ipcache

package
v1.14.1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 14, 2023 License: Apache-2.0 Imports: 32 Imported by: 0

Documentation

Overview

Package ipcache provides a local cache of the mapping of IPs of endpoints managed by Cilium to their corresponding security identities.

Index

Constants

View Source
const (
	// DefaultAddressSpace is the address space used if none is provided.
	// TODO - once pkg/node adds this to clusterConfiguration, remove.
	DefaultAddressSpace = "default"
)

Variables

View Source
var (
	// IPIdentitiesPath is the path to where endpoint IPs are stored in the key-value
	// store.
	IPIdentitiesPath = path.Join(kvstore.BaseKeyPrefix, "state", "ip", "v1")

	// AddressSpace is the address space (cluster, etc.) in which policy is
	// computed. It is determined by the orchestration system / runtime.
	AddressSpace = DefaultAddressSpace
)
View Source
var (
	// ErrLocalIdentityAllocatorUninitialized is an error that's returned when
	// the local identity allocator is uninitialized.
	ErrLocalIdentityAllocatorUninitialized = errors.New("local identity allocator uninitialized")

	LabelInjectorName = "ipcache-inject-labels"
)

Functions

func DeleteIPFromKVStore

func DeleteIPFromKVStore(ctx context.Context, ip string) error

DeleteIPFromKVStore removes the IP->Identity mapping for the specified ip from the kvstore, which will subsequently trigger an event in NewIPIdentityWatcher().

func UpsertIPToKVStore

func UpsertIPToKVStore(ctx context.Context, IP, hostIP net.IP, ID identity.NumericIdentity, key uint8,
	metadata, k8sNamespace, k8sPodName string, npm types.NamedPortMap) error

UpsertIPToKVStore updates / inserts the provided IP->Identity mapping into the kvstore, which will subsequently trigger an event in NewIPIdentityWatcher().

func WaitForKVStoreSync added in v1.6.0

func WaitForKVStoreSync()

WaitForKVStoreSync waits until the ipcache has been synchronized from the kvstore

Types

type CacheModification

type CacheModification string

CacheModification represents the type of operation performed upon IPCache.

const (
	// Upsert represents Upsertion into IPCache.
	Upsert CacheModification = "Upsert"

	// Delete represents deletion of an entry in IPCache.
	Delete CacheModification = "Delete"
)

type Configuration added in v1.14.0

type Configuration struct {
	context.Context
	// Accessors to other subsystems, provided by the daemon
	cache.IdentityAllocator
	ipcacheTypes.PolicyHandler
	ipcacheTypes.DatapathHandler
	ipcacheTypes.NodeHandler
	k8s.CacheStatus
}

Configuration is init-time configuration for the IPCache.

type ErrInvalidIP added in v1.14.0

type ErrInvalidIP struct {
	// contains filtered or unexported fields
}

ErrInvalidIP represents an error of an invalid IP.

func NewErrInvalidIP added in v1.14.0

func NewErrInvalidIP(ip string) *ErrInvalidIP

NewErrInvalidIP returns a new ErrInvalidIP.

func (ErrInvalidIP) Error added in v1.14.0

func (e ErrInvalidIP) Error() string

func (*ErrInvalidIP) Is added in v1.14.0

func (e *ErrInvalidIP) Is(target error) bool

type ErrOverwrite added in v1.14.0

type ErrOverwrite struct {
	ExistingSrc source.Source
	NewSrc      source.Source
}

ErrOverwrite represents an overwrite error where functions return the error to indicate the new source can't overwrite existing source.

func NewErrOverwrite added in v1.14.0

func NewErrOverwrite(existing, new source.Source) *ErrOverwrite

NewErrOverwrite returns a new ErrOverwrite.

