endpoint

package
v1.14.2 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 14, 2023 License: Apache-2.0 Imports: 81 Imported by: 0

Documentation

Index

Constants

View Source
const (
	// StateWaitingForIdentity is used to set if the endpoint is waiting
	// for an identity from the KVStore.
	StateWaitingForIdentity = State(models.EndpointStateWaitingDashForDashIdentity)

	// StateReady specifies if the endpoint is ready to be used.
	StateReady = State(models.EndpointStateReady)

	// StateWaitingToRegenerate specifies when the endpoint needs to be regenerated, but regeneration has not started yet.
	StateWaitingToRegenerate = State(models.EndpointStateWaitingDashToDashRegenerate)

	// StateRegenerating specifies when the endpoint is being regenerated.
	StateRegenerating = State(models.EndpointStateRegenerating)

	// StateDisconnecting indicates that the endpoint is being disconnected
	StateDisconnecting = State(models.EndpointStateDisconnecting)

	// StateDisconnected is used to set the endpoint is disconnected.
	StateDisconnected = State(models.EndpointStateDisconnected)

	// StateRestoring is used to set the endpoint is being restored.
	StateRestoring = State(models.EndpointStateRestoring)

	// StateInvalid is used when an endpoint failed during creation due to
	// invalid data.
	StateInvalid = State(models.EndpointStateInvalid)
)
View Source
const (
	EndpointPolicyStateEnforcing    cilium_v2.EndpointPolicyState = "enforcing"
	EndpointPolicyStateNonEnforcing cilium_v2.EndpointPolicyState = "non-enforcing"
	EndpointPolicyStateDisabled     cilium_v2.EndpointPolicyState = "<status disabled>"
)

StatusNA is value of fields in the output of 'kubectl get cep' in case of disabled "--endpoint-status"

View Source
const (
	// EndpointGenerationTimeout specifies timeout for proxy completion context
	EndpointGenerationTimeout = 330 * time.Second
)

Variables

View Source
var (
	EndpointMutableOptionLibrary = option.GetEndpointMutableOptionLibrary()
)
View Source
var (
	ErrEndpointDeleted = fmt.Errorf("lock failed: endpoint is in the process of being removed")
)
View Source
var (
	// ErrNotAlive is an error which indicates that the endpoint should not be
	// rlocked because it is currently being removed.
	ErrNotAlive = errors.New("rlock failed: endpoint is in the process of being removed")
)

Functions

func APICanModify added in v1.5.0

func APICanModify(e *Endpoint) error

APICanModify determines whether API requests from a user are allowed to modify this endpoint.

func CheckHealth added in v1.14.0

func CheckHealth(ep *Endpoint) error

CheckHealth verifies that the endpoint is alive and healthy by checking the link status. This satisfies endpointmanager.EndpointCheckerFunc.

func EndpointSyncControllerName added in v1.14.0

func EndpointSyncControllerName(epID uint16) string

EndpointSyncControllerName returns the controller name to synchronize endpoint in to kubernetes.

func FilterEPDir

func FilterEPDir(dirFiles []os.DirEntry) []string

FilterEPDir returns a list of directories' names that possible belong to an endpoint.

func NewDatapathConfiguration added in v1.14.0

func NewDatapathConfiguration() models.EndpointDatapathConfiguration

NewDatapathConfiguration return the default endpoint datapath configuration based on whether per-endpoint routes are enabled.

func ParseExternalRegenerationMetadata added in v1.6.0

func ParseExternalRegenerationMetadata(ctx context.Context, c context.CancelFunc, e *regeneration.ExternalRegenerationMetadata) *regenerationContext

func ReadEPsFromDirNames added in v1.6.0

func ReadEPsFromDirNames(ctx context.Context, owner regeneration.Owner, policyGetter policyRepoGetter,
	namedPortsGetter namedPortsGetter, basePath string, eptsDirNames []string) map[uint16]*Endpoint

ReadEPsFromDirNames returns a mapping of endpoint ID to endpoint of endpoints from a list of directory names that can possible contain an endpoint.

Types

type AnnotationsResolverCB added in v1.14.0

type AnnotationsResolverCB func(ns, podName string) (proxyVisibility string, err error)

AnnotationsResolverCB provides an implementation for resolving the pod annotations.

type DeleteConfig added in v1.5.0

type DeleteConfig struct {
	NoIPRelease       bool
	NoIdentityRelease bool
}

DeleteConfig is the endpoint deletion configuration

type Endpoint

type Endpoint struct {

	// ID of the endpoint, unique in the scope of the node
	ID uint16

	// OpLabels is the endpoint's label configuration
	//
	// FIXME: Rename this field to Labels
	OpLabels labels.OpLabels

	// IPv6 is the IPv6 address of the endpoint
	IPv6 netip.Addr

	// IPv4 is the IPv4 address of the endpoint
	IPv4 netip.Addr

	// SecurityIdentity is the security identity of this endpoint. This is computed from
	// the endpoint's labels.
	SecurityIdentity *identity.Identity `json:"SecLabel"`

	// Options determine the datapath configuration of the endpoint.
	Options *option.IntOptions

	// DNSRules is the collection of current endpoint-specific DNS proxy
	// rules. These can be restored during Cilium restart.
	DNSRules restore.DNSRules

	// DNSHistory is the collection of still-valid DNS responses intercepted for
	// this endpoint.
	DNSHistory *fqdn.DNSCache

	// DNSZombies is the collection of DNS IPs that have expired in or been
	// evicted from DNSHistory. They are held back from deletion until we can
	// confirm that no existing connection is using them.
	DNSZombies *fqdn.DNSZombieMappings

	// K8sPodName is the Kubernetes pod name of the endpoint
	K8sPodName string

	// K8sNamespace is the Kubernetes namespace of the endpoint
	K8sNamespace string

	// DatapathConfiguration is the endpoint's datapath configuration as
	// passed in via the plugin that created the endpoint, e.g. the CNI
	// plugin which performed the plumbing will enable certain datapath
	// features according to the mode selected.
	DatapathConfiguration models.EndpointDatapathConfiguration
	// contains filtered or unexported fields
}

Endpoint represents a container or similar which can be individually addresses on L3 with its own IP addresses. This structured is managed by the endpoint manager in pkg/endpointmanager.

