Affected by GO-2022-0393 and 12 other vulnerabilities

GO-2022-0393: Network policy may be bypassed by some ICMP Echo Requests in github.com/cilium/cilium

GO-2022-0457: Access to Unix domain socket can lead to privileges escalation in Cilium in github.com/cilium/cilium

GO-2022-0458: Improper Privilege Management in Cilium in github.com/cilium/cilium

GO-2022-0959: Network Policies & (Clusterwide) Cilium Network Policies with namespace label selectors may unexpectedly select pods with maliciously crafted labels in github.com/cilium/cilium

GO-2023-1643: Potential network policy bypass when routing IPv6 traffic in github.com/cilium/cilium

GO-2023-1730: Debug mode leaks confidential data in Cilium in github.com/cilium/cilium

GO-2023-1785: Potential HTTP policy bypass when using header rules in Cilium in github.com/cilium/cilium

GO-2023-2078: Kubernetes users may update Pod labels to bypass network policy in github.com/cilium/cilium

GO-2023-2079: Specific Cilium configurations vulnerable to DoS via Kubernetes annotations in github.com/cilium/cilium

GO-2023-2080: Cilium vulnerable to bypass of namespace restrictions in CiliumNetworkPolicy in github.com/cilium/cilium

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

client

package

v1.8.3 Latest Latest Go to latest Published: Sep 4, 2020 License: Apache-2.0 Imports: 16 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Open Source Insights

Documentation ¶

Index ¶

Variables
func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error

Constants ¶

This section is empty.

Variables ¶

View Source

var (
	CCNPCRV = initCCNPCRV()

	CNPCRV = &apiextensionsv1beta1.CustomResourceValidation{
		OpenAPIV3Schema: &apiextensionsv1beta1.JSONSchemaProps{

			Type:       "object",
			Properties: properties,
		},
	}

	CIDR = apiextensionsv1beta1.JSONSchemaProps{
		Description: "CIDR is a CIDR prefix / IP Block.",
		Type:        "string",
		OneOf: []apiextensionsv1beta1.JSONSchemaProps{
			{

				Pattern: `^(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4]` +
					`[0-9]|[01]?[0-9][0-9]?)\/([0-9]|[1-2][0-9]|3[0-2])$`,
			},
			{

				Pattern: `^s*((([0-9A-Fa-f]{1,4}:){7}(:|([0-9A-Fa-f]{1,4})))` +
					`|(([0-9A-Fa-f]{1,4}:){6}:([0-9A-Fa-f]{1,4})?)` +
					`|(([0-9A-Fa-f]{1,4}:){5}(((:[0-9A-Fa-f]{1,4}){0,1}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){4}(((:[0-9A-Fa-f]{1,4}){0,2}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){3}(((:[0-9A-Fa-f]{1,4}){0,3}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){2}(((:[0-9A-Fa-f]{1,4}){0,4}):([0-9A-Fa-f]{1,4})?))` +
					`|(([0-9A-Fa-f]{1,4}:){1}(((:[0-9A-Fa-f]{1,4}){0,5}):([0-9A-Fa-f]{1,4})?))` +
					`|(:(:|((:[0-9A-Fa-f]{1,4}){1,7}))))` +
					`(%.+)?s*/([0-9]|[1-9][0-9]|1[0-1][0-9]|12[0-8])$`,
			},
		},
	}

	CIDRRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "CIDRRule is a rule that specifies a CIDR prefix to/from which outside " +
			"communication is allowed, along with an optional list of subnets within that CIDR " +
			"prefix to/from which outside communication is not allowed.",
		Required: []string{
			"cidr",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"cidr": CIDR,
			"except": {
				Description: "ExceptCIDRs is a list of IP blocks which the endpoint subject to " +
					"the rule is not allowed to initiate connections to. These CIDR prefixes " +
					"should be contained within Cidr. These exceptions are only applied to the " +
					"Cidr in this CIDRRule, and do not apply to any other CIDR prefixes in any " +
					"other CIDRRules.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
		},
	}

	EgressRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "EgressRule contains all rule types which can be applied at egress, i.e. " +
			"network traffic that originates inside the endpoint and exits the endpoint " +
			"selected by the endpointSelector.\n\n- All members of this structure are optional. " +
			"If omitted or empty, the\n  member will have no effect on the rule.\n\n- For now, " +
			"combining ToPorts and ToCIDR in the same rule is not supported\n  and such rules " +
			"will be rejected. In the future, this will be supported and\n  if if multiple " +
			"members of the structure are specified, then all members\n  must match in order " +
			"for the rule to take effect.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"toCIDR": {
				Description: "ToCIDR is a list of IP blocks which the endpoint subject to the " +
					"rule is allowed to initiate connections. This will match on the " +
					"destination IP address of outgoing connections. Adding a prefix into " +
					"ToCIDR or into ToCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are " +
					"allowed between ToCIDR and ToCIDRSet.\n\nExample: Any endpoint with the " +
					"label \"app=database-proxy\" is allowed to initiate connections to " +
					"10.2.3.0/24",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
			"toCIDRSet": {
				Description: "ToCIDRSet is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to initiate connections to in addition to connections " +
					"which are allowed via FromEndpoints, along with a list of subnets " +
					"contained within their corresponding IP block to which traffic should not " +
					"be allowed. This will match on the destination IP address of outgoing " +
					"connections. Adding a prefix into ToCIDR or into ToCIDRSet with no " +
					"ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and " +
					"ToCIDRSet.\n\nExample: Any endpoint with the label \"app=database-proxy\" " +
					"is allowed to initiate connections to 10.2.3.0/24 except from IPs in " +
					"subnet 10.2.3.0/28.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDRRule,
				},
			},
			"toEntities": {
				Description: "ToEntities is a list of special entities to which the endpoint " +
					"subject to the rule is allowed to initiate connections. Supported " +
					"entities are `world`, `cluster` and `host`",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"toPorts": {
				Description: "ToPorts is a list of destination ports identified by port number " +
					"and protocol which the endpoint subject to the rule is allowed to connect " +
					"to.\n\nExample: Any endpoint with the label \"role=frontend\" is allowed " +
					"to initiate connections to destination port 8080/tcp",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRule,
				},
			},
			"toServices": {
				Description: "ToServices is a list of services to which the endpoint subject " +
					"to the rule is allowed to initiate connections.\n\nExample: Any endpoint " +
					"with the label \"app=backend-app\" is allowed to initiate connections to " +
					"all cidrs backing the \"external-service\" service",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &Service,
				},
			},
			"toEndpoints": {
				Description: "ToEndpoints is a list of endpoints identified by an " +
					"EndpointSelector to which the endpoint subject to the rule" +
					"is allowed to communicate.\n\nExample: Any endpoint with the label " +
					"\"role=frontend\" can be consumed by any endpoint carrying the label " +
					"\"role=backend\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toRequires": {
				Description: "ToRequires is a list of additional constraints which must be " +
					"met in order for the selected endpoints to be able to reach other " +
					"endpoints. These additional constraints do not by themselves grant access " +
					"privileges and must always be accompanied with at least one matching " +
					"FromEndpoints.\n\nExample: Any Endpoint with the label \"team=A\" " +
					"requires any endpoint to which it communicates to also carry the label " +
					"\"team=A\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toGroups": {
				Type: "array",
				Description: `ToGroups is a list of constraints that will
				gather data from third-party providers and create a new
				derived policy.`,
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "object",
						Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
							"aws": AWSGroup,
						},
					},
				},
			},
			"toFQDNs": {
				Description: `ToFQDNs is a list of rules matching fqdns that endpoint
				is allowed to communicate with`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &FQDNRule,
				},
			},
		},
	}

	FQDNRule = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`,
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchName":    MatchFQDNName,
			"matchPattern": MatchFQDNPattern,
		},
	}

	MatchFQDNName = apiextensionsv1beta1.JSONSchemaProps{
		Description: `MatchName matches fqdn name`,
		Type:        "string",
		Pattern:     fqdnNameRegex,
	}

