- Constants
- Variables
- func EnableTracing()
- func GetEnvoyVersion() string
- func GetFlowType(m *cilium.LogEntry) accesslog.FlowType
- func GetNetHttpHeaders(httpHeaders []*cilium.KeyValue) http.Header
- func GetProtocol(httpProtocol cilium.HttpProtocol) string
- func GetVerdict(m *cilium.LogEntry) accesslog.FlowVerdict
- func HTTPNetworkPolicyRuleLess(r1, r2 *cilium.HttpNetworkPolicyRule) bool
- func HeaderMatcherLess(m1, m2 *envoy_api_v2_route.HeaderMatcher) bool
- func ParseURL(scheme, host, path string) *url.URL
- func PortNetworkPolicyRuleLess(r1, r2 *cilium.PortNetworkPolicyRule) bool
- func SortHTTPNetworkPolicyRules(rules []*cilium.HttpNetworkPolicyRule)
- func SortHeaderMatchers(headers []*envoy_api_v2_route.HeaderMatcher)
- func SortPortNetworkPolicies(policies []*cilium.PortNetworkPolicy)
- func SortPortNetworkPolicyRules(rules []*cilium.PortNetworkPolicyRule)
- func StartAccessLogServer(stateDir string, xdsServer *XDSServer, ...)
- type Envoy
- type HTTPNetworkPolicyRuleSlice
- type HeaderMatcherSlice
- type Listener
- type NPHDSCache
- func (cache *NPHDSCache) HandleResourceVersionAck(ackVersion uint64, nackVersion uint64, node *envoy_api_v2_core.Node, ...)
- func (cache *NPHDSCache) OnIPIdentityCacheChange(modType ipcache.CacheModification, cidr net.IPNet, oldHostIP, newHostIP net.IP, ...)
- func (cache *NPHDSCache) OnIPIdentityCacheGC()
- type PortNetworkPolicyRuleSlice
- type PortNetworkPolicySlice
- type XDSServer
- func (s *XDSServer) AddListener(name string, kind policy.L7ParserType, port uint16, isIngress bool, ...)
- func (s *XDSServer) GetNetworkPolicies(resourceNames []string) (map[string]*cilium.NetworkPolicy, error)
- func (s *XDSServer) RemoveAllNetworkPolicies()
- func (s *XDSServer) RemoveListener(name string, wg *completion.WaitGroup) xds.AckingResourceMutatorRevertFunc
- func (s *XDSServer) RemoveNetworkPolicy(ep logger.EndpointInfoSource)
- func (s *XDSServer) UpdateNetworkPolicy(ep logger.EndpointUpdater, policy *policy.L4Policy, ...) (error, func() error)
Constants ¶
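// Type URLs identifying the xDS resource kinds this package serves. Each
// constant is on its own line so the doc comment preceding it does not
// swallow the declaration that follows (the collapsed single-line form is
// not valid Go).
const (
	// ListenerTypeURL is the type URL of Listener resources.
	ListenerTypeURL = "type.googleapis.com/envoy.api.v2.Listener"
	// NetworkPolicyTypeURL is the type URL of NetworkPolicy resources.
	NetworkPolicyTypeURL = "type.googleapis.com/cilium.NetworkPolicy"
	// NetworkPolicyHostsTypeURL is the type URL of NetworkPolicyHosts resources.
	NetworkPolicyHostsTypeURL = "type.googleapis.com/cilium.NetworkPolicyHosts"
)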
const (
// EnvoyTimeout is the timeout this package applies when waiting on Envoy.
// NOTE(review): the exact operations it bounds are not visible here —
// confirm against callers. It must remain smaller than
// endpoint.EndpointGenerationTimeout so that an Envoy timeout is reported
// before the enclosing endpoint regeneration gives up.
EnvoyTimeout = 300 * time.Second // must be smaller than endpoint.EndpointGenerationTimeout
)
Variables ¶
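var (
	// ErrNotImplemented is the error returned by gRPC methods that are not
	// implemented by Cilium. Declared on its own line so the preceding doc
	// comment no longer swallows the declaration.
	ErrNotImplemented = errors.New("not implemented")
)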
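var (
	// NetworkPolicyHostsCache is the global cache of resources of type
	// NetworkPolicyHosts. Resources in this cache must have the
	// NetworkPolicyHostsTypeURL type URL.
	// Declared on its own line so the preceding doc comment no longer
	// swallows the declaration.
	NetworkPolicyHostsCache = newNPHDSCache()
)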
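var (
	// RequiredEnvoyVersionSHA is set during build (presumably via linker
	// flags; the mechanism is not visible here — confirm in the build files).
	// Running Envoy version will be checked against `RequiredEnvoyVersionSHA`.
	// By default cilium-agent will fail to start if there is a version mismatch.
	// The zero value means no version was pinned at build time.
	RequiredEnvoyVersionSHA string
)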
Functions ¶
func EnableTracing ¶
func EnableTracing()
EnableTracing changes Envoy log level to "trace", producing the most logs.
func GetEnvoyVersion ¶
func GetEnvoyVersion() string
GetEnvoyVersion returns the envoy binary version string
func GetFlowType ¶
GetFlowType returns the type of flow (request|response)
func GetNetHttpHeaders ¶
GetNetHttpHeaders returns the given headers as a net/http Header.
func GetProtocol ¶
func GetProtocol(httpProtocol cilium.HttpProtocol) string
GetProtocol returns the HTTP protocol in the format that Cilium understands.
func GetVerdict ¶
func GetVerdict(m *cilium.LogEntry) accesslog.FlowVerdict
GetVerdict returns the verdict performed on the flow (forwarded|denied)
func HTTPNetworkPolicyRuleLess ¶
func HTTPNetworkPolicyRuleLess(r1, r2 *cilium.HttpNetworkPolicyRule) bool
HTTPNetworkPolicyRuleLess reports whether the r1 rule should sort before the r2 rule.
func HeaderMatcherLess ¶
func HeaderMatcherLess(m1, m2 *envoy_api_v2_route.HeaderMatcher) bool
HeaderMatcherLess reports whether the m1 matcher should sort before the m2 matcher.
func PortNetworkPolicyRuleLess ¶
func PortNetworkPolicyRuleLess(r1, r2 *cilium.PortNetworkPolicyRule) bool
PortNetworkPolicyRuleLess reports whether the r1 rule should sort before the r2 rule. Rules that match only at L3/L4 sort before rules that also carry L7 conditions.
func SortHTTPNetworkPolicyRules ¶
func SortHTTPNetworkPolicyRules(rules []*cilium.HttpNetworkPolicyRule)
SortHTTPNetworkPolicyRules sorts the given slice.
func SortHeaderMatchers ¶
func SortHeaderMatchers(headers []*envoy_api_v2_route.HeaderMatcher)
SortHeaderMatchers sorts the given slice.
func SortPortNetworkPolicies ¶
func SortPortNetworkPolicies(policies []*cilium.PortNetworkPolicy)
SortPortNetworkPolicies sorts the given slice.
func SortPortNetworkPolicyRules ¶
func SortPortNetworkPolicyRules(rules []*cilium.PortNetworkPolicyRule)
SortPortNetworkPolicyRules sorts the given slice.
func StartAccessLogServer ¶
func StartAccessLogServer(stateDir string, xdsServer *XDSServer, endpointInfoRegistry logger.EndpointInfoRegistry)
StartAccessLogServer starts the access log server.
Types ¶
type Envoy ¶
type Envoy struct {
// contains filtered or unexported fields
}
Envoy manages a running Envoy proxy instance via the ListenerDiscoveryService and RouteDiscoveryService gRPC APIs.
func StartEnvoy ¶
StartEnvoy starts an Envoy proxy instance.
func (*Envoy) ChangeLogLevel ¶
ChangeLogLevel changes Envoy log level to correspond to the logrus log level 'level'.
type HTTPNetworkPolicyRuleSlice ¶
type HTTPNetworkPolicyRuleSlice []*cilium.HttpNetworkPolicyRule
HTTPNetworkPolicyRuleSlice implements sort.Interface to sort a slice of *cilium.HttpNetworkPolicyRule.
func (HTTPNetworkPolicyRuleSlice) Len ¶
func (s HTTPNetworkPolicyRuleSlice) Len() int
func (HTTPNetworkPolicyRuleSlice) Less ¶
func (s HTTPNetworkPolicyRuleSlice) Less(i, j int) bool
func (HTTPNetworkPolicyRuleSlice) Swap ¶
func (s HTTPNetworkPolicyRuleSlice) Swap(i, j int)
type HeaderMatcherSlice ¶
type HeaderMatcherSlice []*envoy_api_v2_route.HeaderMatcher
HeaderMatcherSlice implements sort.Interface to sort a slice of *envoy_api_v2_route.HeaderMatcher.
func (HeaderMatcherSlice) Len ¶
func (s HeaderMatcherSlice) Len() int
func (HeaderMatcherSlice) Less ¶
func (s HeaderMatcherSlice) Less(i, j int) bool
func (HeaderMatcherSlice) Swap ¶
func (s HeaderMatcherSlice) Swap(i, j int)
type NPHDSCache ¶
NPHDSCache is a cache of resources in the Network Policy Hosts Discovery Service.
func (*NPHDSCache) HandleResourceVersionAck ¶ added in v1.6.0
func (cache *NPHDSCache) HandleResourceVersionAck(ackVersion uint64, nackVersion uint64, node *envoy_api_v2_core.Node, resourceNames []string, typeURL string, detail string)
HandleResourceVersionAck is required to implement ResourceVersionAckObserver.
func (*NPHDSCache) OnIPIdentityCacheChange ¶
func (cache *NPHDSCache) OnIPIdentityCacheChange(modType ipcache.CacheModification, cidr net.IPNet, oldHostIP, newHostIP net.IP, oldID *identity.NumericIdentity, newID identity.NumericIdentity, encryptKey uint8)
OnIPIdentityCacheChange pushes modifications to the IP<->Identity mapping into the Network Policy Host Discovery Service (NPHDS).
func (*NPHDSCache) OnIPIdentityCacheGC ¶
func (cache *NPHDSCache) OnIPIdentityCacheGC()
OnIPIdentityCacheGC is required to implement IPIdentityMappingListener.
type PortNetworkPolicyRuleSlice ¶
type PortNetworkPolicyRuleSlice []*cilium.PortNetworkPolicyRule
PortNetworkPolicyRuleSlice implements sort.Interface to sort a slice of *cilium.PortNetworkPolicyRule.
func (PortNetworkPolicyRuleSlice) Len ¶
func (s PortNetworkPolicyRuleSlice) Len() int
func (PortNetworkPolicyRuleSlice) Less ¶
func (s PortNetworkPolicyRuleSlice) Less(i, j int) bool
func (PortNetworkPolicyRuleSlice) Swap ¶
func (s PortNetworkPolicyRuleSlice) Swap(i, j int)
type PortNetworkPolicySlice ¶
type PortNetworkPolicySlice []*cilium.PortNetworkPolicy
PortNetworkPolicySlice implements sort.Interface to sort a slice of *cilium.PortNetworkPolicy.
func (PortNetworkPolicySlice) Len ¶
func (s PortNetworkPolicySlice) Len() int
func (PortNetworkPolicySlice) Less ¶
func (s PortNetworkPolicySlice) Less(i, j int) bool
func (PortNetworkPolicySlice) Swap ¶
func (s PortNetworkPolicySlice) Swap(i, j int)
type XDSServer ¶
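// XDSServer provides a high-level interface to manage resources published
// using the xDS gRPC API. The struct is written one field per line so the
// doc comment on the exported field no longer swallows the field itself.
type XDSServer struct {
	// NetworkPolicyMutator wraps networkPolicyCache to publish route
	// configuration updates to Envoy proxies.
	// Exported for testing only!
	NetworkPolicyMutator xds.AckingResourceMutator
	// contains filtered or unexported fields
}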
XDSServer provides a high-level interface to manage resources published using the xDS gRPC API.
func StartXDSServer ¶
StartXDSServer configures and starts the xDS gRPC server.
func (*XDSServer) AddListener ¶
func (s *XDSServer) AddListener(name string, kind policy.L7ParserType, port uint16, isIngress bool, mayUseOriginalSourceAddr bool, wg *completion.WaitGroup)
AddListener adds a listener to a running Envoy proxy.
func (*XDSServer) GetNetworkPolicies ¶
func (s *XDSServer) GetNetworkPolicies(resourceNames []string) (map[string]*cilium.NetworkPolicy, error)
GetNetworkPolicies returns the current version of the network policies with the given names. If resourceNames is empty, all resources are returned.
func (*XDSServer) RemoveAllNetworkPolicies ¶
func (s *XDSServer) RemoveAllNetworkPolicies()
RemoveAllNetworkPolicies removes all network policies from the set published to L7 proxies.
func (*XDSServer) RemoveListener ¶
func (s *XDSServer) RemoveListener(name string, wg *completion.WaitGroup) xds.AckingResourceMutatorRevertFunc
RemoveListener removes an existing Envoy Listener.
func (*XDSServer) RemoveNetworkPolicy ¶
func (s *XDSServer) RemoveNetworkPolicy(ep logger.EndpointInfoSource)
RemoveNetworkPolicy removes network policies relevant to the specified endpoint from the set published to L7 proxies, and stops listening for acks for policies on this endpoint.
func (*XDSServer) UpdateNetworkPolicy ¶
func (s *XDSServer) UpdateNetworkPolicy(ep logger.EndpointUpdater, policy *policy.L4Policy, ingressPolicyEnforced, egressPolicyEnforced bool, wg *completion.WaitGroup) (error, func() error)
UpdateNetworkPolicy adds or updates a network policy in the set published to L7 proxies. When the proxy acknowledges the network policy update, it will result in a subsequent call to the endpoint's OnProxyPolicyUpdate() function.