controller

package
v0.0.8 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Dec 11, 2024 License: Apache-2.0 Imports: 46 Imported by: 0

Documentation

Overview

Copyright 2024 Illumio, Inc. All Rights Reserved.

Copyright 2024 Illumio, Inc. All Rights Reserved.

Index

Constants

This section is empty.

Variables

View Source
var (
	ErrHubbleNotFound   = errors.New("hubble Relay service not found; disabling Cilium flow collection")
	ErrNoPortsAvailable = errors.New("hubble Relay service has no ports; disabling Cilium flow collection")
)
View Source
var ErrFalcoEventIsNotFlow = errors.New("ignoring falco event, not a network flow")
View Source
var ErrStopRetries = errors.New("stop retries")

Functions

func ConnectStreams added in v0.0.6

func ConnectStreams(ctx context.Context, logger *zap.SugaredLogger, envMap EnvironmentConfig, bufferedGrpcSyncer *BufferedGrpcWriteSyncer)

ConnectStreams will continue to reboot and restart the main operations within the operator if any disconnects or errors occur.

func GetClusterID

func GetClusterID(ctx context.Context, logger *zap.SugaredLogger) (string, error)

GetClusterID returns the uid of the k8s cluster's kube-system namespace, which is used as the cluster's globally unique ID.

func GetTLSConfig added in v0.0.8

func GetTLSConfig(skipVerify bool) *tls.Config

GetTLSConfig returns a TLS configuration.

func GetTokenSource added in v0.0.8

func GetTokenSource(ctx context.Context, config clientcredentials.Config, tlsConfig *tls.Config) oauth2.TokenSource

GetTokenSource returns an OAuth2 token source.

func IsRunningInCluster

func IsRunningInCluster() bool

IsRunningInCluster helps determine if the application is running inside a Kubernetes cluster.

func NewAuthenticatedConnection added in v0.0.6

func NewAuthenticatedConnection(ctx context.Context, logger *zap.SugaredLogger, envMap EnvironmentConfig) (*grpc.ClientConn, pb.KubernetesInfoServiceClient, error)

NewAuthenticatedConnection gets a valid token and creats a connection to CloudSecure.

func NewClientSet

func NewClientSet() (*kubernetes.Clientset, error)

NewClientSet returns a new Kubernetes clientset based on the execution environment.

func NewFalcoEventHandler added in v0.0.8

func NewFalcoEventHandler(eventChan chan<- string) http.HandlerFunc

NewFalcoEventHandler creates a new HTTP handler function for processing Falco events.

func NewGRPClogger added in v0.0.2

func NewGRPClogger(grpcSyncer *BufferedGrpcWriteSyncer) *zap.SugaredLogger

NewGRPClogger will define a new zap logger with multiple writesyncs one to stdout and one for GRPC writestream

func ParseToken added in v0.0.8

func ParseToken(tokenString string) (jwt.MapClaims, error)

ParseToken parses the JWT token and returns the claims.

func ServerIsHealthy

func ServerIsHealthy() bool

ServerIsHealthy checks if a deadlock has occured within the threaded resource listing process.

func SetUpOAuthConnection

func SetUpOAuthConnection(
	ctx context.Context,
	logger *zap.SugaredLogger,
	tokenURL string,
	tlsSkipVerify bool,
	clientID string,
	clientSecret string,
) (*grpc.ClientConn, error)

SetUpOAuthConnection establishes a gRPC connection using OAuth credentials and logging the process.

Types

type Authenticator added in v0.0.6

type Authenticator struct {
	Logger *zap.SugaredLogger
}

Authenticator keeps a logger for its own methods.

func (*Authenticator) DoesK8sSecretExist added in v0.0.6

func (authn *Authenticator) DoesK8sSecretExist(ctx context.Context, secretName string) bool

func (*Authenticator) GetOnboardingCredentials added in v0.0.6

func (authn *Authenticator) GetOnboardingCredentials(ctx context.Context, clientID string, clientSecret string) (Credentials, error)

GetOnboardingCredentials returns credentials to onboard this cluster with CloudSecure.

func (*Authenticator) ReadCredentialsK8sSecrets added in v0.0.6

func (authn *Authenticator) ReadCredentialsK8sSecrets(ctx context.Context, secretName string) (string, string, error)

ReadK8sSecret takes a secretName and reads the file.

func (*Authenticator) WriteK8sSecret added in v0.0.6

func (authn *Authenticator) WriteK8sSecret(ctx context.Context, keyData OnboardResponse, ClusterCreds string) error

WriteK8sSecret takes an OnboardResponse and writes it to a locally kept secret.

type BufferedGrpcWriteSyncer added in v0.0.2

type BufferedGrpcWriteSyncer struct {
	// contains filtered or unexported fields
}

