policy

package
v0.8.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Apr 6, 2017 License: Apache-2.0 Imports: 16 Imported by: 0

Documentation

Index

Constants

View Source
const (
	RootNodeName      = "root"
	NodePathDelimiter = "."
	RootPrefix        = RootNodeName + NodePathDelimiter
)
View Source
const (

	// MinimalNumericIdentity represents the minimal numeric identity not
	// used for reserved purposes.
	MinimalNumericIdentity = NumericIdentity(256)

	// InvalidIdentity is the identity assigned if the identity is invalid
	// or not determined yet
	InvalidIdentity = NumericIdentity(0)
)

Variables

View Source
var (
	CoverageSHASize = len(fmt.Sprintf("%x", sha512.New512_256().Sum(nil)))
)

Functions

func JoinPath

func JoinPath(a, b string) string

func SplitNodePath

func SplitNodePath(fullPath string) (string, string)

Types

type AllowL4

type AllowL4 struct {
	Ingress []L4Filter `json:"in-ports,omitempty"`
	Egress  []L4Filter `json:"out-ports,omitempty"`
}

func (*AllowL4) Merge

func (l4 *AllowL4) Merge(result *L4Policy)

type AllowRule

type AllowRule struct {
	Action ConsumableDecision `json:"action,omitempty"`
	Label  labels.Label       `json:"label"`
}

func (*AllowRule) Allows

func (a *AllowRule) Allows(ctx *SearchContext) ConsumableDecision

func (*AllowRule) IsMergeable

func (a *AllowRule) IsMergeable() bool

func (*AllowRule) String

func (a *AllowRule) String() string

func (*AllowRule) UnmarshalJSON

func (a *AllowRule) UnmarshalJSON(data []byte) error

type AuxRule

type AuxRule struct {
	Expr string `json:"expr"`
}

type Consumable

type Consumable struct {
	ID           NumericIdentity               `json:"id"`
	Iteration    int                           `json:"-"`
	Labels       *Identity                     `json:"labels"`
	LabelList    []labels.Label                `json:"-"`
	Maps         map[int]*policymap.PolicyMap  `json:"-"`
	Consumers    map[string]*Consumer          `json:"consumers"`
	ReverseRules map[NumericIdentity]*Consumer `json:"-"`
	L4Policy     *L4Policy                     `json:"l4-policy"`
	// contains filtered or unexported fields
}

Consumable is the entity that is being consumed by a Consumable.

func NewConsumable

func NewConsumable(id NumericIdentity, lbls *Identity, cache *ConsumableCache) *Consumable

func (*Consumable) AddMap

func (c *Consumable) AddMap(m *policymap.PolicyMap)

func (*Consumable) AllowConsumer

func (c *Consumable) AllowConsumer(cache *ConsumableCache, id NumericIdentity) *Consumer

func (*Consumable) AllowConsumerAndReverse

func (c *Consumable) AllowConsumerAndReverse(cache *ConsumableCache, id NumericIdentity)

func (*Consumable) Allows

func (c *Consumable) Allows(id NumericIdentity) bool

func (*Consumable) BanConsumer

func (c *Consumable) BanConsumer(id NumericIdentity)

func (*Consumable) DeepCopy

func (c *Consumable) DeepCopy() *Consumable

func (*Consumable) Delete

func (c *Consumable) Delete()

func (*Consumable) GetConsumer

func (c *Consumable) GetConsumer(id NumericIdentity) *Consumer

func (*Consumable) GetModel

func (c *Consumable) GetModel() *models.EndpointPolicy

func (*Consumable) RemoveMap

func (c *Consumable) RemoveMap(m *policymap.PolicyMap)

type ConsumableCache

type ConsumableCache struct {

	// List of consumables representing the reserved identities
	Reserved  []*Consumable
	Iteration int
	// contains filtered or unexported fields
}

func NewConsumableCache

func NewConsumableCache() *ConsumableCache

func (*ConsumableCache) AddReserved

func (c *ConsumableCache) AddReserved(elem *Consumable)

func (*ConsumableCache) GetOrCreate

func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable

func (*ConsumableCache) Lookup

func (*ConsumableCache) Remove

func (c *ConsumableCache) Remove(elem *Consumable)