func (ErrOverwrite) Error added in v1.14.0

func (e ErrOverwrite) Error() string

func (*ErrOverwrite) Is added in v1.14.0

func (e *ErrOverwrite) Is(target error) bool

type IPCache

type IPCache struct {

	// Configuration provides pointers towards other agent components that
	// the IPCache relies upon at runtime.
	*Configuration
	// contains filtered or unexported fields
}

IPCache is a collection of mappings:

  • mapping of endpoint IP or CIDR to security identities of all endpoints which are part of the same cluster, and vice-versa
  • mapping of endpoint IP or CIDR to host IP (maybe nil)

func NewIPCache

func NewIPCache(c *Configuration) *IPCache

NewIPCache returns a new IPCache with the mappings of endpoint IP to security identity (and vice-versa) initialized.

func (*IPCache) AddListener added in v1.6.0

func (ipc *IPCache) AddListener(listener IPIdentityMappingListener)

AddListener adds a listener for this IPCache.

func (*IPCache) AllocateCIDRs added in v1.14.0

func (ipc *IPCache) AllocateCIDRs(
	prefixes []netip.Prefix, oldNIDs []identity.NumericIdentity, newlyAllocatedIdentities map[netip.Prefix]*identity.Identity,
) ([]*identity.Identity, error)

AllocateCIDRs attempts to allocate identities for a list of CIDRs. If any allocation fails, all allocations are rolled back and the error is returned. When an identity is freshly allocated for a CIDR, it is added to the ipcache if 'newlyAllocatedIdentities' is 'nil', otherwise the newly allocated identities are placed in 'newlyAllocatedIdentities' and it is the caller's responsibility to upsert them into ipcache by calling UpsertGeneratedIdentities().

Previously used numeric identities for the given prefixes may be passed in as the 'oldNIDs' parameter; nil slice must be passed if no previous numeric identities exist. Previously used NID is allocated if still available. Non-availability is not an error.

Upon success, the caller must also arrange for the resulting identities to be released via a subsequent call to ReleaseCIDRIdentitiesByCIDR().

func (*IPCache) AllocateCIDRsForIPs added in v1.14.0

func (ipc *IPCache) AllocateCIDRsForIPs(
	prefixes []net.IP, newlyAllocatedIdentities map[netip.Prefix]*identity.Identity,
) ([]*identity.Identity, error)

AllocateCIDRsForIPs performs the same action as AllocateCIDRs but for IP addresses instead of CIDRs.

Upon success, the caller must also arrange for the resulting identities to be released via a subsequent call to ReleaseCIDRIdentitiesByID().

func (*IPCache) Delete

func (ipc *IPCache) Delete(IP string, source source.Source) (namedPortsChanged bool)

Delete removes the provided IP-to-security-identity mapping from the IPCache.

func (*IPCache) DeleteOnMetadataMatch added in v1.14.0

func (ipc *IPCache) DeleteOnMetadataMatch(IP string, source source.Source, namespace, name string) (namedPortsChanged bool)

DeleteOnMetadataMatch removes the provided IP to security identity mapping from the IPCache if the metadata cache holds the same "owner" metadata as the triggering pod event.

func (*IPCache) DumpToListener added in v1.14.0

func (ipc *IPCache) DumpToListener(listener IPIdentityMappingListener)

DumpToListener dumps the entire contents of the IPCache by triggering the listener's "OnIPIdentityCacheChange" method for each entry in the cache.

func (*IPCache) DumpToListenerLocked

func (ipc *IPCache) DumpToListenerLocked(listener IPIdentityMappingListener)

DumpToListenerLocked dumps the entire contents of the IPCache by triggering the listener's "OnIPIdentityCacheChange" method for each entry in the cache. The caller *MUST* grab the IPCache.Lock for reading before calling this function.

func (*IPCache) ForEachListener added in v1.14.0

func (ipc *IPCache) ForEachListener(f func(listener IPIdentityMappingListener))

func (*IPCache) GetHostIP added in v1.14.0

func (ipc *IPCache) GetHostIP(ip string) net.IP

GetHostIP returns the host IP for the given IP address.

