endpoint

Published: Mar 4, 2020 License: Apache-2.0 Imports: 64 Imported by: 0

Documentation

Index

Constants

const (
	// The State* constants are the string forms of the API model's endpoint
	// states (models.EndpointState*), so the daemon and the API agree on the
	// spelling of each state.

	// StateCreating marks an endpoint that is being created.
	StateCreating = string(models.EndpointStateCreating)

	// StateWaitingForIdentity marks an endpoint that is waiting for an
	// identity from the KVStore.
	StateWaitingForIdentity = string(models.EndpointStateWaitingForIdentity)

	// StateReady marks an endpoint that is ready to be used.
	StateReady = string(models.EndpointStateReady)

	// StateWaitingToRegenerate marks an endpoint that needs to be regenerated,
	// but whose regeneration has not started yet.
	StateWaitingToRegenerate = string(models.EndpointStateWaitingToRegenerate)

	// StateRegenerating marks an endpoint that is being regenerated.
	StateRegenerating = string(models.EndpointStateRegenerating)

	// StateDisconnecting marks an endpoint that is being disconnected.
	StateDisconnecting = string(models.EndpointStateDisconnecting)

	// StateDisconnected marks an endpoint that has been disconnected.
	StateDisconnected = string(models.EndpointStateDisconnected)

	// StateRestoring marks an endpoint that is being restored.
	StateRestoring = string(models.EndpointStateRestoring)

	// IpvlanMapName is the name prefix of the egress tail call map used for an
	// endpoint in ipvlan mode; given the trailing underscore, a per-endpoint
	// suffix is presumably appended to form the full map name.
	IpvlanMapName = "cilium_lxc_ipve_"

	// HealthCEPPrefix is the prefix used to name the CiliumEndpoint (CEP)
	// resources of the cilium-health endpoints.
	HealthCEPPrefix = "cilium-health-"
)
const (
	// EndpointGenerationTimeout is the timeout applied to the proxy completion
	// context while an endpoint is generated; presumably proxy changes that
	// have not completed within it are reported as a failure of the build
	// (see WaitForProxyCompletions) — TODO confirm at the call site.
	EndpointGenerationTimeout = 330 * time.Second
)

Variables

var (
	// EndpointMutableOptionLibrary is the option library returned by
	// option.GetEndpointMutableOptionLibrary(). Judging by its name it
	// describes the endpoint options that may be changed at runtime; confirm
	// against the option package before relying on that.
	EndpointMutableOptionLibrary = option.GetEndpointMutableOptionLibrary()
)
var (
	// ErrNotAlive is the error indicating that the endpoint must not be
	// (read-)locked because it is currently being removed; it is presumably
	// what LockAlive and RLockAlive return in that situation.
	ErrNotAlive = errors.New("rlock failed: endpoint is in the process of being removed")
)
var (
	// Subsystem is the name of this package's subsystem; presumably it is the
	// value passed as the subsystem when obtaining a logger (see Logger).
	Subsystem = "endpoint"
)

Functions

func APICanModify added in v1.5.0

func APICanModify(e *Endpoint) error

APICanModify determines whether API requests from a user are allowed to modify this endpoint.

func FilterEPDir

func FilterEPDir(dirFiles []os.FileInfo) []string

FilterEPDir returns a list of directory names that possibly belong to an endpoint.

func OrderEndpointAsc

func OrderEndpointAsc(eps []*Endpoint)

OrderEndpointAsc orders the slice of Endpoint in ascending ID order.

func OrderEndpointModelAsc added in v1.5.0

func OrderEndpointModelAsc(eps []*models.Endpoint)

OrderEndpointModelAsc orders the slice of Endpoint in ascending ID order.

Types

type DatapathRegenerationLevel added in v1.5.0

// DatapathRegenerationLevel determines what is expected of the datapath when a
// regeneration event is processed; the RegenerateWith* constants enumerate the
// levels in increasing order of work required.
type DatapathRegenerationLevel int

DatapathRegenerationLevel determines what is expected of the datapath when a regeneration event is processed.

const (
	// RegenerateWithoutDatapath indicates that a datapath rebuild or reload
	// is not required to implement this regeneration.
	RegenerateWithoutDatapath DatapathRegenerationLevel = iota
	// RegenerateWithDatapathLoad indicates that the datapath must be
	// reloaded but not recompiled to implement this regeneration.
	RegenerateWithDatapathLoad
	// RegenerateWithDatapathRebuild indicates that the datapath must be
	// recompiled and reloaded to implement this regeneration.
	RegenerateWithDatapathRebuild
)

func (DatapathRegenerationLevel) String added in v1.5.0

func (r DatapathRegenerationLevel) String() string

String converts a DatapathRegenerationLevel into a human-readable string.

type DeleteConfig added in v1.5.0

type DeleteConfig struct {
	// NoIPRelease, when set, presumably makes LeaveLocked keep the endpoint's
	// IP addresses allocated instead of releasing them — confirm against the
	// callers.
	NoIPRelease       bool
	// NoIdentityRelease, when set, presumably makes LeaveLocked keep the
	// endpoint's security identity instead of releasing it; releasing an
	// identity depends on kvstore connectivity, which is the kind of cleanup
	// the restore path opts out of through this struct.
	NoIdentityRelease bool
}

DeleteConfig is the endpoint deletion configuration

type Endpoint

// Endpoint is serialized to JSON for the per-endpoint state file; fields
// tagged `json:"-"` are runtime-only and are neither written to nor restored
// from that file.
type Endpoint struct {
	// ID of the endpoint, unique in the scope of the node.
	ID uint16

