Documentation ¶
Index ¶
- Constants
- func WorkloadSetOrSelectorListMatches(wsl *v1alpha1.WorkloadSetOrSelectorList, workloadAttrs WorkloadAttrs) (bool, error)
- type AccessPolicy
- type Decision
- type DestinationDecision
- type PDP
- func (pdp *PDP) AddOrUpdatePolicy(policy *AccessPolicy) error
- func (pdp *PDP) Decide(src, dest WorkloadAttrs, ns string) (*DestinationDecision, error)
- func (pdp *PDP) DeletePolicy(policyName types.NamespacedName, privileged bool) error
- func (pdp *PDP) DependsOnClientAttrs() bool
- func (pdp *PDP) GetPolicies() []v1alpha1.AccessPolicy
- func (pdp *PDP) GetPrivilegedPolicies() []v1alpha1.PrivilegedAccessPolicy
- type WorkloadAttrs
Constants ¶
const DefaultDenyPolicyName = "<default deny>"
Variables ¶
This section is empty.
Functions ¶
func WorkloadSetOrSelectorListMatches ¶
func WorkloadSetOrSelectorListMatches(wsl *v1alpha1.WorkloadSetOrSelectorList, workloadAttrs WorkloadAttrs) (bool, error)
WorkloadSetOrSelectorListMatches checks whether a workload with the given labels matches any item in a slice of WorkloadSetOrSelectors.
Types ¶
type AccessPolicy ¶
type AccessPolicy struct {
// contains filtered or unexported fields
}
AccessPolicy is an opaque, PDP-internal, generalized representation of AccessPolicy and PrivilegedAccessPolicy CRDs.
func PolicyFromCR ¶
func PolicyFromCR(vap *v1alpha1.AccessPolicy) *AccessPolicy
PolicyFromCR converts the AccessPolicy Custom Resource into the PDP's AccessPolicy.
func PolicyFromPrivilegedCR ¶
func PolicyFromPrivilegedCR(vap *v1alpha1.PrivilegedAccessPolicy) *AccessPolicy
PolicyFromPrivilegedCR converts the PrivilegedAccessPolicy Custom Resource into the PDP's AccessPolicy.
type Decision ¶
type Decision int
Decision represents an AccessPolicy decision on a given connection.
type DestinationDecision ¶
type DestinationDecision struct {
	Destination     WorkloadAttrs
	Decision        Decision
	MatchedBy       string // The name of the policy that matched the connection and took the decision
	PrivilegedMatch bool   // Whether the policy that took the decision was privileged
}
DestinationDecision describes the PDP decision on a given destination (with respect to a given source), including the deciding policy, if any. Calling PDP.Decide() with a source workload and a slice of destination workloads returns a slice of corresponding DestinationDecisions.
type PDP ¶
type PDP struct {
// contains filtered or unexported fields
}
PDP is the main object to maintain a set of access policies and decide whether a given connection is allowed or denied by these policies.
func (*PDP) AddOrUpdatePolicy ¶
func (pdp *PDP) AddOrUpdatePolicy(policy *AccessPolicy) error
AddOrUpdatePolicy adds an AccessPolicy to the PDP. If a policy with the same name already exists in the PDP, it is updated (including updating the Action field). Invalid policies return an error.
func (*PDP) Decide ¶
func (pdp *PDP) Decide(src, dest WorkloadAttrs, ns string) (*DestinationDecision, error)
Decide makes allow/deny decisions for the queried connection between src and dest. The decision, as well as the deciding policy, is recorded in the returned DestinationDecision struct.
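As an added example, not code from the package itself, the following self-contained Go model shows how the types on this page fit together in one Decide call. The map type of WorkloadAttrs, the Decision constant names, label-subset matching in place of WorkloadSetOrSelectorListMatches, and the precedence privileged deny > privileged allow > regular deny > regular allow (falling back to the named default deny) are assumptions, not facts documented here.

```go
package main

// Mirrors the page's types; the map type of WorkloadAttrs, the constant names and Decide's precedence are assumed.
type WorkloadAttrs map[string]string
type Decision int
const (
	DecisionDeny Decision = iota
	DecisionAllow
	DefaultDenyPolicyName = "<default deny>"
)

type DestinationDecision struct {
	Destination     WorkloadAttrs
	Decision        Decision
	MatchedBy       string // policy that took the decision
	PrivilegedMatch bool   // whether that policy was privileged
}

// policy stands in for the PDP-internal AccessPolicy; it matches when every
// From label is present on src and every To label is present on dest.
type policy struct {
	Name       string
	Privileged bool
	Action     Decision
	From, To   WorkloadAttrs
}
type PDP struct{ policies []policy }

func subset(want, have WorkloadAttrs) bool {
	for k, v := range want {
		if have[k] != v {
			return false
		}
	}
	return true
}

// Decide applies the assumed precedence privileged deny > privileged allow >
// regular deny > regular allow; an unmatched connection gets the default deny.
func (pdp *PDP) Decide(src, dest WorkloadAttrs) DestinationDecision {
	for _, priv := range []bool{true, false} {
		for _, act := range []Decision{DecisionDeny, DecisionAllow} {
			for _, p := range pdp.policies {
				if p.Privileged == priv && p.Action == act && subset(p.From, src) && subset(p.To, dest) {
					return DestinationDecision{dest, act, p.Name, priv}
				}
			}
		}
	}
	return DestinationDecision{Destination: dest, Decision: DecisionDeny, MatchedBy: DefaultDenyPolicyName}
}
```

With a regular allow from app=web to app=db and a privileged deny to app=db,env=prod, the prod pair is denied with PrivilegedMatch set, the staging pair is allowed by the regular policy, and a pair no policy matches comes back with MatchedBy equal to DefaultDenyPolicyName.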
func (*PDP) DeletePolicy ¶
func (pdp *PDP) DeletePolicy(policyName types.NamespacedName, privileged bool) error
DeletePolicy deletes an AccessPolicy with the given name and privilege from the PDP. If no such AccessPolicy exists in the PDP, an error is returned.
func (*PDP) DependsOnClientAttrs ¶ added in v0.4.0
func (pdp *PDP) DependsOnClientAttrs() bool
DependsOnClientAttrs returns whether the PDP holds a policy that depends on attributes the client workload (the From field) may or may not have.
func (*PDP) GetPolicies ¶
func (pdp *PDP) GetPolicies() []v1alpha1.AccessPolicy
GetPolicies returns a slice of copies of the non-privileged policies stored in the PDP.
func (*PDP) GetPrivilegedPolicies ¶
func (pdp *PDP) GetPrivilegedPolicies() []v1alpha1.PrivilegedAccessPolicy
GetPrivilegedPolicies returns a slice of copies of the privileged policies stored in the PDP.
type WorkloadAttrs ¶
WorkloadAttrs are the actual key-value attributes attached to any given workload.