	MatchFQDNPattern = apiextensionsv1beta1.JSONSchemaProps{
		Description: `MatchPattern matches fqdn by pattern`,
		Type:        "string",
		Pattern:     fqdnPatternRegex,
	}

	AWSGroup = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"securityGroupsIds": {
				Description: `SecurityGroupsIds is the list of AWS security
				group IDs that will filter the instances IPs from the AWS API`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"securityGroupsNames": {
				Description: `SecurityGroupsNames is the list of  AWS security
				group names that will filter the instances IPs from the AWS API`,
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"region": {
				Description: `Region is the key that will filter the AWS EC2
				instances in the given region`,
				Type: "string",
			},
		},
	}

	EndpointSelector = initEndpointSelector()
	NodeSelector     = *LabelSelector.DeepCopy()

	IngressRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "IngressRule contains all rule types which can be applied at ingress, " +
			"i.e. network traffic that originates outside of the endpoint and is entering " +
			"the endpoint selected by the endpointSelector.\n\n- All members of this structure " +
			"are optional. If omitted or empty, the\n  member will have no effect on the rule." +
			"\n\n- If multiple members are set, all of them need to match in order for\n  " +
			"the rule to take effect. The exception to this rule is FromRequires field;\n  " +
			"the effects of any Requires field in any rule will apply to all other\n  rules " +
			"as well.\n\n- For now, combining ToPorts, FromCIDR, and FromEndpoints in the same " +
			"rule\n  is not supported and any such rules will be rejected. In the future, " +
			"this\n  will be supported and if multiple members of this structure are specified," +
			"\n then all members must match in order for the rule to take effect. The\n  " +
			"exception to this rule is the Requires field, the effects of any Requires\n  " +
			"field in any rule will apply to all other rules as well.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"fromCIDR": {
				Description: "FromCIDR is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to receive connections from. This will match on the " +
					"source IP address of incoming connections. Adding  a prefix into FromCIDR " +
					"or into FromCIDRSet with no ExcludeCIDRs is  equivalent. Overlaps are " +
					"allowed between FromCIDR and FromCIDRSet.\n\nExample: Any endpoint with " +
					"the label \"app=my-legacy-pet\" is allowed to receive connections from " +
					"10.3.9.1",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDR,
				},
			},
			"fromCIDRSet": {
				Description: "FromCIDRSet is a list of IP blocks which the endpoint subject to " +
					"the rule is allowed to receive connections from in addition to " +
					"FromEndpoints, along with a list of subnets contained within their " +
					"corresponding IP block from which traffic should not be allowed. This " +
					"will match on the source IP address of incoming connections. Adding a " +
					"prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is " +
					"equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet." +
					"\n\nExample: Any endpoint with the label \"app=my-legacy-pet\" is allowed " +
					"to receive connections from 10.0.0.0/8 except from IPs in subnet " +
					"10.96.0.0/12.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &CIDRRule,
				},
			},
			"fromEndpoints": {
				Description: "FromEndpoints is a list of endpoints identified by an " +
					"EndpointSelector which are allowed to communicate with the endpoint " +
					"subject to the rule.\n\nExample: Any endpoint with the label " +
					"\"role=backend\" can be consumed by any endpoint carrying the label " +
					"\"role=frontend\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"fromEntities": {
				Description: "FromEntities is a list of special entities which the endpoint " +
					"subject to the rule is allowed to receive connections from. Supported " +
					"entities are `world`, `cluster`, `host`, and `init`",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"fromRequires": {
				Description: "FromRequires is a list of additional constraints which must be " +
					"met in order for the selected endpoints to be reachable. These additional " +
					"constraints do no by itself grant access privileges and must always be " +
					"accompanied with at least one matching FromEndpoints.\n\nExample: Any " +
					"Endpoint with the label \"team=A\" requires consuming endpoint to also " +
					"carry the label \"team=A\".",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EndpointSelector,
				},
			},
			"toPorts": {
				Description: "ToPorts is a list of destination ports identified by port number " +
					"and protocol which the endpoint subject to the rule is allowed to receive " +
					"connections on.\n\nExample: Any endpoint with the label \"app=httpd\" can " +
					"only accept incoming connections on port 80/tcp.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRule,
				},
			},
		},
	}

	K8sServiceNamespace = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "K8sServiceNamespace is an abstraction for the k8s service + namespace " +
			"types.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"namespace": {
				Type: "string",
			},
			"serviceName": {
				Type: "string",
			},
		},
	}

	L7Rules = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "L7Rules is a union of port level rule types. Mixing of different port " +
			"level rule types is disallowed, so exactly one of the following must be set. If " +
			"none are specified, then no additional port level rules are applied.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"http": {
				Description: "HTTP specific rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleHTTP,
				},
			},
			"kafka": {
				Description: "Kafka-specific rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleKafka,
				},
			},
			"l7proto": {
				Description: "Parser type name that uses Key-Value pair rules.",
				Type:        "string",
			},
			"l7": {
				Description: "Generic Key-Value pair rules.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleL7,
				},
			},
			"dns": {
				Description: "DNS specific rules",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortRuleDNS,
				},
			},
		},
	}

	PortRuleDNS = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: `FQDNRule is a rule that specifies an fully qualified domain name to which outside communication is allowed`,
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchName":    MatchFQDNName,
			"matchPattern": MatchFQDNPattern,
		},
	}

	Label = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "Label is the cilium's representation of a container label.",
		Required: []string{
			"key",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"key": {
				Type: "string",
			},
			"source": {
				Description: "Source can be one of the values present in const.go " +
					"(e.g.: LabelSourceContainer)",
				Type: "string",
			},
			"value": {
				Type: "string",
			},
		},
	}

	LabelSelector = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "A label selector is a label query over a set of resources. The result " +
			"of matchLabels and matchExpressions are ANDed. An empty label selector matches " +
			"all objects. A null label selector matches no objects.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"matchLabels": {
				Description: "matchLabels is a map of {key,value} pairs. A single {key,value} " +
					"in the matchLabels map is equivalent to an element of matchExpressions, " +
					"whose key field is \"key\", the operator is \"In\", and the values array " +
					"contains only \"value\". The requirements are ANDed.",
				Type: "object",
				AdditionalProperties: &apiextensionsv1beta1.JSONSchemaPropsOrBool{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type:      "string",
						MaxLength: getInt64(63),
						Pattern:   `^(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])?$`,
					},
				},
			},
			"matchExpressions": {
				Description: "matchExpressions is a list of label selector requirements. " +
					"The requirements are ANDed.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &LabelSelectorRequirement,
				},
			},
		},
	}

	LabelSelectorRequirement = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "A label selector requirement is a selector that contains values, a key, " +
			"and an operator that relates the key and values.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"key": {
				Description: "key is the label key that the selector applies to.",
				Type:        "string",
			},
			"operator": {
				Description: "operator represents a key's relationship to a set of values. " +
					"Valid operators are In, NotIn, Exists and DoesNotExist.",
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"In"`),
					},
					{
						Raw: []byte(`"NotIn"`),
					},
					{
						Raw: []byte(`"Exists"`),
					},
					{
						Raw: []byte(`"DoesNotExist"`),
					},
				},
			},
			"values": {
				Description: "values is an array of string values. If the operator is In or " +
					"NotIn, the values array must be non-empty. If the operator is Exists or " +
					"DoesNotExist, the values array must be empty. This array is replaced " +
					"during a strategic merge patch.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
		},
		Required: []string{"key", "operator"},
	}

	PortProtocol = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "PortProtocol specifies an L4 port with an optional transport protocol",
		Required: []string{
			"port",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"port": {
				Description: "Port is an L4 port number or a port name. For now the string will be strictly " +
					"parsed as a single uint16 or a valid port name, which consists of at most 15 alphanumeric " +
					"characters of which at least one is not a number, as well as non-consecutive dashes " +
					"('-') except for in the beginning or the end. In the future, this field may support ranges " +
					"in the form \"1024-2048",
				Type: "string",

