policy

package
v0.0.0-...-c34bea4 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 20, 2022 License: Apache-2.0 Imports: 40 Imported by: 0

Documentation

Index

Constants

View Source
const (
	LabelKeyPolicyDerivedFrom   = "io.cilium.policy.derived-from"
	LabelAllowLocalHostIngress  = "allow-localhost-ingress"
	LabelAllowRemoteHostIngress = "allow-remotehost-ingress"
	LabelAllowAnyIngress        = "allow-any-ingress"
	LabelAllowAnyEgress         = "allow-any-egress"
	LabelVisibilityAnnotation   = "visibility-annotation"
)

Variables

View Source
var (
	ErrNilMap               = errors.New("nil map")
	ErrUnknownNamedPort     = errors.New("unknown named port")
	ErrIncompatibleProtocol = errors.New("incompatible protocol")
	ErrNamedPortIsZero      = errors.New("named port is zero")
	ErrDuplicateNamedPorts  = errors.New("duplicate named ports")
)

Functions

func GetCIDRPrefixes

func GetCIDRPrefixes(rules api.Rules) []*net.IPNet

GetCIDRPrefixes runs through the specified 'rules' to find every reference to a CIDR in the rules, and returns a slice containing all of these CIDRs. Multiple rules referring to the same CIDR will result in multiple copies of the CIDR in the returned slice.

Assumes that validation already occurred on 'rules'.

func GetPolicyEnabled

func GetPolicyEnabled() string

GetPolicyEnabled returns the policy enablement configuration

func GetPrefixesFromCIDRSet

func GetPrefixesFromCIDRSet(rules api.CIDRRuleSlice) []*net.IPNet

GetPrefixesFromCIDRSet fetches all CIDRs referred to by the specified slice and returns them as regular golang CIDR objects.

Assumes that validation already occurred on 'rules'.

func JSONMarshalRules

func JSONMarshalRules(rules api.Rules) string

JSONMarshalRules returns a slice of policy rules as string in JSON representation

func JoinPath

func JoinPath(a, b string) string

JoinPath returns a joined path from a and b.

func ParseProxyID

func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, err error)

ParseProxyID parses a proxy ID returned by ProxyID and returns its components.

func ProxyID

func ProxyID(endpointID uint16, ingress bool, protocol string, port uint16) string

ProxyID returns a unique string to identify a proxy mapping.

func ProxyIDFromKey

func ProxyIDFromKey(endpointID uint16, key Key) string

ProxyIDFromKey returns a unique string to identify a proxy mapping.

func SetPolicyEnabled

func SetPolicyEnabled(val string)

SetPolicyEnabled sets the policy enablement configuration. Valid values are: - endpoint.AlwaysEnforce - endpoint.NeverEnforce - endpoint.DefaultEnforcement

func ValidatePortName

func ValidatePortName(name string) (string, error)

ValidatePortName checks that the port name conforms to the IANA Service Names spec and converts the port name to lower case for case-insensitive comparisons.

Types

type AddOptions

type AddOptions struct {
	// Replace if true indicates that existing rules with identical labels should be replaced
	Replace bool
	// ReplaceWithLabels if present indicates that existing rules with the
	// given LabelArray should be deleted.
	ReplaceWithLabels labels.LabelArray
	// Generated should be set as true to signalize a the policy being inserted
	// was generated by cilium-agent, e.g. dns poller.
	Generated bool

	// The source of this policy, one of api, fqdn or k8s
	Source string
}

AddOptions are options which can be passed to PolicyAdd

type CachedSelectionUser

type CachedSelectionUser interface {
	// IdentitySelectionUpdated implementations MUST NOT call back
	// to the name manager or the selector cache while executing this function!
	//
	// The caller is responsible for making sure the same identity is not
	// present in both 'added' and 'deleted'.
	IdentitySelectionUpdated(selector CachedSelector, added, deleted []identity.NumericIdentity)
}

CachedSelectionUser inserts selectors into the cache and gets update callbacks whenever the set of selected numeric identities change for the CachedSelectors pushed by it.

type CachedSelector

type CachedSelector interface {
	// GetSelections returns the cached set of numeric identities
	// selected by the CachedSelector.  The retuned slice must NOT
	// be modified, as it is shared among multiple users.
	GetSelections() []identity.NumericIdentity

	// Selects return 'true' if the CachedSelector selects the given
	// numeric identity.
	Selects(nid identity.NumericIdentity) bool

	// IsWildcard returns true if the endpoint selector selects
	// all endpoints.
	IsWildcard() bool

	// IsNone returns true if the selector never selects anything
	IsNone() bool

	// String returns the string representation of this selector.
	// Used as a map key.
	String() string
}

CachedSelector represents an identity selector owned by the selector cache

type CachedSelectorSlice

type CachedSelectorSlice []CachedSelector

CachedSelectorSlice is a slice of CachedSelectors that can be sorted.

func (CachedSelectorSlice) Len

func (s CachedSelectorSlice) Len() int

func (CachedSelectorSlice) Less

func (s CachedSelectorSlice) Less(i, j int) bool

func (CachedSelectorSlice) MarshalJSON

func (s CachedSelectorSlice) MarshalJSON() ([]byte, error)

MarshalJSON returns the CachedSelectors as JSON formatted buffer

func (CachedSelectorSlice) SelectsAllEndpoints

func (s CachedSelectorSlice) SelectsAllEndpoints() bool

SelectsAllEndpoints returns whether the CachedSelectorSlice selects all endpoints, which is true if the wildcard endpoint selector is present in the slice.

func (CachedSelectorSlice) Swap

func (s CachedSelectorSlice) Swap(i, j int)

type CertificateManager

type CertificateManager interface {
	GetTLSContext(ctx context.Context, tls *api.TLSContext, defaultNs string) (ca, public, private string, err error)
	GetSecretString(ctx context.Context, secret *api.Secret, defaultNs string) (string, error)
}

type DirectionalVisibilityPolicy

type DirectionalVisibilityPolicy map[string]*VisibilityMetadata

DirectionalVisibilityPolicy is a mapping of VisibilityMetadata keyed by L4 Port / L4 Protocol (e.g., 80/TCP) for a given traffic direction (e.g., ingress or egress). This encodes at which L4 Port / L4 Protocol traffic should be redirected to a given L7 proxy. An empty instance of this type indicates that no traffic should be redirected.