	// ContainerName is the name given to the endpoint by the container runtime.
	ContainerName string

	// ContainerID is the container ID that docker has assigned to the endpoint.
	// Note: The JSON tag was kept for backward compatibility.
	ContainerID string `json:"dockerID,omitempty"`

	// DockerNetworkID is the network ID of the libnetwork network if the
	// endpoint is a docker managed container which uses libnetwork.
	DockerNetworkID string

	// DockerEndpointID is the Docker network endpoint ID if managed by
	// libnetwork.
	DockerEndpointID string

	// DatapathMapID is the BPF map identifier of the tail call map of the
	// ipvlan datapath (see PinDatapathMap).
	DatapathMapID int

	// IfName is the name of the host facing interface (veth pair) which
	// connects into the endpoint.
	IfName string

	// IfIndex is the interface index of the host facing interface (veth pair).
	IfIndex int

	// OpLabels is the endpoint's label configuration.
	//
	// FIXME: Rename this field to Labels
	OpLabels pkgLabels.OpLabels

	// LXCMAC is the MAC address of the endpoint (the container side).
	//
	// FIXME: Rename this field to MAC
	LXCMAC mac.MAC // Container MAC address.

	// IPv6 is the IPv6 address of the endpoint.
	IPv6 addressing.CiliumIPv6

	// IPv4 is the IPv4 address of the endpoint.
	IPv4 addressing.CiliumIPv4

	// NodeMAC is the MAC of the node (agent) as seen from this endpoint. The
	// MAC is different for every endpoint.
	NodeMAC mac.MAC

	// SecurityIdentity is the security identity of this endpoint. It is
	// computed from the endpoint's labels. The JSON name "SecLabel" is the
	// historical one and is kept so existing state files stay readable.
	SecurityIdentity *identityPkg.Identity `json:"SecLabel"`

	// PolicyMap is the policy related state of the datapath including a
	// reference to all policy related BPF maps. Runtime-only, not persisted.
	PolicyMap *policymap.PolicyMap `json:"-"`

	// Options determine the datapath configuration of the endpoint.
	Options *option.IntOptions

	// Status holds the last n state transitions this endpoint went through.
	Status *EndpointStatus

	// DNSHistory is the collection of still-valid DNS responses intercepted for
	// this endpoint.
	DNSHistory *fqdn.DNSCache

	// K8sPodName is the Kubernetes pod name of the endpoint.
	K8sPodName string

	// K8sNamespace is the Kubernetes namespace of the endpoint.
	K8sNamespace string

	// BuildMutex synchronizes builds of individual endpoints and locks out
	// deletion during builds. Runtime-only, not persisted.
	//
	// FIXME: Mark private once endpoint deletion can be moved into
	// `pkg/endpoint`
	BuildMutex lock.Mutex `json:"-"`

	// EventQueue is the queue through which this endpoint's events (such as
	// EndpointRegenerationEvent and EndpointRevisionBumpEvent) are presumably
	// processed. Runtime-only, not persisted.
	EventQueue *eventqueue.EventQueue `json:"-"`

	// DeprecatedOpts represents the mutable options for the endpoint, in
	// the format understood by Cilium 1.1 or earlier.
	//
	// Deprecated: Use Options instead.
	DeprecatedOpts deprecatedOptions `json:"Opts"`
	// contains filtered or unexported fields
}

Endpoint represents a container or similar workload which can be individually addressed on L3 with its own IP addresses. This structure is managed by the endpoint manager in pkg/endpointmanager.

WARNING - STABLE API: this structure is written as JSON to StateDir/{ID}/lxc_config.h so that endpoints can be restored when the agent is restarted. The restore operation reads the file and re-creates all endpoints from every field that is not marked as private to the JSON marshaller. Do NOT modify this structure in ways that are not JSON forward-compatible.

func NewEndpointFromChangeModel

func NewEndpointFromChangeModel(base *models.EndpointChangeRequest) (*Endpoint, error)

NewEndpointFromChangeModel creates a new endpoint from a request

func NewEndpointWithState added in v1.5.0

func NewEndpointWithState(ID uint16, state string) *Endpoint

NewEndpointWithState creates a new endpoint useful for testing purposes

func ParseEndpoint

func ParseEndpoint(strEp string) (*Endpoint, error)

ParseEndpoint parses the given strEp which is in the form of: common.CiliumCHeaderPrefix + common.Version + ":" + endpointBase64

func (*Endpoint) Allows

func (e *Endpoint) Allows(id identityPkg.NumericIdentity) bool

func (*Endpoint) BPFConfigMapPath added in v1.5.0

func (e *Endpoint) BPFConfigMapPath() string

BPFConfigMapPath returns the path to the BPF config map of endpoint.

func (*Endpoint) BPFIpvlanMapPath added in v1.5.0

func (e *Endpoint) BPFIpvlanMapPath() string

BPFIpvlanMapPath returns the path to the ipvlan tail call map of an endpoint.

func (*Endpoint) BuilderSetStateLocked added in v1.5.0

func (e *Endpoint) BuilderSetStateLocked(toState, reason string) bool

BuilderSetStateLocked modifies the endpoint's state. endpoint.Mutex must be held and the endpoint's BuildMutex must be held!

func (*Endpoint) CallsMapPathLocked added in v0.9.0

func (e *Endpoint) CallsMapPathLocked() string

CallsMapPathLocked returns the path to cilium tail calls map of an endpoint.

func (*Endpoint) CloseBPFProgramChannel added in v1.5.0

func (e *Endpoint) CloseBPFProgramChannel()