BufferedGrpcWriteSyncer is a custom zap writesync that writes to a grpc stream In case stream is not connected it will buffer to memory

func NewBufferedGrpcWriteSyncer added in v0.0.2

func NewBufferedGrpcWriteSyncer() *BufferedGrpcWriteSyncer

NewBufferedGrpcWriteSyncer returns a new BufferedGrpcWriteSyncer

func (*BufferedGrpcWriteSyncer) Close added in v0.0.2

func (b *BufferedGrpcWriteSyncer) Close() error

Close flushes buffered log data into grpc stream if possible, and closes the connection.

func (*BufferedGrpcWriteSyncer) ListenToLogStream added in v0.0.2

func (b *BufferedGrpcWriteSyncer) ListenToLogStream() error

ListenToLogStream will wait for responses from server and will update log level depending on response contents

func (*BufferedGrpcWriteSyncer) UpdateClient added in v0.0.2

UpdateClient will update BufferedGrpcWriteSyncer with new client stream and GRPC connection

type Cache added in v0.0.6

type Cache struct {
	// contains filtered or unexported fields
}

Cache contains the cache that is used to store seen events.

type CiliumFlowCollector added in v0.0.5

type CiliumFlowCollector struct {
	// contains filtered or unexported fields
}

CiliumFlowCollector collects flows from Cilium Hubble Relay running in this cluster.

type ClientConnInterface added in v0.0.2

type ClientConnInterface interface {
	GetState() connectivity.State
	Close() error
}

type Credentials

type Credentials struct {
	ClientID     string `json:"client_id"`
	ClientSecret string `json:"client_secret"`
}

Credentials contains attributes that are needed for onboarding.

type EnvironmentConfig

type EnvironmentConfig struct {
	// Namspace of Cilium.
	CiliumNamespace string
	// K8s cluster secret name.
	ClusterCreds string
	// Client ID for onboarding. "" if not specified, i.e. if the operator is not meant to onboard itself.
	OnboardingClientId string
	// Client secret for onboarding. "" if not specified, i.e. if the operator is not meant to onboard itself.
	OnboardingClientSecret string
	// URL of the onboarding endpoint.
	OnboardingEndpoint string
	// URL of the token endpoint.
	TokenEndpoint string
	// Whether to skip TLS certificate verification when starting a stream.
	TlsSkipVerify bool
}

type FalcoEvent added in v0.0.8

type FalcoEvent struct {
	// SrcIP is the source IP address involved in the network event.
	SrcIP string `json:"srcip"`
	// DstIP is the destination IP address involved in the network event.
	DstIP string `json:"dstip"`
	// SrcPort is the source port number involved in the network event.
	SrcPort string `json:"srcport"`
	// DstPort is the destination port number involved in the network event.
	DstPort string `json:"dstport"`
	// Proto is the protocol used in the network event (e.g., TCP, UDP).
	Proto string `json:"proto"`
	// IpVersion is the version used in the network event (e.g. ipv4, ipv6).
	IpVersion string `json:"prototype"`
}

FalcoEvent represents the network information extracted from a Falco event.

type OnboardResponse

type OnboardResponse struct {
	ClusterClientId     string `json:"cluster_client_id"`
	ClusterClientSecret string `json:"cluster_client_secret"`
}

func Onboard added in v0.0.6

func Onboard(ctx context.Context, TlsSkipVerify bool, OnboardingEndpoint string, credentials Credentials, logger *zap.SugaredLogger) (OnboardResponse, error)

Onboard onboards this cluster with CloudSecure using the onboarding credentials and obtains OAuth 2 credentials for this cluster.

type ResourceManager

type ResourceManager struct {
	// contains filtered or unexported fields
}

ResourceManager encapsulates components for listing and managing Kubernetes resources.

func (*ResourceManager) DyanmicListAndWatchResources

func (r *ResourceManager) DyanmicListAndWatchResources(ctx context.Context, cancel context.CancelFunc, resource string, apiGroup string, allResourcesSnapshotted *sync.WaitGroup, snapshotCompleted *sync.WaitGroup)

DynamicListAndWatchResources lists and watches the specified resource dynamically, managing context cancellation and synchronization with wait groups.

func (*ResourceManager) DynamicListResources

func (r *ResourceManager) DynamicListResources(ctx context.Context, resource string, apiGroup string) (string, Cache, error)

DynamicListResources lists a specifed resource dynamically and sends down the current gRPC stream.

func (*ResourceManager) ExtractObjectMetas added in v0.0.8

func (r *ResourceManager) ExtractObjectMetas(resources *unstructured.UnstructuredList) ([]metav1.ObjectMeta, error)

ExtractObjectMetas extracts ObjectMeta from a list of unstructured resources.

func (*ResourceManager) FetchResources added in v0.0.8

func (r *ResourceManager) FetchResources(ctx context.Context, resource schema.GroupVersionResource, namespace string) (*unstructured.UnstructuredList, error)

FetchResources retrieves unstructured resources from the K8s API.

func (*ResourceManager) ListResources added in v0.0.8

func (r *ResourceManager) ListResources(ctx context.Context, resource schema.GroupVersionResource, namespace string) ([]metav1.ObjectMeta, string, error)

ListResources fetches resources of a specified type and namespace, returning their ObjectMeta, the last resource version observed, and any error encountered.

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL