represent the same L7 Rules

func (*PerSelectorPolicy) GetListener added in v1.16.0 

func (a *PerSelectorPolicy) GetListener() string

GetListener returns the listener of the PerSelectorPolicy.

func (*PerSelectorPolicy) GetPriority added in v1.16.0 

func (a *PerSelectorPolicy) GetPriority() uint16

GetPriority returns the pritority of the listener of the PerSelectorPolicy.

func (*PerSelectorPolicy) HasL7Rules added in v0.15.7 

func (a *PerSelectorPolicy) HasL7Rules() bool

HasL7Rules returns whether the `L7Rules` contains any L7 rules.

func (*PerSelectorPolicy) IsRedirect added in v0.15.7 

func (a *PerSelectorPolicy) IsRedirect() bool

IsRedirect returns true if the L7Rules are a redirect.

type PolicyContext added in v0.15.7 

type PolicyContext interface {
	// return the namespace in which the policy rule is being resolved
	GetNamespace() string

	// return the SelectorCache
	GetSelectorCache() *SelectorCache

	// GetTLSContext resolves the given 'api.TLSContext' into CA
	// certs and the public and private keys, using secrets from
	// k8s or from the local file system.
	GetTLSContext(tls *api.TLSContext) (ca, public, private string, inlineSecrets bool, err error)

	// GetEnvoyHTTPRules translates the given 'api.L7Rules' into
	// the protobuf representation the Envoy can consume. The bool
	// return parameter tells whether the rule enforcement can
	// be short-circuited upon the first allowing rule. This is
	// false if any of the rules has side-effects, requiring all
	// such rules being evaluated.
	GetEnvoyHTTPRules(l7Rules *api.L7Rules) (*cilium.HttpNetworkPolicyRules, bool)

	// IsDeny returns true if the policy computation should be done for the
	// policy deny case. This function returns different values depending on the
	// code path as it can be changed during the policy calculation.
	IsDeny() bool

	// SetDeny sets the Deny field of the PolicyContext and returns the old
	// value stored.
	SetDeny(newValue bool) (oldValue bool)
}

PolicyContext is an interface policy resolution functions use to access the Repository. This way testing code can run without mocking a full Repository.

type PolicyOwner added in v0.15.7 

type PolicyOwner interface {
	GetID() uint64
	GetNamedPort(ingress bool, name string, proto u8proto.U8proto) uint16
	PolicyDebug(fields logrus.Fields, msg string)
	IsHost() bool
}

PolicyOwner is anything which consumes a EndpointPolicy.

type PolicyRepository 

type PolicyRepository interface {
	RepositoryLock

	AddListLocked(rules api.Rules) (ruleSlice, uint64)
	BumpRevision() uint64
	DeleteByLabelsLocked(lbls labels.LabelArray) (ruleSlice, uint64, int)
	DeleteByResourceLocked(rid ipcachetypes.ResourceID) (ruleSlice, uint64)
	GetAuthTypes(localID identity.NumericIdentity, remoteID identity.NumericIdentity) AuthTypes
	GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)

	// GetSelectorPolicy computes the SelectorPolicy for a given identity.
	//
	// It returns nil if skipRevision is >= than the already calculated version.
	// This is used to skip policy calculation when a certain revision delta is
	// known to not affect the given identity. Pass a skipRevision of 0 to force
	// calculation.
	GetSelectorPolicy(id *identity.Identity, skipRevision uint64, stats GetPolicyStatistics) (SelectorPolicy, uint64, error)

	GetRevision() uint64
	GetRulesList() *models.Policy
	GetSelectorCache() *SelectorCache
	GetRepositoryChangeQueue() *eventqueue.EventQueue
	GetRuleReactionQueue() *eventqueue.EventQueue
	Iterate(f func(rule *api.Rule))
	Release(rs ruleSlice)
	ReplaceByResourceLocked(rules api.Rules, resource ipcachetypes.ResourceID) (newRules ruleSlice, oldRules ruleSlice, revision uint64)
	SearchRLocked(lbls labels.LabelArray) api.Rules
	SetEnvoyRulesFunc(f func(certificatemanager.SecretManager, *api.L7Rules, string, string) (*cilium.HttpNetworkPolicyRules, bool))
	Start()
}

type ProxyPolicy added in v0.15.7 

type ProxyPolicy interface {
	CopyL7RulesPerEndpoint() L7DataMap
	GetL7Parser() L7ParserType
	GetIngress() bool
	GetPort() uint16
	GetProtocol() u8proto.U8proto
	GetListener() string
}