The representation of the Endpoint which is serialized to disk for restore purposes is the serializableEndpoint type in this package.

func CreateHostEndpoint added in v1.14.0

func CreateHostEndpoint(owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, proxy EndpointProxy, allocator cache.IdentityAllocator) (*Endpoint, error)

CreateHostEndpoint creates the endpoint corresponding to the host.

func NewEndpointFromChangeModel

func NewEndpointFromChangeModel(ctx context.Context, owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, proxy EndpointProxy, allocator cache.IdentityAllocator, base *models.EndpointChangeRequest) (*Endpoint, error)

NewEndpointFromChangeModel creates a new endpoint from a request

func NewEndpointWithState added in v1.5.0

func NewEndpointWithState(owner regeneration.Owner, policyGetter policyRepoGetter, namedPortsGetter namedPortsGetter, proxy EndpointProxy, allocator cache.IdentityAllocator, ID uint16, state State) *Endpoint

NewEndpointWithState creates a new endpoint useful for testing purposes

func (*Endpoint) APICanModifyConfig added in v1.14.0

func (e *Endpoint) APICanModifyConfig(n models.ConfigurationMap) error

APICanModifyConfig determines whether API requests from users are allowed to modify the configuration of the endpoint.

func (*Endpoint) Allows

func (e *Endpoint) Allows(id identity.NumericIdentity) bool

Allows is only used for unit testing

func (*Endpoint) ApplyOpts

func (e *Endpoint) ApplyOpts(opts option.OptionMap) (bool, error)

ApplyOpts tries to lock endpoint, applies the given options to the endpoint's options and returns true if there were any options changed.

func (*Endpoint) ApplyPolicyMapChanges added in v1.6.2

func (e *Endpoint) ApplyPolicyMapChanges(proxyWaitGroup *completion.WaitGroup) error

ApplyPolicyMapChanges updates the Endpoint's PolicyMap with the changes that have accumulated for the PolicyMap via various outside events (e.g., identities added / deleted). 'proxyWaitGroup' may not be nil.

func (*Endpoint) ApplyUserLabelChanges added in v1.14.0

func (e *Endpoint) ApplyUserLabelChanges(lbls labels.Labels) (add, del labels.Labels, err error)

ApplyUserLabelChanges changes the label configuration of the endpoint per the provided labels. Returns labels that were added and deleted. Returns an error if the endpoint is being deleted.

func (*Endpoint) BuilderSetStateLocked added in v1.5.0

func (e *Endpoint) BuilderSetStateLocked(toState State, reason string) bool

BuilderSetStateLocked modifies the endpoint's state endpoint.mutex must be Lock()ed endpoint buildMutex must be held!

func (*Endpoint) ConntrackLocal added in v1.5.0

func (e *Endpoint) ConntrackLocal() bool

ConntrackLocal determines whether this endpoint is currently using a local table to handle connection tracking (true), or the global table (false).

func (*Endpoint) ConntrackLocalLocked added in v1.5.0

func (e *Endpoint) ConntrackLocalLocked() bool

ConntrackLocalLocked is the same as ConntrackLocal, but assumes that the endpoint is already locked for reading.

func (*Endpoint) ConntrackName added in v1.6.0

func (e *Endpoint) ConntrackName() string

ConntrackName returns the name suffix for the endpoint-specific bpf conntrack map, which is a 5-digit endpoint ID, or "global" when the global map should be used.

func (*Endpoint) ConntrackNameLocked added in v1.14.0

func (e *Endpoint) ConntrackNameLocked() string

ConntrackNameLocked returns the name suffix for the endpoint-specific bpf conntrack map, which is a 5-digit endpoint ID, or "global" when the global map should be used. Must be called with the endpoint locked.

func (*Endpoint) Delete added in v1.14.0

func (e *Endpoint) Delete(conf DeleteConfig) []error

Delete cleans up all resources associated with this endpoint, including the following: * all goroutines managed by this Endpoint (EventQueue, Controllers) * removal from the endpointmanager, resulting in new events not taking effect on this endpoint * cleanup of datapath state (BPF maps, proxy configuration, directories) * releasing IP addresses allocated for the endpoint * releasing of the reference to its allocated security identity

func (*Endpoint) DirectoryPath

func (e *Endpoint) DirectoryPath() string

DirectoryPath returns the directory name for this endpoint bpf program.

func (*Endpoint) DisableSIPVerification added in v1.14.0

func (e *Endpoint) DisableSIPVerification() bool

DisableSIPVerification returns true if the endpoint wants to skip srcIP verification

func (*Endpoint) FailedDirectoryPath added in v1.5.0

func (e *Endpoint) FailedDirectoryPath() string

FailedDirectoryPath returns the directory name for this endpoint bpf program failed builds.

func (*Endpoint) FormatGlobalEndpointID added in v1.5.0

func (e *Endpoint) FormatGlobalEndpointID() string

FormatGlobalEndpointID returns the global ID of endpoint in the format / <global ID Prefix>:<cluster name>:<node name>:<endpoint ID> as a string.

func (*Endpoint) GetCIDRPrefixLengths added in v1.5.0

func (e *Endpoint) GetCIDRPrefixLengths() (s6, s4 []int)

GetCIDRPrefixLengths returns the sorted list of unique prefix lengths used for CIDR policy or IPcache lookup from this endpoint.

func (*Endpoint) GetCiliumEndpointStatus added in v1.5.0

func (e *Endpoint) GetCiliumEndpointStatus(conf EndpointStatusConfiguration) *cilium_v2.EndpointStatus

GetCiliumEndpointStatus creates a cilium_v2.EndpointStatus of an endpoint. See cilium_v2.EndpointStatus for a detailed explanation of each field.

func (*Endpoint) GetCiliumEndpointUID added in v1.14.0

func (e *Endpoint) GetCiliumEndpointUID() types.UID

GetCiliumEndpointUID returns the UID of the CiliumEndpoint.

func (*Endpoint) GetConfigurationStatus added in v1.14.0

func (e *Endpoint) GetConfigurationStatus() *models.EndpointConfigurationStatus

GetConfigurationStatus returns the Cilium API representation of the configuration of this endpoint.

