types

package
v1.18.0-pre.0
Published: Mar 3, 2025 License: Apache-2.0 Imports: 14 Imported by: 0

Documentation

Constants

const (
	MaxProxyPortPriority = 255
	MaxListenerPriority  = 100
)
const MapStatePrefixLen = uint(32)

MapStatePrefixLen is the length, in bits, of the Key when converted to binary, minus the size of the identity field (which is not indexed).

Variables

This section is empty.

Functions

This section is empty.

Types

type AuthRequirement added in v1.17.0

type AuthRequirement AuthType

AuthRequirement is a combination of an AuthType with an 'explicit' flag on the highest bit. It is defined in order to keep MapStateEntry smaller and to simplify the code wiring this to the bpf datapath.

NOTE: This type is part of the bpf policy API.

This type reflects the layout of the 'auth_type' field in the bpf policy map and is used in pkg/maps/policymap. This layout must not be changed!

const (
	NoAuthRequirement  AuthRequirement = 0
	AuthTypeIsExplicit AuthRequirement = 1 << 7
)

func (AuthRequirement) AsDerived added in v1.17.0

func (a AuthRequirement) AsDerived() AuthRequirement

AsDerived returns the auth requirement with the 'explicit' flag cleared.

func (AuthRequirement) AuthType added in v1.17.0

func (a AuthRequirement) AuthType() AuthType

func (AuthRequirement) IsExplicit added in v1.17.0

func (a AuthRequirement) IsExplicit() bool

type AuthType added in v1.17.0

type AuthType uint8

AuthType enumerates the supported authentication types in the api. A numerically higher type takes precedence in case of conflicting auth types.

const (
	// AuthTypeDisabled means no authentication required
	AuthTypeDisabled AuthType = iota
	// AuthTypeSpire is a mutual auth type that uses SPIFFE identities with a SPIRE server
	AuthTypeSpire
	// AuthTypeAlwaysFail is a simple auth type that always denies the request
	AuthTypeAlwaysFail
)

func (AuthType) AsDerivedRequirement added in v1.17.0

func (a AuthType) AsDerivedRequirement() AuthRequirement

func (AuthType) AsExplicitRequirement added in v1.17.0

func (a AuthType) AsExplicitRequirement() AuthRequirement

func (AuthType) String added in v1.17.0

func (a AuthType) String() string

String returns AuthType as a string. This must return the strings accepted for api.AuthType.

func (AuthType) Uint8 added in v1.17.0

func (a AuthType) Uint8() uint8

Uint8 returns AuthType as a uint8.
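The AuthRequirement layout described above (an AuthType in the low seven bits, the 'explicit' flag in bit 7) and the "numerically higher type wins" rule, as an added stand-alone example that is not Cilium's own code. ResolveAuthType and RequiresAuth are hypothetical helper names chosen for this example; the constants mirror the ones documented on this page.

```go
package main

import "fmt"

type AuthType uint8

const (
	AuthTypeDisabled   AuthType = iota // no authentication required
	AuthTypeSpire                      // mutual auth via SPIFFE identities and SPIRE
	AuthTypeAlwaysFail                 // always denies the request
)

// AuthRequirement packs an AuthType into the low 7 bits and an 'explicit' flag into bit 7.
type AuthRequirement AuthType

const (
	NoAuthRequirement  AuthRequirement = 0
	AuthTypeIsExplicit AuthRequirement = 1 << 7
)

func (a AuthType) AsDerivedRequirement() AuthRequirement  { return AuthRequirement(a) }
func (a AuthType) AsExplicitRequirement() AuthRequirement { return AuthRequirement(a) | AuthTypeIsExplicit }

// AuthType strips the explicit flag; AsDerived keeps the type but clears the flag.
func (r AuthRequirement) AuthType() AuthType         { return AuthType(r &^ AuthTypeIsExplicit) }
func (r AuthRequirement) AsDerived() AuthRequirement { return r &^ AuthTypeIsExplicit }
func (r AuthRequirement) IsExplicit() bool           { return r&AuthTypeIsExplicit != 0 }

// ResolveAuthType (hypothetical helper) applies the documented rule for conflicting
// auth types: the numerically higher type wins (AlwaysFail beats Spire beats Disabled).
func ResolveAuthType(types ...AuthType) AuthType {
	var winner AuthType
	for _, t := range types {
		if t > winner {
			winner = t
		}
	}
	return winner
}

// RequiresAuth (hypothetical helper) reports whether traffic must be authenticated
// before it is allowed. An explicit "disabled" requirement is non-zero (0x80) but
// still means no authentication is required, so only the type is consulted.
func RequiresAuth(r AuthRequirement) bool { return r.AuthType() != AuthTypeDisabled }

func main() {
	explicitNone := AuthTypeDisabled.AsExplicitRequirement()
	fmt.Printf("explicit none: raw=%#x explicit=%v requiresAuth=%v\n",
		uint8(explicitNone), explicitNone.IsExplicit(), RequiresAuth(explicitNone))
	fmt.Println("conflict resolves to type", ResolveAuthType(AuthTypeSpire, AuthTypeAlwaysFail))
}
```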

type AuthTypes added in v1.17.0

type AuthTypes map[AuthType]struct{}

AuthTypes is a set of AuthTypes, usually nil if empty.

type CachedSelectionUser added in v1.17.0

type CachedSelectionUser interface {
	// The caller is responsible for making sure the same identity is not
	// present in both 'added' and 'deleted'.
	IdentitySelectionUpdated(selector CachedSelector, added, deleted []identity.NumericIdentity)

	// IdentitySelectionCommit tells the user that all IdentitySelectionUpdated calls relating
	// to a specific added or removed identity have been made.
	IdentitySelectionCommit(*versioned.Tx)

	// IsPeerSelector returns true if the selector is used by the policy
	// engine for selecting traffic for remote peers. False if used for
	// selecting policy subjects.
	IsPeerSelector() bool
}

CachedSelectionUser inserts selectors into the cache and gets update callbacks whenever the set of selected numeric identities changes for the CachedSelectors pushed by it. Callbacks are executed from a separate goroutine that does not take the selector cache lock, so the implementations generally may call back to the selector cache.

type CachedSelector added in v1.17.0

type CachedSelector interface {
	// GetSelections returns the cached set of numeric identities
	// selected by the CachedSelector.  The returned slice must NOT
	// be modified, as it is shared among multiple users.
	GetSelections(*versioned.VersionHandle) identity.NumericIdentitySlice

	// GetMetadataLabels returns metadata labels for additional context
	// surrounding the selector. These are typically the labels associated with
	// Cilium rules.
	GetMetadataLabels() labels.LabelArray

	// Selects return 'true' if the CachedSelector selects the given
	// numeric identity.
	Selects(*versioned.VersionHandle, identity.NumericIdentity) bool

	// IsWildcard returns true if the endpoint selector selects
	// all endpoints.
	IsWildcard() bool

	// IsNone returns true if the selector never selects anything
	IsNone() bool

	// String returns the string representation of this selector.
	// Used as a map key.
	String() string
}

CachedSelector represents an identity selector owned by the selector cache.

type CachedSelectorSlice added in v1.17.0

type CachedSelectorSlice []CachedSelector

CachedSelectorSlice is a slice of CachedSelectors that can be sorted.

func (CachedSelectorSlice) Len added in v1.17.0

func (s CachedSelectorSlice) Len() int

func (CachedSelectorSlice) Less added in v1.17.0

func (s CachedSelectorSlice) Less(i, j int) bool

func (CachedSelectorSlice) MarshalJSON added in v1.17.0

func (s CachedSelectorSlice) MarshalJSON() ([]byte, error)

MarshalJSON returns the CachedSelectors as a JSON formatted buffer.

func (CachedSelectorSlice) SelectsAllEndpoints added in v1.17.0

func (s CachedSelectorSlice) SelectsAllEndpoints() bool

SelectsAllEndpoints returns whether the CachedSelectorSlice selects all endpoints, which is true if the wildcard endpoint selector is present in the slice.

func (CachedSelectorSlice) Swap added in v1.17.0

func (s CachedSelectorSlice) Swap(i, j int)

type Key

type Key struct {
	LPMKey
	// Identity is the numeric identity to / from which traffic is allowed.
	Identity identity.NumericIdentity
}

func EgressKey added in v1.17.0

func EgressKey() Key

func IngressKey added in v1.17.0

func IngressKey() Key

func KeyForDirection added in v1.17.0

func KeyForDirection(direction trafficdirection.TrafficDirection) Key

func (Key) PortProtoIsBroader

func (k Key) PortProtoIsBroader(c Key) bool

PortProtoIsBroader returns true if the receiver Key has broader port-protocol than the argument Key. That is a port-protocol that covers the argument Key's port-protocol and is larger. An equal port-protocol will return false.

func (Key) String

func (k Key) String() string

String returns a string representation of the Key.

func (Key) WithIdentity added in v1.17.0

func (k Key) WithIdentity(nid identity.NumericIdentity) Key

func (Key) WithPort added in v1.17.0

func (k Key) WithPort(port uint16) Key

func (Key) WithPortPrefix added in v1.17.0

func (k Key) WithPortPrefix(port uint16, prefixLen uint8) Key

func (Key) WithPortProto added in v1.17.0

func (k Key) WithPortProto(proto u8proto.U8proto, port uint16) Key

func (Key) WithPortProtoPrefix added in v1.17.0

func (k Key) WithPortProtoPrefix(proto u8proto.U8proto, port uint16, prefixLen uint8) Key

func (Key) WithProto added in v1.17.0

func (k Key) WithProto(proto u8proto.U8proto) Key

func (Key) WithSCTPPort added in v1.17.0

func (k Key) WithSCTPPort(port uint16) Key

func (Key) WithSCTPPortPrefix added in v1.17.0

func (k Key) WithSCTPPortPrefix(port uint16, prefixLen uint8) Key

func (Key) WithTCPPort added in v1.17.0

func (k Key) WithTCPPort(port uint16) Key

func (Key) WithTCPPortPrefix added in v1.17.0

func (k Key) WithTCPPortPrefix(port uint16, prefixLen uint8) Key

func (Key) WithUDPPort added in v1.17.0

func (k Key) WithUDPPort(port uint16) Key

func (Key) WithUDPPortPrefix added in v1.17.0

func (k Key) WithUDPPortPrefix(port uint16, prefixLen uint8) Key

type Keys

type Keys map[Key]struct{}

type LPMKey added in v1.17.0

type LPMKey struct {

	// Nexthdr is the protocol which is allowed.
	Nexthdr u8proto.U8proto
	// DestPort is the port at L4 to / from which traffic is allowed, in
	// host-byte order.
	DestPort uint16
	// contains filtered or unexported fields
}

LPMKey is the userspace representation of a policy key in BPF. It is intentionally duplicated from pkg/maps/policymap to avoid pulling in the BPF dependency to this package.

func (LPMKey) BitValueAt added in v1.17.0

func (k LPMKey) BitValueAt(i uint) uint8

BitValueAt implements the BitValueAt method for the bitlpm.Key interface.

func (LPMKey) CommonPrefix added in v1.17.0

func (k LPMKey) CommonPrefix(b LPMKey) uint

CommonPrefix implements the CommonPrefix method for the bitlpm.Key interface. Identity is not indexed and is instead saved as a simple map per TrafficDirection-Protocol-Port index key.

func (LPMKey) EndPort added in v1.17.0

func (k LPMKey) EndPort() uint16

EndPort returns the end-port of the Key based on the Mask.

func (LPMKey) HasPortWildcard added in v1.17.0

func (k LPMKey) HasPortWildcard() bool

func (LPMKey) IsEgress added in v1.17.0

func (k LPMKey) IsEgress() bool

IsEgress returns true if the key refers to an egress policy key.

func (LPMKey) IsIngress added in v1.17.0

func (k LPMKey) IsIngress() bool

IsIngress returns true if the key refers to an ingress policy key.

func (LPMKey) PortIsBroader added in v1.17.0

func (k LPMKey) PortIsBroader(c Key) bool

PortIsBroader returns true if the receiver Key's port range covers the argument Key's port range, but returns false if they are equal.

func (LPMKey) PortIsEqual added in v1.17.0

func (k LPMKey) PortIsEqual(c Key) bool

PortIsEqual returns true if the port ranges between the two keys are exactly equal.

func (LPMKey) PortPrefixLen added in v1.17.0

func (k LPMKey) PortPrefixLen() uint8

PortPrefixLen returns the length of the bitwise mask that should be applied to the DestPort.

func (LPMKey) PortProtoIsEqual added in v1.17.0

func (k LPMKey) PortProtoIsEqual(c Key) bool

PortProtoIsEqual returns true if the port-protocols of the two keys are exactly equal.

func (LPMKey) PrefixLength added in v1.17.0

func (k LPMKey) PrefixLength() uint

PrefixLength returns the prefix length of the key for indexing it in the userspace cache (not the BPF map or datapath).

func (LPMKey) TrafficDirection added in v1.17.0

func (k LPMKey) TrafficDirection() trafficdirection.TrafficDirection

TrafficDirection returns the direction of the Key: 0 == ingress, 1 == egress.
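The port-prefix semantics of LPMKey documented above (PortPrefixLen, EndPort, HasPortWildcard, PortIsEqual, PortIsBroader, PrefixLength), as an added stand-alone model that is not Cilium's own code. It assumes a 32-bit indexed layout matching MapStatePrefixLen (8 bits traffic direction, 8 bits protocol, 16 bits port, with only the port prefix-matched); NewPortPrefixKey and portMask are hypothetical helpers, and the protocol numbers used are the IANA values for TCP and UDP.

```go
package main

import "fmt"

const (
	portBits         = 16
	staticPrefixBits = 16 // direction (8) + protocol (8) are always fully matched (assumption)
	Ingress, Egress  = 0, 1
)

type LPMKey struct {
	Direction uint8
	Nexthdr   uint8  // 6 = TCP, 17 = UDP, 0 = any protocol
	DestPort  uint16 // host byte order, normalised to the prefix
	prefixLen uint8  // significant DestPort bits, 0..16
}

// NewPortPrefixKey (hypothetical) masks DestPort to its prefix so keys compare by range.
func NewPortPrefixKey(dir, proto uint8, port uint16, prefixLen uint8) LPMKey {
	k := LPMKey{Direction: dir, Nexthdr: proto, prefixLen: prefixLen}
	k.DestPort = port & k.portMask()
	return k
}

// portMask is the bitwise mask that PortPrefixLen selects on DestPort.
func (k LPMKey) portMask() uint16      { return ^uint16(0) << (portBits - k.prefixLen) }
func (k LPMKey) PortPrefixLen() uint8  { return k.prefixLen }
func (k LPMKey) PrefixLength() uint    { return staticPrefixBits + uint(k.prefixLen) }
func (k LPMKey) HasPortWildcard() bool { return k.prefixLen < portBits }
func (k LPMKey) IsEgress() bool        { return k.Direction == Egress }

// EndPort is the last port the prefix covers: all host bits of the port set to one.
func (k LPMKey) EndPort() uint16 { return k.DestPort | ^k.portMask() }

// PortIsEqual: same range. PortIsBroader: receiver range strictly contains the argument's.
func (k LPMKey) PortIsEqual(c LPMKey) bool { return k.DestPort == c.DestPort && k.prefixLen == c.prefixLen }
func (k LPMKey) PortIsBroader(c LPMKey) bool {
	return k.prefixLen < c.prefixLen && c.DestPort&k.portMask() == k.DestPort
}

func main() {
	anyPort := NewPortPrefixKey(Ingress, 6, 0, 0)    // TCP, all ports (prefix 0)
	block := NewPortPrefixKey(Ingress, 6, 8000, 13)  // TCP 8000-8007 (prefix 13)
	single := NewPortPrefixKey(Ingress, 6, 8005, 16) // TCP 8005 only (prefix 16)
	fmt.Printf("%d-%d covers %d: %v\n", block.DestPort, block.EndPort(), single.DestPort, block.PortIsBroader(single))
	fmt.Println("any-port key is broader than the block:", anyPort.PortIsBroader(block))
	fmt.Println("block prefix length for the LPM index:", block.PrefixLength())
}
```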

type MapStateEntry added in v1.17.0

type MapStateEntry struct {

	// ProxyPortPriority encodes the listener priority.
	ProxyPortPriority ProxyPortPriority

	// The proxy port, in host byte order.
	// If 0 (default), there is no proxy redirection for the corresponding
	// Key. Any other value signifies proxy redirection.
	ProxyPort uint16

	// Invalid is only set to mark the current entry for update when syncing entries to datapath
	Invalid bool

	// AuthRequirement is non-zero when authentication is required for the traffic to be
	// allowed, except for when it explicitly defines authentication is not required.
	AuthRequirement AuthRequirement
	// contains filtered or unexported fields
}

MapStateEntry is the configuration associated with a Key in a MapState. This is a minimized version of policymap.PolicyEntry.

func AllowEntry added in v1.17.0

func AllowEntry() MapStateEntry

AllowEntry returns a MapStateEntry for an allow policy without a proxy redirect.

func DenyEntry added in v1.17.0

func DenyEntry() MapStateEntry

DenyEntry returns a MapStateEntry for a deny policy.

func NewMapStateEntry added in v1.17.0

func NewMapStateEntry(deny bool, proxyPort uint16, priority uint8, authReq AuthRequirement) MapStateEntry

NewMapStateEntry creates a new MapStateEntry. The listener 'priority' is encoded in ProxyPortPriority, inverted.

func (MapStateEntry) IsDeny added in v1.17.0

func (e MapStateEntry) IsDeny() bool

func (MapStateEntry) IsRedirectEntry added in v1.17.0

func (e MapStateEntry) IsRedirectEntry() bool

IsRedirectEntry returns true if the entry redirects to a proxy port.

func (*MapStateEntry) Merge added in v1.17.0

func (e *MapStateEntry) Merge(entry MapStateEntry)

Merge is only called if both entries are denies or both are allows.

func (MapStateEntry) String added in v1.17.0

func (e MapStateEntry) String() string

String returns a string representation of the MapStateEntry.

func (MapStateEntry) WithDeny added in v1.17.0

func (e MapStateEntry) WithDeny(isDeny bool) MapStateEntry

WithDeny returns the entry 'e' with 'isDeny' set as indicated.

func (MapStateEntry) WithProxyPort added in v1.17.0

func (e MapStateEntry) WithProxyPort(proxyPort uint16) MapStateEntry

WithProxyPort returns the MapStateEntry with the proxy port set at the default precedence.

func (MapStateEntry) WithProxyPriority added in v1.17.0

func (e MapStateEntry) WithProxyPriority(priority uint8) MapStateEntry

WithProxyPriority returns a MapStateEntry with the given listener priority:

	0   - default (low) priority for all proxy redirects
	1   - highest listener priority
	..
	100 - lowest (non-default) listener priority

type MapStateMap

type MapStateMap map[Key]MapStateEntry

func (MapStateMap) Diff

func (obtained MapStateMap) Diff(expected MapStateMap) (res string)

Diff returns the string of differences between 'obtained' and 'expected' prefixed with '+ ' or '- ' for obtaining something unexpected, or not obtaining the expected, respectively. For use in debugging from other packages.

type PolicyUpdate added in v1.17.0

type PolicyUpdate struct {
	// The set of rules to be added.
	// Set to nil to delete for the given resource or labels.
	Rules policyapi.Rules

	// Resource provides the object ID for the underlying object that backs
	// this information from 'source'.
	Resource ipcacheTypes.ResourceID

	// ReplaceByLabels, if true, indicates that existing rules with identical labels should be replaced,
	// and that the set of labels should be taken from the rules.
	ReplaceByLabels bool

	// ReplaceWithLabels, if present, indicates that existing rules with the
	// given LabelArray should be deleted.
	ReplaceWithLabels labels.LabelArray

	// The source of this policy, used for prefix allocation
	Source source.Source

	// The time the policy initially began to be processed in Cilium, such as when the
	// policy was received from the API server.
	ProcessingStartTime time.Time

	// DoneChan, if not nil, will have a single value emitted: the revision of the
	// policy repository when the update has been processed.
	// This must be a buffered channel!
	DoneChan chan<- uint64
}

PolicyUpdate is a proposed change to a policy in the PolicyRepository.

type ProxyPortPriority added in v1.17.0

type ProxyPortPriority uint8