type Endpoint

type Endpoint interface {
	GetID16() uint16
	GetSecurityIdentity() (*identity.Identity, error)
	PolicyRevisionBumpEvent(rev uint64)
	IsHost() bool
	GetOpLabels() []string
	GetK8sNamespace() string
}

Endpoint refers to any structure which has the following properties: * a node-local ID stored as a uint16 * a security identity * a means of incrementing its policy revision * a means of checking if it represents a node or a pod. * a set of labels * a kubernetes namespace

type EndpointPolicy

type EndpointPolicy struct {

	// PolicyMapState contains the state of this policy as it relates to the
	// datapath. In the future, this will be factored out of this object to
	// decouple the policy as it relates to the datapath vs. its userspace
	// representation.
	// It maps each Key to the proxy port if proxy redirection is needed.
	// Proxy port 0 indicates no proxy redirection.
	// All fields within the Key and the proxy port must be in host byte-order.
	// Must only be accessed with PolicyOwner (aka Endpoint) lock taken.
	PolicyMapState MapState

	// PolicyOwner describes any type which consumes this EndpointPolicy object.
	PolicyOwner PolicyOwner
	// contains filtered or unexported fields
}

EndpointPolicy is a structure which contains the resolved policy across all layers (L3, L4, and L7), distilled against a set of identities.

func NewEndpointPolicy

func NewEndpointPolicy(repo *Repository) *EndpointPolicy

NewEndpointPolicy returns an empty EndpointPolicy stub.

func (*EndpointPolicy) AllowsIdentity

func (p *EndpointPolicy) AllowsIdentity(identity identity.NumericIdentity) (ingress, egress bool)

AllowsIdentity returns whether the specified policy allows ingress and egress traffic for the specified numeric security identity. If the 'secID' is zero, it will check if all traffic is allowed.

Returning true for either return value indicates all traffic is allowed.

func (EndpointPolicy) Attach

func (p EndpointPolicy) Attach(ctx PolicyContext)

func (*EndpointPolicy) ConsumeMapChanges

func (p *EndpointPolicy) ConsumeMapChanges() (adds, deletes Keys)

ConsumeMapChanges transfers the changes from MapChanges to the caller, locking the selector cache to make sure concurrent identity updates have completed. PolicyOwner (aka Endpoint) is also locked during this call.

func (*EndpointPolicy) Detach

func (p *EndpointPolicy) Detach()

Detach removes EndpointPolicy references from selectorPolicy to allow the EndpointPolicy to be GC'd. PolicyOwner (aka Endpoint) is also locked during this call.

func (EndpointPolicy) DistillPolicy

func (p EndpointPolicy) DistillPolicy(policyOwner PolicyOwner, isHost bool) *EndpointPolicy

DistillPolicy filters down the specified selectorPolicy (which acts upon selectors) into a set of concrete map entries based on the SelectorCache. These can subsequently be plumbed into the datapath.

Must be performed while holding the Repository lock. PolicyOwner (aka Endpoint) is also locked during this call.

type EndpointSet

type EndpointSet struct {
	// contains filtered or unexported fields
}

EndpointSet is used to be able to group together a given set of Endpoints that need to have a specific operation performed upon them (e.g., policy revision updates).

func NewEndpointSet

func NewEndpointSet(m map[Endpoint]struct{}) *EndpointSet

NewEndpointSet returns an EndpointSet with the given Endpoints map

func (*EndpointSet) Delete

func (e *EndpointSet) Delete(ep Endpoint)

Delete removes ep from the EndpointSet.

func (*EndpointSet) ForEachGo

func (e *EndpointSet) ForEachGo(wg *sync.WaitGroup, epFunc func(epp Endpoint))

ForEachGo runs epFunc asynchronously inside a go routine for each endpoint in the EndpointSet. It signals to the provided WaitGroup when epFunc has been executed for each endpoint.

func (*EndpointSet) Insert

func (e *EndpointSet) Insert(ep Endpoint)

Insert adds ep to the EndpointSet.

func (*EndpointSet) Len

func (e *EndpointSet) Len() (nElem int)

Len returns the number of elements in the EndpointSet.

type Key

type Key struct {
	// Identity is the numeric identity to / from which traffic is allowed.
	Identity uint32
	// DestPort is the port at L4 to / from which traffic is allowed, in
	// host-byte order.
	DestPort uint16
	// NextHdr is the protocol which is allowed.
	Nexthdr uint8
	// TrafficDirection indicates in which direction Identity is allowed
	// communication (egress or ingress).
	TrafficDirection uint8
}

Key is the userspace representation of a policy key in BPF. It is intentionally duplicated from pkg/maps/policymap to avoid pulling in the BPF dependency to this package.

func (Key) AddDependent

func (owner Key) AddDependent(keys MapState, key Key)

AddDependent adds 'key' to the set of dependent keys.

func (Key) IsEgress

func (k Key) IsEgress() bool

IsEgress returns true if the key refers to an egress policy key

func (Key) IsIngress

func (k Key) IsIngress() bool

IsIngress returns true if the key refers to an ingress policy key

func (Key) String

func (k Key) String() string

String returns a string representation of the Key

type Keys

type Keys map[Key]struct{}

type L4Filter

type L4Filter struct {
	// Port is the destination port to allow. Port 0 indicates that all traffic
	// is allowed at L4.
	Port     int    `json:"port"`
	PortName string `json:"port-name,omitempty"`
	// Protocol is the L4 protocol to allow or NONE
	Protocol api.L4Proto `json:"protocol"`
	// U8Proto is the Protocol in numeric format, or 0 for NONE
	U8Proto u8proto.U8proto `json:"-"`

	// L7RulesPerSelector is a list of L7 rules per endpoint passed to the L7 proxy.
	// nil values represent cached selectors that have no L7 restriction.
	// Holds references to the cached selectors, which must be released!
	L7RulesPerSelector L7DataMap `json:"l7-rules,omitempty"`
	// L7Parser specifies the L7 protocol parser (optional). If specified as
	// an empty string, then means that no L7 proxy redirect is performed.
	L7Parser L7ParserType `json:"-"`
	// Ingress is true if filter applies at ingress; false if it applies at egress.
	Ingress bool `json:"-"`
	// The rule labels of this Filter
	DerivedFromRules labels.LabelArrayList `json:"-"`
	// contains filtered or unexported fields
}