func (*IPCache) GetIDMetadataByIP added in v1.14.0

func (ipc *IPCache) GetIDMetadataByIP(addr netip.Addr) labels.Labels

GetIDMetadataByIP returns the associated labels with an IP. The caller must not modifying the returned object as it's a live reference to the underlying map.

func (*IPCache) GetK8sMetadata added in v1.14.0

func (ipc *IPCache) GetK8sMetadata(ip string) *K8sMetadata

GetK8sMetadata returns Kubernetes metadata for the given IP address. The returned pointer should *never* be modified.

func (*IPCache) GetNamedPorts added in v1.14.0

func (ipc *IPCache) GetNamedPorts() (npm types.NamedPortMultiMap)

GetNamedPorts returns a copy of the named ports map. May return nil.

func (*IPCache) InitIPIdentityWatcher added in v1.14.0

func (ipc *IPCache) InitIPIdentityWatcher(ctx context.Context)

InitIPIdentityWatcher initializes the watcher for ip-identity mapping events in the key-value store.

func (*IPCache) InjectLabels added in v1.14.0

func (ipc *IPCache) InjectLabels(ctx context.Context, modifiedPrefixes []netip.Prefix) (remainingPrefixes []netip.Prefix, err error)

InjectLabels injects labels from the ipcache metadata (IDMD) map into the identities used for the prefixes in the IPCache. The given source is the source of the caller, as inserting into the IPCache requires knowing where this updated information comes from. Conversely, RemoveLabelsExcluded() performs the inverse: removes labels from the IDMD map and releases identities allocated by this function.

Note that as this function iterates through the IDMD, if it detects a change in labels for a given prefix, then this might allocate a new identity. If a prefix was previously associated with an identity, it will get deallocated, so a balance is kept, ensuring a one-to-one mapping between prefix and identity.

Returns the CIDRs that were not yet processed, for example due to an unexpected error while processing the identity updates for those CIDRs The caller should attempt to retry injecting labels for those CIDRs.

func (*IPCache) Lock

func (ipc *IPCache) Lock()

Lock locks the IPCache's mutex.

func (*IPCache) LookupByHostRLocked added in v1.14.0

func (ipc *IPCache) LookupByHostRLocked(hostIPv4, hostIPv6 net.IP) (cidrs []net.IPNet)

LookupByHostRLocked returns the list of IPs returns the set of IPs (endpoint or CIDR prefix) that have hostIPv4 or hostIPv6 associated as the host of the entry. Requires the caller to hold the RLock.

func (*IPCache) LookupByIP

func (ipc *IPCache) LookupByIP(IP string) (Identity, bool)

LookupByIP returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.

func (*IPCache) LookupByIPRLocked

func (ipc *IPCache) LookupByIPRLocked(IP string) (Identity, bool)

LookupByIPRLocked returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.

func (*IPCache) LookupByIdentity

func (ipc *IPCache) LookupByIdentity(id identity.NumericIdentity) (ips []string)

LookupByIdentity returns the set of IPs (endpoint or CIDR prefix) that have security identity ID, or nil if the entry does not exist.

func (*IPCache) LookupByPrefix

func (ipc *IPCache) LookupByPrefix(IP string) (Identity, bool)

LookupByPrefix returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.

func (*IPCache) LookupByPrefixRLocked

func (ipc *IPCache) LookupByPrefixRLocked(prefix string) (identity Identity, exists bool)

LookupByPrefixRLocked looks for either the specified CIDR prefix, or if the prefix is fully specified (ie, w.x.y.z/32 for IPv4), find the host for the identity in the provided IPCache, and returns the corresponding security identity as well as whether the entry exists in the IPCache.

func (*IPCache) OverrideIdentity added in v1.14.0

func (ipc *IPCache) OverrideIdentity(prefix netip.Prefix, identityLabels labels.Labels, src source.Source, resource ipcacheTypes.ResourceID)

