package api
v1.14.2
Published: Mar 14, 2023 License: Apache-2.0 Imports: 25 Imported by: 0

Documentation

Overview

Package api defines the API of the Cilium network policy interface +groupName=policy

Index

Constants

const (
	IPv4Family = "IPv4"
	IPv6Family = "IPv6"
)
const (
	AWSProvider = "AWS" // AWS provider key
)

Variables

var (
	EndpointSelectorNone = NewESFromLabels(labels.NewLabel(labels.IDNameNone, "", labels.LabelSourceReserved))

	// EntitySelectorMapping maps special entity names that come in
	// policies to selectors
	EntitySelectorMapping = map[Entity]EndpointSelectorSlice{
		EntityAll:           {WildcardEndpointSelector},
		EntityWorld:         {endpointSelectorWorld},
		EntityHost:          {endpointSelectorHost},
		EntityInit:          {endpointSelectorInit},
		EntityIngress:       {endpointSelectorIngress},
		EntityRemoteNode:    {endpointSelectorRemoteNode},
		EntityHealth:        {endpointSelectorHealth},
		EntityUnmanaged:     {endpointSelectorUnmanaged},
		EntityNone:          {EndpointSelectorNone},
		EntityKubeAPIServer: {endpointSelectorKubeAPIServer},

		EntityCluster: {},
	}
)
var (

	// FQDNMatchNameRegexString is a regex string which matches what's expected
	// in the MatchName field in the FQDNSelector. This should be kept in-sync
	// with the marker comment for validation. There's no way to use a Golang
	// variable in the marker comment, so it's left up to the developer.
	FQDNMatchNameRegexString = `^([-a-zA-Z0-9_]+[.]?)+$`

	// FQDNMatchPatternRegexString is a regex string which matches what's expected
	// in the MatchPattern field in the FQDNSelector. This should be kept in-sync
	// with the marker comment for validation. There's no way to use a Golang
	// variable in the marker comment, so it's left up to the developer.
	FQDNMatchPatternRegexString = `^([-a-zA-Z0-9_*]+[.]?)+$`
)
var (
	// WildcardEndpointSelector is a wildcard endpoint selector matching
	// all endpoints that can be described with labels.
	WildcardEndpointSelector = NewESFromLabels()

	// ReservedEndpointSelectors map reserved labels to EndpointSelectors
	// that will match those endpoints.
	ReservedEndpointSelectors = map[string]EndpointSelector{
		labels.IDNameHost:       newReservedEndpointSelector(labels.IDNameHost),
		labels.IDNameRemoteNode: newReservedEndpointSelector(labels.IDNameRemoteNode),
		labels.IDNameWorld:      newReservedEndpointSelector(labels.IDNameWorld),
	}
)
var CIDRMatchAll = []CIDR{CIDR("0.0.0.0/0"), CIDR("::/0")}

CIDRMatchAll is a []CIDR that matches everything

Functions

func InitEntities added in v1.5.0

func InitEntities(clusterName string, treatRemoteNodeAsHost bool)

InitEntities is called to initialize the policy API layer

func RegisterToGroupsProvider added in v1.5.0

func RegisterToGroupsProvider(providerName string, callback GroupProviderFunc)

RegisterToGroupsProvider registers a new callback that will be used when a new ToGroups rule is added.

func ResourceQualifiedName added in v1.14.0

func ResourceQualifiedName(namespace, name, resource string) string

ResourceQualifiedName returns the qualified name of an Envoy resource, prepending CEC namespace and CEC name to the resource name and using '/' as a separator.

In case of an empty CEC namespace or an empty CEC name, leading separators are stripped away.

Types

type AWSGroup added in v1.5.0

type AWSGroup struct {
	Labels              map[string]string `json:"labels,omitempty"`
	SecurityGroupsIds   []string          `json:"securityGroupsIds,omitempty"`
	SecurityGroupsNames []string          `json:"securityGroupsNames,omitempty"`
	Region              string            `json:"region,omitempty"`
}

AWSGroup is a structure that can be used to whitelist information from the AWS integration.

func (*AWSGroup) DeepCopy added in v1.5.0

func (in *AWSGroup) DeepCopy() *AWSGroup

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSGroup.

func (*AWSGroup) DeepCopyInto added in v1.5.0

func (in *AWSGroup) DeepCopyInto(out *AWSGroup)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*AWSGroup) DeepEqual added in v1.14.0

func (in *AWSGroup) DeepEqual(other *AWSGroup) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type Auth added in v1.14.0

type Auth struct {
	// Type is the required authentication type for the allowed traffic, if any.
	//
	// +kubebuilder:validation:Enum=null
	// +kubebuilder:validation:Required
	Type AuthType `json:"type"`
}

Auth specifies the kind of cryptographic authentication required for the traffic to be allowed.

func (*Auth) DeepCopy added in v1.14.0

func (in *Auth) DeepCopy() *Auth

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Auth.

func (*Auth) DeepCopyInto added in v1.14.0

func (in *Auth) DeepCopyInto(out *Auth)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Auth) DeepEqual added in v1.14.0

func (in *Auth) DeepEqual(other *Auth) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type AuthType added in v1.14.0

type AuthType string

AuthType is a string identifying a supported authentication type

const (
	AuthTypeNull AuthType = "null" // Always succeeds
)

type CIDR

type CIDR string

CIDR specifies a block of IP addresses. Example: 192.0.2.1/32

func (CIDR) MatchesAll added in v1.5.0

func (c CIDR) MatchesAll() bool

MatchesAll determines whether the CIDR matches all traffic.

type CIDRRule added in v1.5.0

type CIDRRule struct {
	// CIDR is a CIDR prefix / IP Block.
	//
	// +kubebuilder:validation:Required
	Cidr CIDR `json:"cidr"`

	// ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule
	// is not allowed to initiate connections to. These CIDR prefixes should be
	// contained within Cidr. These exceptions are only applied to the Cidr in
	// this CIDRRule, and do not apply to any other CIDR prefixes in any other
	// CIDRRules.
	//
	// +kubebuilder:validation:Optional
	ExceptCIDRs []CIDR `json:"except,omitempty"`

	// Generated indicates whether the rule was generated based on other rules
	// or provided by user
	Generated bool `json:"-"`
}

CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.

func (*CIDRRule) DeepCopy added in v1.5.0

func (in *CIDRRule) DeepCopy() *CIDRRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CIDRRule.

func (*CIDRRule) DeepCopyInto added in v1.5.0

func (in *CIDRRule) DeepCopyInto(out *CIDRRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CIDRRule) DeepEqual added in v1.14.0

func (in *CIDRRule) DeepEqual(other *CIDRRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (CIDRRule) String added in v1.6.9

func (r CIDRRule) String() string

String converts the CIDRRule into a human-readable string.

type CIDRRuleSlice added in v1.5.0

type CIDRRuleSlice []CIDRRule

CIDRRuleSlice is a slice of CIDRRules. It allows receiver methods to be defined for transforming the slice into other convenient forms such as EndpointSelectorSlice.

func (CIDRRuleSlice) DeepCopy added in v1.5.0

func (in CIDRRuleSlice) DeepCopy() CIDRRuleSlice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CIDRRuleSlice.

func (CIDRRuleSlice) DeepCopyInto added in v1.5.0

func (in CIDRRuleSlice) DeepCopyInto(out *CIDRRuleSlice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CIDRRuleSlice) DeepEqual added in v1.14.0

func (in *CIDRRuleSlice) DeepEqual(other *CIDRRuleSlice) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (CIDRRuleSlice) GetAsEndpointSelectors added in v1.5.0

func (s CIDRRuleSlice) GetAsEndpointSelectors() EndpointSelectorSlice

GetAsEndpointSelectors returns the provided CIDRRule slice as a slice of endpoint selectors

func (CIDRRuleSlice) StringSlice added in v1.6.9

func (s CIDRRuleSlice) StringSlice() []string

StringSlice returns the CIDRRuleSlice as a slice of strings.

type CIDRSlice added in v1.5.0

type CIDRSlice []CIDR

CIDRSlice is a slice of CIDRs. It allows receiver methods to be defined for transforming the slice into other convenient forms such as EndpointSelectorSlice.

func ComputeResultantCIDRSet added in v1.5.0

func ComputeResultantCIDRSet(cidrs CIDRRuleSlice) CIDRSlice

ComputeResultantCIDRSet converts a slice of CIDRRules into a slice of individual CIDRs. This expands the cidr defined by each CIDRRule, applies the CIDR exceptions defined in "ExceptCIDRs", and forms a minimal set of CIDRs that cover all of the CIDRRules.

Assumes no error checking is necessary as CIDRRule.Sanitize already does this.
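As an added, stand-alone illustration of the expansion ComputeResultantCIDRSet describes (this is not Cilium's own implementation), the following Go program carves the ToCIDRSet example exception 10.2.3.0/28 out of 10.2.3.0/24 by recursively splitting the prefix until the exception is isolated, and emits the minimal covering set. The local CIDRRule type, the helper names and the string-based representation are assumptions made so the program runs without the Cilium module.

```go
package main

import (
	"fmt"
	"net/netip"
	"sort"
)

// CIDRRule is an assumed local stand-in for api.CIDRRule: a prefix plus the
// ExceptCIDRs to carve out of it. Strings replace api.CIDR so the program
// runs without the Cilium module.
type CIDRRule struct {
	Cidr        string
	ExceptCIDRs []string
}

// halves splits an already-masked prefix p into its two /(n+1) children,
// e.g. 10.2.3.0/24 -> 10.2.3.0/25 and 10.2.3.128/25.
func halves(p netip.Prefix) (lo, hi netip.Prefix) {
	bits := p.Bits()
	lo = netip.PrefixFrom(p.Addr(), bits+1)
	var hiAddr netip.Addr
	if p.Addr().Is4() {
		b := p.Addr().As4()
		b[bits/8] |= 0x80 >> (bits % 8) // set the first host bit
		hiAddr = netip.AddrFrom4(b)
	} else {
		b := p.Addr().As16()
		b[bits/8] |= 0x80 >> (bits % 8)
		hiAddr = netip.AddrFrom16(b)
	}
	return lo, netip.PrefixFrom(hiAddr, bits+1)
}

// subtract returns the minimal set of prefixes covering p with every prefix
// in excepts removed. Two prefixes overlap only if one contains the other,
// so an overlapping exception no longer than p swallows p entirely;
// otherwise p is split and both halves are examined. Exceptions that do not
// overlap p (which the page says should not occur) have no effect.
func subtract(p netip.Prefix, excepts []netip.Prefix) []netip.Prefix {
	overlaps := false
	for _, e := range excepts {
		if !e.Overlaps(p) {
			continue
		}
		if e.Bits() <= p.Bits() {
			return nil // e contains p: nothing of p survives
		}
		overlaps = true
	}
	if !overlaps {
		return []netip.Prefix{p}
	}
	// p strictly contains an exception, so it is shorter than a full-length
	// prefix and can be split further.
	lo, hi := halves(p)
	return append(subtract(lo, excepts), subtract(hi, excepts)...)
}

// ComputeResultantCIDRSet expands every rule's cidr, applies its ExceptCIDRs
// and returns the resulting prefixes as sorted strings. A rule without
// exceptions yields itself unchanged, matching the page's note that a plain
// ToCIDR entry and a ToCIDRSet entry without exceptions are equivalent.
func ComputeResultantCIDRSet(rules []CIDRRule) ([]string, error) {
	var out []netip.Prefix
	for _, r := range rules {
		p, err := netip.ParsePrefix(r.Cidr)
		if err != nil {
			return nil, fmt.Errorf("cidr %q: %w", r.Cidr, err)
		}
		p = p.Masked()
		excepts := make([]netip.Prefix, 0, len(r.ExceptCIDRs))
		for _, ex := range r.ExceptCIDRs {
			e, err := netip.ParsePrefix(ex)
			if err != nil {
				return nil, fmt.Errorf("except %q: %w", ex, err)
			}
			if e.Addr().Is4() != p.Addr().Is4() {
				return nil, fmt.Errorf("except %q and cidr %q differ in address family", ex, r.Cidr)
			}
			excepts = append(excepts, e.Masked())
		}
		out = append(out, subtract(p, excepts)...)
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].Addr() != out[j].Addr() {
			return out[i].Addr().Less(out[j].Addr())
		}
		return out[i].Bits() < out[j].Bits()
	})
	res := make([]string, len(out))
	for i, p := range out {
		res[i] = p.String()
	}
	return res, nil
}

func main() {
	// The example from the ToCIDRSet field comment: 10.2.3.0/24 except 10.2.3.0/28.
	got, err := ComputeResultantCIDRSet([]CIDRRule{{Cidr: "10.2.3.0/24", ExceptCIDRs: []string{"10.2.3.0/28"}}})
	if err != nil {
		panic(err)
	}
	fmt.Println(got) // [10.2.3.16/28 10.2.3.32/27 10.2.3.64/26 10.2.3.128/25]
}
```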

func (CIDRSlice) DeepCopy added in v1.5.0

func (in CIDRSlice) DeepCopy() CIDRSlice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CIDRSlice.

func (CIDRSlice) DeepCopyInto added in v1.5.0

func (in CIDRSlice) DeepCopyInto(out *CIDRSlice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*CIDRSlice) DeepEqual added in v1.14.0

func (in *CIDRSlice) DeepEqual(other *CIDRSlice) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (CIDRSlice) GetAsEndpointSelectors added in v1.5.0

func (s CIDRSlice) GetAsEndpointSelectors() EndpointSelectorSlice

GetAsEndpointSelectors returns the provided CIDR slice as a slice of endpoint selectors

func (CIDRSlice) String added in v1.6.9

func (s CIDRSlice) String() string

String converts the CIDRSlice into a human-readable string.

func (CIDRSlice) StringSlice added in v1.5.0

func (s CIDRSlice) StringSlice() []string

StringSlice returns the CIDR slice as a slice of strings.

type Decision

type Decision byte

Decision is a reachability policy decision

const (
	// Undecided means that we have not come to a decision yet
	Undecided Decision = iota
	// Allowed means that reachability is allowed
	Allowed
	// Denied means that reachability is denied
	Denied
)

func (Decision) MarshalJSON

func (d Decision) MarshalJSON() ([]byte, error)

MarshalJSON returns the decision as JSON formatted buffer

func (Decision) String

func (d Decision) String() string

String returns the decision in human readable format

func (*Decision) UnmarshalJSON

func (d *Decision) UnmarshalJSON(b []byte) error

UnmarshalJSON parses a JSON formatted buffer and returns a decision

type EgressCommonRule added in v1.14.0

type EgressCommonRule struct {
	// ToEndpoints is a list of endpoints identified by an EndpointSelector to
	// which the endpoints subject to the rule are allowed to communicate.
	//
	// Example:
	// Any endpoint with the label "role=frontend" can communicate with any
	// endpoint carrying the label "role=backend".
	//
	// +kubebuilder:validation:Optional
	ToEndpoints []EndpointSelector `json:"toEndpoints,omitempty"`

	// ToRequires is a list of additional constraints which must be met
	// in order for the selected endpoints to be able to connect to other
	// endpoints. These additional constraints do not by themselves grant access
	// privileges and must always be accompanied with at least one matching
	// ToEndpoints.
	//
	// Example:
	// Any Endpoint with the label "team=A" requires any endpoint to which it
	// communicates to also carry the label "team=A".
	//
	// +kubebuilder:validation:Optional
	ToRequires []EndpointSelector `json:"toRequires,omitempty"`

	// ToCIDR is a list of IP blocks which the endpoint subject to the rule
	// is allowed to initiate connections to. Only connections destined for
	// outside of the cluster and not targeting the host will be subject
	// to CIDR rules.  This will match on the destination IP address of
	// outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet
	// with no ExcludeCIDRs is equivalent. Overlaps are allowed between
	// ToCIDR and ToCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=database-proxy" is allowed to
	// initiate connections to 10.2.3.0/24
	//
	// +kubebuilder:validation:Optional
	ToCIDR CIDRSlice `json:"toCIDR,omitempty"`

	// ToCIDRSet is a list of IP blocks which the endpoint subject to the rule
	// is allowed to initiate connections to in addition to connections
	// which are allowed via ToEndpoints, along with a list of subnets contained
	// within their corresponding IP block to which traffic should not be
	// allowed. This will match on the destination IP address of outgoing
	// connections. Adding a prefix into ToCIDR or into ToCIDRSet with no
	// ExcludeCIDRs is equivalent. Overlaps are allowed between ToCIDR and
	// ToCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=database-proxy" is allowed to
	// initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.
	//
	// +kubebuilder:validation:Optional
	ToCIDRSet CIDRRuleSlice `json:"toCIDRSet,omitempty"`

	// ToEntities is a list of special entities to which the endpoint subject
	// to the rule is allowed to initiate connections. Supported entities are
	// `world`, `cluster`,`host`,`remote-node`,`kube-apiserver`, `init`,
	// `health`,`unmanaged` and `all`.
	//
	// +kubebuilder:validation:Optional
	ToEntities EntitySlice `json:"toEntities,omitempty"`

	// ToServices is a list of services to which the endpoint subject
	// to the rule is allowed to initiate connections.
	// Currently Cilium only supports toServices for K8s services without
	// selectors.
	//
	// Example:
	// Any endpoint with the label "app=backend-app" is allowed to
	// initiate connections to all cidrs backing the "external-service" service
	//
	// +kubebuilder:validation:Optional
	ToServices []Service `json:"toServices,omitempty"`

	// ToGroups is a directive that allows the integration with multiple outside
	// providers. Currently, only AWS is supported, and the rule can select by
	// multiple sub directives:
	//
	// Example:
	// toGroups:
	// - aws:
	//     securityGroupsIds:
	//     - 'sg-XXXXXXXXXXXXX'
	//
	// +kubebuilder:validation:Optional
	ToGroups []ToGroups `json:"toGroups,omitempty"`
	// contains filtered or unexported fields
}

EgressCommonRule is a rule that shares some of its fields across the EgressRule and EgressDenyRule. It's publicly exported so the code generators can generate code for this structure.

func (*EgressCommonRule) AllowsWildcarding added in v1.14.0

func (e *EgressCommonRule) AllowsWildcarding() bool

AllowsWildcarding returns true if wildcarding should be performed upon policy evaluation for the given rule.

func (*EgressCommonRule) DeepCopy added in v1.14.0

func (in *EgressCommonRule) DeepCopy() *EgressCommonRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressCommonRule.

func (*EgressCommonRule) DeepCopyInto added in v1.14.0

func (in *EgressCommonRule) DeepCopyInto(out *EgressCommonRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EgressCommonRule) DeepEqual added in v1.14.0

func (in *EgressCommonRule) DeepEqual(other *EgressCommonRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*EgressCommonRule) RequiresDerivative added in v1.14.0

func (e *EgressCommonRule) RequiresDerivative() bool

RequiresDerivative returns true when the EgressCommonRule contains sections that need a derivative policy created in order to be enforced (e.g. ToGroups).

func (*EgressCommonRule) SetAggregatedSelectors added in v1.14.0

func (e *EgressCommonRule) SetAggregatedSelectors()

SetAggregatedSelectors creates a single slice containing all of the following fields within the EgressRule, converted to EndpointSelector, to be stored within the EgressRule for easy lookup while performing policy evaluation for the rule:

  • ToEntities

  • ToCIDR

  • ToCIDRSet

  • ToFQDNs

ToEndpoints is not aggregated due to requirement folding in GetDestinationEndpointSelectorsWithRequirements()

type EgressDenyRule added in v1.14.0

type EgressDenyRule struct {
	EgressCommonRule `json:",inline"`

	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is not allowed to connect
	// to.
	//
	// Example:
	// Any endpoint with the label "role=frontend" is not allowed to initiate
	// connections to destination port 8080/tcp
	//
	// +kubebuilder:validation:Optional
	ToPorts PortDenyRules `json:"toPorts,omitempty"`

	// ICMPs is a list of ICMP rule identified by type number
	// which the endpoint subject to the rule is not allowed to connect to.
	//
	// Example:
	// Any endpoint with the label "app=httpd" is not allowed to initiate
	// type 8 ICMP connections.
	//
	// +kubebuilder:validation:Optional
	ICMPs ICMPRules `json:"icmps,omitempty"`
}

EgressDenyRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.

  • All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.

  • If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well.

  • ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule.

func (*EgressDenyRule) CreateDerivative added in v1.14.0

func (e *EgressDenyRule) CreateDerivative(ctx context.Context) (*EgressDenyRule, error)

CreateDerivative returns a new rule, built from the data gathered by the rules, that forms a new derivative policy. In the case of ToGroups it calls out through the groups callback, so this function can take some time.

func (*EgressDenyRule) DeepCopy added in v1.14.0

func (in *EgressDenyRule) DeepCopy() *EgressDenyRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressDenyRule.

func (*EgressDenyRule) DeepCopyInto added in v1.14.0

func (in *EgressDenyRule) DeepCopyInto(out *EgressDenyRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EgressDenyRule) DeepEqual added in v1.14.0

func (in *EgressDenyRule) DeepEqual(other *EgressDenyRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*EgressDenyRule) GetDestinationEndpointSelectorsWithRequirements added in v1.14.0

func (e *EgressDenyRule) GetDestinationEndpointSelectorsWithRequirements(requirements []slim_metav1.LabelSelectorRequirement) EndpointSelectorSlice

GetDestinationEndpointSelectorsWithRequirements returns a slice of endpoint selectors covering all L3 destination selectors of the egress deny rule

type EgressRule

type EgressRule struct {
	EgressCommonRule `json:",inline"`

	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is allowed to
	// connect to.
	//
	// Example:
	// Any endpoint with the label "role=frontend" is allowed to initiate
	// connections to destination port 8080/tcp
	//
	// +kubebuilder:validation:Optional
	ToPorts PortRules `json:"toPorts,omitempty"`

	// ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result
	// from DNS resolution of `ToFQDN.MatchName`s are added to the same
	// EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and
	// L7 rules within this EgressRule will also apply to these IPs.
	// The DNS -> IP mapping is re-resolved periodically from within the
	// cilium-agent, and the IPs in the DNS response are effected in the policy
	// for selected pods as-is (i.e. the list of IPs is not modified in any way).
	// Note: An explicit rule to allow for DNS traffic is needed for the pods, as
	// ToFQDN counts as an egress rule and will enforce egress policy when
	// PolicyEnforcement=default.
	// Note: If the resolved IPs are IPs within the kubernetes cluster, the
	// ToFQDN rule will not apply to that IP.
	// Note: ToFQDN cannot occur in the same policy as other To* rules.
	//
	// The current implementation has a number of limitations:
	// - The DNS resolution originates from cilium-agent, and not from the pods.
	// Differences between the responses seen by cilium agent and a particular
	// pod will whitelist the incorrect IP.
	// - DNS TTLs are ignored, and cilium-agent will repoll on a short interval
	// (5 seconds). Each change to the DNS data will trigger a policy
	// regeneration. This may result in delayed updates to the policy for an
	// endpoint when the data changes often or the system is under load.
	//
	// +kubebuilder:validation:Optional
	ToFQDNs FQDNSelectorSlice `json:"toFQDNs,omitempty"`

	// ICMPs is a list of ICMP rule identified by type number
	// which the endpoint subject to the rule is allowed to connect to.
	//
	// Example:
	// Any endpoint with the label "app=httpd" is allowed to initiate
	// type 8 ICMP connections.
	//
	// +kubebuilder:validation:Optional
	ICMPs ICMPRules `json:"icmps,omitempty"`

	// Auth is the required authentication type for the allowed traffic, if any.
	//
	// +kubebuilder:validation:Optional
	Auth *Auth `json:"auth,omitempty"`
}

EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.

  • All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.

  • If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well.

  • ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule.

func (*EgressRule) AllowsWildcarding added in v1.14.0

func (e *EgressRule) AllowsWildcarding() bool

AllowsWildcarding returns true if wildcarding should be performed upon policy evaluation for the given rule.

func (*EgressRule) CreateDerivative added in v1.5.0

func (e *EgressRule) CreateDerivative(ctx context.Context) (*EgressRule, error)

CreateDerivative returns a new rule, built from the data gathered by the rules, that forms a new derivative policy. In the case of ToGroups it calls out through the groups callback, so this function can take some time.

func (*EgressRule) DeepCopy added in v1.5.0

func (in *EgressRule) DeepCopy() *EgressRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRule.

func (*EgressRule) DeepCopyInto added in v1.5.0

func (in *EgressRule) DeepCopyInto(out *EgressRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EgressRule) DeepEqual added in v1.14.0

func (in *EgressRule) DeepEqual(other *EgressRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*EgressRule) GetDestinationEndpointSelectorsWithRequirements added in v1.6.0

func (e *EgressRule) GetDestinationEndpointSelectorsWithRequirements(requirements []slim_metav1.LabelSelectorRequirement) EndpointSelectorSlice

GetDestinationEndpointSelectorsWithRequirements returns a slice of endpoint selectors covering all L3 destination selectors of the egress rule

func (*EgressRule) SetAggregatedSelectors added in v1.5.0

func (e *EgressRule) SetAggregatedSelectors()

SetAggregatedSelectors creates a single slice containing all of the following fields within the EgressRule, converted to EndpointSelector, to be stored within the EgressRule for easy lookup while performing policy evaluation for the rule:

  • ToEntities

  • ToCIDR

  • ToCIDRSet

  • ToFQDNs

ToEndpoints is not aggregated due to requirement folding in GetDestinationEndpointSelectorsWithRequirements()

type EndpointSelector

type EndpointSelector struct {
	*slim_metav1.LabelSelector `json:",inline"`
	// contains filtered or unexported fields
}

EndpointSelector is a wrapper for k8s LabelSelector.

func NewESFromK8sLabelSelector

func NewESFromK8sLabelSelector(srcPrefix string, lss ...*slim_metav1.LabelSelector) EndpointSelector

NewESFromK8sLabelSelector returns a new endpoint selector from the given label selectors, with srcPrefix encoded into the labels' keys.

func NewESFromLabels

func NewESFromLabels(lbls ...labels.Label) EndpointSelector

NewESFromLabels creates a new endpoint selector from the given labels.

func NewESFromMatchRequirements added in v1.5.0

func NewESFromMatchRequirements(matchLabels map[string]string, reqs []slim_metav1.LabelSelectorRequirement) EndpointSelector

NewESFromMatchRequirements creates a new endpoint selector from the given match specifications: An optional set of labels that must match, and an optional slice of LabelSelectorRequirements.

If the caller intends to reuse 'matchLabels' or 'reqs' after creating the EndpointSelector, they must make a copy of the parameter.

func (*EndpointSelector) AddMatch added in v1.5.0

func (n *EndpointSelector) AddMatch(key, value string)

AddMatch adds a match for 'key' == 'value' to the endpoint selector.

func (*EndpointSelector) AddMatchExpression added in v1.14.0

func (n *EndpointSelector) AddMatchExpression(key string, op slim_metav1.LabelSelectorOperator, values []string)

AddMatchExpression adds a match expression to label selector of the endpoint selector.

func (EndpointSelector) CachedString added in v1.6.0

func (n EndpointSelector) CachedString() string

CachedString returns the cached string representation of the LabelSelector for this EndpointSelector.

func (*EndpointSelector) ConvertToLabelSelectorRequirementSlice added in v1.5.0

func (n *EndpointSelector) ConvertToLabelSelectorRequirementSlice() []slim_metav1.LabelSelectorRequirement

ConvertToLabelSelectorRequirementSlice converts the MatchLabels and MatchExpressions within the specified EndpointSelector into a list of LabelSelectorRequirements.

func (*EndpointSelector) DeepCopy added in v1.5.0

func (in *EndpointSelector) DeepCopy() *EndpointSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointSelector.

func (*EndpointSelector) DeepCopyInto added in v1.5.0

func (in *EndpointSelector) DeepCopyInto(out *EndpointSelector)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EndpointSelector) DeepEqual added in v1.14.0

func (in *EndpointSelector) DeepEqual(other *EndpointSelector) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (EndpointSelector) GetMatch added in v1.5.0

func (n EndpointSelector) GetMatch(key string) ([]string, bool)

GetMatch checks for a match on the specified key and returns the values that the key must match, together with true. If no match can be found, it returns nil, false.

func (EndpointSelector) HasKey added in v1.5.0

func (n EndpointSelector) HasKey(key string) bool

HasKey checks if the endpoint selector contains the given key in its MatchLabels map or in its MatchExpressions slice.

func (EndpointSelector) HasKeyPrefix

func (n EndpointSelector) HasKeyPrefix(prefix string) bool

HasKeyPrefix checks if the endpoint selector contains the given key prefix in its MatchLabels map and MatchExpressions slice.

func (*EndpointSelector) IsWildcard added in v1.5.0

func (n *EndpointSelector) IsWildcard() bool

IsWildcard returns true if the endpoint selector selects all endpoints.

func (*EndpointSelector) LabelSelectorString added in v1.5.0

func (n *EndpointSelector) LabelSelectorString() string

LabelSelectorString returns a user-friendly string representation of EndpointSelector.

func (EndpointSelector) MarshalJSON

func (n EndpointSelector) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON representation of the endpoint selector as a byte array.

func (*EndpointSelector) Matches

func (n *EndpointSelector) Matches(lblsToMatch k8sLbls.Labels) bool

Matches returns true if the endpoint selector matches `lblsToMatch`. It always returns true if the endpoint selector contains the reserved label for "all".

func (EndpointSelector) String

func (n EndpointSelector) String() string

String returns a string representation of EndpointSelector.

func (*EndpointSelector) SyncRequirementsWithLabelSelector added in v1.5.0

func (n *EndpointSelector) SyncRequirementsWithLabelSelector()

SyncRequirementsWithLabelSelector ensures that the requirements within the specified EndpointSelector are in sync with the LabelSelector. This is because the LabelSelector has publicly accessible fields, which can be updated without concurrently updating the requirements, so the two fields can become out of sync.

func (*EndpointSelector) UnmarshalJSON

func (n *EndpointSelector) UnmarshalJSON(b []byte) error

UnmarshalJSON unmarshals the endpoint selector from the byte array.

type EndpointSelectorSlice added in v1.5.0

type EndpointSelectorSlice []EndpointSelector

EndpointSelectorSlice is a slice of EndpointSelectors that can be sorted.

func (EndpointSelectorSlice) DeepCopy added in v1.5.0

func (in EndpointSelectorSlice) DeepCopy() EndpointSelectorSlice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointSelectorSlice.

func (EndpointSelectorSlice) DeepCopyInto added in v1.5.0

func (in EndpointSelectorSlice) DeepCopyInto(out *EndpointSelectorSlice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EndpointSelectorSlice) DeepEqual added in v1.14.0

func (in *EndpointSelectorSlice) DeepEqual(other *EndpointSelectorSlice) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (EndpointSelectorSlice) Len added in v1.5.0

func (s EndpointSelectorSlice) Len() int

func (EndpointSelectorSlice) Less added in v1.5.0

func (s EndpointSelectorSlice) Less(i, j int) bool

func (EndpointSelectorSlice) Matches added in v1.5.0

Matches returns true if any of the EndpointSelectors in the slice match the provided labels

func (EndpointSelectorSlice) SelectsAllEndpoints added in v1.5.0

func (s EndpointSelectorSlice) SelectsAllEndpoints() bool

SelectsAllEndpoints returns whether the EndpointSelectorSlice selects all endpoints, which is true if the wildcard endpoint selector is present in the slice.

func (EndpointSelectorSlice) Swap added in v1.5.0

func (s EndpointSelectorSlice) Swap(i, j int)

type Entity added in v1.5.0

type Entity string

Entity specifies the class of receiver/sender endpoints that do not have individual identities. Entities are used to describe "outside of cluster", "host", etc.

+kubebuilder:validation:Enum=all;world;cluster;host;init;ingress;unmanaged;remote-node;health;none;kube-apiserver

const (
	// EntityAll is an entity that represents all traffic
	EntityAll Entity = "all"

	// EntityWorld is an entity that represents traffic external to
	// endpoint's cluster
	EntityWorld Entity = "world"

	// EntityCluster is an entity that represents traffic within the
	// endpoint's cluster, to endpoints not managed by cilium
	EntityCluster Entity = "cluster"

	// EntityHost is an entity that represents traffic within endpoint host
	EntityHost Entity = "host"

	// EntityInit is an entity that represents an initializing endpoint
	EntityInit Entity = "init"

	// EntityIngress is an entity that represents envoy proxy
	EntityIngress Entity = "ingress"

	// EntityUnmanaged is an entity that represents unmanaged endpoints.
	EntityUnmanaged Entity = "unmanaged"

	// EntityRemoteNode is an entity that represents all remote nodes
	EntityRemoteNode Entity = "remote-node"

	// EntityHealth is an entity that represents all health endpoints.
	EntityHealth Entity = "health"

	// EntityNone is an entity that can be selected but never exists
	EntityNone Entity = "none"

	// EntityKubeAPIServer is an entity that represents the kube-apiserver.
	EntityKubeAPIServer Entity = "kube-apiserver"
)

type EntitySlice added in v1.5.0

type EntitySlice []Entity

EntitySlice is a slice of entities

func (EntitySlice) DeepCopy added in v1.5.0

func (in EntitySlice) DeepCopy() EntitySlice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntitySlice.

func (EntitySlice) DeepCopyInto added in v1.5.0

func (in EntitySlice) DeepCopyInto(out *EntitySlice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EntitySlice) DeepEqual added in v1.14.0

func (in *EntitySlice) DeepEqual(other *EntitySlice) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (EntitySlice) GetAsEndpointSelectors added in v1.5.0

func (s EntitySlice) GetAsEndpointSelectors() EndpointSelectorSlice

GetAsEndpointSelectors returns the provided entity slice as a slice of endpoint selectors

type EnvoyConfig added in v1.14.0

type EnvoyConfig struct {
	// Kind is the resource type being referred to. Defaults to CiliumEnvoyConfig or
	// CiliumClusterwideEnvoyConfig for CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy,
	// respectively. The only case this is currently explicitly needed is when referring to a
	// CiliumClusterwideEnvoyConfig from CiliumNetworkPolicy, as using a namespaced listener
	// from a cluster scoped policy is not allowed.
	//
	// +kubebuilder:validation:Enum=CiliumEnvoyConfig;CiliumClusterwideEnvoyConfig
	// +kubebuilder:validation:Optional
	Kind string `json:"kind"`

	// Name is the resource name of the CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig where
	// the listener is defined in.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	Name string `json:"name"`
}

EnvoyConfig defines a reference to a CiliumEnvoyConfig or CiliumClusterwideEnvoyConfig

func (*EnvoyConfig) DeepCopy added in v1.14.0

func (in *EnvoyConfig) DeepCopy() *EnvoyConfig

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EnvoyConfig.

func (*EnvoyConfig) DeepCopyInto added in v1.14.0

func (in *EnvoyConfig) DeepCopyInto(out *EnvoyConfig)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*EnvoyConfig) DeepEqual added in v1.14.0

func (in *EnvoyConfig) DeepEqual(other *EnvoyConfig) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type FQDNSelector added in v1.5.0

type FQDNSelector struct {
	// MatchName matches literal DNS names. A trailing "." is automatically added
	// when missing.
	//
	// +kubebuilder:validation:Pattern=`^([-a-zA-Z0-9_]+[.]?)+$`
	MatchName string `json:"matchName,omitempty"`

	// MatchPattern allows using wildcards to match DNS names. All wildcards are
	// case insensitive. The wildcards are:
	// - "*" matches 0 or more DNS valid characters ([-a-zA-Z0-9_]) and may
	// occur anywhere in the pattern. Within a pattern that contains other
	// characters it does not match the "." label separator, so one "*" cannot
	// stand for more than one label (see the `*cilium.io` example below).
	// A trailing "." is automatically added when missing.
	//
	// Examples:
	// `*.cilium.io` matches subdomains of cilium.io at that level:
	//   www.cilium.io and blog.cilium.io match, cilium.io and google.com do not
	// `*cilium.io` matches cilium.io and all names ending with "cilium.io"
	//   that contain no further "." separator: subcilium.io and sub-cilium.io
	//   match, www.cilium.io and blog.cilium.io do not
	// `sub*.cilium.io` matches subdomains of cilium.io where the subdomain
	// component begins with "sub":
	//   sub.cilium.io and subdomain.cilium.io match, www.cilium.io,
	//   blog.cilium.io, cilium.io and google.com do not
	//
	// +kubebuilder:validation:Pattern=`^([-a-zA-Z0-9_*]+[.]?)+$`
	MatchPattern string `json:"matchPattern,omitempty"`
}

func (*FQDNSelector) DeepCopy added in v1.5.0

func (in *FQDNSelector) DeepCopy() *FQDNSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNSelector.

func (*FQDNSelector) DeepCopyInto added in v1.5.0

func (in *FQDNSelector) DeepCopyInto(out *FQDNSelector)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FQDNSelector) DeepEqual added in v1.14.0

func (in *FQDNSelector) DeepEqual(other *FQDNSelector) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*FQDNSelector) GetAsEndpointSelectors added in v1.5.0

func (s *FQDNSelector) GetAsEndpointSelectors() EndpointSelectorSlice

GetAsEndpointSelectors returns a FQDNSelector as a single EntityNone EndpointSelector slice. Note that toFQDNs behaves differently than most other rules. The presence of any toFQDNs rules means the endpoint must enforce policy, but the IPs are later added as toCIDRSet entries and processed as such.

func (*FQDNSelector) String added in v1.6.0

func (s *FQDNSelector) String() string

func (*FQDNSelector) ToRegex added in v1.6.0

func (s *FQDNSelector) ToRegex() (*regexp.Regexp, error)

ToRegex converts the given FQDNSelector to its corresponding regular expression. If the MatchName field is set in the selector, it performs all needed formatting to ensure that the field is a valid regular expression.
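The MatchPattern semantics above and the ToRegex conversion are easy to get wrong when writing toFQDNs rules, in particular the fact that a wildcard stops at a "." label separator. The following is an added, self-contained Go example that reimplements the documented behaviour (lower-casing, trailing-dot normalisation, "*" expanded to the DNS character class from FQDNMatchPatternRegexString) and checks the page's own examples against it. It is not the package's ToRegex implementation; the helper names and the CRD-pattern pre-check are this example's own.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// dnsChars is the character class FQDNMatchPatternRegexString allows between
// "." separators; "*" is expanded to zero or more of these.
const dnsChars = `[-a-zA-Z0-9_]`

// validPattern mirrors the kubebuilder validation pattern on MatchPattern.
var validPattern = regexp.MustCompile(`^([-a-zA-Z0-9_*]+[.]?)+$`)

// normalizeFQDN lower-cases a name and appends the trailing "." when it is
// missing, as the MatchName/MatchPattern docs say the API does.
func normalizeFQDN(name string) string {
	name = strings.ToLower(strings.TrimSpace(name))
	if !strings.HasSuffix(name, ".") {
		name += "."
	}
	return name
}

// patternToRegex expands a MatchPattern into an anchored regular expression.
// "*" becomes dnsChars+"*", so a single wildcard never spans a "." label
// separator; that is what makes "*cilium.io" not match "www.cilium.io".
// Illustration of the documented semantics, not the package's own ToRegex.
func patternToRegex(pattern string) (*regexp.Regexp, error) {
	if !validPattern.MatchString(pattern) {
		return nil, fmt.Errorf("pattern %q fails CRD validation", pattern)
	}
	p := normalizeFQDN(pattern)
	p = strings.ReplaceAll(p, ".", `[.]`)
	p = strings.ReplaceAll(p, "*", dnsChars+"*")
	return regexp.Compile("^" + p + "$")
}

// matchesPattern reports whether a DNS name (any case, with or without a
// trailing dot) is selected by the pattern.
func matchesPattern(pattern, name string) (bool, error) {
	re, err := patternToRegex(pattern)
	if err != nil {
		return false, err
	}
	return re.MatchString(normalizeFQDN(name)), nil
}

func main() {
	// Names taken from the MatchPattern examples in the field documentation.
	names := []string{"cilium.io", "www.cilium.io", "blog.cilium.io",
		"subcilium.io", "sub-cilium.io", "sub.cilium.io", "subdomain.cilium.io", "google.com"}
	for _, pat := range []string{"*.cilium.io", "*cilium.io", "sub*.cilium.io"} {
		var hits []string
		for _, n := range names {
			if ok, _ := matchesPattern(pat, n); ok {
				hits = append(hits, n)
			}
		}
		fmt.Printf("%-16s -> %v\n", pat, hits)
	}
}
```

Running it prints the three hit lists; `*cilium.io` selects `cilium.io`, `subcilium.io` and `sub-cilium.io` only, which is the case to remember when a rule is meant to cover a whole zone: use `*.cilium.io` plus a separate `cilium.io` entry rather than relying on `*cilium.io`.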

type FQDNSelectorSlice added in v1.5.0

type FQDNSelectorSlice []FQDNSelector

FQDNSelectorSlice is a wrapper type for []FQDNSelector to make it simpler to bind methods.

func (FQDNSelectorSlice) DeepCopy added in v1.5.0

func (in FQDNSelectorSlice) DeepCopy() FQDNSelectorSlice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNSelectorSlice.

func (FQDNSelectorSlice) DeepCopyInto added in v1.5.0

func (in FQDNSelectorSlice) DeepCopyInto(out *FQDNSelectorSlice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FQDNSelectorSlice) DeepEqual added in v1.14.0

func (in *FQDNSelectorSlice) DeepEqual(other *FQDNSelectorSlice) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (FQDNSelectorSlice) GetAsEndpointSelectors added in v1.5.0

func (s FQDNSelectorSlice) GetAsEndpointSelectors() EndpointSelectorSlice

GetAsEndpointSelectors will return a single EntityNone if any toFQDNs rules exist, and a nil slice otherwise.

type GroupProviderFunc added in v1.5.0

type GroupProviderFunc func(context.Context, *ToGroups) ([]netip.Addr, error)

GroupProviderFunc is the function type that must be registered to add a new group provider; it resolves a ToGroups rule to the addresses it currently covers.

type HeaderMatch added in v1.14.0

type HeaderMatch struct {
	// Mismatch identifies what to do in case there is no match. The default is
	// to drop the request. Otherwise the overall rule is still considered as
	// matching, but the mismatches are logged in the access log.
	//
	// +kubebuilder:validation:Enum=LOG;ADD;DELETE;REPLACE
	// +kubebuilder:validation:Optional
	Mismatch MismatchAction `json:"mismatch,omitempty"`

	// Name identifies the header.
	Name string `json:"name"`

	// Secret refers to a secret that contains the value to be matched against.
	// The secret must only contain one entry. If the referred secret does not
	// exist, and there is no "Value" specified, the match will fail.
	//
	// +kubebuilder:validation:Optional
	Secret *Secret `json:"secret,omitempty"`

	// Value matches the exact value of the header. Can be specified either
	// alone or together with "Secret"; will be used as the header value if the
	// secret can not be found in the latter case.
	//
	// +kubebuilder:validation:Optional
	Value string `json:"value,omitempty"`
}

HeaderMatch extends a plain header value match with a requirement on a named header field: its value must equal either an immediate string (Value) or a value read from a secret (Secret). If neither optional field is present, the header value is not matched and the presence of the header is enough.

func (*HeaderMatch) DeepCopy added in v1.14.0

func (in *HeaderMatch) DeepCopy() *HeaderMatch

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new HeaderMatch.

func (*HeaderMatch) DeepCopyInto added in v1.14.0

func (in *HeaderMatch) DeepCopyInto(out *HeaderMatch)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*HeaderMatch) DeepEqual added in v1.14.0

func (in *HeaderMatch) DeepEqual(other *HeaderMatch) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*HeaderMatch) Equal added in v1.14.0

func (h *HeaderMatch) Equal(o *HeaderMatch) bool

Equal returns true if both HeaderMatches are equal

type ICMPField added in v1.14.0

type ICMPField struct {
	// Family is the IP address family.
	// Currently, we support `IPv4` and `IPv6`.
	// `IPv4` is set as default.
	//
	// +kubebuilder:default=IPv4
	// +kubebuilder:validation:Optional
	// +kubebuilder:validation:Enum=IPv4;IPv6
	Family string `json:"family,omitempty"`

	// Type is the ICMP type.
	// It should be 0-255 (8bit).
	//
	// +kubebuilder:validation:Maximum=255
	// +kubebuilder:validation:Minimum=0
	Type uint8 `json:"type"`
}

ICMPField matches a single ICMP type within an address family.

func (*ICMPField) DeepCopy added in v1.14.0

func (in *ICMPField) DeepCopy() *ICMPField

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ICMPField.

func (*ICMPField) DeepCopyInto added in v1.14.0

func (in *ICMPField) DeepCopyInto(out *ICMPField)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ICMPField) DeepEqual added in v1.14.0

func (in *ICMPField) DeepEqual(other *ICMPField) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (ICMPField) PortProtocol added in v1.14.0

func (i ICMPField) PortProtocol() *PortProtocol

PortProtocol translates ICMPType to PortProtocol.

type ICMPRule added in v1.14.0

type ICMPRule struct {
	// Fields is a list of ICMP fields.
	//
	// +kubebuilder:validation:Optional
	Fields []ICMPField `json:"fields,omitempty"`
}

ICMPRule is a list of ICMP fields.

func (*ICMPRule) DeepCopy added in v1.14.0

func (in *ICMPRule) DeepCopy() *ICMPRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ICMPRule.

func (*ICMPRule) DeepCopyInto added in v1.14.0

func (in *ICMPRule) DeepCopyInto(out *ICMPRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ICMPRule) DeepEqual added in v1.14.0

func (in *ICMPRule) DeepEqual(other *ICMPRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (ICMPRule) GetPortProtocols added in v1.14.0

func (ir ICMPRule) GetPortProtocols() []PortProtocol

GetPortProtocols generates PortProtocol slice from ICMPRule and returns it.

func (ICMPRule) GetPortRule added in v1.14.0

func (ir ICMPRule) GetPortRule() *PortRule

GetPortRule generates PortRule from ICMPRule and returns it.

type ICMPRules added in v1.14.0

type ICMPRules []ICMPRule

func (ICMPRules) DeepCopy added in v1.14.0

func (in ICMPRules) DeepCopy() ICMPRules

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ICMPRules.

func (ICMPRules) DeepCopyInto added in v1.14.0

func (in ICMPRules) DeepCopyInto(out *ICMPRules)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ICMPRules) DeepEqual added in v1.14.0

func (in *ICMPRules) DeepEqual(other *ICMPRules) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (ICMPRules) Iterate added in v1.14.0

func (ir ICMPRules) Iterate(f func(pr Ports) error) error

Iterate iterates over all elements of ICMPRules.

func (ICMPRules) Len added in v1.14.0

func (ir ICMPRules) Len() int

Len returns the length of the elements of ICMPRules.

type IngressCommonRule added in v1.14.0

type IngressCommonRule struct {
	// FromEndpoints is a list of endpoints identified by an
	// EndpointSelector which are allowed to communicate with the endpoint
	// subject to the rule.
	//
	// Example:
	// Any endpoint with the label "role=backend" can be consumed by any
	// endpoint carrying the label "role=frontend".
	//
	// +kubebuilder:validation:Optional
	FromEndpoints []EndpointSelector `json:"fromEndpoints,omitempty"`

	// FromRequires is a list of additional constraints which must be met
	// in order for the selected endpoints to be reachable. These
	// additional constraints do not by themselves grant access privileges and
	// must always be accompanied with at least one matching FromEndpoints.
	//
	// Example:
	// Any Endpoint with the label "team=A" requires the consuming endpoint
	// to also carry the label "team=A".
	//
	// +kubebuilder:validation:Optional
	FromRequires []EndpointSelector `json:"fromRequires,omitempty"`

	// FromCIDR is a list of IP blocks which the endpoint subject to the
	// rule is allowed to receive connections from. Only connections which
	// do *not* originate from the cluster or from the local host are subject
	// to CIDR rules. In order to allow in-cluster connectivity, use the
	// FromEndpoints field. This will match on the source IP address of
	// incoming connections. Adding a prefix into FromCIDR or into
	// FromCIDRSet with no ExcludeCIDRs is equivalent. Overlaps are
	// allowed between FromCIDR and FromCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=my-legacy-pet" is allowed to receive
	// connections from 10.3.9.1
	//
	// +kubebuilder:validation:Optional
	FromCIDR CIDRSlice `json:"fromCIDR,omitempty"`

	// FromCIDRSet is a list of IP blocks which the endpoint subject to the
	// rule is allowed to receive connections from in addition to FromEndpoints,
	// along with a list of subnets contained within their corresponding IP block
	// from which traffic should not be allowed.
	// This will match on the source IP address of incoming connections. Adding
	// a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is
	// equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=my-legacy-pet" is allowed to receive
	// connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.
	//
	// +kubebuilder:validation:Optional
	FromCIDRSet CIDRRuleSlice `json:"fromCIDRSet,omitempty"`

	// FromEntities is a list of special entities which the endpoint subject
	// to the rule is allowed to receive connections from. Any Entity value
	// is accepted, for example `world`, `cluster`, `host` and `remote-node`.
	//
	// +kubebuilder:validation:Optional
	FromEntities EntitySlice `json:"fromEntities,omitempty"`
	// contains filtered or unexported fields
}

IngressCommonRule is a rule that shares some of its fields across the IngressRule and IngressDenyRule. It's publicly exported so the code generators can generate code for this structure.

func (*IngressCommonRule) AllowsWildcarding added in v1.14.0

func (i *IngressCommonRule) AllowsWildcarding() bool

AllowsWildcarding returns true if wildcarding should be performed upon policy evaluation for the given rule.

func (*IngressCommonRule) DeepCopy added in v1.14.0

func (in *IngressCommonRule) DeepCopy() *IngressCommonRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressCommonRule.

func (*IngressCommonRule) DeepCopyInto added in v1.14.0

func (in *IngressCommonRule) DeepCopyInto(out *IngressCommonRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IngressCommonRule) DeepEqual added in v1.14.0

func (in *IngressCommonRule) DeepEqual(other *IngressCommonRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*IngressCommonRule) GetSourceEndpointSelectorsWithRequirements added in v1.14.0

func (i *IngressCommonRule) GetSourceEndpointSelectorsWithRequirements(requirements []slim_metav1.LabelSelectorRequirement) EndpointSelectorSlice

GetSourceEndpointSelectorsWithRequirements returns a slice of endpoints selectors covering all L3 source selectors of the ingress rule

func (*IngressCommonRule) SetAggregatedSelectors added in v1.14.0

func (i *IngressCommonRule) SetAggregatedSelectors()

SetAggregatedSelectors creates a single slice containing the following fields of the IngressRule, converted to EndpointSelector, and stores it within the IngressRule for easy lookup while performing policy evaluation for the rule: FromEntities, FromCIDR and FromCIDRSet.

FromEndpoints is not aggregated due to requirement folding in GetSourceEndpointSelectorsWithRequirements()

type IngressDenyRule added in v1.14.0

type IngressDenyRule struct {
	IngressCommonRule `json:",inline"`

	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is not allowed to
	// receive connections on.
	//
	// Example:
	// Any endpoint with the label "app=httpd" can not accept incoming
	// connections on port 80/tcp.
	//
	// +kubebuilder:validation:Optional
	ToPorts PortDenyRules `json:"toPorts,omitempty"`

	// ICMPs is a list of ICMP rules identified by type number
	// which the endpoint subject to the rule is not allowed to
	// receive.
	//
	// Example:
	// Any endpoint with the label "app=httpd" can not accept incoming
	// type 8 (echo request) ICMP messages.
	//
	// +kubebuilder:validation:Optional
	ICMPs ICMPRules `json:"icmps,omitempty"`
}

IngressDenyRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.

  • All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.

  • If multiple members are set, all of them need to match in order for the rule to take effect. The exception is the FromRequires field: the requirements of any FromRequires field in any rule apply to all other rules selecting the same endpoint as well.

  • FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule.

func (*IngressDenyRule) DeepCopy added in v1.14.0

func (in *IngressDenyRule) DeepCopy() *IngressDenyRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressDenyRule.

func (*IngressDenyRule) DeepCopyInto added in v1.14.0

func (in *IngressDenyRule) DeepCopyInto(out *IngressDenyRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IngressDenyRule) DeepEqual added in v1.14.0

func (in *IngressDenyRule) DeepEqual(other *IngressDenyRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type IngressRule

type IngressRule struct {
	IngressCommonRule `json:",inline"`

	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is allowed to
	// receive connections on.
	//
	// Example:
	// Any endpoint with the label "app=httpd" can only accept incoming
	// connections on port 80/tcp.
	//
	// +kubebuilder:validation:Optional
	ToPorts PortRules `json:"toPorts,omitempty"`

	// ICMPs is a list of ICMP rules identified by type number
	// which the endpoint subject to the rule is allowed to
	// receive.
	//
	// Example:
	// Any endpoint with the label "app=httpd" can only accept incoming
	// type 8 (echo request) ICMP messages.
	//
	// +kubebuilder:validation:Optional
	ICMPs ICMPRules `json:"icmps,omitempty"`

	// Auth is the required authentication type for the allowed traffic, if any.
	//
	// +kubebuilder:validation:Optional
	Auth *Auth `json:"auth,omitempty"`
}

IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.

  • All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.

  • If multiple members are set, all of them need to match in order for the rule to take effect. The exception is the FromRequires field: the requirements of any FromRequires field in any rule apply to all other rules selecting the same endpoint as well.

  • FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually exclusive. Only one of these members may be present within an individual rule.
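The two semantics that matter most for least privilege in these rules are that FromRequires never grants access on its own (it is folded into each FromEndpoints selector, as GetSourceEndpointSelectorsWithRequirements describes) and that the four L3 source fields are mutually exclusive within a rule. The following is an added Go example, not code from the package, that models both with plain label maps in place of EndpointSelector and a matchLabels-only selector; the type and function names (Labels, Selector, IngressL3, Sanitize, FoldRequirements, Allowed) are this example's own. It folds requirements within a single rule; in Cilium the requirements additionally apply across all rules that select the same endpoint.

```go
package main

import (
	"errors"
	"fmt"
)

// Labels is a flat label set on an endpoint, e.g. a pod's labels. This and
// Selector are simplified stand-ins for the package's labels and
// EndpointSelector types (assumption made for the example).
type Labels map[string]string

// Selector is the matchLabels half of a label selector: every pair must be
// present on the endpoint.
type Selector map[string]string

// Matches reports whether the selector selects an endpoint with labels l.
func (s Selector) Matches(l Labels) bool {
	for k, v := range s {
		if got, ok := l[k]; !ok || got != v {
			return false
		}
	}
	return true
}

// IngressL3 models the L3 source fields of IngressCommonRule.
type IngressL3 struct {
	FromEndpoints []Selector
	FromRequires  []Selector
	FromCIDR      []string
	FromCIDRSet   []string
	FromEntities  []string
}

// Sanitize enforces the documented rule that FromEndpoints, FromCIDR,
// FromCIDRSet and FromEntities are mutually exclusive within one rule.
func Sanitize(r IngressL3) error {
	n := 0
	for _, set := range []bool{
		len(r.FromEndpoints) > 0, len(r.FromCIDR) > 0,
		len(r.FromCIDRSet) > 0, len(r.FromEntities) > 0,
	} {
		if set {
			n++
		}
	}
	if n > 1 {
		return errors.New("FromEndpoints, FromCIDR, FromCIDRSet and FromEntities are mutually exclusive")
	}
	return nil
}

// FoldRequirements merges every FromRequires selector into each FromEndpoints
// selector. A requirement on its own never appears in the output, which is
// why FromRequires alone grants no access. A contradictory requirement (same
// key, different value) yields a selector that can match nothing, so it is
// dropped.
func FoldRequirements(r IngressL3) []Selector {
	out := make([]Selector, 0, len(r.FromEndpoints))
	for _, sel := range r.FromEndpoints {
		merged := Selector{}
		for k, v := range sel {
			merged[k] = v
		}
		satisfiable := true
		for _, req := range r.FromRequires {
			for k, v := range req {
				if prev, found := merged[k]; found && prev != v {
					satisfiable = false
				}
				merged[k] = v
			}
		}
		if satisfiable {
			out = append(out, merged)
		}
	}
	return out
}

// Allowed reports whether a source with labels src is permitted by the rule.
func Allowed(r IngressL3, src Labels) bool {
	for _, sel := range FoldRequirements(r) {
		if sel.Matches(src) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed rule: accept traffic from frontends, but only frontends
	// that also carry team=A.
	rule := IngressL3{
		FromEndpoints: []Selector{{"role": "frontend"}},
		FromRequires:  []Selector{{"team": "A"}},
	}
	if err := Sanitize(rule); err != nil {
		panic(err)
	}
	for _, src := range []Labels{
		{"role": "frontend", "team": "A"},
		{"role": "frontend", "team": "B"},
		{"team": "A"},
	} {
		fmt.Printf("%v -> allowed=%v\n", src, Allowed(rule, src))
	}
	// FromRequires without FromEndpoints selects nothing at all.
	fmt.Println("requires-only:", Allowed(IngressL3{FromRequires: rule.FromRequires}, Labels{"team": "A"}))
}
```

The third source (`team=A` without `role=frontend`) is denied even though it satisfies the requirement, and the requires-only rule admits nobody: a policy review that finds FromRequires without a matching FromEndpoints has found a rule that grants nothing, not a permissive one.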

func (*IngressRule) DeepCopy added in v1.5.0

func (in *IngressRule) DeepCopy() *IngressRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRule.

func (*IngressRule) DeepCopyInto added in v1.5.0

func (in *IngressRule) DeepCopyInto(out *IngressRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*IngressRule) DeepEqual added in v1.14.0

func (in *IngressRule) DeepEqual(other *IngressRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type K8sServiceNamespace added in v1.5.0

type K8sServiceNamespace struct {
	ServiceName string `json:"serviceName,omitempty"`
	Namespace   string `json:"namespace,omitempty"`
}

K8sServiceNamespace is an abstraction for the k8s service + namespace types.

func (*K8sServiceNamespace) DeepCopy added in v1.5.0

func (in *K8sServiceNamespace) DeepCopy() *K8sServiceNamespace

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8sServiceNamespace.

func (*K8sServiceNamespace) DeepCopyInto added in v1.5.0

func (in *K8sServiceNamespace) DeepCopyInto(out *K8sServiceNamespace)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*K8sServiceNamespace) DeepEqual added in v1.14.0

func (in *K8sServiceNamespace) DeepEqual(other *K8sServiceNamespace) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type K8sServiceSelectorNamespace added in v1.5.0

type K8sServiceSelectorNamespace struct {
	// +kubebuilder:validation:Required
	Selector  ServiceSelector `json:"selector"`
	Namespace string          `json:"namespace,omitempty"`
}

K8sServiceSelectorNamespace wraps service selector with namespace

func (*K8sServiceSelectorNamespace) DeepCopy added in v1.5.0

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8sServiceSelectorNamespace.

func (*K8sServiceSelectorNamespace) DeepCopyInto added in v1.5.0

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*K8sServiceSelectorNamespace) DeepEqual added in v1.14.0

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type L4Proto added in v1.5.0

type L4Proto string

L4Proto is a layer 4 protocol name

const (
	ProtoTCP    L4Proto = "TCP"
	ProtoUDP    L4Proto = "UDP"
	ProtoSCTP   L4Proto = "SCTP"
	ProtoICMP   L4Proto = "ICMP"
	ProtoICMPv6 L4Proto = "ICMPV6"
	ProtoAny    L4Proto = "ANY"

	PortProtocolAny = "0/ANY"
)

func ParseL4Proto added in v1.5.0

func ParseL4Proto(proto string) (L4Proto, error)

ParseL4Proto parses a string as layer 4 protocol

func (L4Proto) Validate added in v1.5.0

func (l4 L4Proto) Validate() error

Validate returns an error if the layer 4 protocol is not valid

type L7Rules

type L7Rules struct {
	// HTTP specific rules.
	//
	// +kubebuilder:validation:Optional
	HTTP []PortRuleHTTP `json:"http,omitempty"`

	// Kafka-specific rules.
	//
	// +kubebuilder:validation:Optional
	Kafka []kafka.PortRule `json:"kafka,omitempty"`

	// DNS-specific rules.
	//
	// +kubebuilder:validation:Optional
	DNS []PortRuleDNS `json:"dns,omitempty"`

	// Name of the L7 protocol for which the Key-value pair rules apply.
	//
	// +kubebuilder:validation:Optional
	L7Proto string `json:"l7proto,omitempty"`

	// Key-value pair rules.
	//
	// +kubebuilder:validation:Optional
	L7 []PortRuleL7 `json:"l7,omitempty"`
}

L7Rules is a union of port level rule types. Mixing different port level rule types is disallowed, so at most one of the following may be set. If none is specified, no additional port level rules are applied.

func (*L7Rules) DeepCopy added in v1.5.0

func (in *L7Rules) DeepCopy() *L7Rules

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L7Rules.

func (*L7Rules) DeepCopyInto added in v1.5.0

func (in *L7Rules) DeepCopyInto(out *L7Rules)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*L7Rules) DeepEqual added in v1.14.0

func (in *L7Rules) DeepEqual(other *L7Rules) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*L7Rules) IsEmpty added in v1.5.0

func (rules *L7Rules) IsEmpty() bool

IsEmpty returns whether the `L7Rules` is nil or contains no rules.

func (*L7Rules) Len added in v1.5.0

func (rules *L7Rules) Len() int

Len returns the total number of rules inside `L7Rules`. Returns 0 if nil.

type Listener added in v1.14.0

type Listener struct {
	// EnvoyConfig is a reference to the CEC or CCEC resource in which
	// the listener is defined.
	//
	// +kubebuilder:validation:Required
	EnvoyConfig *EnvoyConfig `json:"envoyConfig"`

	// Name is the name of the listener.
	//
	// +kubebuilder:validation:MinLength=1
	// +kubebuilder:validation:Required
	Name string `json:"name"`
}

Listener defines a reference to an Envoy listener specified in a CEC or CCEC resource.

func (*Listener) DeepCopy added in v1.14.0

func (in *Listener) DeepCopy() *Listener

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Listener.

func (*Listener) DeepCopyInto added in v1.14.0

func (in *Listener) DeepCopyInto(out *Listener)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Listener) DeepEqual added in v1.14.0

func (in *Listener) DeepEqual(other *Listener) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type MismatchAction added in v1.14.0

type MismatchAction string

MismatchAction specifies what to do when there is no header match. The empty string is the default and makes the rule fail the match. Otherwise the rule is still considered as matching, but the mismatches are logged in the access log.

const (
	MismatchActionLog     MismatchAction = "LOG"     // Keep checking other matches
	MismatchActionAdd     MismatchAction = "ADD"     // Add the missing value to a possibly multi-valued header
	MismatchActionDelete  MismatchAction = "DELETE"  // Remove the whole mismatching header
	MismatchActionReplace MismatchAction = "REPLACE" // Replace (or add if missing) the header
)
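How a HeaderMatch behaves under each MismatchAction is what decides whether a client-supplied header is trusted, rewritten or fatal to the request, so it is worth seeing the Secret/Value precedence and the four actions applied to a concrete request. The following is an added Go model of the documented semantics, not the package's or Envoy's code: SecretRef stands in for the *Secret reference and is resolved from a constructed map, the request headers are constructed, and evaluate/expectedValue are this example's own names.

```go
package main

import (
	"fmt"
	"net/http"
)

// MismatchAction mirrors the API type: what the proxy does when a header
// does not match. Empty means the rule fails and the request is dropped.
type MismatchAction string

const (
	MismatchActionLog     MismatchAction = "LOG"
	MismatchActionAdd     MismatchAction = "ADD"
	MismatchActionDelete  MismatchAction = "DELETE"
	MismatchActionReplace MismatchAction = "REPLACE"
)

// HeaderMatch is a simplified model of the API struct. SecretRef stands in
// for the *Secret reference and is resolved through a secrets map below
// (hypothetical helper, not the package's type).
type HeaderMatch struct {
	Name      string
	Value     string
	SecretRef string
	Mismatch  MismatchAction
}

// expectedValue implements the Secret/Value precedence from the field docs:
// the secret wins when it exists, Value is the fallback, and a rule with
// neither only requires the header to be present (ok == false).
func expectedValue(m HeaderMatch, secrets map[string]string) (value string, ok bool) {
	if m.SecretRef != "" {
		if v, found := secrets[m.SecretRef]; found {
			return v, true
		}
	}
	if m.Value != "" {
		return m.Value, true
	}
	return "", false
}

// evaluate applies the rules to a request's headers in order. It returns
// whether the request is still allowed and the mismatch entries the access
// log would carry. Headers are mutated in place for ADD/DELETE/REPLACE.
func evaluate(h http.Header, rules []HeaderMatch, secrets map[string]string) (bool, []string) {
	var logEntries []string
	for _, m := range rules {
		want, haveWant := expectedValue(m, secrets)
		got := h.Values(m.Name)

		matched := false
		switch {
		case !haveWant && m.SecretRef != "":
			// Referenced secret is missing and no Value given: the match fails.
		case !haveWant:
			matched = len(got) > 0 // presence-only rule
		default:
			for _, v := range got {
				if v == want {
					matched = true
					break
				}
			}
		}
		if matched {
			continue
		}

		entry := fmt.Sprintf("header %q mismatch (have %v)", m.Name, got)
		switch m.Mismatch {
		case MismatchActionLog:
			logEntries = append(logEntries, entry+": logged")
		case MismatchActionAdd:
			if haveWant {
				h.Add(m.Name, want) // add the missing value, keep existing ones
			}
			logEntries = append(logEntries, entry+": added")
		case MismatchActionDelete:
			h.Del(m.Name) // remove the whole mismatching header
			logEntries = append(logEntries, entry+": deleted")
		case MismatchActionReplace:
			if haveWant {
				h.Set(m.Name, want) // replace, or add if missing
			}
			logEntries = append(logEntries, entry+": replaced")
		default:
			// Default action: the rule does not match and the request is dropped.
			return false, append(logEntries, entry+": dropped")
		}
	}
	return true, logEntries
}

// demoHeaders is a constructed client request: a stale bearer token and a
// spoofed trust header that the policy should clean up before forwarding.
func demoHeaders() http.Header {
	h := http.Header{}
	h.Set("X-Tenant", "acme")
	h.Set("Authorization", "Bearer stale-client-token")
	h.Set("X-Request-Source", "internal") // set by the client, must not be trusted
	return h
}

// demoSecrets stands in for the Kubernetes secrets the agent would read.
var demoSecrets = map[string]string{
	"kube-system/upstream-token": "Bearer s3cr3t-from-secret",
}

// demoRules: exact match, secret-backed REPLACE (header injection), and
// DELETE to strip a header the client must not be allowed to set.
var demoRules = []HeaderMatch{
	{Name: "X-Tenant", Value: "acme"},
	{Name: "Authorization", SecretRef: "kube-system/upstream-token", Mismatch: MismatchActionReplace},
	{Name: "X-Request-Source", Value: "proxy", Mismatch: MismatchActionDelete},
}

func main() {
	h := demoHeaders()
	allowed, entries := evaluate(h, demoRules, demoSecrets)
	fmt.Println("allowed:", allowed)
	for _, e := range entries {
		fmt.Println(" ", e)
	}
	fmt.Println("forwarded Authorization:", h.Get("Authorization"))
	fmt.Println("forwarded X-Request-Source:", h.Values("X-Request-Source"))

	// A rule with the default (empty) Mismatch drops the request outright.
	strict := append(append([]HeaderMatch(nil), demoRules...), HeaderMatch{Name: "X-Api-Version", Value: "2"})
	allowed, _ = evaluate(demoHeaders(), strict, demoSecrets)
	fmt.Println("allowed with required X-Api-Version:", allowed)
}
```

The REPLACE rule is the pattern for injecting a credential the workload never holds: the client's Authorization header is overwritten with the secret value regardless of what was sent, and the access log records that a replacement happened. Note the failure mode the field docs call out: a rule whose Secret is missing and that has no Value fails the match, which with the default action drops every request.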

type PortDenyRule added in v1.14.0

type PortDenyRule struct {
	// Ports is a list of L4 port/protocol
	//
	// +kubebuilder:validation:Optional
	Ports []PortProtocol `json:"ports,omitempty"`
}

PortDenyRule is a list of ports/protocols to be used in deny policies. It lacks the L7Rules field because L7 rules are not supported in deny policies.

func (*PortDenyRule) DeepCopy added in v1.14.0

func (in *PortDenyRule) DeepCopy() *PortDenyRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortDenyRule.

func (*PortDenyRule) DeepCopyInto added in v1.14.0

func (in *PortDenyRule) DeepCopyInto(out *PortDenyRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortDenyRule) DeepEqual added in v1.14.0

func (in *PortDenyRule) DeepEqual(other *PortDenyRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (PortDenyRule) GetPortProtocols added in v1.14.0

func (pd PortDenyRule) GetPortProtocols() []PortProtocol

GetPortProtocols returns the Ports field of the PortDenyRule.

func (*PortDenyRule) GetPortRule added in v1.14.0

func (pd *PortDenyRule) GetPortRule() *PortRule

GetPortRule returns nil, as a PortDenyRule carries no PortRule.

type PortDenyRules added in v1.14.0

type PortDenyRules []PortDenyRule

PortDenyRules is a slice of PortDenyRule.

func (PortDenyRules) DeepCopy added in v1.14.0

func (in PortDenyRules) DeepCopy() PortDenyRules

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortDenyRules.

func (PortDenyRules) DeepCopyInto added in v1.14.0

func (in PortDenyRules) DeepCopyInto(out *PortDenyRules)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortDenyRules) DeepEqual added in v1.14.0

func (in *PortDenyRules) DeepEqual(other *PortDenyRules) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (PortDenyRules) Iterate added in v1.14.0

func (pr PortDenyRules) Iterate(f func(pr Ports) error) error

Iterate iterates over all elements of PortDenyRules.

func (PortDenyRules) Len added in v1.14.0

func (pr PortDenyRules) Len() int

Len returns the length of the elements of PortDenyRules.

type PortProtocol

type PortProtocol struct {
	// Port is an L4 port number. For now the string will be strictly
	// parsed as a single uint16. In the future, this field may support
	// ranges in the form "1024-2048".
	// Port can also be a port name, which must contain at least one [a-z],
	// and may also contain [0-9] and '-' anywhere except adjacent to another
	// '-' or at the beginning or the end.
	//
	// +kubebuilder:validation:Pattern=`^(6553[0-5]|655[0-2][0-9]|65[0-4][0-9]{2}|6[0-4][0-9]{3}|[1-5][0-9]{4}|[0-9]{1,4})|([a-zA-Z0-9]-?)*[a-zA-Z](-?[a-zA-Z0-9])*$`
	Port string `json:"port"`

	// Protocol is the L4 protocol. If omitted or empty, any protocol
	// matches. Accepted values: "TCP", "UDP", "SCTP", "ANY"
	//
	// Matching on ICMP is not supported here; use the ICMPs field of the
	// rule (ICMPRules) instead.
	//
	// Named port specified for a container may narrow this down, but may not
	// contradict this.
	//
	// +kubebuilder:validation:Enum=TCP;UDP;SCTP;ANY
	// +kubebuilder:validation:Optional
	Protocol L4Proto `json:"protocol,omitempty"`
}

PortProtocol specifies an L4 port with an optional transport protocol

func (PortProtocol) Covers added in v1.6.0

func (p PortProtocol) Covers(other PortProtocol) bool

Covers returns true if the ports and protocol specified in the received PortProtocol are equal to or a superset of the ports and protocol in 'other'. Named ports only cover other named ports with exactly the same name.

func (*PortProtocol) DeepCopy added in v1.5.0

func (in *PortProtocol) DeepCopy() *PortProtocol

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortProtocol.

func (*PortProtocol) DeepCopyInto added in v1.5.0

func (in *PortProtocol) DeepCopyInto(out *PortProtocol)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortProtocol) DeepEqual added in v1.14.0

func (in *PortProtocol) DeepEqual(other *PortProtocol) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type PortRule

type PortRule struct {
	// Ports is a list of L4 port/protocol
	//
	// +kubebuilder:validation:Optional
	Ports []PortProtocol `json:"ports,omitempty"`

	// TerminatingTLS is the TLS context for the connection terminated by
	// the L7 proxy.  For egress policy this specifies the server-side TLS
	// parameters to be applied on the connections originated from the local
	// endpoint and terminated by the L7 proxy. For ingress policy this specifies
	// the server-side TLS parameters to be applied on the connections
	// originated from a remote source and terminated by the L7 proxy.
	//
	// +kubebuilder:validation:Optional
	TerminatingTLS *TLSContext `json:"terminatingTLS,omitempty"`

	// OriginatingTLS is the TLS context for the connections originated by
	// the L7 proxy.  For egress policy this specifies the client-side TLS
	// parameters for the upstream connection originating from the L7 proxy
	// to the remote destination. For ingress policy this specifies the
	// client-side TLS parameters for the connection from the L7 proxy to
	// the local endpoint.
	//
	// +kubebuilder:validation:Optional
	OriginatingTLS *TLSContext `json:"originatingTLS,omitempty"`

	// ServerNames is a list of allowed TLS SNI values. If not empty, then
	// TLS must be present and one of the provided SNIs must be indicated in the
	// TLS handshake.
	//
	// +kubebuilder:validation:Optional
	ServerNames []string `json:"serverNames,omitempty"`

	// Listener specifies the name of a custom Envoy listener to which this
	// traffic should be redirected.
	//
	// +kubebuilder:validation:Optional
	Listener *Listener `json:"listener,omitempty"`

	// Rules is a list of additional port level rules which must be met in
	// order for the PortRule to allow the traffic. If omitted or empty,
	// no layer 7 rules are enforced.
	//
	// +kubebuilder:validation:Optional
	Rules *L7Rules `json:"rules,omitempty"`
}

PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.

func (*PortRule) DeepCopy added in v1.5.0

func (in *PortRule) DeepCopy() *PortRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRule.

func (*PortRule) DeepCopyInto added in v1.5.0

func (in *PortRule) DeepCopyInto(out *PortRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortRule) DeepEqual added in v1.14.0

func (in *PortRule) DeepEqual(other *PortRule) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (PortRule) GetPortProtocols added in v1.14.0

func (pd PortRule) GetPortProtocols() []PortProtocol

GetPortProtocols returns the Ports field of the PortRule.

func (*PortRule) GetPortRule added in v1.14.0

func (pd *PortRule) GetPortRule() *PortRule

GetPortRule returns the PortRule.

type PortRuleDNS added in v1.5.0

type PortRuleDNS FQDNSelector

PortRuleDNS is a list of allowed DNS lookups.

func (*PortRuleDNS) DeepCopy added in v1.5.0

func (in *PortRuleDNS) DeepCopy() *PortRuleDNS

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRuleDNS.

func (*PortRuleDNS) DeepCopyInto added in v1.5.0

func (in *PortRuleDNS) DeepCopyInto(out *PortRuleDNS)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortRuleDNS) DeepEqual added in v1.14.0

func (in *PortRuleDNS) DeepEqual(other *PortRuleDNS) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*PortRuleDNS) Equal added in v1.5.0

func (d *PortRuleDNS) Equal(o PortRuleDNS) bool

Equal returns true if both rules are equal

func (*PortRuleDNS) Exists added in v1.5.0

func (d *PortRuleDNS) Exists(rules L7Rules) bool

Exists returns true if the DNS rule already exists in the list of rules

func (*PortRuleDNS) Sanitize added in v1.5.0

func (r *PortRuleDNS) Sanitize() error

Sanitize checks that the matchName in the portRule can be compiled as a regex. It does not check that a DNS name is a valid DNS name.

type PortRuleHTTP

type PortRuleHTTP struct {
	// Path is an extended POSIX regex matched against the path of a
	// request. Currently it can contain characters disallowed from the
	// conventional "path" part of a URL as defined by RFC 3986.
	//
	// If omitted or empty, all paths are allowed.
	//
	// +kubebuilder:validation:Optional
	Path string `json:"path,omitempty"`

	// Method is an extended POSIX regex matched against the method of a
	// request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...
	//
	// If omitted or empty, all methods are allowed.
	//
	// +kubebuilder:validation:Optional
	Method string `json:"method,omitempty"`

	// Host is an extended POSIX regex matched against the host header of a
	// request, e.g. "foo.com"
	//
	// If omitted or empty, the value of the host header is ignored.
	//
	// +kubebuilder:validation:Format=idn-hostname
	// +kubebuilder:validation:Optional
	Host string `json:"host,omitempty"`

	// Headers is a list of HTTP headers which must be present in the
	// request. If omitted or empty, requests are allowed regardless of
	// headers present.
	//
	// +kubebuilder:validation:Optional
	Headers []string `json:"headers,omitempty"`

	// HeaderMatches is a list of HTTP headers which must be
	// present and match against the given values. Mismatch field can be used
	// to specify what to do when there is no match.
	//
	// +kubebuilder:validation:Optional
	HeaderMatches []*HeaderMatch `json:"headerMatches,omitempty"`
}

PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect.

All fields of this type are extended POSIX regexes as defined by IEEE Std 1003.1 (i.e. this follows the egrep/unix syntax, not the perl syntax), matched against the respective part of an incoming request. Currently they can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.

func (*PortRuleHTTP) DeepCopy added in v1.5.0

func (in *PortRuleHTTP) DeepCopy() *PortRuleHTTP

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRuleHTTP.

func (*PortRuleHTTP) DeepCopyInto added in v1.5.0

func (in *PortRuleHTTP) DeepCopyInto(out *PortRuleHTTP)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortRuleHTTP) DeepEqual added in v1.14.0

func (in *PortRuleHTTP) DeepEqual(other *PortRuleHTTP) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*PortRuleHTTP) Equal added in v1.5.0

func (h *PortRuleHTTP) Equal(o PortRuleHTTP) bool

Equal returns true if both HTTP rules are equal

func (*PortRuleHTTP) Exists added in v1.5.0

func (h *PortRuleHTTP) Exists(rules L7Rules) bool

Exists returns true if the HTTP rule already exists in the list of rules

func (*PortRuleHTTP) Sanitize added in v1.5.0

func (h *PortRuleHTTP) Sanitize() error

Sanitize sanitizes HTTP rules. It ensures that the path and method fields are valid regular expressions. Note that the proxy may support a wider range of regular expressions (e.g. that specified by ECMAScript), so this function may return some false positives. If the rule is invalid, it returns an error.

type PortRuleL7 added in v1.5.0

type PortRuleL7 map[string]string

PortRuleL7 is a list of key-value pairs interpreted by an L7 protocol as protocol constraints. All fields are optional; if all fields are empty or missing, the rule does not have any effect.

func (PortRuleL7) DeepCopy added in v1.5.0

func (in PortRuleL7) DeepCopy() PortRuleL7

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRuleL7.

func (PortRuleL7) DeepCopyInto added in v1.5.0

func (in PortRuleL7) DeepCopyInto(out *PortRuleL7)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortRuleL7) DeepEqual added in v1.14.0

func (in *PortRuleL7) DeepEqual(other *PortRuleL7) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*PortRuleL7) Equal added in v1.5.0

func (h *PortRuleL7) Equal(o PortRuleL7) bool

Equal returns true if both L7 rules are equal

func (*PortRuleL7) Exists added in v1.5.0

func (h *PortRuleL7) Exists(rules L7Rules) bool

Exists returns true if the L7 rule already exists in the list of rules

func (*PortRuleL7) Sanitize added in v1.5.0

func (rule *PortRuleL7) Sanitize() error

Sanitize sanitizes key-value pair rules. It makes sure keys are present.

type PortRules added in v1.14.0

type PortRules []PortRule

PortRules is a slice of PortRule.

func (PortRules) DeepCopy added in v1.14.0

func (in PortRules) DeepCopy() PortRules

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRules.

func (PortRules) DeepCopyInto added in v1.14.0

func (in PortRules) DeepCopyInto(out *PortRules)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PortRules) DeepEqual added in v1.14.0

func (in *PortRules) DeepEqual(other *PortRules) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (PortRules) Iterate added in v1.14.0

func (pr PortRules) Iterate(f func(pr Ports) error) error

Iterate iterates over all elements of PortRules.

func (PortRules) Len added in v1.14.0

func (pr PortRules) Len() int

Len returns the length of the elements of PortRules.

type Ports added in v1.14.0

type Ports interface {
	// GetPortProtocols returns the slice of PortProtocol
	GetPortProtocols() []PortProtocol
	// GetPortRule returns a PortRule, if the implementation does not support
	// it, then returns nil.
	GetPortRule() *PortRule
}

Ports is an interface that should be used by all implementations of the PortProtocols.

type PortsIterator added in v1.14.0

type PortsIterator interface {
	Iterate(f func(pr Ports) error) error
	Len() int
}

PortsIterator is an interface that should be implemented by structures that can iterate over a list of Ports interfaces.

type Rule

type Rule struct {
	// EndpointSelector selects all endpoints which should be subject to
	// this rule. EndpointSelector and NodeSelector cannot be both empty and
	// are mutually exclusive.
	//
	// +kubebuilder:validation:OneOf
	EndpointSelector EndpointSelector `json:"endpointSelector,omitempty"`

	// NodeSelector selects all nodes which should be subject to this rule.
	// EndpointSelector and NodeSelector cannot be both empty and are mutually
	// exclusive. Can only be used in CiliumClusterwideNetworkPolicies.
	//
	// +kubebuilder:validation:OneOf
	NodeSelector EndpointSelector `json:"nodeSelector,omitempty"`

	// Ingress is a list of IngressRule which are enforced at ingress.
	// If omitted or empty, this rule does not apply at ingress.
	//
	// +kubebuilder:validation:Optional
	Ingress []IngressRule `json:"ingress,omitempty"`

	// IngressDeny is a list of IngressDenyRule which are enforced at ingress.
	// Any rule inserted here will be denied regardless of the allowed ingress
	// rules in the 'ingress' field.
	// If omitted or empty, this rule does not apply at ingress.
	//
	// +kubebuilder:validation:Optional
	IngressDeny []IngressDenyRule `json:"ingressDeny,omitempty"`

	// Egress is a list of EgressRule which are enforced at egress.
	// If omitted or empty, this rule does not apply at egress.
	//
	// +kubebuilder:validation:Optional
	Egress []EgressRule `json:"egress,omitempty"`

	// EgressDeny is a list of EgressDenyRule which are enforced at egress.
	// Any rule inserted here will be denied regardless of the allowed egress
	// rules in the 'egress' field.
	// If omitted or empty, this rule does not apply at egress.
	//
	// +kubebuilder:validation:Optional
	EgressDeny []EgressDenyRule `json:"egressDeny,omitempty"`

	// Labels is a list of optional strings which can be used to
	// re-identify the rule or to store metadata. It is possible to lookup
	// or delete strings based on labels. Labels are not required to be
	// unique, multiple rules can have overlapping or identical labels.
	//
	// +kubebuilder:validation:Optional
	Labels labels.LabelArray `json:"labels,omitempty"`

	// Description is a free form string, it can be used by the creator of
	// the rule to store human readable explanation of the purpose of this
	// rule. Rules cannot be identified by comment.
	//
	// +kubebuilder:validation:Optional
	Description string `json:"description,omitempty"`
}

Rule is a policy rule which must be applied to all endpoints which match the labels contained in the endpointSelector.

Each rule is split into an ingress section which contains all rules applicable at ingress, and an egress section applicable at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both ingress and egress, both ingress and egress side have to either specifically allow the connection or one side has to be omitted.

Either ingress, egress, or both can be provided. If both ingress and egress are omitted, the rule has no effect.

+deepequal-gen:private-method=true

func NewRule added in v1.5.0

func NewRule() *Rule

NewRule builds a new rule with no selector and no policy.

func (*Rule) CreateDerivative added in v1.5.0

func (r *Rule) CreateDerivative(ctx context.Context) (*Rule, error)

CreateDerivative returns a new Rule whose data is gathered by the rules that autogenerate a new Rule.

func (*Rule) DeepCopy added in v1.5.0

func (in *Rule) DeepCopy() *Rule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.

func (*Rule) DeepCopyInto added in v1.5.0

func (in *Rule) DeepCopyInto(out *Rule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Rule) DeepEqual added in v1.14.0

func (r *Rule) DeepEqual(o *Rule) bool

func (*Rule) MarshalJSON added in v1.14.0

func (r *Rule) MarshalJSON() ([]byte, error)

MarshalJSON returns the JSON encoding of Rule r. We need to overwrite it to enforce omitempty on the EndpointSelector nested structures.

func (*Rule) RequiresDerivative added in v1.5.0

func (r *Rule) RequiresDerivative() bool

RequiresDerivative returns true if the rule has a derivative rule.

func (Rule) Sanitize added in v1.5.0

func (r Rule) Sanitize() error

Sanitize validates and sanitizes a policy rule. Minor edits such as capitalization of the protocol name are automatically fixed up. More fundamental violations will cause an error to be returned.

func (*Rule) WithDescription added in v1.5.0

func (r *Rule) WithDescription(desc string) *Rule

WithDescription configures the Rule with the specified description metadata.

func (*Rule) WithEgressDenyRules added in v1.14.0

func (r *Rule) WithEgressDenyRules(rules []EgressDenyRule) *Rule

WithEgressDenyRules configures the Rule with the specified rules.

func (*Rule) WithEgressRules added in v1.5.0

func (r *Rule) WithEgressRules(rules []EgressRule) *Rule

WithEgressRules configures the Rule with the specified rules.

func (*Rule) WithEndpointSelector added in v1.5.0

func (r *Rule) WithEndpointSelector(es EndpointSelector) *Rule

WithEndpointSelector configures the Rule with the specified selector.

func (*Rule) WithIngressDenyRules added in v1.14.0

func (r *Rule) WithIngressDenyRules(rules []IngressDenyRule) *Rule

WithIngressDenyRules configures the Rule with the specified rules.

func (*Rule) WithIngressRules added in v1.5.0

func (r *Rule) WithIngressRules(rules []IngressRule) *Rule

WithIngressRules configures the Rule with the specified rules.

func (*Rule) WithLabels added in v1.5.0

func (r *Rule) WithLabels(labels labels.LabelArray) *Rule

WithLabels configures the Rule with the specified labels metadata.

type Rules

type Rules []*Rule

Rules is a collection of api.Rule.

All rules must be evaluated in order to come to a conclusion. While it is sufficient to have a single fromEndpoints rule match, none of the fromRequires may be violated at the same time.

+deepequal-gen:private-method=true

func (Rules) DeepCopy added in v1.5.0

func (in Rules) DeepCopy() Rules

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rules.

func (Rules) DeepCopyInto added in v1.5.0

func (in Rules) DeepCopyInto(out *Rules)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Rules) DeepEqual added in v1.14.0

func (rs *Rules) DeepEqual(other *Rules) bool

DeepEqual is a deepequal function, deeply comparing the receiver with other. The receiver must be non-nil.

func (Rules) String added in v1.5.0

func (rs Rules) String() string

type Secret added in v1.14.0

type Secret struct {
	// Namespace is the namespace in which the secret exists. Context of use
	// determines the default value if left out (e.g., "default").
	//
	// +kubebuilder:validation:Optional
	Namespace string `json:"namespace,omitempty"`

	// Name is the name of the secret.
	//
	// +kubebuilder:validation:Required
	Name string `json:"name"`
}

Secret is a reference to a secret, backed by k8s or local file system.

func (*Secret) DeepCopy added in v1.14.0

func (in *Secret) DeepCopy() *Secret

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Secret.

func (*Secret) DeepCopyInto added in v1.14.0

func (in *Secret) DeepCopyInto(out *Secret)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Secret) DeepEqual added in v1.14.0

func (in *Secret) DeepEqual(other *Secret) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*Secret) Equal added in v1.14.0

func (a *Secret) Equal(b *Secret) bool

Equal returns true if both Secrets are equal

type Service added in v1.5.0

type Service struct {
	// K8sServiceSelector selects services by k8s labels and namespace
	K8sServiceSelector *K8sServiceSelectorNamespace `json:"k8sServiceSelector,omitempty"`
	// K8sService selects service by name and namespace pair
	K8sService *K8sServiceNamespace `json:"k8sService,omitempty"`
}

Service wraps around selectors for services.

func (*Service) DeepCopy added in v1.5.0

func (in *Service) DeepCopy() *Service

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Service.

func (*Service) DeepCopyInto added in v1.5.0

func (in *Service) DeepCopyInto(out *Service)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Service) DeepEqual added in v1.14.0

func (in *Service) DeepEqual(other *Service) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type ServiceSelector added in v1.5.0

type ServiceSelector EndpointSelector

ServiceSelector is a label selector for k8s services.

func (*ServiceSelector) DeepCopy added in v1.5.0

func (in *ServiceSelector) DeepCopy() *ServiceSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceSelector.

func (*ServiceSelector) DeepCopyInto added in v1.5.0

func (in *ServiceSelector) DeepCopyInto(out *ServiceSelector)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ServiceSelector) DeepEqual added in v1.14.0

func (in *ServiceSelector) DeepEqual(other *ServiceSelector) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type TLSContext added in v1.14.0

type TLSContext struct {
	// Secret is the secret that contains the certificates and private key for
	// the TLS context.
	// By default, Cilium will search in this secret for the following items:
	//  - 'ca.crt'  - Which represents the trusted CA to verify remote source.
	//  - 'tls.crt' - Which represents the public key certificate.
	//  - 'tls.key' - Which represents the private key matching the public key
	//                certificate.
	//
	// +kubebuilder:validation:Required
	Secret *Secret `json:"secret"`

	// TrustedCA is the file name or k8s secret item name for the trusted CA.
	// If omitted, 'ca.crt' is assumed, if it exists. If given, the item must
	// exist.
	//
	// +kubebuilder:validation:Optional
	TrustedCA string `json:"trustedCA,omitempty"`

	// Certificate is the file name or k8s secret item name for the certificate
	// chain. If omitted, 'tls.crt' is assumed, if it exists. If given, the
	// item must exist.
	//
	// +kubebuilder:validation:Optional
	Certificate string `json:"certificate,omitempty"`

	// PrivateKey is the file name or k8s secret item name for the private key
	// matching the certificate chain. If omitted, 'tls.key' is assumed, if it
	// exists. If given, the item must exist.
	//
	// +kubebuilder:validation:Optional
	PrivateKey string `json:"privateKey,omitempty"`
}

TLSContext provides TLS configuration via reference to either k8s secrets or via filepath. If both are set, directory is given priority over k8sSecrets.

func (*TLSContext) DeepCopy added in v1.14.0

func (in *TLSContext) DeepCopy() *TLSContext

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new TLSContext.

func (*TLSContext) DeepCopyInto added in v1.14.0

func (in *TLSContext) DeepCopyInto(out *TLSContext)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*TLSContext) DeepEqual added in v1.14.0

func (in *TLSContext) DeepEqual(other *TLSContext) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

type ToGroups added in v1.5.0

type ToGroups struct {
	AWS *AWSGroup `json:"aws,omitempty"`
}

ToGroups is a structure that stores all kinds of new integrations that need a new derivative policy.

func (*ToGroups) DeepCopy added in v1.5.0

func (in *ToGroups) DeepCopy() *ToGroups

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ToGroups.

func (*ToGroups) DeepCopyInto added in v1.5.0

func (in *ToGroups) DeepCopyInto(out *ToGroups)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ToGroups) DeepEqual added in v1.14.0

func (in *ToGroups) DeepEqual(other *ToGroups) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*ToGroups) GetCidrSet added in v1.5.0

func (group *ToGroups) GetCidrSet(ctx context.Context) ([]CIDRRule, error)

GetCidrSet returns the CIDRRules for the rule using the callbacks that are registered in the platform.

Directories

Path Synopsis
Package kafka defines the Kafka API of the Cilium network policy interface +groupName=policy