L4Filter represents the policy (allowed remote sources / destinations of traffic) that applies at a specific L4 port/protocol combination (including all ports and protocols), at either ingress or egress. The policy here is specified in terms of selectors that are mapped to security identities via the selector cache.

func (*L4Filter) CopyL7RulesPerEndpoint

func (l4 *L4Filter) CopyL7RulesPerEndpoint() L7DataMap

CopyL7RulesPerEndpoint returns a shallow copy of the L7RulesPerSelector of the L4Filter.

func (*L4Filter) GetIngress

func (l4 *L4Filter) GetIngress() bool

GetIngress returns whether the L4Filter applies at ingress or egress.

func (*L4Filter) GetL7Parser

func (l4 *L4Filter) GetL7Parser() L7ParserType

GetL7Parser returns the L7ParserType of the L4Filter.

func (*L4Filter) GetPort

func (l4 *L4Filter) GetPort() uint16

GetPort returns the port at which the L4Filter applies as a uint16.

func (*L4Filter) IdentitySelectionUpdated

func (l4 *L4Filter) IdentitySelectionUpdated(selector CachedSelector, added, deleted []identity.NumericIdentity)

IdentitySelectionUpdated implements CachedSelectionUser interface This call is made from a single goroutine in FIFO order to keep add and delete events ordered properly. No locks are held.

The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.

func (*L4Filter) IsEnvoyRedirect

func (l4 *L4Filter) IsEnvoyRedirect() bool

IsEnvoyRedirect returns true if the L4 filter contains a port redirected to Envoy

func (*L4Filter) IsProxylibRedirect

func (l4 *L4Filter) IsProxylibRedirect() bool

IsProxylibRedirect returns true if the L4 filter contains a port redirected to Proxylib (via Envoy)

func (*L4Filter) IsRedirect

func (l4 *L4Filter) IsRedirect() bool

IsRedirect returns true if the L4 filter contains a port redirection

func (*L4Filter) MarshalIndent

func (l4 *L4Filter) MarshalIndent() string

MarshalIndent returns the `L4Filter` in indented JSON string.

func (*L4Filter) SelectsAllEndpoints

func (l4 *L4Filter) SelectsAllEndpoints() bool

SelectsAllEndpoints returns whether the L4Filter selects all endpoints, which is true if the wildcard endpoint selector is present in the map.

func (*L4Filter) String

func (l4 *L4Filter) String() string

String returns the `L4Filter` in a human-readable string.

func (*L4Filter) ToMapState

func (l4Filter *L4Filter) ToMapState(policyOwner PolicyOwner, direction trafficdirection.TrafficDirection) MapState

ToMapState converts filter into a MapState with two possible values:

  • Entry with ProxyPort = 0: No proxy redirection is needed for this key
  • Entry with any other port #: Proxy redirection is required for this key, caller must replace the ProxyPort with the actual listening port number.

Note: It is possible for two selectors to select the same security ID. To give priority for deny and L7 redirection (e.g., for visibility purposes), we use DenyPreferredInsert() instead of directly inserting the value to the map. PolicyOwner (aka Endpoint) is locked during this call.

type L4Policy

type L4Policy struct {
	Ingress L4PolicyMap
	Egress  L4PolicyMap

	// Revision is the repository revision used to generate this policy.
	Revision uint64
	// contains filtered or unexported fields
}

func NewL4Policy

func NewL4Policy(revision uint64) *L4Policy

NewL4Policy creates a new L4Policy

func (*L4Policy) AccumulateMapChanges

func (l4 *L4Policy) AccumulateMapChanges(cs CachedSelector, adds, deletes []identity.NumericIdentity, l4Filter *L4Filter,
	direction trafficdirection.TrafficDirection, redirect, isDeny bool)

AccumulateMapChanges distributes the given changes to the registered users.

The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.

func (*L4Policy) Attach

func (l4 *L4Policy) Attach(ctx PolicyContext)

Attach makes all the L4Filters to point back to the L4Policy that contains them. This is done before the L4Policy is exposed to concurrent access.

func (*L4Policy) Detach

func (l4 *L4Policy) Detach(selectorCache *SelectorCache)

Detach makes the L4Policy ready for garbage collection, removing circular pointer references. Note that the L4Policy itself is not modified in any way, so that it may still be used concurrently.

func (*L4Policy) GetModel

func (l4 *L4Policy) GetModel() *models.L4Policy

func (*L4Policy) HasEnvoyRedirect

func (l4 *L4Policy) HasEnvoyRedirect() bool

HasEnvoyRedirect returns true if the L4 policy contains at least one port redirection to Envoy

func (*L4Policy) HasProxylibRedirect

func (l4 *L4Policy) HasProxylibRedirect() bool

HasProxylibRedirect returns true if the L4 policy contains at least one port redirection to Proxylib

func (*L4Policy) HasRedirect

func (l4 *L4Policy) HasRedirect() bool

HasRedirect returns true if the L4 policy contains at least one port redirection

type L4PolicyMap

type L4PolicyMap map[string]*L4Filter

L4PolicyMap is a list of L4 filters indexable by protocol/port key format: "port/proto"

func (L4PolicyMap) Attach

func (l4 L4PolicyMap) Attach(ctx PolicyContext, l4Policy *L4Policy)

Attach makes all the L4Filters to point back to the L4Policy that contains them. This is done before the L4PolicyMap is exposed to concurrent access.

func (L4PolicyMap) Detach

func (l4 L4PolicyMap) Detach(selectorCache *SelectorCache)

Detach removes the cached selectors held by L4PolicyMap from the selectorCache, allowing the map to be garbage collected when there are no more references to it.

func (*L4PolicyMap) EgressCoversContext

func (l4 *L4PolicyMap) EgressCoversContext(ctx *SearchContext) api.Decision

EgressCoversContext checks if the receiver's egress L4Policy contains all `dPorts` and `labels`.

Note: Only used for policy tracing

func (L4PolicyMap) HasEnvoyRedirect

func (l4 L4PolicyMap) HasEnvoyRedirect() bool

HasEnvoyRedirect returns true if at least one L4 filter contains a port redirection that is forwarded to Envoy

func (L4PolicyMap) HasProxylibRedirect

func (l4 L4PolicyMap) HasProxylibRedirect() bool

HasProxylibRedirect returns true if at least one L4 filter contains a port redirection that is forwarded to Proxylib (via Envoy)

func (L4PolicyMap) HasRedirect

func (l4 L4PolicyMap) HasRedirect() bool

HasRedirect returns true if at least one L4 filter contains a port redirection

func (*L4PolicyMap) IngressCoversContext

func (l4 *L4PolicyMap) IngressCoversContext(ctx *SearchContext) api.Decision

IngressCoversContext checks if the receiver's ingress L4Policy contains all `dPorts` and `labels`.