OverrideIdentity overrides the identity for a given prefix in the IPCache metadata map. This is used when a resource indicates that this prefix already has a defined identity, and where any additional labels associated with the prefix are to be ignored. If multiple resources override the identity, a warning is emitted and only one of the override identities is used. This will trigger asynchronous calculation of any local identity changes that must occur to associate the specified labels with the prefix, and push any datapath updates necessary to implement the logic associated with the metadata currently associated with the 'prefix'.

func (*IPCache) RLock

func (ipc *IPCache) RLock()

RLock RLocks the IPCache's mutex.

func (*IPCache) RUnlock

func (ipc *IPCache) RUnlock()

RUnlock RUnlocks the IPCache's mutex.

func (*IPCache) ReleaseCIDRIdentitiesByCIDR added in v1.14.0

func (ipc *IPCache) ReleaseCIDRIdentitiesByCIDR(prefixes []netip.Prefix)

ReleaseCIDRIdentitiesByCIDR releases the identities of a list of CIDRs. When the last use of the identity is released, the ipcache entry is deleted.

func (*IPCache) ReleaseCIDRIdentitiesByID added in v1.14.0

func (ipc *IPCache) ReleaseCIDRIdentitiesByID(ctx context.Context, identities []identity.NumericIdentity)

ReleaseCIDRIdentitiesByID releases the specified identities. When the last use of the identity is released, the ipcache entry is deleted.

func (*IPCache) RemoveIdentityOverride added in v1.14.0

func (ipc *IPCache) RemoveIdentityOverride(cidr netip.Prefix, identityLabels labels.Labels, resource ipcacheTypes.ResourceID)

func (*IPCache) RemoveLabels added in v1.14.0

func (ipc *IPCache) RemoveLabels(cidr netip.Prefix, lbls labels.Labels, resource ipcacheTypes.ResourceID)

func (*IPCache) RemoveLabelsExcluded added in v1.14.0

func (ipc *IPCache) RemoveLabelsExcluded(
	lbls labels.Labels,
	toExclude map[netip.Prefix]struct{},
	rid types.ResourceID,
)

RemoveLabelsExcluded removes the given labels from all IPs inside the IDMD except for the IPs / prefixes inside the given excluded set.

The caller must subsequently call IPCache.TriggerLabelInjection() to push these changes down into the policy engine and ipcache datapath maps.

func (*IPCache) RemoveMetadata added in v1.14.0

func (ipc *IPCache) RemoveMetadata(prefix netip.Prefix, resource ipcacheTypes.ResourceID, aux ...IPMetadata)

func (*IPCache) SetListeners

func (ipc *IPCache) SetListeners(listeners []IPIdentityMappingListener)

SetListeners sets the listeners for this IPCache.

func (*IPCache) Shutdown added in v1.14.0

func (ipc *IPCache) Shutdown() error

Shutdown cleans up asynchronous routines associated with the IPCache.

func (*IPCache) ShutdownLabelInjection added in v1.14.0

func (ipc *IPCache) ShutdownLabelInjection() error

ShutdownLabelInjection shuts down the controller in TriggerLabelInjection().

func (*IPCache) TriggerLabelInjection added in v1.14.0

func (ipc *IPCache) TriggerLabelInjection()

TriggerLabelInjection triggers the label injection controller to iterate through the IDMD and potentially allocate new identities based on any label changes.

The following diagram describes the relationship between the label injector triggered here and the callers/callees.

+------------+  (1)        (1)  +-----------------------------+
| EP Watcher +-----+      +-----+ CN Watcher / Node Discovery |
+-----+------+   W |      | W   +------+----------------------+
      |            |      |            |
      |            v      v            |
      |            +------+            |
      |            | IDMD |            |
      |            +------+            |
      |               ^                |
      |               |                |
      |           (3) |R               |
      | (2)    +------+--------+   (2) |
      +------->|Label Injector |<------+
     Trigger   +-------+-------+ Trigger
	      (4) |W    (5) |W
	          |         |
	          v         v
	     +--------+   +---+
	     |Policy &|   |IPC|
	     |datapath|   +---+
	     +--------+
legend:
* W means write
* R means read

func (*IPCache) Unlock

func (ipc *IPCache) Unlock()

Unlock unlocks the IPCache's mutex.

func (*IPCache) UpdateController added in v1.14.0

func (ipc *IPCache) UpdateController(name string, params controller.ControllerParams)

Update a controller for this IPCache

func (*IPCache) UpdatePolicyMaps added in v1.14.0

func (ipc *IPCache) UpdatePolicyMaps(ctx context.Context, addedIdentities, deletedIdentities map[identity.NumericIdentity]labels.LabelArray)

UpdatePolicyMaps pushes updates for the specified identities into the policy engine and ensures that they are propagated into the underlying datapaths.

func (*IPCache) Upsert

func (ipc *IPCache) Upsert(ip string, hostIP net.IP, hostKey uint8, k8sMeta *K8sMetadata, newIdentity Identity) (namedPortsChanged bool, err error)

Upsert adds / updates the provided IP (endpoint or CIDR prefix) and identity into the IPCache.

Returns an error if the entry is not owned by the self declared source, i.e. returns error if the kubernetes layer is trying to upsert an entry now managed by the kvstore layer or if 'ip' is invalid. See source.AllowOverwrite() for rules on ownership. hostIP is the location of the given IP. It is optional (may be nil) and is propagated to the listeners. k8sMeta contains Kubernetes-specific metadata such as pod namespace and pod name belonging to the IP (may be nil).

func (*IPCache) UpsertGeneratedIdentities added in v1.14.0

func (ipc *IPCache) UpsertGeneratedIdentities(newlyAllocatedIdentities map[netip.Prefix]*identity.Identity, usedIdentities []*identity.Identity)

UpsertGeneratedIdentities unconditionally upserts 'newlyAllocatedIdentities' into the ipcache, then also upserts any CIDR identities in 'usedIdentities' that were not already upserted. If any 'usedIdentities' are upserted, these are counted separately as they may provide an indication of another logic error elsewhere in the codebase that is causing premature ipcache deletions.

func (*IPCache) UpsertLabels added in v1.14.0

func (ipc *IPCache) UpsertLabels(prefix netip.Prefix, lbls labels.Labels, src source.Source, resource ipcacheTypes.ResourceID)

UpsertLabels upserts a given IP and its corresponding labels associated with it into the ipcache metadata map. The given labels are not modified nor is its reference saved, as they're copied when inserting into the map. This will trigger asynchronous calculation of any local identity changes that must occur to associate the specified labels with the prefix, and push any datapath updates necessary to implement the logic associated with the metadata currently associated with the 'prefix'.

func (*IPCache) UpsertMetadata added in v1.14.0

func (ipc *IPCache) UpsertMetadata(prefix netip.Prefix, src source.Source, resource ipcacheTypes.ResourceID, aux ...IPMetadata)

UpsertMetadata upserts a given IP and some corresponding information into the ipcache metadata map. See IPMetadata for a list of types that are valid to pass into this function. This will trigger asynchronous calculation of any datapath updates necessary to implement the logic associated with the specified metadata.

type IPCacher added in v1.14.0

type IPCacher interface {
	Upsert(ip string, hostIP net.IP, hostKey uint8, k8sMeta *K8sMetadata, newIdentity Identity) (bool, error)
	ForEachListener(f func(listener IPIdentityMappingListener))
	Delete(IP string, source source.Source) (namedPortsChanged bool)
}

type IPIdentityMappingListener

type IPIdentityMappingListener interface {
	// OnIPIdentityCacheChange will be called whenever there the state of the
	// IPCache has changed. If an existing CIDR->ID mapping is updated, then
	// oldID is not nil; otherwise it is nil.
	// hostIP is the IP address of the location of the cidr.
	// hostIP is optional and may only be non-nil for an Upsert modification.
	// k8sMeta contains the Kubernetes pod namespace and name behind the IP
	// and may be nil.
	OnIPIdentityCacheChange(modType CacheModification, cidrCluster cmtypes.PrefixCluster, oldHostIP, newHostIP net.IP,
		oldID *Identity, newID Identity, encryptKey uint8, nodeID uint16, k8sMeta *K8sMetadata)

	// OnIPIdentityCacheGC will be called to sync other components which are
	// reliant upon the IPIdentityCache with the IPIdentityCache.
	OnIPIdentityCacheGC()
}

IPIdentityMappingListener represents a component that is interested in learning about IP to Identity mapping events.

type IPIdentityWatcher

type IPIdentityWatcher struct {
	// contains filtered or unexported fields
}

IPIdentityWatcher is a watcher that will notify when IP<->identity mappings change in the kvstore

func NewClusterIPIdentityWatcher added in v1.14.0

func NewClusterIPIdentityWatcher(clusterID uint32, ipc IPCacher, backend kvstore.BackendOperations) *IPIdentityWatcher

NewClusterIPIdentityWatcher creates a new IPIdentityWatcher using the specified kvstore backend. The difference between the watcher created by NewIPIdentityWatcher is that each IP <=> Identity mapping will be annotated with ClusterID. Thus, it can be used for watching the kvstore of the remote cluster with overlapping PodCIDR. Calling this function with clusterID = 0 is identical to calling NewIPIdentityWatcher.

func NewIPIdentityWatcher

func NewIPIdentityWatcher(ipc IPCacher, backend kvstore.BackendOperations) *IPIdentityWatcher

NewIPIdentityWatcher creates a new IPIdentityWatcher using the specified kvstore backend.

func (*IPIdentityWatcher) Close

func (iw *IPIdentityWatcher) Close()

Close stops the IPIdentityWatcher and causes Watch() to return

func (*IPIdentityWatcher) Watch

func (iw *IPIdentityWatcher) Watch(ctx context.Context)

Watch starts the watcher and blocks waiting for events. When events are received from the kvstore, All IPIdentityMappingListener are notified. The function returns when IPIdentityWatcher.Close() is called. The watcher will automatically restart as required.

type IPKeyPair

type IPKeyPair struct {
	IP  net.IP
	Key uint8
}

IPKeyPair is the (IP, key) pair used of the identity

type IPMetadata added in v1.14.0

type IPMetadata any

IPMetadata is an empty interface intended to inform developers using the IPCache interface about which types are valid to be injected, and how to update this code, in particular the merge(),unmerge(),isValid() methods below.

In an ideal world, we would use Constraints here but as of Go 1.18, these cannot be used in conjunction with methods, which is how the information gets injected into the IPCache.

type Identity

type Identity struct {
	// ID is the numeric identity
	ID identity.NumericIdentity

	// Source is the source of the identity in the cache
	Source source.Source
	// contains filtered or unexported fields
}

Identity is the identity representation of an IP<->Identity cache.

type K8sMetadata added in v1.14.0

type K8sMetadata struct {
	// Namespace is the Kubernetes namespace of the pod behind the IP
	Namespace string
	// PodName is the Kubernetes pod name behind the IP
	PodName string
	// NamedPorts is the set of named ports for the pod
	NamedPorts types.NamedPortMap
}

K8sMetadata contains Kubernetes pod information of the IP

func (*K8sMetadata) Equal added in v1.14.0

func (m *K8sMetadata) Equal(o *K8sMetadata) bool

Equal returns true if two K8sMetadata pointers contain the same data or are both nil.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL