policy

package
v1.2.0 Latest Latest
Warning

This package is not in the latest version of its module.

Published: Aug 28, 2018 License: Apache-2.0 Imports: 4 Imported by: 43

Documentation

Overview

Package policy is a generated protocol buffer package.

Package policy defines the data model for Kubernetes Network Policy.

It is generated from these files:

policy.proto

It has these top-level messages:

Policy

Index

Constants

const (
	// PolicyKeyword defines the keyword identifying Network policy data.
	// NOTE(review): presumably the segment that Key and KeyPrefix place in
	// data-store keys; their bodies are not shown here — confirm.
	PolicyKeyword = "policy"
)

Variables

// Policy_LabelSelector_LabelExpression_Operator_name maps each label-expression
// operator number to its enum name. Number 0, the zero value of the enum, is IN.
var Policy_LabelSelector_LabelExpression_Operator_name = map[int32]string{
	0: "IN",
	1: "NOT_IN",
	2: "EXISTS",
	3: "DOES_NOT_EXIST",
}
// Policy_LabelSelector_LabelExpression_Operator_value maps each operator enum
// name to its number.
// A single-value index with a name that is not a key yields 0, which is also
// the number of IN; use the two-value form (v, ok := m[name]) when the name
// comes from input so that an unknown operator is not read as IN.
var Policy_LabelSelector_LabelExpression_Operator_value = map[string]int32{
	"IN":             0,
	"NOT_IN":         1,
	"EXISTS":         2,
	"DOES_NOT_EXIST": 3,
}
// Policy_PolicyType_name maps each policy-type number to its enum name.
// Number 0, the zero value of the enum, is DEFAULT.
var Policy_PolicyType_name = map[int32]string{
	0: "DEFAULT",
	1: "INGRESS",
	2: "EGRESS",
	3: "INGRESS_AND_EGRESS",
}
// Policy_PolicyType_value maps each policy-type enum name to its number.
// A single-value index with a name that is not a key yields 0, which is also
// the number of DEFAULT; use the two-value form (v, ok := m[name]) when the
// name comes from input so that a misspelled type is not read as DEFAULT.
var Policy_PolicyType_value = map[string]int32{
	"DEFAULT":            0,
	"INGRESS":            1,
	"EGRESS":             2,
	"INGRESS_AND_EGRESS": 3,
}
// Policy_Port_PortNameOrNumber_Type_name maps each port-reference-type number
// to its enum name. Number 0, the zero value of the enum, is NUMBER.
var Policy_Port_PortNameOrNumber_Type_name = map[int32]string{
	0: "NUMBER",
	1: "NAME",
}
// Policy_Port_PortNameOrNumber_Type_value maps each port-reference-type enum
// name to its number.
// A single-value index with a name that is not a key yields 0, which is also
// the number of NUMBER; use the two-value form when the name comes from input.
var Policy_Port_PortNameOrNumber_Type_value = map[string]int32{
	"NUMBER": 0,
	"NAME":   1,
}
// Policy_Port_Protocol_name maps each protocol number to its enum name.
// Number 0, the zero value of the enum, is TCP.
var Policy_Port_Protocol_name = map[int32]string{
	0: "TCP",
	1: "UDP",
}
// Policy_Port_Protocol_value maps each protocol enum name to its number.
// A single-value index with a name that is not a key yields 0, which is also
// the number of TCP; use the two-value form when the name comes from input so
// that an unknown protocol is not read as TCP.
var Policy_Port_Protocol_value = map[string]int32{
	"TCP": 0,
	"UDP": 1,
}

Functions

func Key

func Key(name string, namespace string) string

Key returns the key under which a given K8s policy is stored in the data store.

func KeyPrefix

func KeyPrefix() string

KeyPrefix returns the key prefix identifying all K8s policies in the data store.

func ParsePolicyFromKey

func ParsePolicyFromKey(key string) (policy string, namespace string, err error)

ParsePolicyFromKey parses policy and namespace ids from the associated data-store key.