Note: Only used for policy tracing

type L7DataMap

type L7DataMap map[CachedSelector]*PerSelectorPolicy

L7DataMap contains a map of L7 rules per endpoint where key is a CachedSelector

func (L7DataMap) MarshalJSON

func (l7 L7DataMap) MarshalJSON() ([]byte, error)

func (L7DataMap) ShallowCopy

func (l7 L7DataMap) ShallowCopy() L7DataMap

ShallowCopy returns a shallow copy of the L7DataMap.

type L7ParserType

type L7ParserType string

L7ParserType is the type used to indicate what L7 parser to use. Consts are defined for all well known L7 parsers. Unknown string values are created for key-value pair policies, which are then transparently used in redirect configuration.

const (
	// ParserTypeNone represents the case where no parser type is provided.
	ParserTypeNone L7ParserType = ""
	// ParserTypeHTTP specifies a HTTP parser type
	ParserTypeHTTP L7ParserType = "http"
	// ParserTypeKafka specifies a Kafka parser type
	ParserTypeKafka L7ParserType = "kafka"
	// ParserTypeDNS specifies a DNS parser type
	ParserTypeDNS L7ParserType = "dns"
)

func (L7ParserType) String

func (l7 L7ParserType) String() string

type MapChange

type MapChange struct {
	Add   bool // false deletes
	Key   Key
	Value MapStateEntry
}

type MapChanges

type MapChanges struct {
	// contains filtered or unexported fields
}

MapChanges collects updates to the endpoint policy on the granularity of individual mapstate key-value pairs for both adds and deletes. 'mutex' must be held for any access.

func (*MapChanges) AccumulateMapChanges

func (mc *MapChanges) AccumulateMapChanges(cs CachedSelector, adds, deletes []identity.NumericIdentity,
	port uint16, proto uint8, direction trafficdirection.TrafficDirection,
	redirect, isDeny bool, derivedFrom labels.LabelArrayList)

AccumulateMapChanges accumulates the given changes to the MapChanges.

The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.

type MapState

type MapState map[Key]MapStateEntry

MapState is a state of a policy map.

func (MapState) AddVisibilityKeys

func (keys MapState) AddVisibilityKeys(e PolicyOwner, redirectPort uint16, visMeta *VisibilityMetadata, adds Keys, oldValues MapState)

AddVisibilityKeys adjusts and expands PolicyMapState keys and values to redirect for visibility on the port of the visibility annotation while still denying traffic on this port for identities for which the traffic is denied.

Datapath lookup order is, from highest to lowest precedence: 1. L3/L4 2. L4-only (wildcard L3) 3. L3-only (wildcard L4) 4. Allow-all

This means that the L4-only allow visibility key can only be added if there is an allow-all key, and all L3-only deny keys are expanded to L3/L4 keys. If no L4-only key is added then also the L3-only allow keys need to be expanded to L3/L4 keys for visibility redirection. In addition the existing L3/L4 and L4-only allow keys need to be redirected to the proxy port, if not already redirected.

The above can be accomplished by:

  1. Change existing L4-only ALLOW key on matching port that does not already redirect to redirect. - e.g., 0:80=allow,0 -> 0:80=allow,<proxyport>
  2. If allow-all policy exists, add L4-only visibility redirect key if the L4-only key does not already exist. - e.g., 0:0=allow,0 -> add 0:80=allow,<proxyport> if 0:80 does not exist - this allows all traffic on port 80, but see step 5 below.
  3. Change all L3/L4 ALLOW keys on matching port that do not already redirect to redirect. - e.g, <ID1>:80=allow,0 -> <ID1>:80=allow,<proxyport>
  4. For each L3-only ALLOW key add the corresponding L3/L4 ALLOW redirect if no L3/L4 key already exists and no L4-only key already exists and one is not added. - e.g., <ID2>:0=allow,0 -> add <ID2>:80=allow,<proxyport> if <ID2>:80 and 0:80 do not exist
  5. If a new L4-only key was added: For each L3-only DENY key add the corresponding L3/L4 DENY key if no L3/L4 key already exists. - e.g., <ID3>:0=deny,0 -> add <ID3>:80=deny,0 if <ID3>:80 does not exist

With the above we only change/expand existing allow keys to redirect, and expand existing drop keys to also drop on the port of interest, if a new L4-only key allowing the port is added.

'adds' and 'oldValues' are updated with the changes made. 'adds' contains both the added and changed keys. 'oldValues' contains the old values for changed keys. This function does not delete any keys.

func (MapState) AllowAllIdentities

func (keys MapState) AllowAllIdentities(ingress, egress bool)

AllowAllIdentities translates all identities in selectorCache to their corresponding Keys in the specified direction (ingress, egress) which allows all at L3.

func (MapState) AllowsL4

func (keys MapState) AllowsL4(policyOwner PolicyOwner, l4 *L4Filter) bool

func (MapState) DenyPreferredInsert

func (keys MapState) DenyPreferredInsert(newKey Key, newEntry MapStateEntry)

DenyPreferredInsert inserts a key and entry into the map by given preference to deny entries, and L3-only deny entries over L3-L4 allows. This form may be used when a full policy is computed and we are not yet interested in accumulating incremental changes.

func (MapState) DetermineAllowLocalhostIngress

func (keys MapState) DetermineAllowLocalhostIngress()

DetermineAllowLocalhostIngress determines whether communication should be allowed from the localhost. It inserts the Key corresponding to the localhost in the desiredPolicyKeys if the localhost is allowed to communicate with the endpoint.

func (MapState) GetDenyIdentities

func (pms MapState) GetDenyIdentities(log *logrus.Logger) (ingIdentities, egIdentities []int64)

func (MapState) GetIdentities

func (pms MapState) GetIdentities(log *logrus.Logger) (ingIdentities, egIdentities []int64)

func (MapState) RemoveDependent

func (keys MapState) RemoveDependent(owner Key, dependent Key)

RemoveDependent removes 'key' from the list of dependent keys. This is called when a dependent entry is being deleted.