CloseBPFProgramChannel closes the channel that signals whether the endpoint has had its BPF program compiled. If the channel is already closed, this is a no-op.

func (*Endpoint) ConntrackLocal added in v1.5.0

func (e *Endpoint) ConntrackLocal() bool

ConntrackLocal determines whether this endpoint is currently using a local table to handle connection tracking (true), or the global table (false).

func (*Endpoint) ConntrackLocalLocked added in v1.5.0

func (e *Endpoint) ConntrackLocalLocked() bool

ConntrackLocalLocked is the same as ConntrackLocal, but assumes that the endpoint is already locked for reading.

func (*Endpoint) DeleteBPFProgramLocked added in v1.5.0

func (e *Endpoint) DeleteBPFProgramLocked() error

DeleteBPFProgramLocked deletes the BPF program associated with the endpoint's veth interface.

func (*Endpoint) DeleteMapsLocked added in v1.5.0

func (e *Endpoint) DeleteMapsLocked() []error

DeleteMapsLocked releases references to all BPF maps associated with this endpoint.

For each error that occurs while releasing these references, an error is added to the resulting error slice which is returned.

Returns nil on success.

func (*Endpoint) DirectoryPath

func (e *Endpoint) DirectoryPath() string

DirectoryPath returns the directory name for this endpoint bpf program.

func (*Endpoint) FailedDirectoryPath added in v1.5.0

func (e *Endpoint) FailedDirectoryPath() string

FailedDirectoryPath returns the directory name for this endpoint bpf program failed builds.

func (*Endpoint) ForcePolicyCompute added in v1.5.0

func (e *Endpoint) ForcePolicyCompute()

ForcePolicyCompute marks the endpoint for forced bpf regeneration.

func (*Endpoint) FormatGlobalEndpointID added in v1.5.0

func (e *Endpoint) FormatGlobalEndpointID() string

FormatGlobalEndpointID returns the global ID of the endpoint as a string in the format <global ID prefix>:<cluster name>:<node name>:<endpoint ID>.

func (*Endpoint) GetBPFKeys added in v0.10.0

func (e *Endpoint) GetBPFKeys() []*lxcmap.EndpointKey

GetBPFKeys returns all keys which should represent this endpoint in the BPF endpoints map

func (*Endpoint) GetBPFValue added in v0.10.0

func (e *Endpoint) GetBPFValue() (*lxcmap.EndpointInfo, error)

GetBPFValue returns the value which should represent this endpoint in the BPF endpoints map

func (*Endpoint) GetCIDRPrefixLengths added in v1.5.0

func (e *Endpoint) GetCIDRPrefixLengths() (s6, s4 []int)

GetCIDRPrefixLengths returns the sorted list of unique prefix lengths used for CIDR policy or IPcache lookup from this endpoint.

func (*Endpoint) GetCiliumEndpointStatus added in v1.5.0

func (e *Endpoint) GetCiliumEndpointStatus() *cilium_v2.EndpointStatus

GetCiliumEndpointStatus creates a cilium_v2.EndpointStatus of an endpoint. See cilium_v2.EndpointStatus for a detailed explanation of each field.

func (*Endpoint) GetContainerID added in v1.5.0

func (e *Endpoint) GetContainerID() string

GetContainerID returns the endpoint's container ID

func (*Endpoint) GetDockerNetworkID added in v1.5.0

func (e *Endpoint) GetDockerNetworkID() string

GetDockerNetworkID returns the endpoint's Docker network ID

func (*Endpoint) GetEgressPolicyEnabledLocked added in v1.5.0

func (e *Endpoint) GetEgressPolicyEnabledLocked() bool

GetEgressPolicyEnabledLocked returns whether egress policy enforcement is enabled for endpoint or not. The endpoint's mutex must be held.

func (*Endpoint) GetHealthModel added in v1.5.0

func (e *Endpoint) GetHealthModel() *models.EndpointHealth

GetHealthModel returns the endpoint's health object.

func (*Endpoint) GetID added in v0.10.0

func (e *Endpoint) GetID() uint64

GetID returns the endpoint's ID as a 64-bit unsigned integer.

func (*Endpoint) GetID16 added in v1.5.0

func (e *Endpoint) GetID16() uint16

GetID16 returns the endpoint's ID as a 16-bit unsigned integer.

func (*Endpoint) GetIPv4Address added in v0.10.0

func (e *Endpoint) GetIPv4Address() string

GetIPv4Address returns the IPv4 address of the endpoint as a string

func (*Endpoint) GetIPv6Address added in v0.10.0

func (e *Endpoint) GetIPv6Address() string

GetIPv6Address returns the IPv6 address of the endpoint as a string

func (*Endpoint) GetIdentity

func (e *Endpoint) GetIdentity() identityPkg.NumericIdentity

func (*Endpoint) GetIngressPolicyEnabledLocked added in v1.5.0

func (e *Endpoint) GetIngressPolicyEnabledLocked() bool

GetIngressPolicyEnabledLocked returns whether ingress policy enforcement is enabled for endpoint or not. The endpoint's mutex must be held.

func (*Endpoint) GetK8sNamespace added in v1.5.0

func (e *Endpoint) GetK8sNamespace() string

GetK8sNamespace returns the Kubernetes namespace of the pod if the endpoint represents a Kubernetes pod

func (*Endpoint) GetK8sNamespaceAndPodNameLocked added in v1.5.0

func (e *Endpoint) GetK8sNamespaceAndPodNameLocked() string

GetK8sNamespaceAndPodNameLocked returns the namespace and pod name. This function requires e.Mutex to be held.