Types

type ID

// ID is used to uniquely represent a K8s Policy.
type ID struct {
	// Name and Namespace together identify the policy.
	// NOTE(review): the Policy documentation treats an empty namespace as
	// equivalent to "default"; whether GetID normalizes it is not visible
	// here — confirm before comparing IDs.
	Name      string
	Namespace string
}

ID used to uniquely represent a K8s Policy.

func GetID

func GetID(policy *Policy) ID

GetID returns ID of a policy.

func (ID) String

func (id ID) String() string

String returns a string representation of a policy ID.

type Policy

// Policy describes what network traffic is allowed for a set of Pods.
//
// Per the field comments below, a pod that no policy selects is not
// restricted, and the rules of all policies selecting a pod are combined
// additively.
type Policy struct {
	// Name of the policy unique within the namespace.
	// Cannot be updated.
	Name string `protobuf:"bytes,1,opt,name=name" json:"name,omitempty"`
	// Namespace the policy is inserted into.
	// An empty namespace is equivalent to the "default" namespace, but "default"
	// is the canonical representation used in the key for a key-value store.
	// Cannot be updated.
	Namespace string `protobuf:"bytes,2,opt,name=namespace" json:"namespace,omitempty"`
	// A list of labels attached to this policy.
	// +optional
	Label []*Policy_Label `protobuf:"bytes,3,rep,name=label" json:"label,omitempty"`
	// Pods to which this policy applies. The array of ingress rules is applied
	// to all pods selected by this field. Multiple network policies can select
	// the same set of pods. In such case, the ingress rules for each are combined
	// additively.
	// This field is NOT optional and follows standard label selector semantics.
	// An empty selector matches all pods in this namespace.
	// NOTE(review): the Policy_LabelSelector documentation distinguishes an
	// empty selector (matches all objects) from a null one (matches no
	// objects), so a nil Pods and an empty Pods select different pod sets —
	// confirm how consumers treat nil.
	//
	// PolicyType selects the rule types this policy relates to. Its zero value
	// is DEFAULT (number 0 in Policy_PolicyType_name), under which the policy
	// affects egress only when it carries egress rules. A policy meant to
	// isolate egress without listing any egress rule therefore has to set
	// EGRESS or INGRESS_AND_EGRESS explicitly.
	Pods       *Policy_LabelSelector `protobuf:"bytes,4,opt,name=pods" json:"pods,omitempty"`
	PolicyType Policy_PolicyType     `protobuf:"varint,5,opt,name=policy_type,json=policyType,enum=policy.Policy_PolicyType" json:"policy_type,omitempty"`
	// List of ingress rules applied to the selected pods.
	// Traffic is allowed to a pod if there are no network policies selecting the pod
	// OR if the traffic source is the pod's local node,
	// OR if the traffic matches at least one ingress rule across all of the network
	// policies applied to the pod.
	// If there are no ingress rules then this network policy does not allow
	// any traffic (and serves solely to ensure that the selected pods are isolated
	// by default).
	// +optional
	IngressRule []*Policy_IngressRule `protobuf:"bytes,6,rep,name=ingress_rule,json=ingressRule" json:"ingress_rule,omitempty"`
	// List of egress rules to be applied to the selected pods.
	// Outgoing traffic is allowed if there are no network policies selecting
	// the pod OR if the traffic matches at least one egress rule across
	// all of the network policies applied to the pod.
	// If there are no egress rules then this network policy does not allow
	// any outgoing traffic (and serves solely to ensure that the selected pods
	// are isolated by default).
	// This field is beta-level in Kubernetes 1.8.
	// +optional
	EgressRule []*Policy_EgressRule `protobuf:"bytes,7,rep,name=egress_rule,json=egressRule" json:"egress_rule,omitempty"`
}

Policy describes what network traffic is allowed for a set of Pods.