ProxyPolicy is any type which encodes state needed to redirect to an L7 proxy.

type Repository added in v0.9.0 

type Repository struct {
	// contains filtered or unexported fields
}

Repository is a list of policy rules which in combination form the security policy. A policy repository can be

func NewPolicyRepository added in v0.9.0 

func NewPolicyRepository(
	initialIDs identity.IdentityMap,
	certManager certificatemanager.CertificateManager,
	secretManager certificatemanager.SecretManager,
	idmgr identitymanager.IDManager,
) *Repository

NewPolicyRepository creates a new policy repository. Only used for unit tests.

func NewStoppedPolicyRepository added in v0.15.7 

func NewStoppedPolicyRepository(
	initialIDs identity.IdentityMap,
	certManager certificatemanager.CertificateManager,
	secretManager certificatemanager.SecretManager,
	idmgr identitymanager.IDManager,
) *Repository

NewStoppedPolicyRepository creates a new policy repository without starting queues.

Qeues must be allocated via Repository.Start. The function serves to satisfy hive invariants.

func (*Repository) AddListLocked added in v0.9.0 

func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64)

AddListLocked inserts a rule into the policy repository with the repository already locked Expects that the entire rule list has already been sanitized.

func (*Repository) AllowsEgressRLocked added in v0.15.7 

func (p *Repository) AllowsEgressRLocked(ctx *SearchContext) api.Decision

AllowsEgressRLocked evaluates the policy repository for the provided search context and returns the verdict. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

NOTE: This is only called from unit tests, but from multiple packages.

func (*Repository) AllowsIngressRLocked added in v0.15.7 

func (p *Repository) AllowsIngressRLocked(ctx *SearchContext) api.Decision

AllowsIngressRLocked evaluates the policy repository for the provided search context and returns the verdict for ingress. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

NOTE: This is only called from unit tests, but from multiple packages.

func (*Repository) BumpRevision added in v0.15.7 

func (p *Repository) BumpRevision() uint64

BumpRevision allows forcing policy regeneration

func (*Repository) DeleteByLabels added in v0.9.0 

func (p *Repository) DeleteByLabels(lbls labels.LabelArray) (uint64, int)

DeleteByLabels deletes all rules in the policy repository which contain the specified labels

func (*Repository) DeleteByLabelsLocked added in v0.9.0 

func (p *Repository) DeleteByLabelsLocked(lbls labels.LabelArray) (ruleSlice, uint64, int)

DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels. Returns the revision of the policy repository after deleting the rules, as well as now many rules were deleted.

func (*Repository) DeleteByResourceLocked added in v1.16.0 

func (p *Repository) DeleteByResourceLocked(rid ipcachetypes.ResourceID) (ruleSlice, uint64)

func (*Repository) GetAuthTypes added in v0.15.7 

func (p *Repository) GetAuthTypes(localID, remoteID identity.NumericIdentity) AuthTypes

GetAuthTypes returns the AuthTypes required by the policy between the localID and remoteID

func (*Repository) GetEnvoyHTTPRules added in v0.15.7 

func (p *Repository) GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)

func (*Repository) GetRepositoryChangeQueue 

func (p *Repository) GetRepositoryChangeQueue() *eventqueue.EventQueue

func (*Repository) GetRevision added in v0.10.0 

func (p *Repository) GetRevision() uint64

GetRevision returns the revision of the policy repository

func (*Repository) GetRuleReactionQueue 

func (p *Repository) GetRuleReactionQueue() *eventqueue.EventQueue

func (*Repository) GetRulesList added in v0.15.7 

func (p *Repository) GetRulesList() *models.Policy

GetRulesList returns the current policy

func (*Repository) GetRulesMatching added in v0.9.0 

func (p *Repository) GetRulesMatching(lbls labels.LabelArray) (ingressMatch bool, egressMatch bool)

GetRulesMatching returns whether any of the rules in a repository contain a rule with labels matching the labels in the provided LabelArray.