				Pattern: `^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|` +
					`[1-5][0-9]{4}|[0-9]{1,4}|` +
					`([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*)$`,
			},
			"protocol": {
				Description: `Protocol is the L4 protocol. If omitted or empty, any protocol ` +
					`matches. Accepted values: "TCP", "UDP", ""/"ANY"\n\nMatching on ` +
					`ICMP is not supported.`,
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"TCP"`),
					},
					{
						Raw: []byte(`"UDP"`),
					},
					{
						Raw: []byte(`"ANY"`),
					},
				},
			},
		},
	}

	Secret = map[string]apiextensionsv1beta1.JSONSchemaProps{
		"namespace": {
			Description: "Namespace is the namespace in which the secret exists. If " +
				"namespace is omitted, the namespace of the enclosing rule is assumed, " +
				"or \"\", if none applies.",
			Type: "string",
		},
		"name": {
			Description: "Name is the name of the secret.",
			Type:        "string",
		},
	}

	TLSContext = map[string]apiextensionsv1beta1.JSONSchemaProps{
		"secret": {
			Description: "Secret contains the certificates and private key for the TLS context.",
			Type:        "object",
			Properties:  Secret,
			Required: []string{
				"name",
			},
		},
		"certificate": {
			Description: "Certificate is the file name or secret item name for the certificate chain. " +
				"If omitted, 'tls.crt' is assumed, if it exists. If given, the item must exist." +
				"If specified for an originating TLS context, then this is used as a " +
				"client certificate.",
			Type: "string",
		},
		"privateKey": {
			Description: "PrivateKey is the file name or secret item name for the private key matching " +
				"the certificate chain. If omitted, 'tls.key' is assumed, if it exists. " +
				"If given, the item must exist.",
			Type: "string",
		},
		"trustedCA": {
			Description: "TrustedCA is the file name or secret item name for the trusted CA used to verify " +
				"the certificate of the remote party. If specified for a terminating " +
				"TLS context, then a client certificate is required. " +
				"If omitted, 'ca.crt' is assumed, if it exists. If given, the item must exist.",
			Type: "string",
		},
	}

	PortRule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRule is a list of ports/protocol combinations with optional Layer 7 " +
			"rules which must be met.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"ports": {
				Description: "Ports is a list of L4 port/protocol.",
				Type:        "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &PortProtocol,
				},
			},
			"terminatingTLS": {
				Description: "TerminatingTLS is the TLS context for the connection terminated by " +
					"the L7 proxy.  For egress policy this specifies the server-side TLS " +
					"parameters to be applied on the connections originated from the local " +
					"POD and terminated by the L7 proxy. For ingress policy this specifies " +
					"the server-side TLS parameters to be applied on the connections " +
					"originated from a remote source and terminated by the L7 proxy.",
				Type:       "object",
				Properties: TLSContext,
				Required: []string{
					"secret",
				},
			},
			"originatingTLS": {
				Description: "OriginatingTLS is the TLS context for the connections originated by " +
					"the L7 proxy.  For egress policy this specifies the client-side TLS " +
					"parameters for the upstream connection originating from the L7 proxy " +
					"to the remote destination. For ingress policy this specifies the " +
					"client-side TLS parameters for the connection from the L7 proxy to " +
					"the local POD.",
				Type:       "object",
				Properties: TLSContext,
				Required: []string{
					"secret",
				},
			},
			"rules": initPortRule(),
		},
	}

	HeaderMatch = map[string]apiextensionsv1beta1.JSONSchemaProps{
		"mismatch": {
			Description: "Mismatch identifies what to do in case there is no match. The " +
				"default is to drop the request. Otherwise the overall rule is still " +
				"considered as matching, but the mismatches are logged in the access log.",
			Type: "string",
			Enum: []apiextensionsv1beta1.JSON{
				{
					Raw: []byte(`"LOG"`),
				},
				{
					Raw: []byte(`"ADD"`),
				},
				{
					Raw: []byte(`"DELETE"`),
				},
				{
					Raw: []byte(`"REPLACE"`),
				},
			},
		},
		"name": {
			Description: "Name identifies the header.",
			Type:        "string",
		},
		"secret": {
			Description: "Secret refers to a secret that contains the value that must be present in the request.",
			Type:        "object",
			Properties:  Secret,
			Required: []string{
				"name",
			},
		},
		"value": {
			Description: "Value contains the header value that must be present in the request. If both Secret " +
				"and Value are specified, " +
				"the Secret takes precedence, if it exists; i.e., the Value will only be used if " +
				"the Secret cannot be found or accessed.",
			Type: "string",
		},
	}