func (*Policy) Descriptor

func (*Policy) Descriptor() ([]byte, []int)

func (*Policy) GetEgressRule

func (m *Policy) GetEgressRule() []*Policy_EgressRule

func (*Policy) GetIngressRule

func (m *Policy) GetIngressRule() []*Policy_IngressRule

func (*Policy) GetLabel

func (m *Policy) GetLabel() []*Policy_Label

func (*Policy) GetName

func (m *Policy) GetName() string

func (*Policy) GetNamespace

func (m *Policy) GetNamespace() string

func (*Policy) GetPods

func (m *Policy) GetPods() *Policy_LabelSelector

func (*Policy) GetPolicyType

func (m *Policy) GetPolicyType() Policy_PolicyType

func (*Policy) ProtoMessage

func (*Policy) ProtoMessage()

func (*Policy) Reset

func (m *Policy) Reset()

func (*Policy) String

func (m *Policy) String() string

type Policy_EgressRule

// Policy_EgressRule matches traffic if and only if the traffic matches both
// Port and To.
//
// Each list matches everything when it is empty, so a rule with neither Port
// nor To set matches all outgoing traffic of the selected pods.
type Policy_EgressRule struct {
	// List of destination ports for outgoing traffic.
	// Each item in this list is combined using a logical OR.
	// If the array is empty or null, then this egress rule matches all ports
	// (traffic not restricted by port).
	// If the array is non-empty, then this egress rule allows traffic
	// only if the traffic matches at least one port in the list.
	// +optional
	Port []*Policy_Port `protobuf:"bytes,1,rep,name=port" json:"port,omitempty"`
	// List of destinations for outgoing traffic of pods selected for this policy.
	// Items in this list are combined using a logical OR operation.
	// If the array is empty or null, this egress rule matches all destinations
	// (traffic not restricted by destination).
	// If the array is non-empty, then this egress rule allows traffic only
	// if the traffic matches at least one item in the to list.
	// +optional
	To []*Policy_Peer `protobuf:"bytes,2,rep,name=to" json:"to,omitempty"`
}

Egress rule matches traffic if and only if the traffic matches both port-s AND to. This field is beta-level in Kubernetes 1.8.

func (*Policy_EgressRule) Descriptor

func (*Policy_EgressRule) Descriptor() ([]byte, []int)

func (*Policy_EgressRule) GetPort

func (m *Policy_EgressRule) GetPort() []*Policy_Port

func (*Policy_EgressRule) GetTo

func (m *Policy_EgressRule) GetTo() []*Policy_Peer

func (*Policy_EgressRule) ProtoMessage

func (*Policy_EgressRule) ProtoMessage()

func (*Policy_EgressRule) Reset

func (m *Policy_EgressRule) Reset()

func (*Policy_EgressRule) String

func (m *Policy_EgressRule) String() string

type Policy_IngressRule

// Policy_IngressRule matches traffic if and only if the traffic matches both
// Port and From.
//
// Each list matches everything when it is empty, so a rule with neither Port
// nor From set matches all incoming traffic to the selected pods.
type Policy_IngressRule struct {
	// List of ports made accessible on the pods selected for this policy.
	// Each item in this list is combined using a logical OR.
	// If the array is empty or null, then this ingress rule matches all ports
	// (traffic not restricted by port).
	// If the array is non-empty, then this ingress rule allows traffic
	// only if the traffic matches at least one port in the list.
	// +optional
	Port []*Policy_Port `protobuf:"bytes,1,rep,name=port" json:"port,omitempty"`
	// List of sources which are able to access the pods selected for this
	// policy.
	// Items in this list are combined using a logical OR operation.
	// If the array is empty or null, then this ingress rule matches all sources
	// (traffic not restricted by source).
	// If the array is non-empty, then this ingress rule allows traffic only
	// if the traffic matches at least one item in the from list.
	// +optional
	From []*Policy_Peer `protobuf:"bytes,2,rep,name=from" json:"from,omitempty"`
}

Ingress rule matches traffic if and only if the traffic matches both port-s AND from.

func (*Policy_IngressRule) Descriptor

func (*Policy_IngressRule) Descriptor() ([]byte, []int)

func (*Policy_IngressRule) GetFrom

func (m *Policy_IngressRule) GetFrom() []*Policy_Peer

func (*Policy_IngressRule) GetPort

func (m *Policy_IngressRule) GetPort() []*Policy_Port

func (*Policy_IngressRule) ProtoMessage

func (*Policy_IngressRule) ProtoMessage()

func (*Policy_IngressRule) Reset

func (m *Policy_IngressRule) Reset()

func (*Policy_IngressRule) String

func (m *Policy_IngressRule) String() string

type Policy_Label

// Policy_Label is a key/value pair attached to an object. Labels are used to
// organize and to select subsets of objects.
type Policy_Label struct {
	// Key and Value hold the label's key and its value as plain strings.
	Key   string `protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
	Value string `protobuf:"bytes,2,opt,name=value" json:"value,omitempty"`
}

Label is a key/value pair attached to an object (namespace in this case). Labels are used to organize and to select subsets of objects.

func (*Policy_Label) Descriptor

func (*Policy_Label) Descriptor() ([]byte, []int)

func (*Policy_Label) GetKey

func (m *Policy_Label) GetKey() string

func (*Policy_Label) GetValue

func (m *Policy_Label) GetValue() string

func (*Policy_Label) ProtoMessage

func (*Policy_Label) ProtoMessage()

func (*Policy_Label) Reset

func (m *Policy_Label) Reset()

func (*Policy_Label) String

func (m *Policy_Label) String() string

type Policy_LabelSelector

// Policy_LabelSelector is a label query over a set of resources. The results
// of MatchLabel and MatchExpression are ANDed.
//
// An empty selector matches all objects, while a null selector matches no
// objects, so leaving both lists empty on a non-nil selector selects
// everything in scope rather than nothing.
type Policy_LabelSelector struct {
	// A list of labels that a resource needs to have attached in order to get
	// selected.
	// +optional
	MatchLabel []*Policy_Label `protobuf:"bytes,1,rep,name=match_label,json=matchLabel" json:"match_label,omitempty"`
	// A list of key-value expressions applied to labels.
	// For a given resource and its labels, all expressions must evaluate
	// to TRUE for the resource to get selected.
	MatchExpression []*Policy_LabelSelector_LabelExpression `protobuf:"bytes,2,rep,name=match_expression,json=matchExpression" json:"match_expression,omitempty"`
}

A label selector is a label query over a set of resources. The results of match_label-s and match_expression-s are ANDed. An empty label selector matches all objects. A null label selector matches no objects.

func (*Policy_LabelSelector) Descriptor

func (*Policy_LabelSelector) Descriptor() ([]byte, []int)

func (*Policy_LabelSelector) GetMatchExpression

func (*Policy_LabelSelector) GetMatchLabel

func (m *Policy_LabelSelector) GetMatchLabel() []*Policy_Label

func (*Policy_LabelSelector) ProtoMessage

func (*Policy_LabelSelector) ProtoMessage()

func (*Policy_LabelSelector) Reset

func (m *Policy_LabelSelector) Reset()

func (*Policy_LabelSelector) String

func (m *Policy_LabelSelector) String() string

type Policy_LabelSelector_LabelExpression

// Policy_LabelSelector_LabelExpression is an expression that contains values,
// a label key, and an operator that relates the key and values.
type Policy_LabelSelector_LabelExpression struct {
	// Key is the label key that the expression applies to.
	//
	// Operator represents the key's relationship to the set of values. Its
	// zero value is IN (number 0 in
	// Policy_LabelSelector_LabelExpression_Operator_name).
	Key      string                                        `protobuf:"bytes,1,opt,name=key" json:"key,omitempty"`
	Operator Policy_LabelSelector_LabelExpression_Operator `protobuf:"varint,2,opt,name=operator,enum=policy.Policy_LabelSelector_LabelExpression_Operator" json:"operator,omitempty"`
	// An array of string values.
	// If the operator is IN or NOT_IN, the values array must be non-empty.
	// If the operator is EXISTS or DOES_NOT_EXIST, the values array
	// must be empty.
	// NOTE(review): this declaration does not enforce the rule above; confirm
	// that consumers reject expressions that violate it.
	// +optional
	Value []string `protobuf:"bytes,3,rep,name=value" json:"value,omitempty"`
}

