Documentation ¶
Overview ¶
Package ipcache provides a local cache of the mapping of IPs of endpoints managed by Cilium to their corresponding security identities.
Index ¶
- Constants
- Variables
- func AllocateCIDRs(impl Implementation, prefixes []*net.IPNet) error
- func DeleteIPFromKVStore(ctx context.Context, ip string) error
- func GetIPIdentityMapModel()
- func InitIPIdentityWatcher()
- func ReleaseCIDRs(prefixes []*net.IPNet)
- func UpsertIPToKVStore(ctx context.Context, IP, hostIP net.IP, ID identity.NumericIdentity, key uint8, ...) error
- func WaitForInitialSync()
- type CacheModification
- type IPCache
- func (ipc *IPCache) Delete(IP string, source Source)
- func (ipc *IPCache) DumpToListenerLocked(listener IPIdentityMappingListener)
- func (ipc *IPCache) Lock()
- func (ipc *IPCache) LookupByIP(IP string) (Identity, bool)
- func (ipc *IPCache) LookupByIPRLocked(IP string) (Identity, bool)
- func (ipc *IPCache) LookupByIdentity(id identity.NumericIdentity) (map[string]struct{}, bool)
- func (ipc *IPCache) LookupByPrefix(IP string) (Identity, bool)
- func (ipc *IPCache) LookupByPrefixRLocked(prefix string) (identity Identity, exists bool)
- func (ipc *IPCache) RLock()
- func (ipc *IPCache) RUnlock()
- func (ipc *IPCache) SetListeners(listeners []IPIdentityMappingListener)
- func (ipc *IPCache) Unlock()
- func (ipc *IPCache) Upsert(ip string, hostIP net.IP, hostKey uint8, newIdentity Identity) bool
- type IPIdentityMappingListener
- type IPIdentityWatcher
- type IPKeyPair
- type Identity
- type Implementation
- type Source
Constants ¶
const ( // DefaultAddressSpace is the address space used if none is provided. // TODO - once pkg/node adds this to clusterConfiguration, remove. DefaultAddressSpace = "default" )
Variables ¶
var ( // IPIdentitiesPath is the path to where endpoint IPs are stored in the key-value //store. IPIdentitiesPath = path.Join(kvstore.BaseKeyPrefix, "state", "ip", "v1") // AddressSpace is the address space (cluster, etc.) in which policy is // computed. It is determined by the orchestration system / runtime. AddressSpace = DefaultAddressSpace )
var ( // IPIdentityCache caches the mapping of endpoint IPs to their corresponding // security identities across the entire cluster in which this instance of // Cilium is running. IPIdentityCache = NewIPCache() )
Functions ¶
func AllocateCIDRs ¶
func AllocateCIDRs(impl Implementation, prefixes []*net.IPNet) error
AllocateCIDRs attempts to allocate identities for a list of CIDRs. If any allocation fails, all allocations are rolled back and the error is returned. When an identity is freshly allocated for a CIDR, it is added to the ipcache.
func DeleteIPFromKVStore ¶
DeleteIPFromKVStore removes the IP->Identity mapping for the specified ip from the kvstore, which will subsequently trigger an event in NewIPIdentityWatcher().
func GetIPIdentityMapModel ¶
func GetIPIdentityMapModel()
GetIPIdentityMapModel returns all known endpoint IP to security identity mappings stored in the key-value store.
func InitIPIdentityWatcher ¶
func InitIPIdentityWatcher()
InitIPIdentityWatcher initializes the watcher for ip-identity mapping events in the key-value store.
func ReleaseCIDRs ¶
ReleaseCIDRs releases the identities of a list of CIDRs. When the last use of the identity is released, the ipcache entry is deleted.
func UpsertIPToKVStore ¶
func UpsertIPToKVStore(ctx context.Context, IP, hostIP net.IP, ID identity.NumericIdentity, key uint8, metadata string) error
UpsertIPToKVStore updates / inserts the provided IP->Identity mapping into the kvstore, which will subsequently trigger an event in NewIPIdentityWatcher().
func WaitForInitialSync ¶
func WaitForInitialSync()
WaitForInitialSync waits until the ipcache has been synchronized from the kvstore
Types ¶
type CacheModification ¶
type CacheModification string
CacheModification represents the type of operation performed upon IPCache.
const ( // Upsert represents Upsertion into IPCache. Upsert CacheModification = "Upsert" // Delete represents deletion of an entry in IPCache. Delete CacheModification = "Delete" )
type IPCache ¶
type IPCache struct {
// contains filtered or unexported fields
}
IPCache is a collection of mappings:
- mapping of endpoint IP or CIDR to security identities of all endpoints which are part of the same cluster, and vice-versa
- mapping of endpoint IP or CIDR to host IP (maybe nil)
func NewIPCache ¶
func NewIPCache() *IPCache
NewIPCache returns a new IPCache with the mappings of endpoint IP to security identity (and vice-versa) initialized.