func (*Endpoint) GetContainerID added in v1.5.0

func (e *Endpoint) GetContainerID() string

GetContainerID returns the endpoint's container ID

func (*Endpoint) GetContainerName added in v1.14.0

func (e *Endpoint) GetContainerName() string

GetContainerName returns the name of the container for the endpoint.

func (*Endpoint) GetCreatedAt added in v1.14.0

func (e *Endpoint) GetCreatedAt() time.Time

GetCreatedAt returns the endpoint creation time.

func (*Endpoint) GetDockerEndpointID added in v1.14.0

func (e *Endpoint) GetDockerEndpointID() string

func (*Endpoint) GetDockerNetworkID added in v1.5.0

func (e *Endpoint) GetDockerNetworkID() string

GetDockerNetworkID returns the endpoint's Docker Endpoint ID

func (*Endpoint) GetHealthModel added in v1.5.0

func (e *Endpoint) GetHealthModel() *models.EndpointHealth

GetHealthModel returns the endpoint's health object.

func (*Endpoint) GetID added in v0.10.0

func (e *Endpoint) GetID() uint64

GetID returns the endpoint's ID as a 64-bit unsigned integer.

func (*Endpoint) GetID16 added in v1.5.0

func (e *Endpoint) GetID16() uint16

GetID16 returns the endpoint's ID as a 16-bit unsigned integer.

func (*Endpoint) GetIPv4Address added in v0.10.0

func (e *Endpoint) GetIPv4Address() string

GetIPv4Address returns the IPv4 address of the endpoint as a string

func (*Endpoint) GetIPv6Address added in v0.10.0

func (e *Endpoint) GetIPv6Address() string

GetIPv6Address returns the IPv6 address of the endpoint as a string

func (*Endpoint) GetIdentity

func (e *Endpoint) GetIdentity() identity.NumericIdentity

GetIdentity returns the numeric security identity of the endpoint

func (*Endpoint) GetIdentityLocked added in v1.6.10

func (e *Endpoint) GetIdentityLocked() identity.NumericIdentity

GetIdentityLocked is identical to GetIdentity() but assumes that a.mutex is already held. This function is obsolete and should no longer be used.

func (*Endpoint) GetIfIndex added in v1.14.0

func (e *Endpoint) GetIfIndex() int

GetIfIndex returns the ifIndex for this endpoint.

func (*Endpoint) GetK8sNamespace added in v1.5.0

func (e *Endpoint) GetK8sNamespace() string

GetK8sNamespace returns the name of the pod if the endpoint represents a Kubernetes pod

func (*Endpoint) GetK8sNamespaceAndPodName added in v1.14.0

func (e *Endpoint) GetK8sNamespaceAndPodName() string

GetK8sNamespaceAndPodName returns the corresponding namespace and pod name for this endpoint.

func (*Endpoint) GetK8sPodName added in v1.5.0

func (e *Endpoint) GetK8sPodName() string

GetK8sPodName returns the name of the pod if the endpoint represents a Kubernetes pod

func (*Endpoint) GetK8sPorts added in v1.14.0

func (e *Endpoint) GetK8sPorts() (k8sPorts types.NamedPortMap, err error)

GetK8sPorts returns the k8sPorts, which must not be modified by the caller

func (*Endpoint) GetLabels added in v0.10.0

func (e *Endpoint) GetLabels() []string

GetLabels returns the labels as slice

func (*Endpoint) GetLabelsModel added in v1.14.0

func (e *Endpoint) GetLabelsModel() (*models.LabelConfiguration, error)

GetLabelsModel returns the labels of the endpoint in their representation for the Cilium API. Returns an error if the Endpoint is being deleted.

func (*Endpoint) GetModel

func (e *Endpoint) GetModel() *models.Endpoint

GetModel returns the API model of endpoint e.

func (*Endpoint) GetModelRLocked added in v1.5.0

func (e *Endpoint) GetModelRLocked() *models.Endpoint

GetModelRLocked returns the API model of endpoint e. e.mutex must be RLocked.

func (*Endpoint) GetNamedPort added in v1.14.0

func (e *Endpoint) GetNamedPort(ingress bool, name string, proto uint8) uint16

GetNamedPort returns the port for the given name. Must be called with e.mutex NOT held

func (*Endpoint) GetNamedPortLocked added in v1.14.0

func (e *Endpoint) GetNamedPortLocked(ingress bool, name string, proto uint8) uint16

GetNamedPortLocked returns port for the given name. May return an invalid (0) port Must be called with e.mutex held.

func (*Endpoint) GetNamedPortsModel added in v1.14.0

func (e *Endpoint) GetNamedPortsModel() models.NamedPorts

GetNamedPortsModel returns the endpoint's NamedPorts object.

func (*Endpoint) GetNodeMAC added in v1.5.0

func (e *Endpoint) GetNodeMAC() mac.MAC

GetNodeMAC returns the MAC address of the node from this endpoint's perspective.

func (*Endpoint) GetOpLabels added in v1.5.0

func (e *Endpoint) GetOpLabels() []string

GetOpLabels returns the labels as slice

func (*Endpoint) GetOptions added in v1.5.0

func (e *Endpoint) GetOptions() *option.IntOptions

GetOptions returns the datapath configuration options of the endpoint.

func (*Endpoint) GetPod added in v1.14.0

func (e *Endpoint) GetPod() *slim_corev1.Pod

GetPod retrieves the pod related to this endpoint

func (*Endpoint) GetPolicyModel added in v1.5.0

func (e *Endpoint) GetPolicyModel() *models.EndpointPolicyStatus

GetPolicyModel returns the endpoint's policy as an API model.