An expression that contains values, a label key, and an operator that relates the key and values.

func (*Policy_LabelSelector_LabelExpression) Descriptor

func (*Policy_LabelSelector_LabelExpression) Descriptor() ([]byte, []int)

func (*Policy_LabelSelector_LabelExpression) GetKey

func (*Policy_LabelSelector_LabelExpression) GetOperator

func (*Policy_LabelSelector_LabelExpression) GetValue

func (*Policy_LabelSelector_LabelExpression) ProtoMessage

func (*Policy_LabelSelector_LabelExpression) ProtoMessage()

func (*Policy_LabelSelector_LabelExpression) Reset

func (*Policy_LabelSelector_LabelExpression) String

type Policy_LabelSelector_LabelExpression_Operator

// Policy_LabelSelector_LabelExpression_Operator represents a key's
// relationship to a set of values.
type Policy_LabelSelector_LabelExpression_Operator int32

Operator represents a key's relationship to a set of values.

// Operator values for a label expression.
// IN and NOT_IN require a non-empty Value list on the expression; EXISTS and
// DOES_NOT_EXIST require an empty one. IN is 0 and is therefore what an unset
// Operator field reads as.
const (
	Policy_LabelSelector_LabelExpression_IN             Policy_LabelSelector_LabelExpression_Operator = 0
	Policy_LabelSelector_LabelExpression_NOT_IN         Policy_LabelSelector_LabelExpression_Operator = 1
	Policy_LabelSelector_LabelExpression_EXISTS         Policy_LabelSelector_LabelExpression_Operator = 2
	Policy_LabelSelector_LabelExpression_DOES_NOT_EXIST Policy_LabelSelector_LabelExpression_Operator = 3
)

func (Policy_LabelSelector_LabelExpression_Operator) EnumDescriptor

func (Policy_LabelSelector_LabelExpression_Operator) EnumDescriptor() ([]byte, []int)

func (Policy_LabelSelector_LabelExpression_Operator) String

type Policy_Peer

// Policy_Peer is a selector for a set of pods.
// NOTE(review): how Pods, Namespaces and IpBlock combine when more than one
// of them is set is not stated in this declaration — confirm with the
// consumer before relying on either an AND or an OR reading.
type Policy_Peer struct {
	// This is a label selector which selects Pods in this namespace.
	// If present but empty, this selector selects all pods in this namespace.
	// +optional
	Pods *Policy_LabelSelector `protobuf:"bytes,1,opt,name=pods" json:"pods,omitempty"`
	// Selects namespaces using cluster scoped-labels.
	// This matches all pods in all namespaces selected by this label selector.
	// If present but empty, this selector selects all namespaces.
	// +optional
	//
	// IpBlock describes a particular CIDR that is allowed to/from the pods
	// selected for this network policy; see Policy_Peer_IPBlock.
	Namespaces *Policy_LabelSelector `protobuf:"bytes,2,opt,name=namespaces" json:"namespaces,omitempty"`
	IpBlock    *Policy_Peer_IPBlock  `protobuf:"bytes,3,opt,name=ip_block,json=ipBlock" json:"ip_block,omitempty"`
}

A selector for a set of pods.

func (*Policy_Peer) Descriptor

func (*Policy_Peer) Descriptor() ([]byte, []int)

func (*Policy_Peer) GetIpBlock

func (m *Policy_Peer) GetIpBlock() *Policy_Peer_IPBlock

func (*Policy_Peer) GetNamespaces

func (m *Policy_Peer) GetNamespaces() *Policy_LabelSelector

func (*Policy_Peer) GetPods

func (m *Policy_Peer) GetPods() *Policy_LabelSelector

func (*Policy_Peer) ProtoMessage

func (*Policy_Peer) ProtoMessage()

func (*Policy_Peer) Reset

func (m *Policy_Peer) Reset()

func (*Policy_Peer) String

func (m *Policy_Peer) String() string

type Policy_Peer_IPBlock

// Policy_Peer_IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that
// is allowed to/from the pods selected for this network policy. The Except
// entries describe CIDRs that should not be included within this rule.
// NOTE(review): both fields are plain strings and this declaration performs no
// CIDR parsing or containment check; confirm that consumers validate Cidr and
// reject Except entries that fall outside it before building rules.
type Policy_Peer_IPBlock struct {
	// CIDR is a string representing the IP Block.
	// Valid examples are "192.168.1.1/24".
	Cidr string `protobuf:"bytes,1,opt,name=cidr" json:"cidr,omitempty"`
	// Except is a slice of CIDRs that should not be included within an IP Block.
	// Valid examples are "192.168.1.1/24".
	// Except values are inside the CIDR range.
	// +optional
	Except []string `protobuf:"bytes,2,rep,name=except" json:"except,omitempty"`
}

IPBlock describes a particular CIDR (Ex. "192.168.1.1/24") that is allowed to/from the pods selected for this network policy. The except entries describe CIDRs that should not be included within this rule.

func (*Policy_Peer_IPBlock) Descriptor

func (*Policy_Peer_IPBlock) Descriptor() ([]byte, []int)

func (*Policy_Peer_IPBlock) GetCidr

func (m *Policy_Peer_IPBlock) GetCidr() string

func (*Policy_Peer_IPBlock) GetExcept

func (m *Policy_Peer_IPBlock) GetExcept() []string

func (*Policy_Peer_IPBlock) ProtoMessage

func (*Policy_Peer_IPBlock) ProtoMessage()

func (*Policy_Peer_IPBlock) Reset

func (m *Policy_Peer_IPBlock) Reset()

func (*Policy_Peer_IPBlock) String

func (m *Policy_Peer_IPBlock) String() string

type Policy_PolicyType

// Policy_PolicyType selects the rule types that the network policy relates to.
type Policy_PolicyType int32

PolicyType selects the rule types that the network policy relates to. By default, rule types are determined based on the existence of Ingress or Egress rules: policies that contain an Egress section are assumed to affect Egress, and all policies (whether or not they contain an Ingress section) are assumed to affect Ingress. For example, policies are egress-only if and only if policyType is set to EGRESS. Likewise, a policy meant to block all egress traffic must set policyType to EGRESS or INGRESS_AND_EGRESS, because such a policy does not include an Egress section and would otherwise default to just INGRESS. This field is beta-level in Kubernetes 1.8. The field is marked +optional.

// Policy type values.
// DEFAULT is 0 and is what an unset PolicyType field reads as: the rule types
// are then derived from the rules present, with every policy affecting ingress
// and only policies that carry an Egress section affecting egress.
// EGRESS makes a policy egress-only. A policy meant to block all egress
// traffic carries no Egress section, so it has to be EGRESS or
// INGRESS_AND_EGRESS; under DEFAULT it would apply to ingress only.
const (
	Policy_DEFAULT            Policy_PolicyType = 0
	Policy_INGRESS            Policy_PolicyType = 1
	Policy_EGRESS             Policy_PolicyType = 2
	Policy_INGRESS_AND_EGRESS Policy_PolicyType = 3
)

func (Policy_PolicyType) EnumDescriptor

func (Policy_PolicyType) EnumDescriptor() ([]byte, []int)

func (Policy_PolicyType) String

func (x Policy_PolicyType) String() string

type Policy_Port

// Policy_Port is a port selector.
type Policy_Port struct {
	// Protocol (TCP or UDP) which traffic must match. The zero value is TCP
	// (number 0 in Policy_Port_Protocol_name), so an unset field means TCP.
	Protocol Policy_Port_Protocol `protobuf:"varint,3,opt,name=protocol,enum=policy.Policy_Port_Protocol" json:"protocol,omitempty"`
	// If specified, the port on the given protocol.
	// This can either be a numerical or named port on a pod.
	// If this field is not provided, the rule matches all port names and
	// numbers.
	// If present, only traffic on the specified protocol AND port
	// will be matched.
	// +optional
	Port *Policy_Port_PortNameOrNumber `protobuf:"bytes,1,opt,name=port" json:"port,omitempty"`
}

A port selector.

func (*Policy_Port) Descriptor

func (*Policy_Port) Descriptor() ([]byte, []int)

func (*Policy_Port) GetPort

func (*Policy_Port) GetProtocol

func (m *Policy_Port) GetProtocol() Policy_Port_Protocol

func (*Policy_Port) ProtoMessage

func (*Policy_Port) ProtoMessage()

func (*Policy_Port) Reset

func (m *Policy_Port) Reset()

func (*Policy_Port) String

func (m *Policy_Port) String() string

type Policy_Port_PortNameOrNumber

// Policy_Port_PortNameOrNumber is a numerical or named port.
type Policy_Port_PortNameOrNumber struct {
	// Type is the port reference type. Its zero value is NUMBER (number 0 in
	// Policy_Port_PortNameOrNumber_Type_name).
	// NOTE(review): presumably Type tells consumers whether Number or Name
	// carries the port — confirm against the code that reads this message.
	Type Policy_Port_PortNameOrNumber_Type `protobuf:"varint,1,opt,name=type,enum=policy.Policy_Port_PortNameOrNumber_Type" json:"type,omitempty"`
	// Port number from the range: 0 < x < 65536.
	// NOTE(review): the field is an int32, so values outside that range can be
	// represented; confirm that consumers range-check it.
	Number int32 `protobuf:"varint,2,opt,name=number" json:"number,omitempty"`
	// Port name as defined by containers in the pod.
	Name string `protobuf:"bytes,3,opt,name=name" json:"name,omitempty"`
}

Numerical or named port.

func (*Policy_Port_PortNameOrNumber) Descriptor

func (*Policy_Port_PortNameOrNumber) Descriptor() ([]byte, []int)

func (*Policy_Port_PortNameOrNumber) GetName

func (m *Policy_Port_PortNameOrNumber) GetName() string

func (*Policy_Port_PortNameOrNumber) GetNumber

func (m *Policy_Port_PortNameOrNumber) GetNumber() int32

func (*Policy_Port_PortNameOrNumber) GetType

func (*Policy_Port_PortNameOrNumber) ProtoMessage

func (*Policy_Port_PortNameOrNumber) ProtoMessage()

func (*Policy_Port_PortNameOrNumber) Reset

func (m *Policy_Port_PortNameOrNumber) Reset()

func (*Policy_Port_PortNameOrNumber) String

type Policy_Port_PortNameOrNumber_Type

// Policy_Port_PortNameOrNumber_Type is the port reference type.
type Policy_Port_PortNameOrNumber_Type int32

Port reference type.

// Port reference type values. NUMBER is 0 and is what an unset Type field
// reads as.
const (
	Policy_Port_PortNameOrNumber_NUMBER Policy_Port_PortNameOrNumber_Type = 0
	Policy_Port_PortNameOrNumber_NAME   Policy_Port_PortNameOrNumber_Type = 1
)

func (Policy_Port_PortNameOrNumber_Type) EnumDescriptor

func (Policy_Port_PortNameOrNumber_Type) EnumDescriptor() ([]byte, []int)

func (Policy_Port_PortNameOrNumber_Type) String

type Policy_Port_Protocol

// Policy_Port_Protocol is the protocol (TCP or UDP) which traffic must match.
// If not specified, it defaults to TCP.
type Policy_Port_Protocol int32

The protocol (TCP or UDP) which traffic must match. If not specified, this field defaults to TCP. +optional

// Protocol values. TCP is 0 and is what an unset Protocol field reads as, so
// a port rule that should cover UDP has to say so explicitly.
const (
	Policy_Port_TCP Policy_Port_Protocol = 0
	Policy_Port_UDP Policy_Port_Protocol = 1
)

func (Policy_Port_Protocol) EnumDescriptor

func (Policy_Port_Protocol) EnumDescriptor() ([]byte, []int)

func (Policy_Port_Protocol) String

func (x Policy_Port_Protocol) String() string
