ipcache

package
v1.5.6
Published: Aug 16, 2019 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Package ipcache provides a local cache of the mapping of IPs of endpoints managed by Cilium to their corresponding security identities.

Index

Constants

const (
	// DefaultAddressSpace is the address space used if none is provided.
	// TODO - once pkg/node adds this to clusterConfiguration, remove.
	DefaultAddressSpace = "default"
)

Variables

var (
	// IPIdentitiesPath is the path to where endpoint IPs are stored in the key-value
	// store.
	IPIdentitiesPath = path.Join(kvstore.BaseKeyPrefix, "state", "ip", "v1")

	// AddressSpace is the address space (cluster, etc.) in which policy is
	// computed. It is determined by the orchestration system / runtime.
	AddressSpace = DefaultAddressSpace
)

var (
	// IPIdentityCache caches the mapping of endpoint IPs to their corresponding
	// security identities across the entire cluster in which this instance of
	// Cilium is running.
	IPIdentityCache = NewIPCache()
)

Functions

func AllocateCIDRs

func AllocateCIDRs(impl Implementation, prefixes []*net.IPNet) error

AllocateCIDRs attempts to allocate identities for a list of CIDRs. If any allocation fails, all allocations are rolled back and the error is returned. When an identity is freshly allocated for a CIDR, it is added to the ipcache.

func DeleteIPFromKVStore

func DeleteIPFromKVStore(ctx context.Context, ip string) error

DeleteIPFromKVStore removes the IP->Identity mapping for the specified ip from the kvstore, which will subsequently trigger an event in NewIPIdentityWatcher().

func GetIPIdentityMapModel

func GetIPIdentityMapModel()

GetIPIdentityMapModel returns all known endpoint IP to security identity mappings stored in the key-value store.

func InitIPIdentityWatcher

func InitIPIdentityWatcher()

InitIPIdentityWatcher initializes the watcher for ip-identity mapping events in the key-value store.

func ReleaseCIDRs

func ReleaseCIDRs(prefixes []*net.IPNet)

ReleaseCIDRs releases the identities of a list of CIDRs. When the last use of the identity is released, the ipcache entry is deleted.

func UpsertIPToKVStore

func UpsertIPToKVStore(ctx context.Context, IP, hostIP net.IP, ID identity.NumericIdentity, key uint8, metadata string) error

UpsertIPToKVStore updates / inserts the provided IP->Identity mapping into the kvstore, which will subsequently trigger an event in NewIPIdentityWatcher().

func WaitForInitialSync

func WaitForInitialSync()

WaitForInitialSync waits until the ipcache has been synchronized from the kvstore.

Types

type CacheModification

type CacheModification string

CacheModification represents the type of operation performed upon IPCache.

const (
	// Upsert represents Upsertion into IPCache.
	Upsert CacheModification = "Upsert"

	// Delete represents deletion of an entry in IPCache.
	Delete CacheModification = "Delete"
)

type IPCache

type IPCache struct {
	// contains filtered or unexported fields
}

IPCache is a collection of mappings:

  • mapping of endpoint IP or CIDR to security identities of all endpoints which are part of the same cluster, and vice-versa
  • mapping of endpoint IP or CIDR to host IP (maybe nil)

func NewIPCache

func NewIPCache() *IPCache

NewIPCache returns a new IPCache with the mappings of endpoint IP to security identity (and vice-versa) initialized.

func (*IPCache) Delete

func (ipc *IPCache) Delete(IP string, source Source)

Delete removes the provided IP-to-security-identity mapping from the IPCache.

func (*IPCache) DumpToListenerLocked

func (ipc *IPCache) DumpToListenerLocked(listener IPIdentityMappingListener)

DumpToListenerLocked dumps the entire contents of the IPCache by triggering the listener's "OnIPIdentityCacheChange" method for each entry in the cache.

func (*IPCache) Lock

func (ipc *IPCache) Lock()

Lock locks the IPCache's mutex.

func (*IPCache) LookupByIP

func (ipc *IPCache) LookupByIP(IP string) (Identity, bool)

LookupByIP returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.

func (*IPCache) LookupByIPRLocked

func (ipc *IPCache) LookupByIPRLocked(IP string) (Identity, bool)

LookupByIPRLocked returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.

func (*IPCache) LookupByIdentity

func (ipc *IPCache) LookupByIdentity(id identity.NumericIdentity) (map[string]struct{}, bool)

LookupByIdentity returns the set of IPs (endpoint or CIDR prefix) that have security identity ID, as well as whether the corresponding entry exists in the IPCache.

func (*IPCache) LookupByPrefix

func (ipc *IPCache) LookupByPrefix(IP string) (Identity, bool)

LookupByPrefix returns the corresponding security identity that endpoint IP maps to within the provided IPCache, as well as if the corresponding entry exists in the IPCache.

func (*IPCache) LookupByPrefixRLocked

func (ipc *IPCache) LookupByPrefixRLocked(prefix string) (identity Identity, exists bool)

LookupByPrefixRLocked looks up the specified CIDR prefix in the provided IPCache. If no entry exists for the prefix and the prefix is fully specified (i.e. w.x.y.z/32 for IPv4), it falls back to looking up the host entry for that address. It returns the corresponding security identity as well as whether the entry exists in the IPCache.

func (*IPCache) RLock

func (ipc *IPCache) RLock()

RLock read-locks the IPCache's mutex.

func (*IPCache) RUnlock

func (ipc *IPCache) RUnlock()

RUnlock read-unlocks the IPCache's mutex.

func (*IPCache) SetListeners

func (ipc *IPCache) SetListeners(listeners []IPIdentityMappingListener)

SetListeners sets the listeners for this IPCache.

func (*IPCache) Unlock

func (ipc *IPCache) Unlock()

Unlock unlocks the IPCache's mutex.

func (*IPCache) Upsert

func (ipc *IPCache) Upsert(ip string, hostIP net.IP, hostKey uint8, newIdentity Identity) bool

Upsert adds / updates the provided IP (endpoint or CIDR prefix) and identity into the IPCache.

Returns false if the entry is not owned by the self-declared source, i.e. returns false if the kubernetes layer is trying to upsert an entry now managed by the kvstore layer. See allowOverwrite() for rules on ownership. hostIP is the location of the given IP. It is optional (may be nil) and is propagated to the listeners.

type IPIdentityMappingListener

type IPIdentityMappingListener interface {
	// OnIPIdentityCacheChange will be called whenever the state of the
	// IPCache has changed. If an existing CIDR->ID mapping is updated, then
	// oldID is not nil; otherwise it is nil.
	// hostIP is the IP address of the location of the cidr.
	// hostIP is optional and may only be non-nil for an Upsert modification.
	OnIPIdentityCacheChange(modType CacheModification, cidr net.IPNet, oldHostIP, newHostIP net.IP,
		oldID *identity.NumericIdentity, newID identity.NumericIdentity, encryptKey uint8)

	// OnIPIdentityCacheGC will be called to sync other components which are
	// reliant upon the IPIdentityCache with the IPIdentityCache.
	OnIPIdentityCacheGC()
}

IPIdentityMappingListener represents a component that is interested in learning about IP to Identity mapping events.
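The three behaviours documented above for Upsert, LookupByPrefixRLocked and IPIdentityMappingListener (the source-ownership check, the nil-versus-non-nil oldID passed to listeners, and the host fallback for a fully specified prefix) are easier to see in running code. The following is an added illustrative model written for this page, not Cilium's ipcache implementation, whose internals are not shown here. It assumes identity.NumericIdentity is an unsigned integer, reduces the listener interface to a single callback, drops the hostKey parameter, and implements only the one ownership rule the documentation states (an entry owned by the kvstore layer may not be overwritten by the kubernetes layer); every other source combination is assumed to be permitted.

```go
package main

import (
	"net"
	"sync"
)

// Stand-ins for the imported types (assumption: identity.NumericIdentity is an unsigned integer).
type NumericIdentity uint32
type Source string
type CacheModification string

const (
	FromKubernetes Source            = "k8s"
	FromKVStore    Source            = "kvstore"
	Upsert         CacheModification = "Upsert"
)

type Identity struct {
	ID     NumericIdentity
	Source Source
}

// Listener is the OnIPIdentityCacheChange callback reduced to the fields this
// example exercises; oldID is nil when the entry is new, as the page documents.
type Listener func(mod CacheModification, cidr net.IPNet, hostIP net.IP, oldID *NumericIdentity, newID NumericIdentity)

// IPCache keeps the IP/CIDR -> identity map under an RWMutex, as the documented type does.
type IPCache struct {
	mu        sync.RWMutex
	entries   map[string]Identity
	Listeners []Listener
}

func NewIPCache() *IPCache {
	return &IPCache{entries: map[string]Identity{}}
}

// allowOverwrite encodes the one ownership rule the documentation states: the
// kubernetes layer may not overwrite an entry now owned by the kvstore layer.
// Assumption: every other source combination is permitted.
func allowOverwrite(existing, proposed Source) bool {
	return !(existing == FromKVStore && proposed == FromKubernetes)
}

// toIPNet accepts "10.0.0.5" or "10.0.0.0/24"; a bare IP becomes a full-length prefix.
func toIPNet(key string) (net.IPNet, bool) {
	if _, n, err := net.ParseCIDR(key); err == nil {
		return *n, true
	}
	ip := net.ParseIP(key)
	if ip == nil {
		return net.IPNet{}, false
	}
	if v4 := ip.To4(); v4 != nil {
		ip = v4
	}
	bits := 8 * len(ip) // 32 for IPv4, 128 for IPv6
	return net.IPNet{IP: ip, Mask: net.CIDRMask(bits, bits)}, true
}

// Upsert adds or replaces a mapping and notifies listeners; it returns false
// when the key is invalid or the ownership rule rejects the write.
func (ipc *IPCache) Upsert(ip string, hostIP net.IP, newID Identity) bool {
	cidr, ok := toIPNet(ip)
	if !ok {
		return false
	}
	ipc.mu.Lock()
	defer ipc.mu.Unlock()
	var oldID *NumericIdentity
	if old, exists := ipc.entries[ip]; exists {
		if !allowOverwrite(old.Source, newID.Source) {
			return false
		}
		oldID = &old.ID // existing mapping updated: listeners see the previous ID
	}
	ipc.entries[ip] = newID
	for _, l := range ipc.Listeners {
		l(Upsert, cidr, hostIP, oldID, newID.ID)
	}
	return true
}

// LookupByPrefix tries the key as given; a fully specified prefix (w.x.y.z/32
// for IPv4) falls back to the host entry, as LookupByPrefixRLocked documents.
func (ipc *IPCache) LookupByPrefix(prefix string) (Identity, bool) {
	ipc.mu.RLock()
	defer ipc.mu.RUnlock()
	if id, ok := ipc.entries[prefix]; ok {
		return id, true
	}
	if _, n, err := net.ParseCIDR(prefix); err == nil {
		if ones, bits := n.Mask.Size(); ones == bits {
			id, ok := ipc.entries[n.IP.String()]
			return id, ok
		}
	}
	return Identity{}, false
}
```

A cache consumer (for example a datapath map writer) attaches itself through Listeners and receives the old ID only when an existing mapping is replaced, which is what lets it distinguish a new endpoint from an identity change for a known address. The ownership check is the part worth keeping an eye on in review: a lower-precedence source silently losing its write is the intended behaviour, so callers must check Upsert's return value rather than assume the mapping took effect.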

type IPIdentityWatcher

type IPIdentityWatcher struct {
	// contains filtered or unexported fields
}

IPIdentityWatcher is a watcher that will notify when IP<->identity mappings change in the kvstore.

func NewIPIdentityWatcher

func NewIPIdentityWatcher(backend kvstore.BackendOperations) *IPIdentityWatcher

NewIPIdentityWatcher creates a new IPIdentityWatcher using the specified kvstore backend.

func (*IPIdentityWatcher) Close

func (iw *IPIdentityWatcher) Close()

Close stops the IPIdentityWatcher and causes Watch() to return.

func (*IPIdentityWatcher) Watch

func (iw *IPIdentityWatcher) Watch()

Watch starts the watcher and blocks waiting for events. When events are received from the kvstore, all IPIdentityMappingListeners are notified. The function returns when IPIdentityWatcher.Close() is called. The watcher will automatically restart as required.

type IPKeyPair

type IPKeyPair struct {
	IP  net.IP
	Key uint8
}

IPKeyPair is the (IP, key) pair used for the identity.

type Identity

type Identity struct {
	// ID is the numeric identity
	ID identity.NumericIdentity

	// Source is the source of the identity in the cache
	Source Source
}

Identity is the representation of an identity stored in the IP<->Identity cache: its numeric ID together with the source it was learned from.

type Implementation

type Implementation interface {
	GetMaxPrefixLengths(ipv6 bool) int
}

Implementation represents a concrete datapath implementation of the IPCache which may restrict the ability to apply IPCache mappings, depending on the underlying details of that implementation.

type Source

type Source string

Source is the description of the source of an identity.

const (
	// FromKubernetes is the source used for identities derived from k8s
	// resources (pods)
	FromKubernetes Source = "k8s"

	// FromKVStore is the source used for identities derived from the
	// kvstore
	FromKVStore Source = "kvstore"

	// FromAgentLocal is the source used for identities derived during the
	// agent bootup process. This includes identities for endpoint IPs.
	FromAgentLocal Source = "agent-local"

	// FromCIDR is the source used for identities that have been derived
	// from local CIDR representations
	FromCIDR Source = "cidr"
)