	PortRuleHTTP = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleHTTP is a list of HTTP protocol constraints. All fields are " +
			"optional, if all fields are empty or missing, the rule does not have any effect." +
			"\n\nAll fields of this type are extended POSIX regex as defined by " +
			"IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) " +
			"matched against the path of an incoming request. Currently it can contain " +
			"characters disallowed from the conventional \"path\" part of a URL as defined by " +
			"RFC 3986.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"headerMatches": {
				Description: "HeaderMatches is a list of HTTP headers which must be present and match " +
					"against the given or referenced values or expressions. If omitted or empty, " +
					"requests are allowed regardless of headers present.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type:       "object",
						Properties: HeaderMatch,
						Required: []string{
							"name",
						},
					},
				},
			},
			"headers": {
				Description: "Headers is a list of HTTP headers which must be present in the " +
					"request. If omitted or empty, requests are allowed regardless of headers " +
					"present.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &apiextensionsv1beta1.JSONSchemaProps{
						Type: "string",
					},
				},
			},
			"host": {
				Description: "Host is an extended POSIX regex matched against the host header " +
					"of a request, e.g. \"foo.com\"\n\nIf omitted or empty, the value of the " +
					"host header is ignored.",
				Type:   "string",
				Format: "idn-hostname",
			},
			"method": {
				Description: "Method is an extended POSIX regex matched against the method of " +
					"a request, e.g. \"GET\", \"POST\", \"PUT\", \"PATCH\", \"DELETE\", ...\n\n" +
					"If omitted or empty, all methods are allowed.",
				Type: "string",
			},
			"path": {
				Description: "Path is an extended POSIX regex matched against the path of a " +
					"request. Currently it can contain characters disallowed from the " +
					"conventional \"path\" part of a URL as defined by RFC 3986.\n\n" +
					"If omitted or empty, all paths are all allowed.",
				Type: "string",
			},
		},
	}

	PortRuleKafka = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleKafka is a list of Kafka protocol constraints. All fields are " +
			"optional, if all fields are empty or missing, the rule will match all Kafka " +
			"messages.",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"role": {
				Description: "Role is a case-insensitive string and describes a group of API keys" +
					"necessary to perform certain higher level Kafka operations such as" +
					"\"produce\" or \"consume\". An APIGroup automatically expands into all APIKeys" +
					"required to perform the specified higher level operation." +
					"The following values are supported:" +
					"- \"produce\": Allow producing to the topics specified in the rule" +
					"- \"consume\": Allow consuming from the topics specified in the rule" +
					"This field is incompatible with the APIKey field, either APIKey or Role" +
					"may be specified. If omitted or empty, the field has no effect and the " +
					"logic of the APIKey field applies.",
				Type: "string",
				Enum: []apiextensionsv1beta1.JSON{
					{
						Raw: []byte(`"produce"`),
					},
					{
						Raw: []byte(`"consume"`),
					},
				},
			},
			"apiKey": {
				Description: "APIKey is a case-insensitive string matched against the key of " +
					"a request, e.g. \"produce\", \"fetch\", \"createtopic\", \"deletetopic\", " +
					"et al Reference: https://kafka.apache.org/protocol#protocol_api_keys\n\n" +
					"If omitted or empty, all keys are allowed.",
				Type: "string",
			},
			"apiVersion": {
				Description: "APIVersion is the version matched against the api version of the " +
					"Kafka message. If set, it has to be a string representing a positive " +
					"integer.\n\nIf omitted or empty, all versions are allowed.",
				Type: "string",
			},
			"clientID": {
				Description: "ClientID is the client identifier as provided in the request.\n\n" +
					"From Kafka protocol documentation: This is a user supplied identifier for " +
					"the client application. The user can use any identifier they like and it " +
					"will be used when logging errors, monitoring aggregates, etc. For " +
					"example, one might want to monitor not just the requests per second " +
					"overall, but the number coming from each client application (each of " +
					"which could reside on multiple servers). This id acts as a logical " +
					"grouping across all requests from a particular client.\n\nIf omitted or " +
					"empty, all client identifiers are allowed.",
				Type: "string",
			},
			"topic": {
				Description: "Topic is the topic name contained in the message. If a Kafka " +
					"request contains multiple topics, then all topics must be allowed or the " +
					"message will be rejected.\n\nThis constraint is ignored if the matched " +
					"request message type doesn't contain any topic. Maximum size of Topic can " +
					"be 249 characters as per recent Kafka spec and allowed characters are " +
					"a-z, A-Z, 0-9, -, . and _ Older Kafka versions had longer topic lengths " +
					"of 255, but in Kafka 0.10 version the length was changed from 255 to 249. " +
					"For compatibility reasons we are using 255\n\nIf omitted or empty, all " +
					"topics are allowed.",
				Type:      "string",
				MaxLength: getInt64(255),
			},
		},
	}