Must be called with e.mutex RLock()ed.

func (*Endpoint) GetPolicyVerdictLogFilter added in v1.14.0

func (e *Endpoint) GetPolicyVerdictLogFilter() uint32

GetPolicyVerdictLogFilter returns the PolicyVerdictLogFilter that would control the creation of policy verdict logs. Value of VerdictLogFilter needs to be consistent with how it is used in policy_verdict_filter_allow() in bpf/lib/policy_log.h

func (*Endpoint) GetRealizedPolicyRuleLabelsForKey added in v1.14.0

func (e *Endpoint) GetRealizedPolicyRuleLabelsForKey(key policy.Key) (
	derivedFrom labels.LabelArrayList,
	revision uint64,
	ok bool,
)

GetRealizedPolicyRuleLabelsForKey returns the list of policy rule labels which match a given flow key (in host byte-order). The returned LabelArrayList is shallow-copied and therefore must not be mutated. This function explicitly exported to be accessed by code outside of the Cilium source code tree and for testing.

func (*Endpoint) GetSecurityIdentity added in v1.5.0

func (e *Endpoint) GetSecurityIdentity() (*identity.Identity, error)

GetSecurityIdentity returns the security identity of the endpoint. It assumes the endpoint's mutex is held.

func (*Endpoint) GetShortContainerID added in v1.5.0

func (e *Endpoint) GetShortContainerID() string

GetShortContainerID returns the endpoint's shortened container ID

func (*Endpoint) GetState added in v1.5.0

func (e *Endpoint) GetState() State

GetState returns the endpoint's state endpoint.mutex may only be rlockAlive()ed

func (*Endpoint) GetStatusModel added in v1.14.0

func (e *Endpoint) GetStatusModel() []*models.EndpointStatusChange

GetStatusModel returns the model of the status of this endpoint.

func (*Endpoint) HasLabels added in v0.10.0

func (e *Endpoint) HasLabels(l labels.Labels) bool

HasLabels returns whether endpoint e contains all labels l. Will return 'false' if any label in l is not in the endpoint's labels.

func (*Endpoint) HasSidecarProxy added in v1.5.0

func (e *Endpoint) HasSidecarProxy() bool

func (*Endpoint) HaveK8sMetadata added in v1.14.0

func (e *Endpoint) HaveK8sMetadata() (metadataSet bool)

HaveK8sMetadata returns true once hasK8sMetadata was set

func (*Endpoint) HostInterface added in v1.14.0

func (e *Endpoint) HostInterface() string

HostInterface returns the name of the link-layer interface used for communicating with the endpoint from the host (if available).

In some datapath modes, it may return an empty string as there is no unique host netns network interface for this endpoint.

func (*Endpoint) HumanStringLocked added in v1.5.0

func (e *Endpoint) HumanStringLocked() string

HumanStringLocked returns the endpoint's most human readable identifier as string

func (*Endpoint) IPv4Address added in v1.5.0

func (e *Endpoint) IPv4Address() netip.Addr

IPv4Address returns the IPv4 address of the endpoint

func (*Endpoint) IPv6Address added in v1.5.0

func (e *Endpoint) IPv6Address() netip.Addr

IPv6Address returns the IPv6 address of the endpoint

func (*Endpoint) Identifiers added in v1.14.0

func (e *Endpoint) Identifiers() (id.Identifiers, error)

Identifiers fetches the set of attributes that uniquely identify the endpoint.

func (*Endpoint) IdentifiersLocked added in v1.14.0

func (e *Endpoint) IdentifiersLocked() id.Identifiers

IdentifiersLocked fetches the set of attributes that uniquely identify the endpoint. The caller must hold exclusive control over the endpoint.

func (*Endpoint) InitEventQueue added in v1.14.0

func (e *Endpoint) InitEventQueue()

InitEventQueue initializes the endpoint's event queue. Note that this function does not begin processing events off the queue, as that's left up to the caller to call Expose in order to allow other subsystems to access the endpoint. This function assumes that the endpoint ID has already been allocated!

Having this be a separate function allows us to prepare the event queue while the endpoint is being validated (during restoration) so that when its metadata is resolved, events can be enqueued (such as visibility policy and bandwidth policy).

func (*Endpoint) InitMap added in v1.14.0

func (e *Endpoint) InitMap() error

InitMap creates the policy map in the kernel.

func (*Endpoint) InitWithNodeLabels added in v1.14.0

func (e *Endpoint) InitWithNodeLabels(ctx context.Context, launchTime time.Duration)

InitWithNodeLabels initializes the endpoint with the known node labels as well as reserved:host. It should only be used for the host endpoint.

func (*Endpoint) IsDisconnecting added in v1.5.0

func (e *Endpoint) IsDisconnecting() bool

IsDisconnecting returns true if the endpoint is being disconnected or already disconnected

This function must be called after re-acquiring the endpoint mutex to verify that the endpoint has not been removed in the meantime.

endpoint.mutex must be held in read mode at least

func (*Endpoint) IsHost added in v1.14.0

func (e *Endpoint) IsHost() bool

func (*Endpoint) IsInit added in v1.5.0

func (e *Endpoint) IsInit() bool

IsInit returns true if the endpoint still hasn't received identity labels, i.e. has the special identity with label reserved:init.

func (*Endpoint) K8sNamespaceAndPodNameIsSet added in v1.6.0

func (e *Endpoint) K8sNamespaceAndPodNameIsSet() bool

K8sNamespaceAndPodNameIsSet returns true if the pod name is set

func (*Endpoint) LXCMac added in v1.14.0

func (e *Endpoint) LXCMac() mac.MAC

LXCMac returns the LXCMac for this endpoint.

func (*Endpoint) LogStatus

func (e *Endpoint) LogStatus(typ StatusType, code StatusCode, msg string)

func (*Endpoint) LogStatusOK

func (e *Endpoint) LogStatusOK(typ StatusType, msg string)

func (*Endpoint) LogStatusOKLocked added in v1.5.0

func (e *Endpoint) LogStatusOKLocked(typ StatusType, msg string)

LogStatusOKLocked will log an OK message of the given status type with the given msg string. Must be called with endpoint.mutex RLock()ed.

func (*Endpoint) Logger added in v1.5.0

func (e *Endpoint) Logger(subsystem string) *logrus.Entry

Logger returns a logrus object with EndpointID, containerID and the Endpoint revision fields. The caller must specify their subsystem.

func (*Endpoint) LookupRedirectPortLocked added in v1.14.0

func (e *Endpoint) LookupRedirectPortLocked(ingress bool, protocol string, port uint16) uint16

lookupRedirectPort returns the redirect L4 proxy port for the given L4 policy map key, in host byte order. Returns 0 if not found or the filter doesn't require a redirect. Must be called with Endpoint.mutex held.

func (*Endpoint) MarkCTGCTime added in v1.14.0

func (e *Endpoint) MarkCTGCTime(now time.Time)