type MapStateEntry

type MapStateEntry struct {
	// The proxy port, in host byte order.
	// If 0 (default), there is no proxy redirection for the corresponding
	// Key. Any other value signifies proxy redirection.
	ProxyPort uint16

	// IsDeny is true when the policy should be denied.
	IsDeny bool

	// DerivedFromRules tracks the policy rules this entry derives from
	DerivedFromRules labels.LabelArrayList
	// contains filtered or unexported fields
}

MapStateEntry is the configuration associated with a Key in a MapState. This is a minimized version of policymap.PolicyEntry.

func NewMapStateEntry

func NewMapStateEntry(cs MapStateOwner, derivedFrom labels.LabelArrayList, redirect, deny bool) MapStateEntry

NewMapStateEntry creates a map state entry. If redirect is true, the caller is expected to replace the ProxyPort field before it is added to the actual BPF map. 'cs' is used to keep track of which policy selectors need this entry. If it is 'nil' this entry will become sticky and cannot be completely removed via incremental updates. Even in this case the entry may be overridden or removed by a deny entry.

func (*MapStateEntry) AddDependent

func (e *MapStateEntry) AddDependent(key Key)

AddDependent adds 'key' to the set of dependent keys.

func (*MapStateEntry) DatapathEqual

func (e *MapStateEntry) DatapathEqual(o *MapStateEntry) bool

DatapathEqual returns true of two entries are equal in the datapath's PoV, i.e., both Deny and ProxyPort are the same for both entries.

func (*MapStateEntry) IsRedirectEntry

func (e *MapStateEntry) IsRedirectEntry() bool

IsRedirectEntry returns true if e contains a redirect

func (*MapStateEntry) MergeReferences

func (e *MapStateEntry) MergeReferences(entry *MapStateEntry)

MergeReferences adds owners and dependents from entry 'entry' to 'e'. 'entry' is not modified.

func (*MapStateEntry) RemoveDependent

func (e *MapStateEntry) RemoveDependent(key Key)

RemoveDependent removes 'key' from the set of dependent keys.

func (MapStateEntry) String

func (e MapStateEntry) String() string

String returns a string representation of the MapStateEntry

type MapStateOwner

type MapStateOwner interface{}

type NamedPortMap

type NamedPortMap map[string]PortProto

NamedPortMap maps port names to port numbers and protocols.

func (NamedPortMap) AddPort

func (npm NamedPortMap) AddPort(name string, port int, protocol string) error

AddPort adds a new PortProto to the NamedPortMap

func (NamedPortMap) GetNamedPort

func (npm NamedPortMap) GetNamedPort(name string, proto uint8) (uint16, error)

GetNamedPort returns the port number for the named port, if any.

type NamedPortMultiMap

type NamedPortMultiMap map[string]PortProtoSet

NamedPortMultiMap may have multiple entries for a name if multiple PODs define the same name with different values.

func (NamedPortMultiMap) Equal

func (npm NamedPortMultiMap) Equal(other NamedPortMultiMap) bool

Equal returns true if the NamedPortMultiMaps are equal.

func (NamedPortMultiMap) GetNamedPort

func (npm NamedPortMultiMap) GetNamedPort(name string, proto uint8) (uint16, error)

GetNamedPort returns the port number for the named port, if any.

type PerSelectorPolicy

type PerSelectorPolicy struct {
	// TerminatingTLS is the TLS context for the connection terminated by
	// the L7 proxy.  For egress policy this specifies the server-side TLS
	// parameters to be applied on the connections originated from the local
	// POD and terminated by the L7 proxy. For ingress policy this specifies
	// the server-side TLS parameters to be applied on the connections
	// originated from a remote source and terminated by the L7 proxy.
	TerminatingTLS *TLSContext `json:"terminatingTLS,omitempty"`

	// OriginatingTLS is the TLS context for the connections originated by
	// the L7 proxy.  For egress policy this specifies the client-side TLS
	// parameters for the upstream connection originating from the L7 proxy
	// to the remote destination. For ingress policy this specifies the
	// client-side TLS parameters for the connection from the L7 proxy to
	// the local POD.
	OriginatingTLS *TLSContext `json:"originatingTLS,omitempty"`

	// Pre-computed HTTP rules with resolved k8s secrets
	// Computed after rule merging is complete!
	EnvoyHTTPRules *cilium.HttpNetworkPolicyRules `json:"-"`

	// CanShortCircuit is true if all 'EnvoyHTTPRules' may be
	// short-circuited by other matches.
	CanShortCircuit bool `json:"-"`

	api.L7Rules

	// IsDeny is set if this L4Filter contains should be denied
	IsDeny bool `json:",omitempty"`
}

func (*PerSelectorPolicy) Equal

Equal returns true if 'a' and 'b' represent the same L7 Rules

func (*PerSelectorPolicy) IsEmpty

func (a *PerSelectorPolicy) IsEmpty() bool

IsEmpty returns whether the `L7Rules` is nil or contains nil rules.

func (*PerSelectorPolicy) IsRedirect

func (a *PerSelectorPolicy) IsRedirect() bool

IsRedirect returns true if the L7Rules are a redirect.

type PolicyCache

type PolicyCache struct {
	lock.Mutex
	// contains filtered or unexported fields
}

PolicyCache represents a cache of resolved policies for identities.

func NewPolicyCache

func NewPolicyCache(repo *Repository, subscribe bool) *PolicyCache

NewPolicyCache creates a new cache of SelectorPolicy.

func (*PolicyCache) GetSelectorCache

func (cache *PolicyCache) GetSelectorCache() *SelectorCache

func (*PolicyCache) LocalEndpointIdentityAdded

func (cache *PolicyCache) LocalEndpointIdentityAdded(identity *identityPkg.Identity)

LocalEndpointIdentityAdded creates a SelectorPolicy cache entry for the specified Identity, without calculating any policy for it.

func (*PolicyCache) LocalEndpointIdentityRemoved

func (cache *PolicyCache) LocalEndpointIdentityRemoved(identity *identityPkg.Identity)

LocalEndpointIdentityRemoved deletes the cached SelectorPolicy for the specified Identity.

func (*PolicyCache) Lookup

func (cache *PolicyCache) Lookup(identity *identityPkg.Identity) SelectorPolicy

Lookup attempts to locate the SelectorPolicy corresponding to the specified identity. If policy is not cached for the identity, it returns nil.

func (*PolicyCache) UpdatePolicy

func (cache *PolicyCache) UpdatePolicy(identity *identityPkg.Identity) error

UpdatePolicy resolves the policy for the security identity of the specified endpoint and caches it for future use.

