policyfilter

package

v0.10.0-pre.0 Latest Latest Go to latest Published: Apr 4, 2023 License: Apache-2.0 Imports: 22 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/cilium/tetragon

Documentation ¶

Overview ¶

SPDX-License-Identifier: Apache-2.0 Copyright Authors of Tetragon

Index ¶

Constants
func New() (*state, error)
func ResetStateOnlyForTesting()
type CgroupID
type PfMap
- func OpenMap(fname string) (PfMap, error)
- func (m PfMap) Dump() (map[PolicyID]map[CgroupID]struct{}, error)
type PodID
- func (i PodID) String() string
type PolicyID
type State
- func GetState() (State, error)

Constants ¶

View Source

const (
	// we reserve 0 as a special value to indicate no filtering
	NoFilterPolicyID         = 0
	NoFilterID               = PolicyID(NoFilterPolicyID)
	FirstValidFilterPolicyID = NoFilterPolicyID + 1
)

View Source

const (
	MapName = "policy_filter_maps"
)

Variables ¶

This section is empty.

Functions ¶

func New ¶

func New() (*state, error)

New creates a new State of the policy filter code. Callers should call Close() to release allocated resources (namely the bpf map).

func ResetStateOnlyForTesting ¶

func ResetStateOnlyForTesting()

ResetStateOnlyForTesting resets the global policyfilter state. As the name states, it should only be used for testing. We need this because GetState() depends on the option.Config.EnablePolicyFilter global and this is only initialized once. Callers for this should ensure that no race happens.

Types ¶

type CgroupID ¶

type CgroupID uint64

type PfMap ¶

type PfMap struct {
	*ebpf.Map
}

PfMap is a simple wrapper for ebpf.Map so that we can write methods for it

func OpenMap ¶

func OpenMap(fname string) (PfMap, error)

func (PfMap) Dump ¶

func (m PfMap) Dump() (map[PolicyID]map[CgroupID]struct{}, error)

type PodID ¶

type PodID uuid.UUID

func (PodID) String ¶

func (i PodID) String() string

type PolicyID ¶

type PolicyID uint32

type State ¶

type State interface {
	// AddPolicy adds a policy to the state
	AddPolicy(polID PolicyID, namespace string) error
	// DelPolicy removes a policy from the state
	DelPolicy(polID PolicyID) error

	// AddPodContainer informs policyfilter about a new container in a pod.
	// if the cgroup id of the container is known, cgID is not nil and it contains its value.
	//
	// The pod might or might not have been encountered before.
	AddPodContainer(podID PodID, namespace string, containerID string, cgIDp *CgroupID) error
	// DelPodContainer informs policyfilter that a container was deleted from a pod
	DelPodContainer(podID PodID, containerID string) error
	// DelPod informs policyfilter that a pod has been deleted
	DelPod(podID PodID) error

	// RegisterPodHandlers can be used to register appropriate pod handlers to a pod informer
	// that for keeping the policy filter state up-to-date.
	RegisterPodHandlers(podInformer cache.SharedIndexInformer)

	// Close releases resources allocated by the Manager. Specifically, we close and unpin the
	// policy filter map.
	Close() error
}

State is the policyfilter state interface It handles two things:

policies being added and removed
pod containers being added and deleted.

func GetState ¶

func GetState() (State, error)

GetState returns global state for policyfilter

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
rthooks

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL