policyfilter

package
v0.11.0
Published: Sep 1, 2023 License: Apache-2.0 Imports: 26 Imported by: 0

Documentation

Overview

nolint:revive // prevent unused-parameter alert; the disabled methods obviously don't use their args

SPDX-License-Identifier: Apache-2.0 Copyright Authors of Tetragon

Index

Constants

View Source
const (
	// we reserve 0 as a special value to indicate no filtering
	NoFilterPolicyID         = 0
	NoFilterID               = PolicyID(NoFilterPolicyID)
	FirstValidFilterPolicyID = NoFilterPolicyID + 1
)
View Source
const (
	MapName = "policy_filter_maps"
)

Variables

This section is empty.

Functions

func New

func New() (*state, error)

New creates a new State of the policy filter code. Callers should call Close() to release allocated resources (namely the bpf map).

func TestingDisableAndReset added in v0.10.0

func TestingDisableAndReset(t *testing.T)

TestingDisableAndReset disables policy filter for tests (see ResetStateOnlyForTesting)

func TestingEnableAndReset added in v0.10.0

func TestingEnableAndReset(t *testing.T)

TestingEnableAndReset enables policy filter for tests (see ResetStateOnlyForTesting)

Types

type CgroupID

type CgroupID uint64

type PfMap

type PfMap struct {
	*ebpf.Map
}

PfMap is a simple wrapper for ebpf.Map so that we can write methods for it

func OpenMap

func OpenMap(fname string) (PfMap, error)

func (PfMap) Dump

func (m PfMap) Dump() (map[PolicyID]map[CgroupID]struct{}, error)

type PodID

type PodID uuid.UUID

func (PodID) String

func (i PodID) String() string

type PolicyID

type PolicyID uint32

type State

type State interface {
	// AddPolicy adds a policy to the policyfilter state.
	// This means that:
	//  - existing containers of pods that match this policy will be added to the policyfilter map (pfMap)
	//  - from now on, new containers of pods that match this policy will also be added to pfMap
	// pods are matched with:
	//  - namespace for namespaced policies (if namespace == "", then policy is not namespaced)
	//  - label selector
	AddPolicy(polID PolicyID, namespace string, podSelector *slimv1.LabelSelector) error

	// DelPolicy removes a policy from the state
	DelPolicy(polID PolicyID) error

	// AddPodContainer informs policyfilter about a new container and its cgroup id in a pod.
	// The pod might or might not have been encountered before.
	// This method is intended to update policyfilter state from container hooks
	AddPodContainer(podID PodID, namespace string, podLabels labels.Labels, containerID string, cgID CgroupID) error

	// UpdatePod updates the pod state for a pod, where containerIDs contains all the container ids for the given pod.
	// This method is intended to be used from k8s watchers (where no cgroup information is available)
	UpdatePod(podID PodID, namespace string, podLabels labels.Labels, containerIDs []string) error

	// DelPodContainer informs policyfilter that a container was deleted from a pod
	DelPodContainer(podID PodID, containerID string) error
	// DelPod informs policyfilter that a pod has been deleted
	DelPod(podID PodID) error

	// RegisterPodHandlers can be used to register appropriate pod handlers to a pod informer
	// for keeping the policy filter state up-to-date.
	RegisterPodHandlers(podInformer cache.SharedIndexInformer)

	// Close releases resources allocated by the State. Specifically, we close and unpin the
	// policy filter map.
	Close() error
}

State is the policyfilter state interface. It handles two things:

  • policies being added and removed
  • pod containers being added and deleted.
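The following is an added example, not code from the Tetragon package: an in-memory stand-in for the State contract above, written to show which cgroup IDs end up in a policy's set under the two matching rules (namespace for namespaced policies, label selector), how an existing pod's containers are seeded into the set on AddPolicy, how a container arriving later is added on AddPodContainer, and why the reserved NoFilterPolicyID must be rejected. The real implementation writes these sets into the pinned BPF map; here pfMap is a plain Go map. Assumptions: PodID is a plain string rather than a uuid.UUID, LabelSelector is only the matchLabels map of a slimv1.LabelSelector (no matchExpressions), and the UpdatePod, DelPodContainer, DelPod and RegisterPodHandlers paths are left out.

```go
package main

import "fmt"

// Stand-ins for the page's types (assumptions, to keep the example dependency-free):
// PodID is a plain string rather than a uuid.UUID, and LabelSelector is only the
// matchLabels map of a slimv1.LabelSelector; a nil selector matches every pod.
type PolicyID uint32
type CgroupID uint64
type LabelSelector map[string]string

// As in the package constants: 0 is reserved to mean "no filtering".
const NoFilterPolicyID, FirstValidFilterPolicyID PolicyID = 0, 1

type policy struct {
	namespace string // "" means the policy is not namespaced
	selector  LabelSelector
}

type pod struct {
	namespace  string
	labels     map[string]string
	containers map[string]CgroupID // container ID -> cgroup ID
}

// memState holds in memory what the real State keeps in the BPF map: per policy, the set of cgroup IDs.
type memState struct {
	policies map[PolicyID]policy
	pods     map[string]pod
	pfMap    map[PolicyID]map[CgroupID]struct{}
}

func newMemState() *memState {
	return &memState{map[PolicyID]policy{}, map[string]pod{}, map[PolicyID]map[CgroupID]struct{}{}}
}

// podMatches applies the two rules from the State docs: the namespace (for namespaced
// policies only) and the label selector.
func podMatches(p policy, ns string, labels map[string]string) bool {
	if p.namespace != "" && p.namespace != ns {
		return false
	}
	for k, v := range p.selector { // a nil selector runs zero iterations
		if pv, ok := labels[k]; !ok || pv != v {
			return false
		}
	}
	return true
}

// AddPolicy registers a policy and seeds its cgroup set from the pods already seen.
func (s *memState) AddPolicy(id PolicyID, ns string, sel LabelSelector) error {
	if id < FirstValidFilterPolicyID {
		return fmt.Errorf("policy id %d is reserved to mean 'no filtering'", id)
	}
	if _, dup := s.policies[id]; dup {
		return fmt.Errorf("policy %d already exists", id)
	}
	p := policy{ns, sel}
	s.policies[id], s.pfMap[id] = p, map[CgroupID]struct{}{}
	for _, pd := range s.pods {
		if podMatches(p, pd.namespace, pd.labels) {
			for _, cg := range pd.containers {
				s.pfMap[id][cg] = struct{}{}
			}
		}
	}
	return nil
}

// AddPodContainer is the container-hook path: a new container whose cgroup ID is known
// joins the set of every policy that matches its pod right now.
func (s *memState) AddPodContainer(podID, ns string, labels map[string]string, containerID string, cg CgroupID) {
	pd, ok := s.pods[podID]
	if !ok {
		pd = pod{ns, labels, map[string]CgroupID{}}
		s.pods[podID] = pd
	}
	pd.containers[containerID] = cg
	for id, p := range s.policies {
		if podMatches(p, pd.namespace, pd.labels) {
			s.pfMap[id][cg] = struct{}{}
		}
	}
}

// Dump returns the same view as PfMap.Dump: policy ID -> set of cgroup IDs (read-only).
func (s *memState) Dump() map[PolicyID]map[CgroupID]struct{} { return s.pfMap }

func main() {
	s := newMemState() // constructed sample data, not from a real cluster
	s.AddPodContainer("pod-a", "prod", map[string]string{"app": "web"}, "c1", 100)
	s.AddPodContainer("pod-b", "dev", map[string]string{"app": "web"}, "c2", 200)
	_ = s.AddPolicy(1, "prod", LabelSelector{"app": "web"}) // namespaced: pod-a only
	_ = s.AddPolicy(2, "", LabelSelector{"app": "web"})     // cluster-wide: both pods
	fmt.Println(s.Dump())
}
```

Two properties worth noticing when reading the output: a container that matches several policies appears in each policy's set (the map is keyed per policy, not per cgroup), and a policy that matches no pod still gets an empty entry, so a missing key in the map means "policy unknown" rather than "policy matches nothing".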

func DisabledState added in v0.10.0

func DisabledState() State

func GetState

func GetState() (State, error)

GetState returns global state for policyfilter