func (*Endpoint) GetK8sPodLabels added in v1.5.0

func (e *Endpoint) GetK8sPodLabels() pkgLabels.Labels

GetK8sPodLabels returns all labels that exist in the endpoint and were derived from k8s pod.

func (*Endpoint) GetK8sPodName added in v1.5.0

func (e *Endpoint) GetK8sPodName() string

GetK8sPodName returns the name of the pod if the endpoint represents a Kubernetes pod

func (*Endpoint) GetLabels added in v0.10.0

func (e *Endpoint) GetLabels() []string

GetLabels returns the labels as slice

func (*Endpoint) GetLabelsSHA added in v1.5.0

func (e *Endpoint) GetLabelsSHA() string

GetLabelsSHA returns the SHA of labels

func (*Endpoint) GetModel

func (e *Endpoint) GetModel() *models.Endpoint

GetModel returns the API model of endpoint e.

func (*Endpoint) GetModelRLocked added in v1.5.0

func (e *Endpoint) GetModelRLocked() *models.Endpoint

GetModelRLocked returns the API model of endpoint e. e.mutex must be RLocked.

func (*Endpoint) GetNodeMAC added in v1.5.0

func (e *Endpoint) GetNodeMAC() mac.MAC

GetNodeMAC returns the MAC address of the node from this endpoint's perspective.

func (*Endpoint) GetOpLabels added in v1.5.0

func (e *Endpoint) GetOpLabels() []string

GetOpLabels returns the labels as slice

func (*Endpoint) GetOptions added in v1.5.0

func (e *Endpoint) GetOptions() *option.IntOptions

GetOptions returns the datapath configuration options of the endpoint.

func (*Endpoint) GetPolicyModel added in v1.5.0

func (e *Endpoint) GetPolicyModel() *models.EndpointPolicyStatus

GetPolicyModel returns the endpoint's policy as an API model.

Must be called with e.Mutex locked.

func (*Endpoint) GetSecurityIdentity added in v1.5.0

func (e *Endpoint) GetSecurityIdentity() *identityPkg.Identity

GetSecurityIdentity returns the security identity of the endpoint. It assumes the endpoint's mutex is held.

func (*Endpoint) GetShortContainerID added in v1.5.0

func (e *Endpoint) GetShortContainerID() string

GetShortContainerID returns the endpoint's shortened container ID

func (*Endpoint) GetState added in v1.5.0

func (e *Endpoint) GetState() string

GetState returns the endpoint's state. endpoint.Mutex may only be RLockAlive()ed.

func (*Endpoint) GetStateLocked added in v1.5.0

func (e *Endpoint) GetStateLocked() string

GetStateLocked returns the endpoint's state. endpoint.Mutex may only be RLockAlive()ed.

func (*Endpoint) HasBPFProgram added in v1.5.0

func (e *Endpoint) HasBPFProgram() bool

HasBPFProgram returns whether a BPF program has been generated for this endpoint.

func (*Endpoint) HasIpvlanDataPath added in v1.5.0

func (e *Endpoint) HasIpvlanDataPath() bool

HasIpvlanDataPath returns whether the daemon is running in ipvlan mode.

func (*Endpoint) HasLabels added in v0.10.0

func (e *Endpoint) HasLabels(l pkgLabels.Labels) bool

HasLabels returns whether endpoint e contains all labels l. Will return 'false' if any label in l is not in the endpoint's labels.

func (*Endpoint) HasSidecarProxy added in v1.5.0

func (e *Endpoint) HasSidecarProxy() bool

func (*Endpoint) HumanStringLocked added in v1.5.0

func (e *Endpoint) HumanStringLocked() string

HumanStringLocked returns the endpoint's most human readable identifier as string

func (*Endpoint) IPs added in v1.5.0

func (e *Endpoint) IPs() []net.IP

IPs returns the slice of valid IPs for this endpoint.

func (*Endpoint) IPv4Address added in v1.5.0

func (e *Endpoint) IPv4Address() addressing.CiliumIPv4

IPv4Address returns the IPv4 address of the endpoint

func (*Endpoint) IPv6Address added in v1.5.0

func (e *Endpoint) IPv6Address() addressing.CiliumIPv6

IPv6Address returns the IPv6 address of the endpoint

func (*Endpoint) InsertEvent added in v1.5.0

func (e *Endpoint) InsertEvent()

InsertEvent is called when the endpoint is inserted into the endpoint manager.

func (*Endpoint) IsDatapathMapPinnedLocked added in v1.5.0

func (e *Endpoint) IsDatapathMapPinnedLocked() bool

IsDatapathMapPinnedLocked returns whether the endpoint's datapath map has been pinned

func (*Endpoint) IsDisconnecting added in v1.5.0

func (e *Endpoint) IsDisconnecting() bool

IsDisconnecting returns true if the endpoint is being disconnected or already disconnected

This function must be called after re-acquiring the endpoint mutex to verify that the endpoint has not been removed in the meantime.

endpoint.mutex must be held in read mode at least

func (*Endpoint) IsInit added in v1.5.0

func (e *Endpoint) IsInit() bool

IsInit returns true if the endpoint still hasn't received identity labels, i.e. has the special identity with label reserved:init.

func (*Endpoint) LeaveLocked added in v0.9.0

func (e *Endpoint) LeaveLocked(owner Owner, proxyWaitGroup *completion.WaitGroup, conf DeleteConfig) []error

LeaveLocked removes the endpoint's directory from the system. Must be called with Endpoint's mutex AND BuildMutex locked.

