Documentation
Index
- Constants
- Variables
- type PolicySetMetadata
- type PolicySetType
- type PolicySets
- func (s *PolicySets) AddOrReplacePolicySet(setId string, policy interface{})
- func (s *PolicySets) GetPolicySetRules(setIds []string, isInbound bool) (rules []*hns.ACLPolicy)
- func (s *PolicySets) NewHostRule(isInbound bool) *hns.ACLPolicy
- func (s *PolicySets) NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
- func (s *PolicySets) ProcessIpSetUpdate(ipSetId string) []string
- func (s *PolicySets) RemovePolicySet(setId string)
- type PolicySetsDataplane
Constants
const (
	// prefix to use for all policy names
	PolicyNamePrefix string = "policy-"
	// prefix to use for all profile names
	ProfileNamePrefix string = "profile-"
)
Variables
var (
	SkipRule   = errors.New("Rule skipped")
	MissingSet = errors.New("Missing IPSet")
)
Functions
This section is empty.
Types
type PolicySetMetadata
type PolicySetMetadata struct {
	SetId string
	Type  PolicySetType
}
PolicySetMetadata contains the metadata for a particular Policy set, such as its name and type.
type PolicySetType
type PolicySetType string
PolicySetType constants for the different kinds of Policy set.
const (
	PolicySetTypePolicy  PolicySetType = "policy"
	PolicySetTypeProfile PolicySetType = "profile"
)
func (PolicySetType) SetType
func (t PolicySetType) SetType() string
type PolicySets
PolicySets manages a whole plane of policies/profiles.
func NewPolicySets
func NewPolicySets(ipsets []*ipsets.IPSets) *PolicySets
func (*PolicySets) AddOrReplacePolicySet
func (s *PolicySets) AddOrReplacePolicySet(setId string, policy interface{})
AddOrReplacePolicySet is responsible for the creation (or replacement) of a Policy set and it is capable of processing either Profiles or Policies from the datastore.
func (*PolicySets) GetPolicySetRules
func (s *PolicySets) GetPolicySetRules(setIds []string, isInbound bool) (rules []*hns.ACLPolicy)
GetPolicySetRules receives a list of Policy set ids and computes the complete set of resultant hns rules needed to enforce all of the Policy sets for the specified direction. As the Policy sets are processed, we increment a priority number and assign it to each rule from the current set. By incrementing the rule priority for each set, we ensure that all of the sets are enforced and considered by the dataplane in the order intended by felix. Once all rules are gathered, we add a final pair of rules to default-deny any traffic which has not matched any rule from any Policy set.
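The ordering described above, as an added example that is not the felix package's own code: a simplified model in which the local aclRule type stands in for hns.ACLPolicy, the starting priority and the set contents are constructed, and the final pair of default-deny rules is collapsed into one.

```go
package main

import "fmt"

// Added example, not the felix package's own code: a simplified model of the
// ordering GetPolicySetRules documents. aclRule stands in for hns.ACLPolicy;
// basePriority and the set contents below are constructed assumptions.
type aclRule struct {
	SetID       string // set that produced the rule, kept for inspection
	Action      string // "Allow" or "Block"
	Direction   string // "In" or "Out"
	RemoteAddrs string
	Priority    uint16 // lower values are evaluated first by HNS
}

type policySet struct {
	ID    string
	Rules []aclRule
}
const basePriority uint16 = 1000 // assumed starting priority
// computeRules gives every rule in a set that set's priority, bumps the priority once per
// set so sets keep felix's order, and closes with a default-deny for unmatched traffic.
func computeRules(sets []policySet, isInbound bool) []aclRule {
	dir := map[bool]string{true: "In", false: "Out"}[isInbound]
	priority, rules := basePriority, []aclRule{}
	for _, set := range sets {
		for _, r := range set.Rules {
			if r.Direction != dir {
				continue // the other direction is computed in its own call
			}
			r.SetID, r.Priority = set.ID, priority
			rules = append(rules, r)
		}
		priority++ // an empty set still consumes a slot, keeping order stable
	}
	deny := aclRule{SetID: "default-deny", Action: "Block", Direction: dir, RemoteAddrs: "0.0.0.0/0", Priority: priority}
	return append(rules, deny)
}

// exampleSets is constructed input: an allow policy followed by a profile.
func exampleSets() []policySet {
	web := []aclRule{{Action: "Allow", Direction: "In", RemoteAddrs: "10.0.0.0/8"},
		{Action: "Allow", Direction: "Out", RemoteAddrs: "0.0.0.0/0"}}
	deflt := []aclRule{{Action: "Block", Direction: "In", RemoteAddrs: "192.168.0.0/16"}}
	return []policySet{{ID: "policy-allow-web", Rules: web}, {ID: "profile-default", Rules: deflt}}
}

func main() {
	fmt.Printf("%+v\n", computeRules(exampleSets(), true))
}
```

Note that the second set's slot is consumed even when it contributes no rule for the requested direction, so a set's priority never depends on which direction is being computed.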
func (*PolicySets) NewHostRule
func (s *PolicySets) NewHostRule(isInbound bool) *hns.ACLPolicy
NewHostRule returns a new hns rule object scoped to the host. This is only temporarily required for compatibility with RS3.
func (*PolicySets) NewRule
func (s *PolicySets) NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
NewRule returns a new hns switch rule object instantiated with default values.
func (*PolicySets) ProcessIpSetUpdate
func (s *PolicySets) ProcessIpSetUpdate(ipSetId string) []string
ProcessIpSetUpdate locates any Policy set(s) which reference the provided IP set and causes those Policy sets to be recomputed (to ensure any rule address conditions are using the latest address values from the IP set). A list of the Policy sets which were found and recomputed is returned to the caller.
func (*PolicySets) RemovePolicySet
func (s *PolicySets) RemovePolicySet(setId string)
RemovePolicySet is responsible for the removal of a Policy set.
type PolicySetsDataplane
type PolicySetsDataplane interface {
	AddOrReplacePolicySet(setId string, policy interface{})
	RemovePolicySet(setId string)
	NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
	GetPolicySetRules(setIds []string, isInbound bool) (rules []*hns.ACLPolicy)
	ProcessIpSetUpdate(ipSetId string) []string
}
PolicySetsDataplane is an interface for managing a plane of policySet objects.