The caller must provide threadsafety for iteration over the policy repository.

type PolicyContext

type PolicyContext interface {
	// return the SelectorCache
	GetSelectorCache() *SelectorCache

	// GetTLSContext resolves the given 'api.TLSContext' into CA
	// certs and the public and private keys, using secrets from
	// k8s or from the local file system.
	GetTLSContext(tls *api.TLSContext) (ca, public, private string, err error)

	// GetEnvoyHTTPRules translates the given 'api.L7Rules' into
	// the protobuf representation the Envoy can consume. The bool
	// return parameter tells whether the the rule enforcement can
	// be short-circuited upon the first allowing rule. This is
	// false if any of the rules has side-effects, requiring all
	// such rules being evaluated.
	GetEnvoyHTTPRules(l7Rules *api.L7Rules) (*cilium.HttpNetworkPolicyRules, bool)

	// IsDeny returns true if the policy computation should be done for the
	// policy deny case. This function returns different values depending on the
	// code path as it can be changed during the policy calculation.
	IsDeny() bool

	// SetDeny sets the Deny field of the PolicyContext and returns the old
	// value stored.
	SetDeny(newValue bool) (oldValue bool)
}

PolicyContext is an interface policy resolution functions use to access the Repository. This way testing code can run without mocking a full Repository.

type PolicyOwner

type PolicyOwner interface {
	GetID() uint64
	LookupRedirectPortLocked(ingress bool, protocol string, port uint16) uint16
	GetNamedPort(ingress bool, name string, proto uint8) uint16
	GetNamedPortLocked(ingress bool, name string, proto uint8) uint16
	PolicyDebug(fields logrus.Fields, msg string)
}

PolicyOwner is anything which consumes a EndpointPolicy.

type PortProto

type PortProto struct {
	Port  uint16 // non-0
	Proto uint8  // 0 for any
}

PortProto is a pair of port number and protocol and is used as the value type in named port maps.

type PortProtoSet

type PortProtoSet map[PortProto]struct{}

PortProtoSet is a set of unique PortProto values.

func (PortProtoSet) Equal

func (pps PortProtoSet) Equal(other PortProtoSet) bool

Equal returns true if the PortProtoSets are equal.

type ProxyPolicy

type ProxyPolicy interface {
	CopyL7RulesPerEndpoint() L7DataMap
	GetL7Parser() L7ParserType
	GetIngress() bool
	GetPort() uint16
}

ProxyPolicy is any type which encodes state needed to redirect to an L7 proxy.

type Repository

type Repository struct {
	// Mutex protects the whole policy tree
	Mutex lock.RWMutex

	// RepositoryChangeQueue is a queue which serializes changes to the policy
	// repository.
	RepositoryChangeQueue *eventqueue.EventQueue

	// RuleReactionQueue is a queue which serializes the resultant events that
	// need to occur after updating the state of the policy repository. This
	// can include queueing endpoint regenerations, policy revision increments
	// for endpoints, etc.
	RuleReactionQueue *eventqueue.EventQueue
	// contains filtered or unexported fields
}

Repository is a list of policy rules which in combination form the security policy. A policy repository can be

func NewPolicyRepository

func NewPolicyRepository(idAllocator cache.IdentityAllocator, idCache cache.IdentityCache, certManager CertificateManager) *Repository

NewPolicyRepository creates a new policy repository.

func (*Repository) Add

func (p *Repository) Add(r api.Rule, localRuleConsumers []Endpoint) (uint64, map[uint16]struct{}, error)

Add inserts a rule into the policy repository This is just a helper function for unit testing. TODO: this should be in a test_helpers.go file or something similar so we can clearly delineate what helpers are for testing. NOTE: This is only called from unit tests, but from multiple packages.

func (*Repository) AddList

func (p *Repository) AddList(rules api.Rules) (ruleSlice, uint64)

AddList inserts a rule into the policy repository. It is used for unit-testing purposes only.

func (*Repository) AddListLocked

func (p *Repository) AddListLocked(rules api.Rules) (ruleSlice, uint64)

AddListLocked inserts a rule into the policy repository with the repository already locked Expects that the entire rule list has already been sanitized.

func (*Repository) AllowsEgressRLocked

func (p *Repository) AllowsEgressRLocked(ctx *SearchContext) api.Decision

AllowsEgressRLocked evaluates the policy repository for the provided search context and returns the verdict. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

NOTE: This is only called from unit tests, but from multiple packages.

func (*Repository) AllowsIngressRLocked

func (p *Repository) AllowsIngressRLocked(ctx *SearchContext) api.Decision

AllowsIngressRLocked evaluates the policy repository for the provided search context and returns the verdict for ingress. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

func (*Repository) BumpRevision

func (p *Repository) BumpRevision()

BumpRevision allows forcing policy regeneration

func (*Repository) DeleteByLabels

func (p *Repository) DeleteByLabels(lbls labels.LabelArray) (uint64, int)

DeleteByLabels deletes all rules in the policy repository which contain the specified labels

func (*Repository) DeleteByLabelsLocked

func (p *Repository) DeleteByLabelsLocked(lbls labels.LabelArray) (ruleSlice, uint64, int)

DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels. Returns the revision of the policy repository after deleting the rules, as well as now many rules were deleted.

func (*Repository) Empty

func (p *Repository) Empty() bool

Empty returns 'true' if repository has no rules, 'false' otherwise.

Must be called without p.Mutex held

func (*Repository) GetEnvoyHTTPRules

func (p *Repository) GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)

func (*Repository) GetJSON

func (p *Repository) GetJSON() string

GetJSON returns all rules of the policy repository as string in JSON representation

func (*Repository) GetPolicyCache

func (p *Repository) GetPolicyCache() *PolicyCache

GetPolicyCache() returns the policy cache used by the Repository

func (*Repository) GetRevision

func (p *Repository) GetRevision() uint64

GetRevision returns the revision of the policy repository

func (*Repository) GetRulesList

func (p *Repository) GetRulesList() *models.Policy

GetRulesList returns the current policy

func (*Repository) GetRulesMatching

func (p *Repository) GetRulesMatching(lbls labels.LabelArray) (ingressMatch bool, egressMatch bool)

GetRulesMatching returns whether any of the rules in a repository contain a rule with labels matching the labels in the provided LabelArray.