	PortRuleL7 = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "PortRuleL7 is a map of {key,value} pairs which is passed to the " +
			"parser referenced in l7proto. It is up to the parser to define what to " +
			"do with the map data. If omitted or empty, all requests are allowed. " +
			"Both keys and values must be strings.",
	}

	Rule = apiextensionsv1beta1.JSONSchemaProps{
		Type: "object",
		Description: "Rule is a policy rule which must be applied to all endpoints which match " +
			"the labels contained in the endpointSelector or all nodes which match the labels " +
			"contained in the nodeSelector.\n\nEach rule is split into an ingress section " +
			"which contains all rules applicable at ingress, and an egress section applicable " +
			"at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both " +
			"ingress and egress, both ingress and egress side have to either specifically allow " +
			"the connection or one side has to be omitted.\n\nEither ingress, egress, or both " +
			"can be provided. If both ingress and egress are omitted, the rule has no effect.",
		Required: []string{"endpointSelector"},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"Description": {
				Description: "Description is a free form string, it can be used by the creator " +
					"of the rule to store human readable explanation of the purpose of this " +
					"rule. Rules cannot be identified by comment.",
				Type: "string",
			},
			"egress": {
				Description: "Egress is a list of EgressRule which are enforced at egress. If " +
					"omitted or empty, this rule does not apply at egress.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &EgressRule,
				},
			},
			"endpointSelector": initRuleEndpointSelector(),
			"ingress": {
				Description: "Ingress is a list of IngressRule which are enforced at ingress. " +
					"If omitted or empty, this rule does not apply at ingress.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &IngressRule,
				},
			},
			"labels": {
				Description: "Labels is a list of optional strings which can be used to " +
					"re-identify the rule or to store metadata. It is possible to lookup or " +
					"delete strings based on labels. Labels are not required to be unique, " +
					"multiple rules can have overlapping or identical labels.",
				Type: "array",
				Items: &apiextensionsv1beta1.JSONSchemaPropsOrArray{
					Schema: &Label,
				},
			},
		},
	}

	Service = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "Service wraps around selectors for services",
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"k8sService":         K8sServiceNamespace,
			"k8sServiceSelector": initK8sServiceSelector(),
		},
	}

	ServiceSelector = apiextensionsv1beta1.JSONSchemaProps{
		Type:        "object",
		Description: "ServiceSelector is a label selector for k8s services",
		Required: []string{
			"selector",
		},
		Properties: map[string]apiextensionsv1beta1.JSONSchemaProps{
			"selector": EndpointSelector,
			"namespace": {
				Type: "string",
			},
		},
	}
)

Functions ¶

func CreateCustomResourceDefinitions ¶

func CreateCustomResourceDefinitions(clientset apiextensionsclient.Interface) error

CreateCustomResourceDefinitions creates our CRD objects in the kubernetes cluster

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL