Documentation
Index
- Constants
- type ContivPolicies
- type ContivPolicy
- type ContivRules
- type Deps
- type IPAM
- type IPBlock
- type Match
- type MatchType
- type PeerPod
- type PodIPAddresses
- type PolicyConfigurator
- type PolicyConfiguratorAPI
- type PolicyConfiguratorTxn
- type PolicyType
- type Port
- type ProcessedPolicySet
- type ProtocolType
- type Txn
Constants
const (
	// PolicyIngress tells policy to apply to ingress only.
	PolicyIngress = iota
	// PolicyEgress tells policy to apply to egress only.
	PolicyEgress
	// PolicyAll tells policy to apply to both traffic directions.
	PolicyAll
)
Variables
This section is empty.
Functions
This section is empty.
Types
type ContivPolicies
type ContivPolicies []*ContivPolicy
ContivPolicies is a list of policies that can be ordered by policy ID.
func (ContivPolicies) Copy
func (cp ContivPolicies) Copy() ContivPolicies
Copy creates a shallow copy of ContivPolicies.
func (ContivPolicies) Equals
func (cp ContivPolicies) Equals(cp2 ContivPolicies) bool
Equals returns true for equal lists of policies.
func (ContivPolicies) Len
func (cp ContivPolicies) Len() int
Len returns the number of policies in the list.
func (ContivPolicies) Less
func (cp ContivPolicies) Less(i, j int) bool
Less compares two policies by their IDs.
func (ContivPolicies) Swap
func (cp ContivPolicies) Swap(i, j int)
Swap exchanges the positions of two policies in the list.
type ContivPolicy
type ContivPolicy struct {
	// ID should uniquely identify policy across all namespaces.
	ID policymodel.ID
	// Type selects the rule types that the network policy relates to.
	Type PolicyType
	// Matches is an array of Match-es: predicates that select a subset of the
	// traffic to be ALLOWED.
	Matches []Match
}
ContivPolicy is a less abstract representation of a K8s Network Policy, free of indirect references. It has:
- expanded namespaces
- translated port names
- evaluated label selectors
- IP network addresses converted to net.IP
It is produced in this form by the Policy Processor and passed to the Configurator. Traffic matched by a Contiv policy should be ALLOWED. Traffic not matched by any policy from a **non-empty** set of policies assigned to the source/destination pod should be DENIED.
func (ContivPolicy) String
func (cp ContivPolicy) String() string
String converts ContivPolicy into a human-readable string.
type ContivRules
type ContivRules struct {
	// contains filtered or unexported fields
}
ContivRules is a list of Contiv rules without duplicates.
func (*ContivRules) CopySlice added in v1.5.1
func (cr *ContivRules) CopySlice() []*renderer.ContivRule
CopySlice returns a deep-copied slice of all rules (in the order as inserted).
func (*ContivRules) Insert added in v1.5.1
func (cr *ContivRules) Insert(rule *renderer.ContivRule) bool
Insert inserts the rule into the list. Returns *true* if the rule was inserted, *false* if the same rule is already in the list.
type Deps
type Deps struct {
	Log   logging.Logger
	Cache cache.PolicyCacheAPI
	IPAM  IPAM
}
Deps lists dependencies of PolicyConfigurator.
type IPAM
type IPAM interface {
	// NatLoopbackIP returns the IP address of a virtual loopback, used to route
	// traffic between clients and services via VPP even if the source and destination
	// are the same IP addresses and would otherwise be routed locally.
	NatLoopbackIP() net.IP
}
IPAM interface lists IPAM methods needed by Policy Configurator.
type Match
type Match struct {
	// Type selects the direction of the traffic.
	Type MatchType

	// Layer 3: destinations (egress) / sources (ingress)
	// If both arrays are nils, then this predicate matches all
	// sources(ingress) / destinations(egress). Otherwise, this predicate
	// applies to a given traffic only if the traffic matches at least one item
	// in one of the lists.
	Pods     []podmodel.ID
	IPBlocks []IPBlock

	// Layer 4: destination ports
	// If the array is empty or nil, then this predicate matches all ports
	// (traffic not restricted by port).
	// If the array is non-empty, then this applies to a given traffic only
	// if the traffic matches at least one port in the list.
	Ports []Port
}
Match is a predicate that selects a subset of the traffic.
type MatchType
type MatchType int
MatchType selects the direction of the traffic to apply a Match to. The direction is from the Pod point of view!
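How the Match predicate and the allow/deny rule stated for ContivPolicy above combine in practice, as an added example (not the project's code): a stand-alone Go evaluator over stand-in types. podmodel.ID is a plain string, the MatchIngress/MatchEgress constant names and the representation of an IPBlock as a single net.IPNet are assumptions, and the Flow type, the hypothetical "default/web" pod and its two policies are constructed for the example. It applies the documented semantics literally: nil Pods and IPBlocks match any peer, an empty Ports list matches any port, a Port with Number 0 matches every port of its protocol, and a flow is denied only when at least one assigned policy relates to its direction (per PolicyType) and none of that policy's matches fits. That per-direction reading follows Kubernetes policyTypes semantics and is an assumption here.

```go
package main

import (
	"fmt"
	"net"
)

// Stand-ins for the page's types (added example, not the project's code): podmodel.ID
// is a string; the MatchIngress/MatchEgress names and IPBlock-as-net.IPNet are assumed.
type ProtocolType int
type MatchType int
type PolicyType int

const TCP, UDP ProtocolType = 0, 1
const MatchIngress, MatchEgress MatchType = 0, 1 // direction from the pod's point of view
const PolicyIngress, PolicyEgress, PolicyAll PolicyType = 0, 1, 2

type Port struct {
	Protocol ProtocolType
	Number   uint16 // 0 = every port of the protocol
}

type Match struct {
	Type     MatchType
	Pods     []string    // peer pods; nil together with IPBlocks == nil: any peer
	IPBlocks []net.IPNet // stand-in for []IPBlock
	Ports    []Port      // destination ports; empty: any port
}

type ContivPolicy struct {
	ID      string
	Type    PolicyType
	Matches []Match
}

type Flow struct { // one connection, seen from the configured pod's point of view
	Dir     MatchType
	PeerPod string // "" when the peer is not a known pod
	PeerIP  net.IP
	Proto   ProtocolType
	DstPort uint16
}

func (m Match) matches(f Flow) bool {
	if m.Type != f.Dir {
		return false
	}
	l3 := m.Pods == nil && m.IPBlocks == nil // both nil: no L3 restriction
	for _, p := range m.Pods {
		l3 = l3 || (f.PeerPod != "" && p == f.PeerPod)
	}
	for _, b := range m.IPBlocks {
		l3 = l3 || (f.PeerIP != nil && b.Contains(f.PeerIP))
	}
	l4 := len(m.Ports) == 0 // empty: no L4 restriction; otherwise protocol must agree
	for _, p := range m.Ports {
		l4 = l4 || (p.Protocol == f.Proto && (p.Number == 0 || p.Number == f.DstPort))
	}
	return l3 && l4
}

// Allowed: a matching policy allows the flow; a non-empty set of policies relating to its
// direction with no match denies it; no such policy leaves it unrestricted (assumed K8s semantics).
func Allowed(policies []ContivPolicy, f Flow) bool {
	restricted := false
	for _, p := range policies {
		// PolicyAll relates to both directions, PolicyIngress/PolicyEgress to one only.
		relates := p.Type == PolicyAll || (p.Type == PolicyIngress) == (f.Dir == MatchIngress)
		for _, m := range p.Matches {
			if relates && m.matches(f) {
				return true
			}
		}
		restricted = restricted || relates
	}
	return !restricted
}

// SamplePolicies is a constructed set for a hypothetical "default/web" pod: ingress
// only from default/frontend or 10.0.0.0/8 on TCP/8080, egress only over UDP.
func SamplePolicies() []ContivPolicy {
	ten8 := net.IPNet{IP: net.IPv4(10, 0, 0, 0), Mask: net.CIDRMask(8, 32)}
	return []ContivPolicy{{
		ID: "default/web-ingress", Type: PolicyIngress,
		Matches: []Match{{Type: MatchIngress, Pods: []string{"default/frontend"},
			IPBlocks: []net.IPNet{ten8}, Ports: []Port{{TCP, 8080}}}},
	}, {
		ID: "default/web-egress", Type: PolicyEgress,
		Matches: []Match{{Type: MatchEgress, Ports: []Port{{UDP, 0}}}}, // any UDP port
	}}
}

func main() {
	f := Flow{Dir: MatchIngress, PeerPod: "default/frontend", Proto: TCP, DstPort: 8080}
	fmt.Println("frontend -> web:8080/tcp allowed:", Allowed(SamplePolicies(), f))
	f = Flow{Dir: MatchEgress, PeerIP: net.ParseIP("8.8.8.8"), Proto: TCP, DstPort: 443}
	fmt.Println("web -> 8.8.8.8:443/tcp allowed:", Allowed(SamplePolicies(), f))
}
```

The fail-closed property comes from how the L3 test is written: a restricted predicate (non-nil Pods or IPBlocks) starts out false and only a positive hit flips it, so an unknown peer pod or a missing peer IP never widens a match. Note also that the protocol is checked before the wildcard port number, so Port{UDP, 0} never admits TCP traffic.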
type PodIPAddresses
PodIPAddresses is a map used to remember IP address for each configured pod.
func (PodIPAddresses) Copy
func (pa PodIPAddresses) Copy() PodIPAddresses
Copy creates a deep copy of PodIPAddresses.
type PolicyConfigurator
type PolicyConfigurator struct {
	Deps
	// contains filtered or unexported fields
}
PolicyConfigurator translates a set of Contiv Policies into ingress and egress lists of Contiv Rules (n-tuples with the most basic policy rule definition) and applies them to the target vswitch via registered renderers. Multiple renderers can be registered for different network stacks. For the best performance, it creates the shortest possible sequence of rules that implements a given policy. Furthermore, to allow renderers to share a list of ingress or egress rules between interfaces, the same set of policies always results in the same list of rules.
func (*PolicyConfigurator) Close
func (pc *PolicyConfigurator) Close() error
Close deallocates resources held by the configurator.
func (*PolicyConfigurator) Init
func (pc *PolicyConfigurator) Init(parallelRendering bool) error
Init initializes policy configurator.
func (*PolicyConfigurator) NewTxn
func (pc *PolicyConfigurator) NewTxn(resync bool) Txn
NewTxn starts a new transaction. The re-configuration executes only after Commit() is called. If <resync> is enabled, the supplied configuration will completely replace the existing one, otherwise pods not mentioned in the transaction are left unchanged.
func (*PolicyConfigurator) RegisterRenderer
func (pc *PolicyConfigurator) RegisterRenderer(renderer renderer.PolicyRendererAPI) error
RegisterRenderer registers a new renderer. The renderer will be receiving rules for all pods in this K8s node. It is up to the renderer to filter out rules for pods without an inter-connection in the destination network stack.
type PolicyConfiguratorAPI
type PolicyConfiguratorAPI interface {
	// RegisterRenderer registers a new renderer.
	// The renderer will be receiving rules for all pods in this K8s node.
	// It is up to the renderer to possibly filter out rules for pods without
	// an inter-connection in the destination network stack.
	RegisterRenderer(renderer renderer.PolicyRendererAPI) error

	// NewTxn starts a new transaction. The re-configuration executes only
	// after Commit() is called.
	// If <resync> is enabled, the supplied configuration will completely
	// replace the existing one, otherwise pods not mentioned in the transaction
	// are left unchanged.
	NewTxn(resync bool) Txn
}
PolicyConfiguratorAPI defines the API of Policy Configurator. For a given pod, the configurator translates a set of Contiv Policies into ingress and egress lists of Contiv Rules (n-tuples with the most basic policy rule definition) and applies them to the target vswitch via registered renderers. Multiple renderers can be registered for different network stacks. For the best performance, it creates the shortest possible sequence of rules that implements a given policy. For the sake of renderers that install rules into per-interface tables (as opposed to one or more global tables), the configurator ensures that the same set of policies always results in the same list of rules, allowing renderers to group and share them across multiple interfaces (if supported by the destination network stack).
type PolicyConfiguratorTxn
PolicyConfiguratorTxn represents a single transaction of the policy configurator.
func (*PolicyConfiguratorTxn) Commit
func (pct *PolicyConfiguratorTxn) Commit() error
Commit proceeds with the reconfiguration.
func (*PolicyConfiguratorTxn) Configure
func (pct *PolicyConfiguratorTxn) Configure(pod podmodel.ID, policies []*ContivPolicy) Txn
Configure applies the set of policies for a given pod. The existing policies are replaced. The order of policies is not important (it is a set).
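What "the order of policies is not important" and "the same set of policies always results in the same list of rules" mean for an implementation, as an added example (not the project's code): a stand-alone Go sketch with stand-in types. A policy is reduced to ingress peers and TCP ports, renderer.ContivRule is modelled as an (Action, SrcIP, DstPort) triple whose fields are assumed, ContivPolicies gets the page's Len/Less/Swap/Copy, and ContivRules.Insert refuses duplicates as described above. The PodIPAddresses map and the four sample policies are constructed for the example, including one policy that names a pod whose address is not yet known.

```go
package main

import (
	"fmt"
	"sort"
)

// Stand-ins for the page's types (added example, not the project's code). A policy is
// reduced to ingress peers and TCP ports; renderer.ContivRule's fields are assumed.
type ContivPolicy struct {
	ID    string
	Peers []string // source pod IDs; nil = any source
	Ports []uint16 // TCP destination ports; empty = any port
}

// ContivPolicies sorts by ID, so iteration never depends on the order Configure() saw.
type ContivPolicies []*ContivPolicy

func (cp ContivPolicies) Len() int             { return len(cp) }
func (cp ContivPolicies) Less(i, j int) bool   { return cp[i].ID < cp[j].ID }
func (cp ContivPolicies) Swap(i, j int)        { cp[i], cp[j] = cp[j], cp[i] }
func (cp ContivPolicies) Copy() ContivPolicies { return append(ContivPolicies(nil), cp...) }

type ContivRule struct {
	Action  string // "ALLOW" or "DENY"
	SrcIP   string // "" = any source
	DstPort uint16 // 0 = any port
}

// ContivRules is an insertion-ordered set: Insert reports false for a duplicate.
type ContivRules struct {
	seen  map[ContivRule]bool
	rules []*ContivRule
}

func (cr *ContivRules) Insert(rule *ContivRule) bool {
	if cr.seen == nil {
		cr.seen = map[ContivRule]bool{}
	}
	if cr.seen[*rule] {
		return false
	}
	cr.seen[*rule] = true
	cr.rules = append(cr.rules, rule)
	return true
}

type PodIPAddresses map[string]string // pod ID -> IP, as remembered by the configurator

// RenderIngress turns one pod's policy set into its ingress rule list: an empty set
// installs nothing (unrestricted), a non-empty set ends in a DENY for whatever no
// ALLOW matched. Sorting first makes equal sets yield identical lists.
func RenderIngress(policies ContivPolicies, podIPs PodIPAddresses) []*ContivRule {
	if len(policies) == 0 {
		return nil
	}
	sorted := policies.Copy() // shallow copy: do not reorder the caller's slice
	sort.Sort(sorted)
	var rules ContivRules
	for _, p := range sorted {
		peers, ports := p.Peers, p.Ports
		if peers == nil {
			peers = []string{""} // any source
		}
		if len(ports) == 0 {
			ports = []uint16{0} // any port
		}
		for _, peer := range peers {
			if peer != "" && podIPs[peer] == "" {
				continue // peer has no IP yet: emit nothing rather than widen to "any"
			}
			for _, port := range ports {
				rules.Insert(&ContivRule{Action: "ALLOW", SrcIP: podIPs[peer], DstPort: port})
			}
		}
	}
	rules.Insert(&ContivRule{Action: "DENY"})
	return rules.rules
}

// Constructed sample: two policies allow the same flow and one names a pod without an IP.
var SamplePodIPs = PodIPAddresses{"default/app": "10.1.1.5", "monitoring/prom": "10.1.1.9"}

func SamplePolicies() ContivPolicies {
	return ContivPolicies{
		{ID: "default/allow-metrics", Peers: []string{"monitoring/prom"}, Ports: []uint16{9090}},
		{ID: "default/allow-app", Peers: []string{"default/app"}, Ports: []uint16{5432}},
		{ID: "default/allow-app-dup", Peers: []string{"default/app"}, Ports: []uint16{5432}},
		{ID: "default/allow-ghost", Peers: []string{"default/ghost"}}, // unknown pod
	}
}

func main() {
	for _, r := range RenderIngress(SamplePolicies(), SamplePodIPs) {
		fmt.Printf("%-5s src=%-10q dport=%d\n", r.Action, r.SrcIP, r.DstPort)
	}
}
```

Two points carry over to a real renderer. Sorting a shallow copy keeps the caller's slice untouched while making the output independent of the order Configure() received the policies, which is what lets renderers share one rule table between interfaces carrying the same policy set. And a peer pod whose IP is not yet known contributes no rule at all rather than an ALLOW from any source; the trailing DENY still closes the non-empty set, so the pod stays reachable only from peers whose addresses are known.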
type PolicyType
type PolicyType int
PolicyType selects the rule types that the network policy relates to.
func (PolicyType) String
func (pt PolicyType) String() string
String converts PolicyType into a human-readable string.
type Port
type Port struct {
	Protocol ProtocolType
	Number   uint16
}
Port represents a TCP or UDP port. Number=0 represents all ports for a given protocol.
type ProcessedPolicySet
type ProcessedPolicySet struct {
	// contains filtered or unexported fields
}
ProcessedPolicySet stores configuration already generated for a given set of policies. It is used only temporarily for a duration of the commit for a performance optimization.
type ProtocolType
type ProtocolType int
ProtocolType is either TCP or UDP.
const (
	// TCP protocol.
	TCP ProtocolType = iota
	// UDP protocol.
	UDP
)
func (ProtocolType) String
func (pt ProtocolType) String() string
String converts ProtocolType into a human-readable string.
type Txn
type Txn interface {
	// Configure applies the set of policies for a given pod.
	// The existing policies are replaced.
	// The order of policies is not important (it is a set).
	Configure(pod podmodel.ID, policies []*ContivPolicy) Txn

	// Commit proceeds with the reconfiguration.
	Commit() error
}
Txn defines the API of a PolicyConfigurator transaction.