Must be called with p.Mutex held

func (*Repository) GetSelectorCache

func (p *Repository) GetSelectorCache() *SelectorCache

GetSelectorCache() returns the selector cache used by the Repository

func (*Repository) Iterate

func (p *Repository) Iterate(f func(rule *api.Rule))

Iterate iterates the policy repository, calling f for each rule. It is safe to execute Iterate concurrently.

func (*Repository) LocalEndpointIdentityAdded

func (p *Repository) LocalEndpointIdentityAdded(*identity.Identity)

LocalEndpointIdentityAdded handles local identity add events.

func (*Repository) LocalEndpointIdentityRemoved

func (p *Repository) LocalEndpointIdentityRemoved(identity *identity.Identity)

LocalEndpointIdentityRemoved handles local identity removal events to remove references from rules in the repository to the specified identity.

func (*Repository) NumRules

func (p *Repository) NumRules() int

NumRules returns the amount of rules in the policy repository.

Must be called with p.Mutex held

func (*Repository) ResolveL4EgressPolicy

func (p *Repository) ResolveL4EgressPolicy(ctx *SearchContext) (L4PolicyMap, error)

ResolveL4EgressPolicy resolves the L4 egress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.From`. `ctx.To` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.

Caller must release resources by calling Detach() on the returned map!

NOTE: This is only called from unit tests, but from multiple packages.

func (*Repository) ResolveL4IngressPolicy

func (p *Repository) ResolveL4IngressPolicy(ctx *SearchContext) (L4PolicyMap, error)

ResolveL4IngressPolicy resolves the L4 ingress policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.

TODO: Coalesce l7 rules?

Caller must release resources by calling Detach() on the returned map!

Note: Only used for policy tracing

func (*Repository) SearchRLocked

func (p *Repository) SearchRLocked(lbls labels.LabelArray) api.Rules

SearchRLocked searches the policy repository for rules which match the specified labels and will return an array of all rules which matched.

func (*Repository) SetEnvoyRulesFunc

func (p *Repository) SetEnvoyRulesFunc(f func(CertificateManager, *api.L7Rules, string) (*cilium.HttpNetworkPolicyRules, bool))

func (*Repository) TranslateRules

func (p *Repository) TranslateRules(translator Translator) (*TranslationResult, error)

TranslateRules traverses rules and applies provided translator to rules

Note: Only used by the k8s watcher.

type SearchContext

type SearchContext struct {
	Trace   Tracing
	Depth   int
	Logging *stdlog.Logger
	From    labels.LabelArray
	To      labels.LabelArray
	DPorts  []*models.Port
	// contains filtered or unexported fields
}

SearchContext defines the context while evaluating policy

func (*SearchContext) CallDepth

func (s *SearchContext) CallDepth() string

func (*SearchContext) PolicyTrace

func (s *SearchContext) PolicyTrace(format string, a ...interface{})

PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) PolicyTraceVerbose

func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})

PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) String

func (s *SearchContext) String() string

func (*SearchContext) TraceEnabled

func (s *SearchContext) TraceEnabled() bool

TraceEnabled returns true if the SearchContext requests tracing.

func (*SearchContext) WithLogger

func (s *SearchContext) WithLogger(log io.Writer) *SearchContext

WithLogger returns a shallow copy of the received SearchContext with the logging set to write to 'log'.

type SelectorCache

type SelectorCache struct {
	// contains filtered or unexported fields
}

SelectorCache caches identities, identity selectors, and the subsets of identities each selector selects.

func NewSelectorCache

func NewSelectorCache(allocator cache.IdentityAllocator, ids cache.IdentityCache) *SelectorCache

NewSelectorCache creates a new SelectorCache with the given identities.

func (*SelectorCache) AddFQDNSelector

func (sc *SelectorCache) AddFQDNSelector(user CachedSelectionUser, fqdnSelec api.FQDNSelector) (cachedSelector CachedSelector, added bool)

AddFQDNSelector adds the given api.FQDNSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding CachedSelector is returned, otherwise one is created and added to the cache.

func (*SelectorCache) AddIdentitySelector

func (sc *SelectorCache) AddIdentitySelector(user CachedSelectionUser, selector api.EndpointSelector) (cachedSelector CachedSelector, added bool)

AddIdentitySelector adds the given api.EndpointSelector in to the selector cache. If an identical EndpointSelector has already been cached, the corresponding CachedSelector is returned, otherwise one is created and added to the cache.

func (*SelectorCache) ChangeUser

func (sc *SelectorCache) ChangeUser(selector CachedSelector, from, to CachedSelectionUser)

ChangeUser changes the CachedSelectionUser that gets updates on the updates on the cached selector.

func (*SelectorCache) FindCachedIdentitySelector

func (sc *SelectorCache) FindCachedIdentitySelector(selector api.EndpointSelector) CachedSelector

FindCachedIdentitySelector finds the given api.EndpointSelector in the selector cache, returning nil if one can not be found.

func (*SelectorCache) GetModel

func (sc *SelectorCache) GetModel() models.SelectorCache

GetModel returns the API model of the SelectorCache.

func (*SelectorCache) RemoveIdentitiesFQDNSelectors

func (sc *SelectorCache) RemoveIdentitiesFQDNSelectors(fqdnSels []api.FQDNSelector, wg *sync.WaitGroup)

RemoveIdentitiesFQDNSelectors removes all identities from being mapped to the set of FQDNSelectors.

func (*SelectorCache) RemoveSelector

func (sc *SelectorCache) RemoveSelector(selector CachedSelector, user CachedSelectionUser)

RemoveSelector removes CachedSelector for the user.

func (*SelectorCache) RemoveSelectors

func (sc *SelectorCache) RemoveSelectors(selectors CachedSelectorSlice, user CachedSelectionUser)

RemoveSelectors removes CachedSelectorSlice for the user.

func (*SelectorCache) SetLocalIdentityNotifier

func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)

SetLocalIdentityNotifier injects the provided identityNotifier into the SelectorCache. Currently, this is used to inject the FQDN subsystem into the SelectorCache so the SelectorCache can notify the FQDN subsystem when it should be aware of a given FQDNSelector for which CIDR identities need to be provided upon DNS lookups which corespond to said FQDNSelector.

func (*SelectorCache) UpdateFQDNSelector

func (sc *SelectorCache) UpdateFQDNSelector(fqdnSelec api.FQDNSelector, identities []identity.NumericIdentity, wg *sync.WaitGroup)

UpdateFQDNSelector updates the mapping of fqdnKey (the FQDNSelector from a policy rule as a string) to to the provided list of identities. If the contents of the cachedSelections differ from those in the identities slice, all users are notified asynchronously. Caller should Wait() on the returned sync.WaitGroup before triggering any policy updates. Policy updates may need Endpoint locks, so this Wait() can deadlock if the caller is holding any endpoint locks.

func (*SelectorCache) UpdateIdentities

func (sc *SelectorCache) UpdateIdentities(added, deleted cache.IdentityCache, wg *sync.WaitGroup)

UpdateIdentities propagates identity updates to selectors

The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.

