authmap

package
v1.17.0-rc.0
Published: Dec 18, 2024 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package auth represents the BPF map used to keep track of authentication state between security identities.

Constants

const (
	MapName = "cilium_auth_map"
)

Variables

var Cell = cell.Module(
	"auth-map",
	"eBPF map which manages authenticated connections between identities",

	cell.Provide(newAuthMap),
)

Cell provides the auth.Map, which contains the authentication state between Cilium security identities. The datapath checks the map for a valid authentication entry whenever a policy demands authentication. If no entry is found, or the entry found has expired, the packet is dropped and authentication is requested via auth.Manager.

Functions

This section is empty.

Types

type AuthInfo

type AuthInfo struct {
	Expiration utime.UTime `align:"expiration"`
}

AuthInfo implements the bpf.MapValue interface.

Must be in sync with struct auth_info in <bpf/lib/common.h>

func (*AuthInfo) String

func (r *AuthInfo) String() string

type AuthKey

type AuthKey struct {
	LocalIdentity  uint32 `align:"local_sec_label"`
	RemoteIdentity uint32 `align:"remote_sec_label"`
	RemoteNodeID   uint16 `align:"remote_node_id"`
	AuthType       uint8  `align:"auth_type"`
	Pad            uint8  `align:"pad"`
}

AuthKey implements the bpf.MapKey interface.

Must be in sync with struct auth_key in <bpf/lib/common.h>

func (*AuthKey) New

func (r *AuthKey) New() bpf.MapKey

func (*AuthKey) String

func (r *AuthKey) String() string

type IterateCallback

type IterateCallback func(*AuthKey, *AuthInfo)

IterateCallback represents the signature of the callback function expected by the IterateWithCallback method, which in turn is used to iterate all the keys/values of an auth map.

type Map

type Map interface {
	// Lookup returns the auth map object associated with the provided
	// (local identity, remote identity, remote host id, auth type) quadruple.
	Lookup(key AuthKey) (AuthInfo, error)

	// Update inserts or updates the auth map object associated with the provided
	// (local identity, remote identity, remote host id, auth type) quadruple.
	Update(key AuthKey, expiration utime.UTime) error

	// Delete deletes the auth map object associated with the provided
	// (local identity, remote identity, remote host id, auth type) quadruple.
	Delete(key AuthKey) error

	// IterateWithCallback iterates through all the keys/values of an auth map,
	// passing each key/value pair to the cb callback.
	IterateWithCallback(cb IterateCallback) error

	// MaxEntries returns the maximum number of entries the auth map can hold.
	MaxEntries() uint32
}

Map provides access to the eBPF map auth.

func LoadAuthMap

func LoadAuthMap() (Map, error)

LoadAuthMap loads the pre-initialized auth map for access. This should only be used from components which aren't capable of using hive, mainly the Cilium CLI. The map needs to be initialized beforehand via the Cilium Agent.
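
The check the datapath is described as making against this map, modelled in user space as an added example (not code from the Cilium project). AuthKey and AuthInfo are local stand-ins with Expiration as a plain uint64; fakeAuthMap, Allowed, the sample identities and treating an entry that expires exactly at "now" as expired are assumptions.

```go
package main

import (
	"errors"
	"fmt"
)

// Local stand-ins for the documented types (assumption: Expiration is a
// plain uint64 timestamp here instead of utime.UTime).
type AuthKey struct {
	LocalIdentity, RemoteIdentity uint32
	RemoteNodeID                  uint16
	AuthType, Pad                 uint8
}

type AuthInfo struct{ Expiration uint64 }

// fakeAuthMap is a hypothetical in-memory model of Lookup/Update from Map.
type fakeAuthMap map[AuthKey]AuthInfo

func (m fakeAuthMap) Lookup(k AuthKey) (AuthInfo, error) {
	info, ok := m[k]
	if !ok {
		return AuthInfo{}, errors.New("auth entry not found")
	}
	return info, nil
}

func (m fakeAuthMap) Update(k AuthKey, exp uint64) error {
	m[k] = AuthInfo{Expiration: exp}
	return nil
}

// Allowed fails closed: a lookup error or an expired entry both mean the
// packet is dropped and authentication has to be requested again.
func Allowed(m fakeAuthMap, k AuthKey, now uint64) bool {
	info, err := m.Lookup(k)
	return err == nil && now < info.Expiration
}

func main() {
	m := fakeAuthMap{}
	// Constructed sample values, not real identities or auth types.
	k := AuthKey{LocalIdentity: 1001, RemoteIdentity: 2002, RemoteNodeID: 7, AuthType: 1}
	m.Update(k, 500)
	other := k
	other.RemoteNodeID = 8 // same identity pair, different remote node
	fmt.Println(Allowed(m, k, 100), Allowed(m, k, 500), Allowed(m, other, 100))
}
```

Because the key is the full quadruple, an entry for one remote node does not authenticate the same identity pair on another node.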