Must be called with p.mutex held

func (*Repository) GetSelectorCache added in v0.15.7 

func (p *Repository) GetSelectorCache() *SelectorCache

GetSelectorCache() returns the selector cache used by the Repository

func (*Repository) GetSelectorPolicy 

func (r *Repository) GetSelectorPolicy(id *identity.Identity, skipRevision uint64, stats GetPolicyStatistics) (SelectorPolicy, uint64, error)

GetSelectorPolicy computes the SelectorPolicy for a given identity.

It returns nil if skipRevision is >= than the already calculated version. This is used to skip policy calculation when a certain revision delta is known to not affect the given identity. Pass a skipRevision of 0 to force calculation.

func (*Repository) Iterate added in v0.15.7 

func (p *Repository) Iterate(f func(rule *api.Rule))

Iterate iterates the policy repository, calling f for each rule. It is safe to execute Iterate concurrently.

func (*Repository) Lock 

func (p *Repository) Lock()

Lock acquiers the lock of the whole policy tree.

func (*Repository) MustAddList added in v1.16.0 

func (p *Repository) MustAddList(rules api.Rules) (ruleSlice, uint64)

MustAddList inserts a rule into the policy repository. It is used for unit-testing purposes only. Panics if the rule is invalid

func (*Repository) RLock 

func (p *Repository) RLock()

RLock acquiers the read lock of the whole policy tree.

func (*Repository) RUnlock 

func (p *Repository) RUnlock()

RUnlock releases the read lock of the whole policy tree.

func (*Repository) Release added in v1.16.0 

func (p *Repository) Release(rs ruleSlice)

Release releases resources owned by a given rule slice. This is needed because we need to evaluate deleted rules after they are removed from the repository, so we must allow for a specific lifecycle

func (*Repository) ReplaceByResourceLocked added in v1.16.0 

func (p *Repository) ReplaceByResourceLocked(rules api.Rules, resource ipcachetypes.ResourceID) (newRules ruleSlice, oldRules ruleSlice, revision uint64)

ReplaceByResourceLocked replaces all rules that belong to a given resource with a new set. The set of rules added and removed is returned, along with the new revision number. Resource must not be empty

func (*Repository) ResolveL4EgressPolicy added in v0.15.7 

func (p *Repository) ResolveL4EgressPolicy(ctx *SearchContext) (L4PolicyMap, error)

ResolveL4EgressPolicy resolves the L4 egress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.From`. `ctx.To` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.

Caller must release resources by calling Detach() on the returned map!

NOTE: This is only called from unit tests, but from multiple packages.

func (*Repository) ResolveL4IngressPolicy added in v0.15.7 

func (p *Repository) ResolveL4IngressPolicy(ctx *SearchContext) (L4PolicyMap, error)

ResolveL4IngressPolicy resolves the L4 ingress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.

TODO: Coalesce l7 rules?

Caller must release resources by calling Detach() on the returned map!

NOTE: This is only called from unit tests, but from multiple packages.

func (*Repository) SearchRLocked added in v0.9.0 

func (p *Repository) SearchRLocked(lbls labels.LabelArray) api.Rules

SearchRLocked searches the policy repository for rules which match the specified labels and will return an array of all rules which matched.

func (*Repository) SetEnvoyRulesFunc added in v0.15.7 

func (p *Repository) SetEnvoyRulesFunc(f func(certificatemanager.SecretManager, *api.L7Rules, string, string) (*cilium.HttpNetworkPolicyRules, bool))

func (*Repository) Start added in v0.15.7 

func (p *Repository) Start()

Start allocates and starts various queues used by the Repository.

Must only be called if using NewStoppedPolicyRepository

func (*Repository) Unlock 

func (p *Repository) Unlock()

Unlock releases the lock of the whole policy tree.

type RepositoryLock 

type RepositoryLock interface {
	Lock()
	Unlock()
	RLock()
	RUnlock()
}

RepositoryLock exposes methods to protect the whole policy tree.

type SearchContext 

type SearchContext struct {
	Trace   Tracing
	Depth   int
	Logging *stdlog.Logger
	From    labels.LabelArray
	To      labels.LabelArray
	DPorts  []*models.Port
	// contains filtered or unexported fields
}

SearchContext defines the context while evaluating policy

func (*SearchContext) CallDepth 

func (s *SearchContext) CallDepth() string

func (*SearchContext) PolicyTrace added in v0.9.0 

func (s *SearchContext) PolicyTrace(format string, a ...interface{})

PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) PolicyTraceVerbose added in v0.9.0 

func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})

PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) String 

func (s *SearchContext) String() string

func (*SearchContext) TraceEnabled added in v0.15.7 

func (s *SearchContext) TraceEnabled() bool

TraceEnabled returns true if the SearchContext requests tracing.

func (*SearchContext) WithLogger added in v0.15.7 

func (s *SearchContext) WithLogger(log io.Writer) *SearchContext

WithLogger returns a shallow copy of the received SearchContext with the logging set to write to 'log'.

type SelectorCache added in v0.15.7 

type SelectorCache struct {
	// contains filtered or unexported fields
}

SelectorCache caches identities, identity selectors, and the subsets of identities each selector selects.

func NewSelectorCache added in v0.15.7 

func NewSelectorCache(ids identity.IdentityMap) *SelectorCache

NewSelectorCache creates a new SelectorCache with the given identities.

func (*SelectorCache) AddFQDNSelector added in v0.15.7 

func (sc *SelectorCache) AddFQDNSelector(user CachedSelectionUser, lbls labels.LabelArray, fqdnSelec api.FQDNSelector) (cachedSelector types.CachedSelector, added bool)

AddFQDNSelector adds the given api.FQDNSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding types.CachedSelector is returned, otherwise one is created and added to the cache.

func (*SelectorCache) AddIdentitySelector added in v0.15.7 

func (sc *SelectorCache) AddIdentitySelector(user types.CachedSelectionUser, lbls labels.LabelArray, selector api.EndpointSelector) (cachedSelector types.CachedSelector, added bool)

AddIdentitySelector adds the given api.EndpointSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding types.CachedSelector is returned, otherwise one is created and added to the cache.

func (*SelectorCache) ChangeUser added in v0.15.7 

func (sc *SelectorCache) ChangeUser(selector types.CachedSelector, from, to CachedSelectionUser)

ChangeUser changes the CachedSelectionUser that gets updates on the updates on the cached selector.

func (*SelectorCache) FindCachedIdentitySelector added in v0.15.7 

func (sc *SelectorCache) FindCachedIdentitySelector(selector api.EndpointSelector) types.CachedSelector

FindCachedIdentitySelector finds the given api.EndpointSelector in the selector cache, returning nil if one can not be found.

func (*SelectorCache) GetModel added in v0.15.7 

func (sc *SelectorCache) GetModel() models.SelectorCache

GetModel returns the API model of the SelectorCache.

func (*SelectorCache) GetVersionHandle 

func (sc *SelectorCache) GetVersionHandle() *versioned.VersionHandle

GetVersionHandle returns a VersoionHandle for the current version. The returned VersionHandle must be closed with Close()

func (*SelectorCache) GetVersionHandleFunc 

func (sc *SelectorCache) GetVersionHandleFunc(f func(*versioned.VersionHandle))

GetVersionHandleFunc calls the given function with a versioned.VersionHandle for the current version of SelectorCache selections while selector cache is locked for writing, so that the caller may get ready for getting incremental updates that are possible right after the lock is released. This should only be used with trivial functions that can not lock or sleep. Use the plain 'GetVersionHandle' whenever possible, as it does not lock the selector cache. VersionHandle passed to 'f' must be closed with Close().

func (*SelectorCache) RegisterMetrics 

func (sc *SelectorCache) RegisterMetrics()

func (*SelectorCache) RemoveSelector added in v0.15.7 

func (sc *SelectorCache) RemoveSelector(selector types.CachedSelector, user CachedSelectionUser)

RemoveSelector removes types.CachedSelector for the user.

func (*SelectorCache) RemoveSelectors added in v0.15.7 

func (sc *SelectorCache) RemoveSelectors(selectors types.CachedSelectorSlice, user CachedSelectionUser)

RemoveSelectors removes types.CachedSelectorSlice for the user.

func (*SelectorCache) SetLocalIdentityNotifier added in v0.15.7 

func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)

SetLocalIdentityNotifier injects the provided identityNotifier into the SelectorCache. Currently, this is used to inject the FQDN subsystem into the SelectorCache so the SelectorCache can notify the FQDN subsystem when it should be aware of a given FQDNSelector for which CIDR identities need to be provided upon DNS lookups which corespond to said FQDNSelector.

func (*SelectorCache) Stats 

func (sc *SelectorCache) Stats() selectorStats

func (*SelectorCache) UpdateIdentities added in v0.15.7 

func (sc *SelectorCache) UpdateIdentities(added, deleted identity.IdentityMap, wg *sync.WaitGroup)

UpdateIdentities propagates identity updates to selectors

The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.

Caller should Wait() on the returned sync.WaitGroup before triggering any policy updates. Policy updates may need Endpoint locks, so this Wait() can deadlock if the caller is holding any endpoint locks.

type SelectorPolicy added in v0.15.7 

type SelectorPolicy interface {
	// CreateRedirects is used to ensure the endpoint has created all the needed redirects
	// before a new EndpointPolicy is created.
	RedirectFilters() iter.Seq2[*L4Filter, *PerSelectorPolicy]

	// DistillPolicy returns the policy in terms of connectivity to peer
	// Identities.
	DistillPolicy(owner PolicyOwner, redirects map[string]uint16) *EndpointPolicy
}

SelectorPolicy represents a selectorPolicy, previously resolved from the policy repository and ready to be distilled against a set of identities to compute datapath-level policy configuration.

type StringSet added in v0.15.7 

type StringSet map[string]struct{}

func NewStringSet added in v0.15.7 

func NewStringSet(from []string) StringSet

NewStringSet returns a StringSet initialized from slice of strings. Returns nil for an empty slice

func (StringSet) Equal added in v0.15.7 

func (a StringSet) Equal(b StringSet) bool

func (StringSet) Merge added in v0.15.7 

func (a StringSet) Merge(b StringSet) StringSet

Merge returns StringSet with strings from both a and b. Returns a or b, possibly with modifications.

type TLSContext added in v0.15.7 

type TLSContext struct {
	TrustedCA        string `json:"trustedCA,omitempty"`
	CertificateChain string `json:"certificateChain,omitempty"`
	PrivateKey       string `json:"privateKey,omitempty"`
	// Secret holds the name of the Secret that was referenced in the Policy
	Secret k8sTypes.NamespacedName
	// FromFile is true if the values in the keys above were read from the filesystem
	// and not a Kubernetes Secret
	FromFile bool
}

TLS context holds the secret values resolved from an 'api.TLSContext'

func (*TLSContext) Equal added in v0.15.7 

func (a *TLSContext) Equal(b *TLSContext) bool

Equal returns true if 'a' and 'b' have the same contents.

func (*TLSContext) MarshalJSON added in v0.15.7 

func (t *TLSContext) MarshalJSON() ([]byte, error)

MarshalJSON marsahls a redacted version of the TLSContext. We want to see which fields are present, but not reveal their values in any logs, etc.

type TLSDirection added in v0.15.7 

type TLSDirection string
const (
	TerminatingTLS TLSDirection = "terminating"
	OriginatingTLS TLSDirection = "originating"
)

type Tracing 

type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

type TriggerMetrics added in v0.15.7 

type TriggerMetrics struct{}

TriggerMetrics handles the metrics for trigger policy recalculations.

func (*TriggerMetrics) PostRun added in v0.15.7 

func (p *TriggerMetrics) PostRun(duration, latency time.Duration, folds int)

func (*TriggerMetrics) QueueEvent added in v0.15.7 

func (p *TriggerMetrics) QueueEvent(reason string)

type Updater added in v0.15.7 

type Updater struct {
	*trigger.Trigger
	// contains filtered or unexported fields
}

Updater is responsible for triggering policy updates, in order to perform policy recalculation.

func NewUpdater added in v0.15.7 

func NewUpdater(r PolicyRepository, regen regenerator) *Updater

NewUpdater returns a new Updater instance to handle triggering policy updates ready for use.

func (*Updater) TriggerPolicyUpdates added in v0.15.7 

func (u *Updater) TriggerPolicyUpdates(force bool, reason string)

TriggerPolicyUpdates triggers the policy update trigger.

To follow what the trigger does, see NewUpdater.

Source Files

View all Source files

Directories

Path Synopsis
Package api defines the API of the Cilium network policy interface +groupName=policy
 Package api defines the API of the Cilium network policy interface +groupName=policy
aws
package trafficdirection specifies the directionality of policy in a numeric representation.
 package trafficdirection specifies the directionality of policy in a numeric representation.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.