MarkCTGCTime is the START time of a GC run. It is used by the DNS garbage collector to determine whether a DNS zombie can be deleted. This is done by comparing the timestamp of the start CT GC run with the alive timestamps of specific DNS zombies IPs marked with MarkDNSCTEntry. NOTE: While the timestamp is the start of the run, it should be set AFTER the run completes. This avoids a race between the DNS garbage collector and the CT GC. This would occur when a DNS zombie that has not been visited by the CT GC run is seen by a concurrent DNS garbage collector run, and then deleted. The DNS garbage collector is in daemon/fqdn.go and the CT GC is in pkg/maps/ctmap/gc/gc.go

func (*Endpoint) MarkDNSCTEntry added in v1.14.0

func (e *Endpoint) MarkDNSCTEntry(dstIP netip.Addr, now time.Time)

MarkDNSCTEntry records that dstIP is in use by a connection that is allowed by toFQDNs policy. The reverse lookup is attempted in both DNSHistory and DNSCTHistory, allowing short DNS TTLs but long-lived connections to persist there.DNSCTHistory is used to suppress delete handling of expired DNS lookups (in DNSHistory) and it relies on pkg/maps/ctmap/gc to call this function. Internally, the lookupTime is used to checkpoint this update so that dns-garbage-collector-job can correctly clear older connection data.

func (*Endpoint) MarshalJSON added in v1.14.0

func (ep *Endpoint) MarshalJSON() ([]byte, error)

MarshalJSON marshals the Endpoint as its serializableEndpoint representation.

func (*Endpoint) ModifyIdentityLabels added in v1.5.0

func (e *Endpoint) ModifyIdentityLabels(addLabels, delLabels labels.Labels) error

ModifyIdentityLabels changes the custom and orchestration identity labels of an endpoint. Labels can be added or deleted. If a label change is performed, the endpoint will receive a new identity and will be regenerated. Both of these operations will happen in the background.

func (*Endpoint) NextDirectoryPath added in v1.5.0

func (e *Endpoint) NextDirectoryPath() string

NextDirectoryPath returns the directory name for this endpoint bpf program next bpf builds.

func (*Endpoint) OnDNSPolicyUpdateLocked added in v1.14.0

func (e *Endpoint) OnDNSPolicyUpdateLocked(rules restore.DNSRules)

OnDNSPolicyUpdateLocked is called when the Endpoint's DNS policy has been updated

func (*Endpoint) OnProxyPolicyUpdate added in v1.5.0

func (e *Endpoint) OnProxyPolicyUpdate(revision uint64)

OnProxyPolicyUpdate is a callback used to update the Endpoint's proxyPolicyRevision when the specified revision has been applied in the proxy.

func (*Endpoint) PolicyDebug added in v1.14.0

func (e *Endpoint) PolicyDebug(fields logrus.Fields, msg string)

PolicyDebug logs the 'msg' with 'fields' if policy debug logging is enabled.

func (*Endpoint) PolicyRevisionBumpEvent added in v1.5.0

func (e *Endpoint) PolicyRevisionBumpEvent(rev uint64)

PolicyRevisionBumpEvent queues an event for the given endpoint to set its realized policy revision to rev. This may block depending on if events have been queued up for the given endpoint. It blocks until the event has succeeded, or if the event has been cancelled.

func (*Endpoint) ProcessChangeRequest added in v1.14.0

func (e *Endpoint) ProcessChangeRequest(newEp *Endpoint, validPatchTransitionState bool) (string, error)

ProcessChangeRequest handles the update logic for performing a PATCH operation on a given Endpoint. Returns the reason which will be used for informational purposes should a caller choose to try to regenerate this endpoint, as well as an error if the Endpoint is being deleted, since there is no point in changing an Endpoint if it is going to be deleted.

func (*Endpoint) Regenerate

func (e *Endpoint) Regenerate(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool

Regenerate forces the regeneration of endpoint programs & policy Should only be called with e.state at StateWaitingToRegenerate, StateWaitingForIdentity, or StateRestoring

func (*Endpoint) RegenerateAfterRestore added in v1.14.0

func (e *Endpoint) RegenerateAfterRestore() error

RegenerateAfterRestore performs the following operations on the specified Endpoint: * allocates an identity for the Endpoint * regenerates the endpoint Returns an error if any operation fails while trying to perform the above operations.

func (*Endpoint) RegenerateIfAlive added in v1.6.0

func (e *Endpoint) RegenerateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool

RegenerateIfAlive queue a regeneration of this endpoint into the build queue of the endpoint and returns a channel that is closed when the regeneration of the endpoint is complete. The channel returns:

  • false if the regeneration failed
  • true if the regeneration succeed
  • nothing and the channel is closed if the regeneration did not happen

func (*Endpoint) RequireARPPassthrough added in v1.6.0

func (e *Endpoint) RequireARPPassthrough() bool

RequireARPPassthrough returns true if the datapath must implement ARP passthrough for this endpoint

func (*Endpoint) RequireEgressProg added in v1.6.0

func (e *Endpoint) RequireEgressProg() bool

RequireEgressProg returns true if the endpoint requires bpf_lxc with section "to-container" to be attached at egress on the host facing veth pair

func (*Endpoint) RequireEndpointRoute added in v1.6.0

func (e *Endpoint) RequireEndpointRoute() bool

RequireEndpointRoute returns if the endpoint wants a per endpoint route

func (*Endpoint) RequireRouting added in v1.6.0

func (e *Endpoint) RequireRouting() (required bool)

RequireRouting returns true if the endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing

func (*Endpoint) RunMetadataResolver added in v1.6.4

func (e *Endpoint) RunMetadataResolver(resolveMetadata MetadataResolverCB)

RunMetadataResolver starts a controller associated with the received endpoint which will periodically attempt to resolve the metadata for the endpoint and update the endpoint with the related. It stops resolving after either the first successful metadata resolution or when the endpoint is removed.