type ConsumableDecision

type ConsumableDecision byte
const (
	UNDECIDED ConsumableDecision = iota
	ACCEPT
	ALWAYS_ACCEPT
	DENY
)

func (ConsumableDecision) MarshalJSON

func (d ConsumableDecision) MarshalJSON() ([]byte, error)

func (ConsumableDecision) String

func (d ConsumableDecision) String() string

func (*ConsumableDecision) UnmarshalJSON

func (d *ConsumableDecision) UnmarshalJSON(b []byte) error

type Consumer

type Consumer struct {
	ID           NumericIdentity
	Reverse      *Consumer
	DeletionMark bool
	Decision     ConsumableDecision
}

Consumer is the entity that consumes a Consumable.

func NewConsumer

func NewConsumer(id NumericIdentity) *Consumer

func (*Consumer) DeepCopy

func (c *Consumer) DeepCopy() *Consumer

func (*Consumer) StringID

func (c *Consumer) StringID() string

type Identity

type Identity struct {
	// Identity's ID.
	ID NumericIdentity `json:"id"`
	// Endpoints that have this Identity where their value is the last time they were seen.
	Labels labels.Labels `json:"labels"`
	// Set of labels that belong to this Identity.
	Endpoints map[string]time.Time `json:"containers"`
}

Identity is the representation of the security context for a particular set of labels.

func NewIdentity

func NewIdentity() *Identity

func NewIdentityFromModel

func NewIdentityFromModel(base *models.Identity) *Identity

func (*Identity) AssociateEndpoint

func (id *Identity) AssociateEndpoint(epID string)

AssociateEndpoint associates the endpoint with identity.

func (*Identity) DeepCopy

func (id *Identity) DeepCopy() *Identity

func (*Identity) DisassociateEndpoint

func (id *Identity) DisassociateEndpoint(epID string) bool

DisassociateEndpoint disassociates the endpoint endpoint with identity and return true if successful.

func (*Identity) GetModel

func (id *Identity) GetModel() *models.Identity

func (*Identity) RefCount

func (id *Identity) RefCount() int

type L4Filter

type L4Filter struct {
	// Port is the destination port to allow
	Port int `json:"port,omitempty"`
	// Protocol is the L4 protocol to allow or NONE
	Protocol string `json:"protocol,omitempty"`
	// L7Parser specifies the L7 protocol parser (optional)
	L7Parser string `json:"l7-parser,omitempty"`
	// L7RedirectPort is the L7 proxy port to redirect to (optional)
	L7RedirectPort int `json:"l7-redirect-port,omitempty"`
	// L7Rules is a list of L7 rules which are passed to the L7 proxy (optional)
	L7Rules []AuxRule `json:"l7-rules,omitempty"`
}

func (*L4Filter) IsRedirect

func (l4 *L4Filter) IsRedirect() bool

IsRedirect returns true if the L4 filter contains a port redirection

func (*L4Filter) Merge

func (l4 *L4Filter) Merge(result *L4Policy, m map[string]L4Filter, proto string)

func (*L4Filter) String

func (l4 *L4Filter) String() string

func (*L4Filter) UnmarshalJSON

func (l4 *L4Filter) UnmarshalJSON(data []byte) error

type L4Policy

type L4Policy struct {
	// key format: "proto:port"
	Ingress L4PolicyMap
	Egress  L4PolicyMap
}

func NewL4Policy

func NewL4Policy() *L4Policy

func (*L4Policy) DeepCopy

func (l4 *L4Policy) DeepCopy() *L4Policy

func (*L4Policy) GetModel

func (l4 *L4Policy) GetModel() *models.L4Policy

func (*L4Policy) HasRedirect

func (l4 *L4Policy) HasRedirect() bool

HasRedirect returns true if the L4 policy contains at least one port redirection

func (*L4Policy) RequiresConntrack

func (l4 *L4Policy) RequiresConntrack() bool

RequiresConntrack returns true if if the L4 configuration requires connection tracking to be enabled.

type L4PolicyMap

type L4PolicyMap map[string]L4Filter

func (L4PolicyMap) HasRedirect

func (l4 L4PolicyMap) HasRedirect() bool

HasRedirect returns true if at least one L4 filter contains a port redirection

type Node

type Node struct {
	Name     string           `json:"name"`
	Parent   *Node            `json:"-"`
	Rules    []PolicyRule     `json:"rules,omitempty"`
	Children map[string]*Node `json:"children,omitempty"`
	// contains filtered or unexported fields
}

Node to define hierarchy of rules

func NewNode

func NewNode(name string, parent *Node) *Node

func (*Node) AddChild

func (n *Node) AddChild(name string, child *Node) (bool, error)

func (*Node) Allows

func (n *Node) Allows(ctx *SearchContext) ConsumableDecision

func (*Node) CanMerge

func (n *Node) CanMerge(obj *Node) error

CanMerge returns an error if obj cannot be safely merged into an existing node

func (*Node) Covers

func (n *Node) Covers(ctx *SearchContext) bool

func (*Node) DebugString

func (n *Node) DebugString(level int) string

func (*Node) HasPolicyRule

func (n *Node) HasPolicyRule(pr PolicyRule) bool

func (*Node) HasRules

func (n *Node) HasRules() bool

HasRules returns true if a node has any rules attached or at least one child.

func (*Node) IsMergeable

func (n *Node) IsMergeable() bool

IsMergeable returns true if the node is eligible to be merged with another node

func (*Node) JSONMarshal

func (n *Node) JSONMarshal() string

func (*Node) Merge

func (n *Node) Merge(obj *Node) (bool, error)

Merge incorporates the rules and children of obj into an existing node

func (*Node) NormalizeNames

func (n *Node) NormalizeNames(path string) (string, error)

NormalizeNames walks all policy nodes and normalizes the policy node name according to to the path specified. Takes a node with a list of optional children and the path to where the node is/will be located in the tree.

1. If the name of a node is omitted, the node name will be derived from the path. The element after the last node path delimiter is assumed to be the node name, e.g. rootNode.parentNode.name

2. If the node name is an absolute path, it must match the path but will be translated to a relative node name.

func (*Node) Path

func (n *Node) Path() string

func (*Node) ResolveL4Policy

func (n *Node) ResolveL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy

func (*Node) ResolveName

func (n *Node) ResolveName(name string) string

ResolveName translates a possibly relative name to an absolute path relative to the node

func (*Node) ResolveTree

func (n *Node) ResolveTree() error

func (*Node) UnmarshalJSON

func (n *Node) UnmarshalJSON(data []byte) error

type NumericIdentity

type NumericIdentity uint32

NumericIdentity represents an identity of an entity to which consumer policy can be applied to.

const (
	ID_UNKNOWN NumericIdentity = iota
	ID_HOST
	ID_WORLD
)

func GetReservedID

func GetReservedID(name string) NumericIdentity

func ParseNumericIdentity

func ParseNumericIdentity(id string) (NumericIdentity, error)

func (NumericIdentity) String

func (id NumericIdentity) String() string

func (NumericIdentity) StringID

func (id NumericIdentity) StringID() string

func (NumericIdentity) Uint32

func (id NumericIdentity) Uint32() uint32

Uint32 normalizes the ID for use in BPF program.

type PolicyRule

type PolicyRule interface {
	// Resolve must resolve any internal label members to the full path
	// assuming that the rule is attached to the specified node.
	Resolve(node *Node) error

	// SHA256Sum must return the SHA256 hash over the policy rule
	SHA256Sum() (string, error)

	// CoverageSHA256Sum must return the SHA256 hash over the coverage
	// section of the policy rule
	CoverageSHA256Sum() (string, error)

	// IsMergeable must return true if a rule allows merging with other
	// rules within a node. Certain rules are not additive and require
	// strict ordering, such rules may never be merged in a node as
	// merging may occur in undefined order.
	IsMergeable() bool
}

type Privilege

type Privilege byte

Privilege represents the privileges available to define for a policy node.