Note: LeaveLocked() is called indirectly from endpoint restore logic for endpoints which failed to be restored. Any cleanup routine of LeaveLocked() which depends on kvstore connectivity must be protected by a flag in DeleteConfig and the restore logic must opt-out of it.

func (*Endpoint) LockAlive added in v1.5.0

func (e *Endpoint) LockAlive() error

LockAlive returns an error if the endpoint was removed; otherwise it locks the underlying mutex.

func (*Endpoint) LogDisconnectedMutexAction added in v1.5.0

func (e *Endpoint) LogDisconnectedMutexAction(err error, context string)

LogDisconnectedMutexAction gets the logger and logs given error with context

func (*Endpoint) LogStatus

func (e *Endpoint) LogStatus(typ StatusType, code StatusCode, msg string)

func (*Endpoint) LogStatusOK

func (e *Endpoint) LogStatusOK(typ StatusType, msg string)

func (*Endpoint) LogStatusOKLocked added in v1.5.0

func (e *Endpoint) LogStatusOKLocked(typ StatusType, msg string)

LogStatusOKLocked will log an OK message of the given status type with the given msg string. Must be called with endpoint.Mutex held.

func (*Endpoint) Logger added in v1.5.0

func (e *Endpoint) Logger(subsystem string) *logrus.Entry

Logger returns a logrus object with EndpointID, ContainerID and the Endpoint revision fields. The caller must specify their subsystem.

func (*Endpoint) LookupRedirectPort added in v1.5.0

func (e *Endpoint) LookupRedirectPort(l4Filter *policy.L4Filter) uint16

LookupRedirectPort returns the redirect L4 proxy port for the given L4 policy map key, in host byte order. Returns 0 if not found or if the filter doesn't require a redirect. Must be called with Endpoint.Mutex held.

func (*Endpoint) ModifyIdentityLabels added in v1.5.0

func (e *Endpoint) ModifyIdentityLabels(owner Owner, addLabels, delLabels pkgLabels.Labels) error

ModifyIdentityLabels changes the custom and orchestration identity labels of an endpoint. Labels can be added or deleted. If a label change is performed, the endpoint will receive a new identity and will be regenerated. Both of these operations will happen in the background.

func (*Endpoint) NextDirectoryPath added in v1.5.0

func (e *Endpoint) NextDirectoryPath() string

NextDirectoryPath returns the directory name for this endpoint bpf program next bpf builds.

func (*Endpoint) OnProxyPolicyUpdate added in v1.5.0

func (e *Endpoint) OnProxyPolicyUpdate(revision uint64)

OnProxyPolicyUpdate is a callback used to update the Endpoint's proxyPolicyRevision when the specified revision has been applied in the proxy.

func (*Endpoint) PinDatapathMap added in v1.5.0

func (e *Endpoint) PinDatapathMap() error

PinDatapathMap retrieves a file descriptor from the map ID from the API call and pins the corresponding map into the BPF file system.

func (*Endpoint) PolicyMapPathLocked added in v0.9.0

func (e *Endpoint) PolicyMapPathLocked() string

PolicyMapPathLocked returns the path to the policy map of endpoint.

func (*Endpoint) PolicyRevisionBumpEvent added in v1.5.0

func (e *Endpoint) PolicyRevisionBumpEvent(rev uint64)

PolicyRevisionBumpEvent queues an event for the given endpoint to set its realized policy revision to rev. This may block depending on whether events have been queued up for the given endpoint. It blocks until the event has succeeded, or until the event has been cancelled.

func (*Endpoint) ProxyID added in v0.10.0

func (e *Endpoint) ProxyID(l4 *policy.L4Filter) string

ProxyID returns a unique string to identify a proxy mapping.

func (*Endpoint) RLockAlive added in v1.5.0

func (e *Endpoint) RLockAlive() error

RLockAlive returns an error if the endpoint was removed; otherwise it read-locks the underlying mutex.

func (*Endpoint) RUnlock added in v0.10.0

func (e *Endpoint) RUnlock()

RUnlock read unlocks endpoint mutex

func (*Endpoint) Regenerate

func (e *Endpoint) Regenerate(owner Owner, regenMetadata *ExternalRegenerationMetadata) <-chan bool

Regenerate forces the regeneration of endpoint programs & policy. Should only be called with e.state == StateWaitingToRegenerate or with e.state == StateWaitingForIdentity.

func (*Endpoint) RegenerateWait added in v1.5.0

func (e *Endpoint) RegenerateWait(owner Owner, reason string) error

RegenerateWait should only be called when endpoint's state has successfully been changed to "waiting-to-regenerate"

func (*Endpoint) SetContainerID added in v1.5.0

func (e *Endpoint) SetContainerID(id string)

SetContainerID modifies the endpoint's container ID

func (*Endpoint) SetContainerName added in v1.5.0

func (e *Endpoint) SetContainerName(name string)

SetContainerName modifies the endpoint's container name

func (*Endpoint) SetDatapathMapIDAndPinMapLocked added in v1.5.0

func (e *Endpoint) SetDatapathMapIDAndPinMapLocked(id int) error

SetDatapathMapIDAndPinMapLocked modifies the endpoint's datapath map ID

func (*Endpoint) SetDefaultOpts

func (e *Endpoint) SetDefaultOpts(opts *option.IntOptions)

SetDefaultOpts initializes the endpoint Options and configures the specified options.

func (*Endpoint) SetDesiredEgressPolicyEnabled added in v1.5.0

func (e *Endpoint) SetDesiredEgressPolicyEnabled(egress bool)

SetDesiredEgressPolicyEnabled sets Endpoint's egress policy enforcement configuration to the specified value. The endpoint's mutex must not be held.