This assumes that after the initial successful resolution, other mechanisms will handle updates (such as pkg/k8s/watchers informers).

func (*Endpoint) SetAllocator added in v1.14.0

func (e *Endpoint) SetAllocator(allocator cache.IdentityAllocator)

SetAllocator sets the identity allocator for this endpoint.

func (*Endpoint) SetCiliumEndpointUID added in v1.14.0

func (e *Endpoint) SetCiliumEndpointUID(uid types.UID)

SetCiliumEndpointUID modifies the endpoint's CiliumEndpoint UID.

func (*Endpoint) SetContainerID added in v1.5.0

func (e *Endpoint) SetContainerID(id string)

SetContainerID modifies the endpoint's container ID

func (*Endpoint) SetContainerName added in v1.5.0

func (e *Endpoint) SetContainerName(name string)

SetContainerName modifies the endpoint's container name

func (*Endpoint) SetDefaultConfiguration added in v1.14.0

func (e *Endpoint) SetDefaultConfiguration(restore bool)

SetDefaultConfiguration sets the default configuration options for its boolean configuration options and for policy enforcement based off of the global policy enforcement configuration options. If restore is true, then the configuration option to keep endpoint configuration during endpoint restore is checked, and if so, this is a no-op.

func (*Endpoint) SetDefaultOpts

func (e *Endpoint) SetDefaultOpts(opts *option.IntOptions)

SetDefaultOpts initializes the endpoint Options and configures the specified options.

func (*Endpoint) SetDockerEndpointID added in v1.5.0

func (e *Endpoint) SetDockerEndpointID(id string)

SetDockerEndpointID modifies the endpoint's Docker Endpoint ID

func (*Endpoint) SetDockerNetworkID added in v1.5.0

func (e *Endpoint) SetDockerNetworkID(id string)

SetDockerNetworkID modifies the endpoint's Docker Endpoint ID

func (*Endpoint) SetIdentity

func (e *Endpoint) SetIdentity(identity *identityPkg.Identity, newEndpoint bool)

SetIdentity resets endpoint's policy identity to 'id'. Caller triggers policy regeneration if needed. Called with e.mutex Lock()ed

func (*Endpoint) SetK8sMetadata added in v1.14.0

func (e *Endpoint) SetK8sMetadata(containerPorts []slim_corev1.ContainerPort) error

SetK8sMetadata sets the k8s container ports specified by kubernetes. Note that once put in place, the new k8sPorts is never changed, so that the map can be used concurrently without keeping locks. Reading the 'e.k8sPorts' member (the "map pointer") *itself* requires the endpoint lock! Can't really error out as that might break backwards compatibility.

func (*Endpoint) SetK8sNamespace added in v1.5.0

func (e *Endpoint) SetK8sNamespace(name string)

SetK8sNamespace modifies the endpoint's pod name

func (*Endpoint) SetK8sPodName added in v1.5.0

func (e *Endpoint) SetK8sPodName(name string)

SetK8sPodName modifies the endpoint's pod name

func (*Endpoint) SetPod added in v1.14.0

func (e *Endpoint) SetPod(pod *slim_corev1.Pod)

SetPod sets the pod related to this endpoint.

func (*Endpoint) SetPolicyRevision added in v1.5.0

func (e *Endpoint) SetPolicyRevision(rev uint64)

SetPolicyRevision sets the endpoint's policy revision with the given revision.

func (*Endpoint) SetProxy added in v1.14.0

func (e *Endpoint) SetProxy(p EndpointProxy)

SetProxy sets the proxy for this endpoint.

func (*Endpoint) SetRegenerateStateIfAlive added in v1.14.0

func (e *Endpoint) SetRegenerateStateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) (bool, error)

SetRegenerateStateIfAlive tries to change the state of the endpoint for pending regeneration. Returns 'true' if 'e.Regenerate()' should be called after releasing the endpoint lock. Return 'false' if returned error is non-nil.

func (*Endpoint) SetState added in v1.6.9

func (e *Endpoint) SetState(toState State, reason string) bool

SetState modifies the endpoint's state. Returns true only if endpoints state was changed as requested

func (*Endpoint) SkipStateClean added in v1.5.0

func (e *Endpoint) SkipStateClean()

SkipStateClean can be called on a endpoint before its first build to skip the cleaning of state such as the conntrack table. This is useful when an endpoint is being restored from state and the datapath state should not be claned.

The endpoint lock must NOT be held.

func (*Endpoint) Start added in v1.14.0

func (e *Endpoint) Start(id uint16)

Start assigns a Cilium Endpoint ID to the endpoint and prepares it to receive events from other subsystems.

The endpoint must not already be exposed via the endpointmanager prior to calling Start(), as it assumes unconditional access over the Endpoint object.

func (*Endpoint) StateDirectoryPath added in v1.5.0

func (e *Endpoint) StateDirectoryPath() string

StateDirectoryPath returns the directory name for this endpoint bpf program.

func (*Endpoint) Stop added in v1.14.0

func (e *Endpoint) Stop()

Stop cleans up all goroutines managed by this endpoint (EventQueue, Controllers). This function should be used directly in cleanup functions which aim to stop goroutines managed by this endpoint, but without removing BPF maps and datapath state (for instance, because the daemon is shutting down but the endpoint should remain operational while the daemon is not running).

func (*Endpoint) String

func (e *Endpoint) String() string

String returns endpoint on a JSON format.

func (*Endpoint) StringID

func (e *Endpoint) StringID() string

StringID returns the endpoint's ID in a string.

func (*Endpoint) SyncEndpointHeaderFile added in v1.5.0

func (e *Endpoint) SyncEndpointHeaderFile()

SyncEndpointHeaderFile triggers the header file sync to the ep_config.h file. This includes updating the current DNS History information.

func (*Endpoint) UnmarshalJSON added in v1.14.0

func (ep *Endpoint) UnmarshalJSON(raw []byte) error

UnmarshalJSON expects that the contents of `raw` are a serializableEndpoint, which is then converted into an Endpoint.

func (*Endpoint) Update

Update modifies the endpoint options and *always* tries to regenerate the endpoint's program. Returns an error if the provided options are not valid, if there was an issue triggering policy updates for the given endpoint, or if endpoint regeneration was unable to be triggered. Note that the LabelConfiguration in the EndpointConfigurationSpec is *not* consumed here.

func (*Endpoint) UpdateBandwidthPolicy added in v1.14.0

func (e *Endpoint) UpdateBandwidthPolicy(annoCB AnnotationsResolverCB)

UpdateBandwidthPolicy updates the egress bandwidth of this endpoint to progagate the throttle rate to the BPF data path.

func (*Endpoint) UpdateController added in v1.5.0

func (e *Endpoint) UpdateController(name string, params controller.ControllerParams)

UpdateController updates the controller with the specified name with the provided list of parameters in endpoint's list of controllers.

func (*Endpoint) UpdateLabels added in v1.5.0

func (e *Endpoint) UpdateLabels(ctx context.Context, identityLabels, infoLabels labels.Labels, blocking bool) (regenTriggered bool)

UpdateLabels is called to update the labels of an endpoint. Calls to this function do not necessarily mean that the labels actually changed. The container runtime layer will periodically synchronize labels.