const (
	ALLOW Privilege = iota
	ALWAYS_ALLOW
	REQUIRES
	L4
)

func (Privilege) MarshalJSON

func (p Privilege) MarshalJSON() ([]byte, error)

func (Privilege) String

func (p Privilege) String() string

func (*Privilege) UnmarshalJSON

func (p *Privilege) UnmarshalJSON(b []byte) error

type RuleConsumers

type RuleConsumers struct {
	Coverage []labels.Label `json:"coverage,omitempty"`
	Allow    []AllowRule    `json:"allow"`
}

RuleConsumers allows the following consumers.

func (*RuleConsumers) Allows

func (*RuleConsumers) CoverageSHA256Sum

func (prc *RuleConsumers) CoverageSHA256Sum() (string, error)

func (*RuleConsumers) IsMergeable

func (prc *RuleConsumers) IsMergeable() bool

func (*RuleConsumers) Resolve

func (prc *RuleConsumers) Resolve(node *Node) error

func (*RuleConsumers) SHA256Sum

func (prc *RuleConsumers) SHA256Sum() (string, error)

func (*RuleConsumers) String

func (prc *RuleConsumers) String() string

type RuleL4

type RuleL4 struct {
	Coverage []labels.Label `json:"coverage,omitempty"`
	Allow    []AllowL4      `json:"l4"`
}

func (*RuleL4) CoverageSHA256Sum

func (l4 *RuleL4) CoverageSHA256Sum() (string, error)

func (*RuleL4) GetL4Policy

func (l4 *RuleL4) GetL4Policy(ctx *SearchContext, result *L4Policy) *L4Policy

func (*RuleL4) IsMergeable

func (l4 *RuleL4) IsMergeable() bool

func (*RuleL4) Resolve

func (l4 *RuleL4) Resolve(node *Node) error

func (*RuleL4) SHA256Sum

func (l4 *RuleL4) SHA256Sum() (string, error)

type RuleRequires

type RuleRequires struct {
	Coverage []labels.Label `json:"coverage,omitempty"`
	Requires []labels.Label `json:"requires"`
}

RuleRequires any further consumer requires the specified list of labels in order to consume.

func (*RuleRequires) Allows

func (prr *RuleRequires) Allows(ctx *SearchContext) ConsumableDecision

Allows a require rule imposes additional label requirements but does not imply access immediately. Hence if the label context is not sufficient access can be denied but fullfillment of the requirement only leads to the decision being UNDECIDED waiting on an explicit allow rule further down the tree

func (*RuleRequires) CoverageSHA256Sum

func (prr *RuleRequires) CoverageSHA256Sum() (string, error)

func (*RuleRequires) IsMergeable

func (prr *RuleRequires) IsMergeable() bool

func (*RuleRequires) Resolve

func (prr *RuleRequires) Resolve(node *Node) error

func (*RuleRequires) SHA256Sum

func (prr *RuleRequires) SHA256Sum() (string, error)

func (*RuleRequires) String

func (prr *RuleRequires) String() string

type SearchContext

type SearchContext struct {
	Trace   Tracing
	Depth   int
	Logging *logging.LogBackend
	// TODO: Put this as []*Label?
	From []labels.Label
	To   []labels.Label
}

func (*SearchContext) CallDepth

func (s *SearchContext) CallDepth() string

func (*SearchContext) String

func (s *SearchContext) String() string

func (*SearchContext) TargetCoveredBy

func (s *SearchContext) TargetCoveredBy(coverage []labels.Label) bool

type SearchContextReply

type SearchContextReply struct {
	Logging  []byte
	Decision ConsumableDecision
}

type Tracing

type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

type Tree

type Tree struct {
	Root  *Node
	Mutex sync.RWMutex
}

Tree overall policy tree.

func (*Tree) Add

func (t *Tree) Add(parentPath string, node *Node) (bool, error)

Add adds the provided policy node at the specified path.

func (*Tree) Allows

func (t *Tree) Allows(ctx *SearchContext) ConsumableDecision

func (*Tree) Delete

func (t *Tree) Delete(path string, coverage string) bool

func (*Tree) Lookup

func (t *Tree) Lookup(path string) (node, parent *Node)

Lookup returns a policy node and its parent for a given path

func (*Tree) ResolveL4Policy

func (t *Tree) ResolveL4Policy(ctx *SearchContext) *L4Policy

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL