policyfilter

package v1.2.0
Published: Sep 5, 2024 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Overview

nolint:revive // prevent the unused-parameter alert; the disabled methods obviously don't use their arguments

Constants

const (
	// we reserve 0 as a special value to indicate no filtering
	NoFilterPolicyID         = 0
	NoFilterID               = PolicyID(NoFilterPolicyID)
	FirstValidFilterPolicyID = NoFilterPolicyID + 1
)
const (
	CgrpNsMapName = "tg_cgroup_namespace_map"
)
const (
	MapName = "policy_filter_maps"
)

Variables

This section is empty.

Functions

func ErrorLabel added in v1.1.0

func ErrorLabel(err error) string

ErrorLabel returns an error label with a small cardinality so it can be used in metrics.

func New

func New() (*state, error)

New creates a new State of the policy filter code. Callers should call Close() to release allocated resources (namely the bpf map).

func TestingDisableAndReset added in v0.10.0

func TestingDisableAndReset(t *testing.T)

TestingDisableAndReset disables the policy filter for tests (see ResetStateOnlyForTesting).

func TestingEnableAndReset added in v0.10.0

func TestingEnableAndReset(t *testing.T)

TestingEnableAndReset enables the policy filter for tests (see ResetStateOnlyForTesting).

Types

type CgroupID

type CgroupID uint64

type NSID added in v1.2.0

type NSID struct {
	Namespace string
	Workload  string
	Kind      string
}

type NamespaceMap added in v1.2.0

type NamespaceMap struct {
	// contains filtered or unexported fields
}

NamespaceMap is a simple wrapper for ebpf.Map so that we can write methods for it

type PfMap

type PfMap struct {
	*ebpf.Map
}

PfMap is a simple wrapper for ebpf.Map so that we can write methods for it

func OpenMap

func OpenMap(fname string) (PfMap, error)

func (PfMap) AddCgroup added in v1.0.0

func (m PfMap) AddCgroup(polID PolicyID, cgID CgroupID) error

func (PfMap) Dump

func (m PfMap) Dump() (map[PolicyID]map[CgroupID]struct{}, error)

type PodID

type PodID uuid.UUID

func (PodID) String

func (i PodID) String() string

type PolicyID

type PolicyID uint32

type State

type State interface {
	// AddPolicy adds a policy to the policyfilter state.
	// This means that:
	//  - existing containers of pods that match this policy will be added to the policyfilter map (pfMap)
	//  - from now on, new containers of pods that match this policy will also be added to pfMap
	// pods are matched with:
	//  - namespace for namespaced policies (if namespace == "", then the policy is not namespaced)
	//  - label selector
	//  - container field selector
	AddPolicy(polID PolicyID, namespace string, podSelector *slimv1.LabelSelector,
		containerSelector *slimv1.LabelSelector) error

	// DelPolicy removes a policy from the state
	DelPolicy(polID PolicyID) error

	// AddPodContainer informs policyfilter about a new container and its cgroup id in a pod.
	// The pod might or might not have been encountered before.
	// This method is intended to update policyfilter state from container hooks
	AddPodContainer(podID PodID, namespace, workload, kind string, podLabels labels.Labels,
		containerID string, cgID CgroupID, containerName string) error

	// UpdatePod updates the pod state for a pod, where containerIDs contains all the container ids for the given pod.
	// This method is intended to be used from k8s watchers (where no cgroup information is available)
	UpdatePod(podID PodID, namespace, workload, kind string, podLabels labels.Labels,
		containerIDs []string, containerNames []string) error

	// DelPodContainer informs policyfilter that a container was deleted from a pod
	DelPodContainer(podID PodID, containerID string) error
	// DelPod informs policyfilter that a pod has been deleted
	DelPod(podID PodID) error

	// Report opaque cgroup ID to nsId mapping. This method is intended to allow inspecting
	// and reporting the state of the system to subsystems and tooling.
	GetNsId(stateID StateID) (*NSID, bool)

	GetIdNs(id NSID) (StateID, bool)

	// RegisterPodHandlers registers the appropriate pod handlers on a pod informer
	// in order to keep the policy filter state up-to-date.
	RegisterPodHandlers(podInformer cache.SharedIndexInformer)

	// Close releases resources allocated by the Manager. Specifically, we close and unpin the
	// policy filter map.
	Close() error
}

State is the policyfilter state interface. It handles two things:

  • policies being added and removed
  • pod containers being added and deleted.
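The matching rules the State comments describe, modelled in plain Go as an added illustration (not Tetragon's code): an in-memory map stands in for the pinned eBPF policy filter map, the type names follow the page, and the helper names and sample pods are constructed.

```go
package main

import "fmt"

// Names mirror the page's types; the matching logic is a constructed model of the State doc
// comments, not Tetragon's code (which keeps this state in a pinned eBPF map).
type (
	PolicyID uint32
	CgroupID uint64
	policy   struct{ namespace string; selector map[string]string } // namespace "" = not namespaced
	podInfo  struct{ namespace string; labels map[string]string }
	state    struct {
		policies   map[PolicyID]policy
		containers map[CgroupID]podInfo               // known containers, keyed by cgroup id
		pfMap      map[PolicyID]map[CgroupID]struct{} // stand-in for the policy filter map
	}
)
const NoFilterPolicyID PolicyID = 0 // reserved: means "no filtering"
func newState() *state {
	return &state{map[PolicyID]policy{}, map[CgroupID]podInfo{}, map[PolicyID]map[CgroupID]struct{}{}}
}
// matches applies the page's rules: namespace (unless the policy is cluster-wide) and label selector.
func matches(pol policy, p podInfo) bool {
	if pol.namespace != "" && pol.namespace != p.namespace { return false }
	for k, v := range pol.selector {
		if p.labels[k] != v { return false }
	}
	return true
}
// AddPolicy rejects the reserved id, then files every already-known container whose pod matches.
func (s *state) AddPolicy(id PolicyID, ns string, sel map[string]string) error {
	if id == NoFilterPolicyID {
		return fmt.Errorf("policy id %d is reserved for 'no filtering'", id)
	}
	s.policies[id], s.pfMap[id] = policy{ns, sel}, map[CgroupID]struct{}{}
	for cg, p := range s.containers {
		if matches(s.policies[id], p) {
			s.pfMap[id][cg] = struct{}{}
		}
	}
	return nil
}
// AddPodContainer records a new container and files its cgroup under every policy its pod matches.
func (s *state) AddPodContainer(ns string, labels map[string]string, cg CgroupID) {
	s.containers[cg] = podInfo{ns, labels}
	for id, pol := range s.policies {
		if matches(pol, s.containers[cg]) {
			s.pfMap[id][cg] = struct{}{}
		}
	}
}
func (s *state) DelPolicy(id PolicyID) { delete(s.policies, id); delete(s.pfMap, id) } // drops its cgroups too
func (s *state) Dump() map[PolicyID]map[CgroupID]struct{} { return s.pfMap }           // same shape as PfMap.Dump
```

The model only covers the namespace and pod label selector rules; the container field selector and pod deletion paths of the real interface are left out.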

func DisabledState added in v0.10.0

func DisabledState() State

func GetState

func GetState() (State, error)

GetState returns global state for policyfilter

type StateID added in v1.2.0

type StateID uint64