If a net label changed was performed, the endpoint will receive a new security identity and will be regenerated. Both of these operations will run first synchronously if 'blocking' is true, and then in the background.

Returns 'true' if endpoint regeneration was triggered.

func (*Endpoint) UpdateLabelsFrom added in v1.14.0

func (e *Endpoint) UpdateLabelsFrom(oldLbls, newLbls map[string]string, source string) error

UpdateLabelsFrom is a convenience function to update an endpoint's identity labels from any source.

func (*Endpoint) UpdateLogger added in v1.5.0

func (e *Endpoint) UpdateLogger(fields map[string]interface{})

UpdateLogger creates a logger instance specific to this endpoint. It will create a custom Debug logger for this endpoint when the option on it is set. If fields is not nil only the those specific fields will be updated in the endpoint's logger, otherwise a full update of those fields is executed.

Note: You must hold Endpoint.mutex.Lock() to synchronize logger pointer updates if the endpoint is already exposed. Callers that create new endopoints do not need locks to call this.

func (*Endpoint) UpdateNoTrackRules added in v1.14.0

func (e *Endpoint) UpdateNoTrackRules(annoCB AnnotationsResolverCB)

UpdateNoTrackRules updates the NOTRACK iptable rules for this endpoint. If anno is empty, then any existing NOTRACK rules will be removed. If anno cannot be parsed, we remove existing NOTRACK rules too if there's any.

func (*Endpoint) UpdateProxyStatistics added in v1.5.0

func (e *Endpoint) UpdateProxyStatistics(l4Protocol string, port uint16, ingress, request bool, verdict accesslog.FlowVerdict)

UpdateProxyStatistics updates the Endpoint's proxy statistics to account for a new observed flow with the given characteristics.

func (*Endpoint) UpdateVisibilityPolicy added in v1.14.0

func (e *Endpoint) UpdateVisibilityPolicy(annoCB AnnotationsResolverCB)

UpdateVisibilityPolicy updates the visibility policy of this endpoint to reflect the state stored in the provided proxy visibility annotation. If anno is empty, then the VisibilityPolicy for the Endpoint will be empty, and will have no effect. If the proxy visibility annotation cannot be parsed, an empty visibility policy is assigned to the Endpoint.

func (*Endpoint) ValidateConnectorPlumbing added in v1.14.0

func (e *Endpoint) ValidateConnectorPlumbing(linkChecker linkCheckerFunc) error

ValidateConnectorPlumbing checks whether the endpoint is correctly plumbed.

func (*Endpoint) WaitForFirstRegeneration added in v1.14.0

func (e *Endpoint) WaitForFirstRegeneration(ctx context.Context) error

WaitForFirstRegeneration waits for specific conditions before returning: * if the endpoint has a sidecar proxy, it waits for the endpoint's BPF program to be generated for the first time. * otherwise, waits for the endpoint to complete its first full regeneration.

func (*Endpoint) WaitForIdentity added in v1.14.0

func (e *Endpoint) WaitForIdentity(timeoutDuration time.Duration) *identity.Identity

WaitForIdentity waits for up to timeoutDuration amount of time for the endpoint to have an identity. If the timeout is reached, returns nil.

func (*Endpoint) WaitForPolicyRevision added in v1.5.0

func (e *Endpoint) WaitForPolicyRevision(ctx context.Context, rev uint64, done func(ts time.Time)) <-chan struct{}

WaitForPolicyRevision returns a channel that is closed when one or more of the following conditions have met:

  • the endpoint is disconnected state
  • the endpoint's policy revision reaches the wanted revision

When the done callback is non-nil it will be called just before the channel is closed.

type EndpointNoTrackEvent added in v1.14.0

type EndpointNoTrackEvent struct {
	// contains filtered or unexported fields
}

EndpointNoTrackEvent contains all fields necessary to update the NOTRACK rules.

func (*EndpointNoTrackEvent) Handle added in v1.14.0

func (ev *EndpointNoTrackEvent) Handle(res chan interface{})

Handle handles the NOTRACK rule update.

type EndpointPolicyBandwidthEvent added in v1.14.0

type EndpointPolicyBandwidthEvent struct {
	// contains filtered or unexported fields
}

EndpointPolicyBandwidthEvent contains all fields necessary to update the Pod's bandwidth policy.

func (*EndpointPolicyBandwidthEvent) Handle added in v1.14.0

func (ev *EndpointPolicyBandwidthEvent) Handle(res chan interface{})

Handle handles the policy bandwidth update.

type EndpointPolicyVisibilityEvent added in v1.14.0

type EndpointPolicyVisibilityEvent struct {
	// contains filtered or unexported fields
}

EndpointPolicyVisibilityEvent contains all fields necessary to update the visibility policy.

func (*EndpointPolicyVisibilityEvent) Handle added in v1.14.0

func (ev *EndpointPolicyVisibilityEvent) Handle(res chan interface{})

Handle handles the policy visibility update.

type EndpointProxy added in v1.14.0

type EndpointProxy interface {
	CreateOrUpdateRedirect(ctx context.Context, l4 policy.ProxyPolicy, id string, localEndpoint logger.EndpointUpdater, wg *completion.WaitGroup) (proxyPort uint16, err error, finalizeFunc revert.FinalizeFunc, revertFunc revert.RevertFunc)
	RemoveRedirect(id string, wg *completion.WaitGroup) (error, revert.FinalizeFunc, revert.RevertFunc)
	UpdateNetworkPolicy(ep logger.EndpointUpdater, vis *policy.VisibilityPolicy, policy *policy.L4Policy, ingressPolicyEnforced, egressPolicyEnforced bool, wg *completion.WaitGroup) (error, func() error)
	UseCurrentNetworkPolicy(ep logger.EndpointUpdater, policy *policy.L4Policy, wg *completion.WaitGroup)
	RemoveNetworkPolicy(ep logger.EndpointInfoSource)
}

EndpointProxy defines any L7 proxy with which an Endpoint must interact.

type EndpointRegenerationEvent added in v1.5.0

type EndpointRegenerationEvent struct {
	// contains filtered or unexported fields
}

EndpointRegenerationEvent contains all fields necessary to regenerate an endpoint.

func (*EndpointRegenerationEvent) Handle added in v1.5.0

func (ev *EndpointRegenerationEvent) Handle(res chan interface{})

Handle handles the regeneration event for the endpoint.

type EndpointRegenerationResult added in v1.5.0

type EndpointRegenerationResult struct {
	// contains filtered or unexported fields
}

EndpointRegenerationResult contains the results of an endpoint regeneration.

type EndpointRevisionBumpEvent added in v1.5.0

type EndpointRevisionBumpEvent struct {
	Rev uint64
	// contains filtered or unexported fields
}

EndpointRevisionBumpEvent contains all fields necessary to bump the policy revision of a given endpoint.

func (*EndpointRevisionBumpEvent) Handle added in v1.5.0

func (ev *EndpointRevisionBumpEvent) Handle(res chan interface{})

Handle handles the revision bump event for the Endpoint.

type EndpointStatus

type EndpointStatus struct {
	// CurrentStatuses is the last status of a given priority.
	CurrentStatuses componentStatus `json:"current-status,omitempty"`
	// Contains the last maxLogs messages for this endpoint.
	Log statusLog `json:"log,omitempty"`
	// Index is the index in the statusLog, is used to keep track the next
	// available position to write a new log message.
	Index int `json:"index"`
	// contains filtered or unexported fields
}

EndpointStatus represents the endpoint status.

func NewEndpointStatus

func NewEndpointStatus() *EndpointStatus

func (*EndpointStatus) CurrentStatus

func (e *EndpointStatus) CurrentStatus() StatusCode

func (*EndpointStatus) GetModel

func (e *EndpointStatus) GetModel() []*models.EndpointStatusChange

func (*EndpointStatus) String

func (e *EndpointStatus) String() string

type EndpointStatusConfiguration added in v1.14.0

type EndpointStatusConfiguration interface {
	// EndpointStatusIsEnabled must return true if a particular
	// option.EndpointStatus* feature is enabled
	EndpointStatusIsEnabled(option string) bool
}

EndpointStatusConfiguration is the configuration interface that a caller of to GetCiliumEndpointStatus() must implement

type FakeEndpointProxy added in v1.14.0

type FakeEndpointProxy struct{}

FakeEndpointProxy is a stub proxy used for testing.

func (*FakeEndpointProxy) CreateOrUpdateRedirect added in v1.14.0

func (f *FakeEndpointProxy) CreateOrUpdateRedirect(ctx context.Context, l4 policy.ProxyPolicy, id string, localEndpoint logger.EndpointUpdater, wg *completion.WaitGroup) (proxyPort uint16, err error, finalizeFunc revert.FinalizeFunc, revertFunc revert.RevertFunc)

CreateOrUpdateRedirect does nothing.

func (*FakeEndpointProxy) RemoveNetworkPolicy added in v1.14.0

func (f *FakeEndpointProxy) RemoveNetworkPolicy(ep logger.EndpointInfoSource)

RemoveNetworkPolicy does nothing.

func (*FakeEndpointProxy) RemoveRedirect added in v1.14.0

RemoveRedirect does nothing.

func (*FakeEndpointProxy) UpdateNetworkPolicy added in v1.14.0

func (f *FakeEndpointProxy) UpdateNetworkPolicy(ep logger.EndpointUpdater, vis *policy.VisibilityPolicy, policy *policy.L4Policy, ingressPolicyEnforced, egressPolicyEnforced bool, wg *completion.WaitGroup) (error, func() error)

UpdateNetworkPolicy does nothing.

func (*FakeEndpointProxy) UseCurrentNetworkPolicy added in v1.14.0

func (f *FakeEndpointProxy) UseCurrentNetworkPolicy(ep logger.EndpointUpdater, policy *policy.L4Policy, wg *completion.WaitGroup)

UseCurrentNetworkPolicy does nothing.

type MetadataResolverCB added in v1.6.4

type MetadataResolverCB func(ns, podName string) (pod *slim_corev1.Pod, _ []slim_corev1.ContainerPort, identityLabels labels.Labels, infoLabels labels.Labels, annotations map[string]string, err error)

MetadataResolverCB provides an implementation for resolving the endpoint metadata for an endpoint such as the associated labels and annotations.

type State added in v1.14.0

type State string

State is an enumeration for possible endpoint states.

type Status

type Status struct {
	Code  StatusCode `json:"code"`
	Msg   string     `json:"msg"`
	Type  StatusType `json:"status-type"`
	State string     `json:"state"`
}

func (Status) String

func (s Status) String() string

type StatusCode

type StatusCode int
const (
	OK       StatusCode = 0
	Warning  StatusCode = -1
	Failure  StatusCode = -2
	Disabled StatusCode = -3
)

func (StatusCode) String

func (sc StatusCode) String() string

type StatusResponse

type StatusResponse struct {
	KVStore    Status              `json:"kvstore"`
	Docker     Status              `json:"docker"`
	Kubernetes Status              `json:"kubernetes"`
	Cilium     Status              `json:"cilium"`
	IPAMStatus map[string][]string `json:",omitempty"`
}

type StatusType

type StatusType int

StatusType represents the type for the given status, higher the value, higher the priority.

const (
	BPF    StatusType = 200
	Policy StatusType = 100
	Other  StatusType = 0
)

type UpdateCompilationError

type UpdateCompilationError struct {
	// contains filtered or unexported fields
}

func (UpdateCompilationError) Error

func (e UpdateCompilationError) Error() string

type UpdateStateChangeError added in v1.5.0

type UpdateStateChangeError struct {
	// contains filtered or unexported fields
}

UpdateStateChangeError is an error that indicates that updating the state of an endpoint was unsuccessful. Implements error interface.

func (UpdateStateChangeError) Error added in v1.5.0

func (e UpdateStateChangeError) Error() string

type UpdateValidationError

type UpdateValidationError struct {
	// contains filtered or unexported fields
}

func (UpdateValidationError) Error

func (e UpdateValidationError) Error() string

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL