package connectivitypdp

v0.2.0 (this version is not the latest in its module)
Published: Apr 30, 2024 License: Apache-2.0 Imports: 6 Imported by: 0
Documentation

Constants

const DefaultDenyPolicyName = "<default deny>"

Variables

This section is empty.

Functions

func WorkloadSetOrSelectorListMatches added in v0.1.0

func WorkloadSetOrSelectorListMatches(wsl *v1alpha1.WorkloadSetOrSelectorList, workloadAttrs WorkloadAttrs) (bool, error)

WorkloadSetOrSelectorListMatches checks whether a workload with the given attributes matches any item in the given WorkloadSetOrSelectorList; it is enough for one item to match.

Types

type AccessPolicy added in v0.2.0

type AccessPolicy struct {
	// contains filtered or unexported fields
}

AccessPolicy is an opaque, PDP-internal, generalized representation of both the AccessPolicy and the PrivilegedAccessPolicy CRDs.

func PolicyFromCR added in v0.2.0

func PolicyFromCR(vap *v1alpha1.AccessPolicy) *AccessPolicy

PolicyFromCR converts the AccessPolicy Custom Resource into the PDP's AccessPolicy.

func PolicyFromPrivilegedCR added in v0.2.0

func PolicyFromPrivilegedCR(vap *v1alpha1.PrivilegedAccessPolicy) *AccessPolicy

PolicyFromPrivilegedCR converts the PrivilegedAccessPolicy Custom Resource into the PDP's AccessPolicy.

type ConnectionRequest added in v0.1.0

type ConnectionRequest struct {
	SrcWorkloadAttrs WorkloadAttrs
	DstSvcName       string
	DstSvcNamespace  string

	Direction Direction
}

ConnectionRequest encapsulates all the information needed to decide on a given incoming/outgoing connection.

type ConnectionResponse added in v0.1.0

type ConnectionResponse struct {
	Action       v1alpha1.AccessPolicyAction
	DstPeer      string
	DstName      string
	DstNamespace string
}

ConnectionResponse encapsulates the returned decision on a given incoming/outgoing connection.

type Decision added in v0.1.0

type Decision int

Decision represents an AccessPolicy decision on a given connection.

const (
	DecisionUndecided Decision = iota
	DecisionAllow
	DecisionDeny
)

type DestinationDecision

type DestinationDecision struct {
	Destination     WorkloadAttrs
	Decision        Decision
	MatchedBy       string // The name of the policy that matched the connection and took the decision
	PrivilegedMatch bool   // Whether the policy that took the decision was privileged
}

DestinationDecision describes the PDP decision on a given destination (with respect to a given source), including the deciding policy, if any. Calling PDP.Decide() with a source workload and a slice of destination workloads returns a slice of corresponding DestinationDecisions, one per destination.

type Direction added in v0.1.0

type Direction int

Direction indicates whether a given request is for an incoming or an outgoing connection.

const (
	Incoming Direction = iota
	Outgoing
)

type PDP

type PDP struct {
	// contains filtered or unexported fields
}

PDP is the main object to maintain a set of access policies and decide whether a given connection is allowed or denied by these policies.

func NewPDP

func NewPDP() *PDP

NewPDP constructs a new PDP.

func (*PDP) AddOrUpdatePolicy

func (pdp *PDP) AddOrUpdatePolicy(policy *AccessPolicy) error

AddOrUpdatePolicy adds an AccessPolicy to the PDP. If a policy with the same name already exists in the PDP, it is updated (including updating the Action field). Invalid policies return an error.

func (*PDP) Decide

func (pdp *PDP) Decide(src WorkloadAttrs, dests []WorkloadAttrs, ns string) ([]DestinationDecision, error)

Decide makes allow/deny decisions for the queried connections between src and each of the destinations in dests. The decision, as well as the deciding policy, are recorded in the returned slice of DestinationDecision structs; a destination that no policy matches is denied, with MatchedBy set to DefaultDenyPolicyName. The order of destinations in dests is preserved in the returned slice.

func (*PDP) DeletePolicy

func (pdp *PDP) DeletePolicy(policyName types.NamespacedName, privileged bool) error

DeletePolicy deletes the AccessPolicy with the given name and privilege level from the PDP. If no such AccessPolicy exists in the PDP, an error is returned.

func (*PDP) GetPolicies

func (pdp *PDP) GetPolicies() []v1alpha1.AccessPolicy

GetPolicies returns a slice of copies of the non-privileged policies stored in the PDP.

func (*PDP) GetPrivilegedPolicies added in v0.1.0

func (pdp *PDP) GetPrivilegedPolicies() []v1alpha1.PrivilegedAccessPolicy

GetPrivilegedPolicies returns a slice of copies of the privileged policies stored in the PDP.

type WorkloadAttrs added in v0.1.0

type WorkloadAttrs map[string]string

WorkloadAttrs are the actual key-value attributes attached to any given workload.
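The decision flow the types above describe, as an added self-contained Go model written for this page (it is not the connectivitypdp package's own code). It reuses the documented names Decision, DefaultDenyPolicyName, WorkloadAttrs and DestinationDecision; it stands in for WorkloadSetOrSelectorListMatches with a plain matchLabels-style Selector rather than the real v1alpha1.WorkloadSetOrSelectorList; and the Policy type, the namespace scoping of non-privileged policies (privileged ones apply cluster-wide), and the precedence order (privileged policies before namespaced ones, deny before allow within each tier, default deny when nothing matches) are assumptions made here, not statements from the package documentation.

```go
package main

import "fmt"

// Decision, DefaultDenyPolicyName and WorkloadAttrs mirror the package's documented
// names; the rest of this file is a simplified model written for this example.
type Decision int

const (
	DecisionUndecided Decision = iota
	DecisionAllow
	DecisionDeny
)

const DefaultDenyPolicyName = "<default deny>"
type WorkloadAttrs map[string]string

// Selector stands in for v1alpha1.WorkloadSetOrSelector; only matchLabels-style
// equality is modelled (an assumption, not the CRD type). An empty Selector matches all.
type Selector map[string]string

// selectorListMatches plays the role of WorkloadSetOrSelectorListMatches: any item suffices.
func selectorListMatches(list []Selector, w WorkloadAttrs) bool {
nextItem:
	for _, s := range list {
		for k, v := range s {
			if w[k] != v {
				continue nextItem // this item fails on label k; try the next item
			}
		}
		return true // every label of this item is present with the same value
	}
	return false
}

// Policy is a stand-in for the PDP's opaque AccessPolicy. Non-privileged policies are
// namespaced; privileged ones apply cluster-wide (assumption, mirroring the two CRDs).
type Policy struct {
	Namespace  string
	Name       string
	Privileged bool
	Action     Decision // DecisionAllow or DecisionDeny
	From, To   []Selector
}

type DestinationDecision struct {
	Destination     WorkloadAttrs
	Decision        Decision
	MatchedBy       string
	PrivilegedMatch bool
}

// PDP keeps policies in a slice so evaluation order, and thus MatchedBy, is deterministic.
type PDP struct{ policies []Policy }

func NewPDP() *PDP { return &PDP{} }

// AddOrUpdatePolicy rejects a nameless policy or one without a definite action; a policy
// with the same namespace, name and privilege level is replaced, Action included.
func (p *PDP) AddOrUpdatePolicy(pol Policy) error {
	if pol.Name == "" || (pol.Action != DecisionAllow && pol.Action != DecisionDeny) {
		return fmt.Errorf("invalid policy %q: a name and an allow/deny action are required", pol.Name)
	}
	for i, old := range p.policies {
		if old.Privileged == pol.Privileged && old.Namespace == pol.Namespace && old.Name == pol.Name {
			p.policies[i] = pol
			return nil
		}
	}
	p.policies = append(p.policies, pol)
	return nil
}

// Decide evaluates tiers in order: privileged deny, privileged allow, then the queried
// namespace's deny, then its allow. The first tier with a match decides; a destination
// no policy matches falls through to default deny. The tier order is an assumption.
func (p *PDP) Decide(src WorkloadAttrs, dests []WorkloadAttrs, ns string) []DestinationDecision {
	tiers := []struct{ priv bool; action Decision }{{true, DecisionDeny}, {true, DecisionAllow}, {false, DecisionDeny}, {false, DecisionAllow}}
	out := make([]DestinationDecision, len(dests))
	for i, dst := range dests {
		out[i] = DestinationDecision{Destination: dst, Decision: DecisionDeny, MatchedBy: DefaultDenyPolicyName}
	nextDest:
		for _, t := range tiers {
			for _, pol := range p.policies {
				if pol.Privileged != t.priv || pol.Action != t.action || (!pol.Privileged && pol.Namespace != ns) {
					continue // wrong tier, or a namespaced policy from another namespace
				}
				if selectorListMatches(pol.From, src) && selectorListMatches(pol.To, dst) {
					out[i] = DestinationDecision{Destination: dst, Decision: t.action, MatchedBy: pol.Name, PrivilegedMatch: t.priv}
					break nextDest
				}
			}
		}
	}
	return out
}

func main() {
	p := NewPDP() // constructed sample: one namespaced allow policy, two queried destinations
	_ = p.AddOrUpdatePolicy(Policy{Namespace: "shop", Name: "allow-web-db", Action: DecisionAllow, From: []Selector{{"app": "web"}}, To: []Selector{{"app": "db"}}})
	fmt.Printf("%+v\n", p.Decide(WorkloadAttrs{"app": "web"}, []WorkloadAttrs{{"app": "db"}, {"app": "cache"}}, "shop"))
}
```

The point worth keeping from the model is the shape of the result: every destination gets a DestinationDecision, so a caller can tell a deliberate deny (MatchedBy names a policy, PrivilegedMatch says which tier) from an implicit one (MatchedBy is DefaultDenyPolicyName), which is what you want in audit logs for an access decision.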