func (*Endpoint) SetDesiredEgressPolicyEnabledLocked added in v1.5.0

func (e *Endpoint) SetDesiredEgressPolicyEnabledLocked(egress bool)

SetDesiredEgressPolicyEnabledLocked sets Endpoint's egress policy enforcement configuration to the specified value. The endpoint's mutex must be held.

func (*Endpoint) SetDesiredIngressPolicyEnabled added in v1.5.0

func (e *Endpoint) SetDesiredIngressPolicyEnabled(ingress bool)

SetDesiredIngressPolicyEnabled sets Endpoint's ingress policy enforcement configuration to the specified value. The endpoint's mutex must not be held.

func (*Endpoint) SetDesiredIngressPolicyEnabledLocked added in v1.5.0

func (e *Endpoint) SetDesiredIngressPolicyEnabledLocked(ingress bool)

SetDesiredIngressPolicyEnabledLocked sets Endpoint's ingress policy enforcement configuration to the specified value. The endpoint's mutex must be held.

func (*Endpoint) SetDockerEndpointID added in v1.5.0

func (e *Endpoint) SetDockerEndpointID(id string)

SetDockerEndpointID modifies the endpoint's Docker Endpoint ID

func (*Endpoint) SetDockerNetworkID added in v1.5.0

func (e *Endpoint) SetDockerNetworkID(id string)

SetDockerNetworkID modifies the endpoint's Docker network ID

func (*Endpoint) SetIdentity

func (e *Endpoint) SetIdentity(identity *identityPkg.Identity)

SetIdentity resets the endpoint's policy identity to 'identity'. The caller triggers policy regeneration if needed. Called with e.Mutex locked.

func (*Endpoint) SetK8sNamespace added in v1.5.0

func (e *Endpoint) SetK8sNamespace(name string)

SetK8sNamespace modifies the endpoint's Kubernetes namespace

func (*Endpoint) SetK8sPodName added in v1.5.0

func (e *Endpoint) SetK8sPodName(name string)

SetK8sPodName modifies the endpoint's pod name

func (*Endpoint) SetNodeMACLocked added in v1.5.0

func (e *Endpoint) SetNodeMACLocked(m mac.MAC)

SetNodeMACLocked updates the node MAC inside the endpoint.

func (*Endpoint) SetPolicyRevision added in v1.5.0

func (e *Endpoint) SetPolicyRevision(rev uint64)

SetPolicyRevision sets the endpoint's policy revision with the given revision.

func (*Endpoint) SetStateLocked added in v1.5.0

func (e *Endpoint) SetStateLocked(toState, reason string) bool

SetStateLocked modifies the endpoint's state. endpoint.Mutex must be held. Returns true only if the endpoint's state was changed as requested.

func (*Endpoint) SkipStateClean added in v1.5.0

func (e *Endpoint) SkipStateClean()

SkipStateClean can be called on an endpoint before its first build to skip the cleaning of state such as the conntrack table. This is useful when an endpoint is being restored from state and the datapath state should not be cleaned.

The endpoint lock must NOT be held.

func (*Endpoint) StateDirectoryPath added in v1.5.0

func (e *Endpoint) StateDirectoryPath() string

StateDirectoryPath returns the directory name for this endpoint bpf program.

func (*Endpoint) String

func (e *Endpoint) String() string

String returns endpoint on a JSON format.

func (*Endpoint) StringID

func (e *Endpoint) StringID() string

StringID returns the endpoint's ID in a string.

func (*Endpoint) SyncEndpointHeaderFile added in v1.5.0

func (e *Endpoint) SyncEndpointHeaderFile(owner Owner) error

SyncEndpointHeaderFile updates the current DNS history information for the endpoint in the lxc_config.h file.

func (*Endpoint) UnconditionalLock added in v1.5.0

func (e *Endpoint) UnconditionalLock()

UnconditionalLock should be used only for locking the endpoint in order to: set its state to StateDisconnected; handle regular Lock errors; report endpoint status (as in the LogStatus method). Use Lock in all other cases.

func (*Endpoint) UnconditionalRLock added in v1.5.0

func (e *Endpoint) UnconditionalRLock()

UnconditionalRLock should be used only for reporting endpoint state

func (*Endpoint) Unlock added in v1.5.0

func (e *Endpoint) Unlock()

Unlock unlocks endpoint mutex

func (*Endpoint) Update

func (e *Endpoint) Update(owner Owner, cfg *models.EndpointConfigurationSpec) error

Update modifies the endpoint options and *always* tries to regenerate the endpoint's program. Returns an error if the provided options are not valid, if there was an issue triggering policy updates for the given endpoint, or if endpoint regeneration was unable to be triggered. Note that the LabelConfiguration in the EndpointConfigurationSpec is *not* consumed here.

func (*Endpoint) UpdateController added in v1.5.0

func (e *Endpoint) UpdateController(name string, params controller.ControllerParams) *controller.Controller

UpdateController updates the controller with the specified name with the provided list of parameters in endpoint's list of controllers.

func (*Endpoint) UpdateLabels added in v1.5.0

func (e *Endpoint) UpdateLabels(ctx context.Context, owner Owner, identityLabels, infoLabels pkgLabels.Labels, blocking bool)

UpdateLabels is called to update the labels of an endpoint. Calls to this function do not necessarily mean that the labels actually changed. The container runtime layer will periodically synchronize labels.