func (*IPCache) Delete ¶
Delete removes the provided IP-to-security-identity mapping from the IPCache.
func (*IPCache) DumpToListenerLocked ¶
func (ipc *IPCache) DumpToListenerLocked(listener IPIdentityMappingListener)
DumpToListenerLocked dumps the entire contents of the IPCache by triggering the listener's "OnIPIdentityCacheChange" method for each entry in the cache.
func (*IPCache) LookupByIP ¶
LookupByIP returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.
func (*IPCache) LookupByIPRLocked ¶
LookupByIPRLocked returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.
func (*IPCache) LookupByIdentity ¶
func (ipc *IPCache) LookupByIdentity(id identity.NumericIdentity) (map[string]struct{}, bool)
LookupByIdentity returns the set of IPs (endpoint or CIDR prefix) that have security identity ID, as well as whether the corresponding entry exists in the IPCache.
func (*IPCache) LookupByPrefix ¶
LookupByPrefix returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.
func (*IPCache) LookupByPrefixRLocked ¶
LookupByPrefixRLocked looks for either the specified CIDR prefix, or if the prefix is fully specified (ie, w.x.y.z/32 for IPv4), find the host for the identity in the provided IPCache, and returns the corresponding security identity as well as whether the entry exists in the IPCache.
func (*IPCache) SetListeners ¶
func (ipc *IPCache) SetListeners(listeners []IPIdentityMappingListener)
SetListeners sets the listeners for this IPCache.
func (*IPCache) Upsert ¶
Upsert adds / updates the provided IP (endpoint or CIDR prefix) and identity into the IPCache.
Returns false if the entry is not owned by the self declared source, i.e. returns false if the kubernetes layer is trying to upsert an entry now managed by the kvstore layer. See allowOverwrite() for rules on ownership. hostIP is the location of the given IP. It is optional (may be nil) and is propagated to the listeners.
type IPIdentityMappingListener ¶
type IPIdentityMappingListener interface { // OnIPIdentityCacheChange will be called whenever there the state of the // IPCache has changed. If an existing CIDR->ID mapping is updated, then // oldID is not nil; otherwise it is nil. // hostIP is the IP address of the location of the cidr. // hostIP is optional and may only be non-nil for an Upsert modification. OnIPIdentityCacheChange(modType CacheModification, cidr net.IPNet, oldHostIP, newHostIP net.IP, oldID *identity.NumericIdentity, newID identity.NumericIdentity, encryptKey uint8) // OnIPIdentityCacheGC will be called to sync other components which are // reliant upon the IPIdentityCache with the IPIdentityCache. OnIPIdentityCacheGC() }
IPIdentityMappingListener represents a component that is interested in learning about IP to Identity mapping events.
type IPIdentityWatcher ¶
type IPIdentityWatcher struct {
// contains filtered or unexported fields
}
IPIdentityWatcher is a watcher that will notify when IP<->identity mappings change in the kvstore
func NewIPIdentityWatcher ¶
func NewIPIdentityWatcher(backend kvstore.BackendOperations) *IPIdentityWatcher
NewIPIdentityWatcher creates a new IPIdentityWatcher using the specified kvstore backend
func (*IPIdentityWatcher) Close ¶
func (iw *IPIdentityWatcher) Close()
Close stops the IPIdentityWatcher and causes Watch() to return
func (*IPIdentityWatcher) Watch ¶
func (iw *IPIdentityWatcher) Watch()
Watch starts the watcher and blocks waiting for events. When events are received from the kvstore, All IPIdentityMappingListener are notified. The function returns when IPIdentityWatcher.Close() is called. The watcher will automatically restart as required.
type Identity ¶
type Identity struct { // ID is the numeric identity ID identity.NumericIdentity // Source is the source of the identity in the cache Source Source }
Identity is the identity representation of an IP<->Identity cache.
type Implementation ¶
Implementation represents a concrete datapath implementation of the IPCache which may restrict the ability to apply IPCache mappings, depending on the underlying details of that implementation.
type Source ¶
type Source string
Source is the description of the source of an identity
const ( // FromKubernetes is the source used for identities derived from k8s // resources (pods) FromKubernetes Source = "k8s" // FromKVStore is the source used for identities derived from the // kvstore FromKVStore Source = "kvstore" // FromAgentLocal is the source used for identities derived during the // agent bootup process. This includes identities for endpoint IPs. FromAgentLocal Source = "agent-local" // FromCIDR is the source used for identities that have been derived // from local CIDR representations FromCIDR Source = "cidr" )