Documentation
Overview
nolint:revive // prevent unused-parameter alert; disabled methods obviously don't use their args
Index
Constants
const (
// we reserve 0 as a special value to indicate no filtering
NoFilterPolicyID = 0
NoFilterID = PolicyID(NoFilterPolicyID)
FirstValidFilterPolicyID = NoFilterPolicyID + 1
)
const (
CgrpNsMapName = "tg_cgroup_namespace_map"
)
const (
MapName = "policy_filter_maps"
)
Variables
This section is empty.
Functions
func ErrorLabel (added in v1.1.0)
ErrorLabel returns an error label with a small cardinality so it can be used in metrics
func New
func New() (*state, error)
New creates a new State of the policy filter code. Callers should call Close() to release allocated resources (namely the bpf map).
func TestingEnableAndReset (added in v0.10.0)
TestingEnableAndReset enables policy filter for tests (see ResetStateOnlyForTesting)
Types
type NamespaceMap (added in v1.2.0)
type NamespaceMap struct {
// contains filtered or unexported fields
}
NamespaceMap is a simple wrapper for ebpf.Map so that we can write methods for it
type PfMap
PfMap is a simple wrapper for ebpf.Map so that we can write methods for it
type State
type State interface {
	// AddPolicy adds a policy to the policyfilter state.
	// This means that:
	//  - existing containers of pods that match this policy will be added to the policyfilter map (pfMap)
	//  - from now on, new containers of pods that match this policy will also be added to pfMap
	// pods are matched with:
	//  - namespace for namespaced policies (if namespace == "", then policy is not namespaced)
	//  - label selector
	//  - container field selector
	AddPolicy(polID PolicyID, namespace string, podSelector *slimv1.LabelSelector, containerSelector *slimv1.LabelSelector) error

	// DelPolicy removes a policy from the state
	DelPolicy(polID PolicyID) error

	// AddPodContainer informs policyfilter about a new container and its cgroup id in a pod.
	// The pod might or might not have been encountered before.
	// This method is intended to update policyfilter state from container hooks
	AddPodContainer(podID PodID, namespace, workload, kind string, podLabels labels.Labels, containerID string, cgID CgroupID, containerName string) error

	// UpdatePod updates the pod state for a pod, where containerIDs contains all the container ids for the given pod.
	// This method is intended to be used from k8s watchers (where no cgroup information is available)
	UpdatePod(podID PodID, namespace, workload, kind string, podLabels labels.Labels, containerIDs []string, containerNames []string) error

	// DelPodContainer informs policyfilter that a container was deleted from a pod
	DelPodContainer(podID PodID, containerID string) error

	// DelPod informs policyfilter that a pod has been deleted
	DelPod(podID PodID) error

	// Report opaque cgroup ID to nsId mapping. This method is intended to allow inspecting
	// and reporting the state of the system to subsystems and tooling.
	GetNsId(stateID StateID) (*NSID, bool)
	GetIdNs(id NSID) (StateID, bool)

	// RegisterPodHandlers can be used to register appropriate pod handlers to a pod informer
	// for keeping the policy filter state up-to-date.
	RegisterPodHandlers(podInformer cache.SharedIndexInformer)

	// Close releases resources allocated by the Manager. Specifically, we close and unpin the
	// policy filter map.
	Close() error
}
State is the policyfilter state interface. It handles two things:
- policies being added and removed
- pod containers being added and deleted.
func DisabledState (added in v0.10.0)
func DisabledState() State
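Added example (not Tetragon's code) of the matching rules the State interface above describes: a policy is applied to the existing containers of matching pods when it is added and to matching containers added afterwards, and a policy with an empty namespace matches pods in every namespace. It assumes simplified method signatures, a matchLabels map in place of slimv1.LabelSelector, a Go map in place of the pinned BPF pfMap, and it leaves out the container field selector.

```go
package main

// Added illustration of the matching rules the State interface describes, not Tetragon's code:
// a Go map stands in for the BPF pfMap and a matchLabels map (an assumption) for slimv1.LabelSelector.
type (
	PolicyID uint32
	CgroupID uint64
	policy   struct{ ns string; labels map[string]string } // ns == "" means not namespaced
	pod      struct{ ns string; labels map[string]string }
	State    struct {
		policies map[PolicyID]policy
		cgroups  map[CgroupID]pod               // known containers and the pod each belongs to
		pfMap    map[CgroupID]map[PolicyID]bool // cgroup id -> policies applied to it
	}
)
func NewState() *State { return &State{map[PolicyID]policy{}, map[CgroupID]pod{}, map[CgroupID]map[PolicyID]bool{}} }

// matches applies the rules above: the namespace must agree unless the policy is
// not namespaced, and every matchLabels key/value must be present on the pod.
func (p policy) matches(pd pod) bool {
	ok := p.ns == "" || p.ns == pd.ns
	for k, v := range p.labels {
		ok = ok && pd.labels[k] == v
	}
	return ok
}

// AddPolicy stores the policy and adds existing containers of matching pods to pfMap.
func (s *State) AddPolicy(id PolicyID, ns string, matchLabels map[string]string) {
	s.policies[id] = policy{ns, matchLabels}
	for cg, pd := range s.cgroups {
		if s.policies[id].matches(pd) {
			s.pfMap[cg][id] = true
		}
	}
}

// AddPodContainer records a new container; from now on matching policies cover it too.
func (s *State) AddPodContainer(ns string, podLabels map[string]string, cg CgroupID) {
	pd := pod{ns, podLabels}
	s.cgroups[cg] = pd
	s.pfMap[cg] = map[PolicyID]bool{} // cgroup ids only ever enter pfMap here
	for id, p := range s.policies {
		if p.matches(pd) {
			s.pfMap[cg][id] = true
		}
	}
}
// Applies reports whether policy id has been applied to cgroup cg (false for unknown cgroups).
func (s *State) Applies(cg CgroupID, id PolicyID) bool { return s.pfMap[cg][id] }
```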
Source Files