If a net label change was performed, the endpoint will receive a new identity and will be regenerated. Both of these operations will happen in the background.

func (*Endpoint) UpdateLogger added in v1.5.0

func (e *Endpoint) UpdateLogger(fields map[string]interface{})

UpdateLogger creates a logger instance specific to this endpoint. It will create a custom Debug logger for this endpoint when the option on it is set. If fields is not nil, only those specific fields will be updated in the endpoint's logger; otherwise a full update of the fields is executed. Note: You must hold Endpoint.Mutex for reading if fields is nil.

func (*Endpoint) UpdateProxyStatistics added in v1.5.0

func (e *Endpoint) UpdateProxyStatistics(l7Protocol string, port uint16, ingress, request bool, verdict accesslog.FlowVerdict)

UpdateProxyStatistics updates the Endpoint's proxy statistics to account for a new observed flow with the given characteristics.

func (*Endpoint) WaitForPolicyRevision added in v1.5.0

func (e *Endpoint) WaitForPolicyRevision(ctx context.Context, rev uint64, done func(ts time.Time)) <-chan struct{}

WaitForPolicyRevision returns a channel that is closed when one or more of the following conditions have been met:

  • the endpoint is in the disconnected state
  • the endpoint's policy revision reaches the wanted revision

When the done callback is non-nil it will be called just before the channel is closed.

func (*Endpoint) WaitForProxyCompletions added in v1.5.0

func (e *Endpoint) WaitForProxyCompletions(proxyWaitGroup *completion.WaitGroup) error

WaitForProxyCompletions blocks until all proxy changes have been completed. Called with BuildMutex held.

type EndpointRegenerationEvent added in v1.5.0

// EndpointRegenerationEvent carries everything needed to regenerate an
// endpoint; it is presumably queued on the endpoint's EventQueue and processed
// by Handle.
type EndpointRegenerationEvent struct {
	// contains filtered or unexported fields
}

EndpointRegenerationEvent contains all fields necessary to regenerate an endpoint.

func (*EndpointRegenerationEvent) Handle added in v1.5.0

func (ev *EndpointRegenerationEvent) Handle(res chan interface{})

Handle handles the regeneration event for the endpoint.

type EndpointRegenerationResult added in v1.5.0

// EndpointRegenerationResult holds the outcome of an endpoint regeneration;
// its fields are not exported, so callers only see it through the event
// machinery.
type EndpointRegenerationResult struct {
	// contains filtered or unexported fields
}

EndpointRegenerationResult contains the results of an endpoint regeneration.

type EndpointRevisionBumpEvent added in v1.5.0

// EndpointRevisionBumpEvent carries everything needed to bump the policy
// revision of an endpoint; see PolicyRevisionBumpEvent for how it is queued.
type EndpointRevisionBumpEvent struct {
	// Rev is the policy revision the endpoint's realized revision is set to
	// when the event is handled.
	Rev uint64
	// contains filtered or unexported fields
}

EndpointRevisionBumpEvent contains all fields necessary to bump the policy revision of a given endpoint.

func (*EndpointRevisionBumpEvent) Handle added in v1.5.0

func (ev *EndpointRevisionBumpEvent) Handle(res chan interface{})

Handle handles the revision bump event for the Endpoint.

type EndpointStatus

// EndpointStatus records the endpoint's status: the current status per
// priority plus a bounded log of recent status messages. It is part of the
// JSON persisted for the endpoint, hence the explicit JSON names.
type EndpointStatus struct {
	// CurrentStatuses is the last status of a given priority.
	CurrentStatuses componentStatus `json:"current-status,omitempty"`
	// Log contains the last maxLogs messages for this endpoint.
	Log statusLog `json:"log,omitempty"`
	// Index is the index in the statusLog, used to keep track of the next
	// available position to write a new log message.
	Index int `json:"index"`
	// contains filtered or unexported fields
}

EndpointStatus represents the endpoint status.

func NewEndpointStatus

func NewEndpointStatus() *EndpointStatus

func (*EndpointStatus) CurrentStatus

func (e *EndpointStatus) CurrentStatus() StatusCode

func (*EndpointStatus) GetModel

func (e *EndpointStatus) GetModel() []*models.EndpointStatusChange

func (*EndpointStatus) String

func (e *EndpointStatus) String() string

type ExternalRegenerationMetadata added in v1.5.0

// ExternalRegenerationMetadata contains any information about a regeneration
// that the endpoint subsystem should be made aware of for a given endpoint.
type ExternalRegenerationMetadata struct {
	// Reason provides context to source for the regeneration, which is
	// used to generate useful log messages.
	Reason string

	// RegenerationLevel forces datapath regeneration according to the
	// levels defined in the DatapathRegenerationLevel description.
	RegenerationLevel DatapathRegenerationLevel

	// ParentContext is the context the regeneration is derived from.
	// NOTE(review): Go convention discourages storing a context in a struct;
	// presumably this value is scoped to a single regeneration request rather
	// than kept long-term — confirm with callers.
	ParentContext context.Context
}

ExternalRegenerationMetadata contains any information about a regeneration that the endpoint subsystem should be made aware of for a given endpoint.

type Owner

// Owner defines the requirements for anything owning policies. The endpoint
// package calls these methods to manage proxy redirects, network policies,
// the build queue and the shared compilation lock.
type Owner interface {

	// GetPolicyRepository must return the policy repository.
	GetPolicyRepository() *policy.Repository

	// UpdateProxyRedirect must update the redirect configuration of an endpoint in the proxy.
	// NOTE(review): error is the second return value rather than the last, as
	// Go convention would have it; presumably the returned port and the
	// finalize/revert funcs are only meaningful when error is nil — confirm
	// against the implementation. The same ordering applies to
	// RemoveProxyRedirect and UpdateNetworkPolicy below.
	UpdateProxyRedirect(e *Endpoint, l4 *policy.L4Filter, proxyWaitGroup *completion.WaitGroup) (uint16, error, revert.FinalizeFunc, revert.RevertFunc)

	// RemoveProxyRedirect must remove the redirect installed by UpdateProxyRedirect.
	RemoveProxyRedirect(e *Endpoint, id string, proxyWaitGroup *completion.WaitGroup) (error, revert.FinalizeFunc, revert.RevertFunc)

	// UpdateNetworkPolicy adds or updates a network policy in the set
	// published to L7 proxies. The denied identity caches are passed
	// alongside the label map.
	UpdateNetworkPolicy(e *Endpoint, policy *policy.L4Policy,
		labelsMap, deniedIngressIdentities, deniedEgressIdentities cache.IdentityCache, proxyWaitGroup *completion.WaitGroup) (error, revert.RevertFunc)

	// RemoveNetworkPolicy removes a network policy from the set published to
	// L7 proxies.
	RemoveNetworkPolicy(e *Endpoint)

	// QueueEndpointBuild puts the given endpoint in the processing queue.
	// The returned func presumably releases the queue slot — confirm with
	// the implementation.
	QueueEndpointBuild(ctx context.Context, epID uint64) (func(), error)

	// RemoveFromEndpointQueue removes an endpoint from the working queue.
	RemoveFromEndpointQueue(epID uint64)

	// GetCompilationLock returns the mutex responsible for synchronizing compilation
	// of BPF programs.
	GetCompilationLock() *lock.RWMutex

	// SendNotification is called to emit an agent notification.
	SendNotification(typ monitorAPI.AgentNotification, text string) error

	// Datapath returns a reference to the datapath implementation.
	Datapath() datapath.Datapath

	// ClearPolicyConsumers removes references to the specified id from the
	// policy rules managed by Owner. The returned WaitGroup lets the caller
	// wait for the removal to complete.
	ClearPolicyConsumers(id uint16) *sync.WaitGroup
}

Owner is the interface that defines the requirements for anything owning policies.

type Status

// Status is a single status entry: a code, a human-readable message, the
// status type (priority) and the state it was recorded in. All fields are
// serialized to JSON under the keys given in the struct tags.
type Status struct {
	// Code is the status code (OK, Warning, Failure or Disabled).
	Code  StatusCode `json:"code"`
	// Msg is the human-readable message for this status.
	Msg   string     `json:"msg"`
	// Type is the status type, which determines its priority.
	Type  StatusType `json:"status-type"`
	// State is the endpoint state string recorded with the status.
	State string     `json:"state"`
}

func (Status) String

func (s Status) String() string

type StatusCode

// StatusCode classifies a Status. Non-OK codes are negative.
// NOTE(review): OK is the zero value of StatusCode, so a Status whose Code
// was never explicitly set reports as OK.
type StatusCode int
const (
	// OK is the zero value and denotes a healthy status.
	OK       StatusCode = 0
	// Warning denotes a non-fatal problem.
	Warning  StatusCode = -1
	// Failure denotes a fatal problem.
	Failure  StatusCode = -2
	// Disabled denotes a component that is not enabled.
	Disabled StatusCode = -3
)

func (StatusCode) ColorString

func (sc StatusCode) ColorString() string

func (StatusCode) String

func (sc StatusCode) String() string

type StatusResponse

// StatusResponse aggregates the status of the subsystems the endpoint
// depends on, serialized to JSON.
type StatusResponse struct {
	KVStore    Status              `json:"kvstore"`
	Docker     Status              `json:"docker"`
	Kubernetes Status              `json:"kubernetes"`
	Cilium     Status              `json:"cilium"`
	// IPAMStatus has no explicit JSON key in its tag, so encoding/json
	// emits it under the field name "IPAMStatus" rather than a lowercase
	// key like the other fields. NOTE(review): presumably intentional — confirm.
	IPAMStatus map[string][]string `json:",omitempty"`
}

type StatusType

// StatusType is the type of a status; a higher value means a higher priority.
type StatusType int

StatusType represents the type of the given status; the higher the value, the higher the priority.

const (
	// BPF is the highest-priority status type.
	BPF    StatusType = 200
	// Policy ranks below BPF and above Other.
	Policy StatusType = 100
	// Other is the lowest-priority status type and the zero value.
	Other  StatusType = 0
)

type UpdateCompilationError

// UpdateCompilationError is the error type returned when an update fails at
// the compilation stage. It implements the error interface via Error().
type UpdateCompilationError struct {
	// contains filtered or unexported fields
}

func (UpdateCompilationError) Error

func (e UpdateCompilationError) Error() string

type UpdateStateChangeError added in v1.5.0

// UpdateStateChangeError is an error indicating that updating the state of an
// endpoint was unsuccessful. It implements the error interface via Error().
type UpdateStateChangeError struct {
	// contains filtered or unexported fields
}

UpdateStateChangeError is an error indicating that updating the state of an endpoint was unsuccessful. It implements the error interface.

func (UpdateStateChangeError) Error added in v1.5.0

func (e UpdateStateChangeError) Error() string

type UpdateValidationError

// UpdateValidationError is the error type returned when an update fails at
// the validation stage. It implements the error interface via Error().
type UpdateValidationError struct {
	// contains filtered or unexported fields
}

func (UpdateValidationError) Error

func (e UpdateValidationError) Error() string

Directories

Path Synopsis
Package connector is responsible for the datapath specific plumbing to connect an endpoint to the network
Package connector is responsible for the datapath specific plumbing to connect an endpoint to the network