Caller should Wait() on the returned sync.WaitGroup before triggering any policy updates. Policy updates may need Endpoint locks, so this Wait() can deadlock if the caller is holding any endpoint locks.

type SelectorPolicy

type SelectorPolicy interface {
	// Consume returns the policy in terms of connectivity to peer
	// Identities.
	Consume(owner PolicyOwner) *EndpointPolicy
}

SelectorPolicy represents a cached selectorPolicy, previously resolved from the policy repository and ready to be distilled against a set of identities to compute datapath-level policy configuration.

type TLSContext

type TLSContext struct {
	TrustedCA        string `json:"trustedCA,omitempty"`
	CertificateChain string `json:"certificateChain,omitempty"`
	PrivateKey       string `json:"privateKey,omitempty"`
}

TLS context holds the secret values resolved from an 'api.TLSContext'

func (*TLSContext) Equal

func (a *TLSContext) Equal(b *TLSContext) bool

Equal returns true if 'a' and 'b' have the same contents.

func (*TLSContext) MarshalJSON

func (t *TLSContext) MarshalJSON() ([]byte, error)

MarshalJSON marsahls a redacted version of the TLSContext. We want to see which fields are present, but not reveal their values in any logs, etc.

type TLSDirection

type TLSDirection string
const (
	TerminatingTLS TLSDirection = "terminating"
	OriginatingTLS TLSDirection = "originating"
)

type Tracing

type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

type TranslationResult

type TranslationResult struct {
	// NumToServicesRules is the number of ToServices rules processed while
	// translating the rules
	NumToServicesRules int
}

TranslationResult contains the results of the rule translation

type Translator

type Translator interface {
	Translate(*api.Rule, *TranslationResult) error
}

Translator is an interface for altering policy rules

type TriggerMetrics

type TriggerMetrics struct{}

TriggerMetrics handles the metrics for trigger policy recalculations.

func (*TriggerMetrics) PostRun

func (p *TriggerMetrics) PostRun(duration, latency time.Duration, folds int)

func (*TriggerMetrics) QueueEvent

func (p *TriggerMetrics) QueueEvent(reason string)

type Updater

type Updater struct {
	*trigger.Trigger
	// contains filtered or unexported fields
}

Updater is responsible for triggering policy updates, in order to perform policy recalculation.

func NewUpdater

func NewUpdater(r *Repository, regen regenerator) (*Updater, error)

NewUpdater returns a new Updater instance to handle triggering policy updates ready for use.

func (*Updater) TriggerPolicyUpdates

func (u *Updater) TriggerPolicyUpdates(force bool, reason string)

TriggerPolicyUpdates triggers the policy update trigger.

To follow what the trigger does, see NewUpdater.

type VisibilityMetadata

type VisibilityMetadata struct {
	// Parser represents the proxy to which traffic should be redirected.
	Parser L7ParserType

	// Port, in tandem with Proto, signifies which L4 port for which traffic
	// should be redirected.
	Port uint16

	// Proto, in tandem with port, signifies which L4 protocol for which traffic
	// should be redirected.
	Proto u8proto.U8proto

	// Ingress specifies whether ingress traffic at the given L4 port / protocol
	// should be redirected to the proxy.
	Ingress bool

	// L7Metadata encodes optional information what is allowed at L7 for
	// visibility. Some specific protocol parsers do not need this set for
	// allowing of traffic (e.g., HTTP), but some do (e.g., DNS).
	L7Metadata L7DataMap
}

VisibilityMetadata encodes state about what type of traffic should be redirected to an L7Proxy. Implements the ProxyPolicy interface. TODO: an L4Filter could be composed of this type.

func (*VisibilityMetadata) CopyL7RulesPerEndpoint

func (v *VisibilityMetadata) CopyL7RulesPerEndpoint() L7DataMap

CopyL7RulesPerEndpoint returns a shallow copy of the L7Metadata of the L4Filter.

func (*VisibilityMetadata) GetIngress

func (v *VisibilityMetadata) GetIngress() bool

GetIngress returns whether the VisibilityMetadata applies at ingress or egress.

func (*VisibilityMetadata) GetL7Parser

func (v *VisibilityMetadata) GetL7Parser() L7ParserType

GetL7Parser returns the L7ParserType for this VisibilityMetadata.

func (*VisibilityMetadata) GetPort

func (v *VisibilityMetadata) GetPort() uint16

GetPort returns at which port the VisibilityMetadata applies.

type VisibilityPolicy

type VisibilityPolicy struct {
	Ingress DirectionalVisibilityPolicy
	Egress  DirectionalVisibilityPolicy
	Error   error
}

VisibilityPolicy represents for both ingress and egress which types of traffic should be redirected to a given L7 proxy.

func NewVisibilityPolicy

func NewVisibilityPolicy(anno string) (*VisibilityPolicy, error)

NewVisibilityPolicy generates the VisibilityPolicy that is encoded in the annotation parameter. Returns an error:

  • if the annotation does not correspond to the expected format for a visibility annotation.
  • if there is a conflict between the state encoded in the annotation (e.g., different L7 protocols for the same L4 port / protocol / traffic direction.

Directories

Path Synopsis
api
Package api defines the API of the Cilium network policy interface +groupName=policy
Package api defines the API of the Cilium network policy interface +groupName=policy
kafka
Package kafka defines the Kafka API of the Cilium network policy interface +groupName=policy
Package kafka defines the Kafka API of the Cilium network policy interface +groupName=policy
aws
package trafficdirection specifies the directionality of policy in a numeric representation.
package trafficdirection specifies the directionality of policy in a numeric representation.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL