policy

package
v0.10.0
Published: Jul 21, 2017 License: Apache-2.0 Imports: 17 Imported by: 0

Documentation

Constants
const (

	// MinimalNumericIdentity represents the minimal numeric identity not
	// used for reserved purposes.
	MinimalNumericIdentity = NumericIdentity(256)

	// InvalidIdentity is the identity assigned if the identity is invalid
	// or not determined yet
	InvalidIdentity = NumericIdentity(0)
)

Variables

Functions

func ConsumablesInANotInB added in v0.10.0

func ConsumablesInANotInB(a, b map[NumericIdentity][]NumericIdentity) map[NumericIdentity][]NumericIdentity

ConsumablesInANotInB returns a map from each consumable's numeric identity to the consumer numeric identities that are present in `a` but not in `b`.

Example:

    a = {3: [1, 2, 4], 4: [2, 1]}
    b = {1: [5, 1, 7], 3: [1, 2, 5]}
    c := ConsumablesInANotInB(a, b)
    println(c)
    {3: [4], 4: [2, 1]}
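The doc comment above describes a per-consumable set difference. The following is an added illustration written for this page, not the package's own implementation: `consumablesInANotInB` reimplements the documented contract on a locally declared `NumericIdentity` type, and `policyDelta` (a hypothetical helper) applies it in both directions to two snapshots of the map shape that `ConsumableCache.GetConsumables` returns, so that an operator can see which consumer-to-consumable allowances a policy change removed and which it added. The sample maps are the ones from the doc comment.

```go
package main

import (
	"fmt"
	"sort"
)

// NumericIdentity mirrors the package's uint32 identity type. This file is an
// added illustration of the documented contract, not the package's own code.
type NumericIdentity uint32

// consumablesInANotInB reimplements the documented behaviour of
// policy.ConsumablesInANotInB: for every consumable in a, keep the consumer
// identities that a lists for it and b does not, preserving a's order.
// Consumables that appear only in b are ignored, and a consumable whose
// consumers are all present in b is left out of the result entirely.
func consumablesInANotInB(a, b map[NumericIdentity][]NumericIdentity) map[NumericIdentity][]NumericIdentity {
	out := make(map[NumericIdentity][]NumericIdentity)
	for consumable, consumers := range a {
		// Index b's consumers for this consumable so membership tests are O(1).
		inB := make(map[NumericIdentity]struct{}, len(b[consumable]))
		for _, c := range b[consumable] {
			inB[c] = struct{}{}
		}
		for _, c := range consumers {
			if _, ok := inB[c]; !ok {
				out[consumable] = append(out[consumable], c)
			}
		}
	}
	return out
}

// policyDelta (hypothetical helper) compares two snapshots of the shape that
// ConsumableCache.GetConsumables returns and reports which allowances
// disappeared and which appeared. Diffing successive snapshots is a cheap way
// to audit what a policy revision actually changed in the enforced allow-lists.
func policyDelta(before, after map[NumericIdentity][]NumericIdentity) (removed, added map[NumericIdentity][]NumericIdentity) {
	return consumablesInANotInB(before, after), consumablesInANotInB(after, before)
}

// describe renders a map deterministically (sorted by consumable) so the
// result can be logged or compared; Go map iteration order is random otherwise.
func describe(m map[NumericIdentity][]NumericIdentity) string {
	keys := make([]int, 0, len(m))
	for k := range m {
		keys = append(keys, int(k))
	}
	sort.Ints(keys)
	s := "{"
	for i, k := range keys {
		if i > 0 {
			s += ", "
		}
		s += fmt.Sprintf("%d: %v", k, m[NumericIdentity(k)])
	}
	return s + "}"
}

func main() {
	// Constructed sample data, taken from the doc comment's example.
	a := map[NumericIdentity][]NumericIdentity{3: {1, 2, 4}, 4: {2, 1}}
	b := map[NumericIdentity][]NumericIdentity{1: {5, 1, 7}, 3: {1, 2, 5}}
	fmt.Println(describe(consumablesInANotInB(a, b)))

	removed, added := policyDelta(a, b)
	fmt.Println("removed:", describe(removed), "added:", describe(added))
}
```

The `describe` helper is only there to make the output stable; the page's own `println(c)` relies on whatever formatting the runtime applies.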

func JSONMarshalRules added in v0.9.0

func JSONMarshalRules(rules api.Rules) string

JSONMarshalRules returns the given slice of policy rules as a string in JSON representation.

func JoinPath

func JoinPath(a, b string) string

JoinPath returns a joined path from a and b.

Types

type AuxRule

type AuxRule struct {
	Expr string `json:"expr"`
}

type Consumable

type Consumable struct {
	// ID of the consumable
	ID NumericIdentity `json:"id"`
	// Mutex protects all variables from this structure below this line
	Mutex sync.RWMutex
	// Labels are the Identity of this consumable
	Labels *Identity `json:"labels"`
	// LabelArray contains the same labels from identity in a form of a list, used for faster lookup
	LabelArray labels.LabelArray `json:"-"`
	// Iteration policy of the Consumable
	Iteration uint64 `json:"-"`
	// Map from bpf map fd to the policymap, the go representation of an endpoint's bpf policy map.
	Maps map[int]*policymap.PolicyMap `json:"-"`
	// Consumers contains the list of consumers where the key is the Consumers ID
	// FIXME change key to NumericIdentity?
	Consumers map[string]*Consumer `json:"consumers"`
	// ReverseRules contains the consumers that are allowed to receive a reply from this Consumable
	ReverseRules map[NumericIdentity]*Consumer `json:"-"`
	// L4Policy contains the policy of this consumable
	L4Policy *L4Policy `json:"l4-policy"`
	// contains filtered or unexported fields
}

Consumable is the entity that is being consumed by a Consumer.

func NewConsumable

func NewConsumable(id NumericIdentity, lbls *Identity, cache *ConsumableCache) *Consumable

NewConsumable creates a new consumable

func (*Consumable) AddMap

func (c *Consumable) AddMap(m *policymap.PolicyMap)

func (*Consumable) AllowConsumerAndReverseLocked added in v0.9.0

func (c *Consumable) AllowConsumerAndReverseLocked(cache *ConsumableCache, id NumericIdentity)

AllowConsumerAndReverseLocked adds the given consumer ID to the Consumable's consumers map and the given consumable to the given consumer's consumers map. Must be called with Consumable mutex Locked.

func (*Consumable) AllowConsumerLocked added in v0.9.0

func (c *Consumable) AllowConsumerLocked(cache *ConsumableCache, id NumericIdentity)

AllowConsumerLocked adds the given consumer ID to the Consumable's consumers map. Must be called with Consumable mutex Locked.

func (*Consumable) Allows

func (c *Consumable) Allows(id NumericIdentity) bool

func (*Consumable) BanConsumerLocked added in v0.9.0

func (c *Consumable) BanConsumerLocked(id NumericIdentity)

BanConsumerLocked removes the given consumer from the Consumable's consumers map. Must be called with the Consumable mutex locked.

func (*Consumable) DeepCopy

func (c *Consumable) DeepCopy() *Consumable

func (*Consumable) GetModel

func (c *Consumable) GetModel() *models.EndpointPolicy

func (*Consumable) RemoveMap

func (c *Consumable) RemoveMap(m *policymap.PolicyMap)

type ConsumableCache

type ConsumableCache struct {
	// contains filtered or unexported fields
}

func NewConsumableCache

func NewConsumableCache() *ConsumableCache

func (*ConsumableCache) AddReserved

func (c *ConsumableCache) AddReserved(elem *Consumable)

func (*ConsumableCache) GetConsumables added in v0.10.0

func (c *ConsumableCache) GetConsumables() map[NumericIdentity][]NumericIdentity

GetConsumables returns a map from each consumable's numeric identity to the numeric identities of its consumers.

func (*ConsumableCache) GetIteration added in v0.9.0

func (c *ConsumableCache) GetIteration() int

GetIteration returns the current iteration of the ConsumableCache.

func (*ConsumableCache) GetOrCreate

func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable

func (*ConsumableCache) GetReservedIDs added in v0.9.0

func (c *ConsumableCache) GetReservedIDs() []NumericIdentity

GetReservedIDs returns a slice of NumericIdentity present in the ConsumableCache.

func (*ConsumableCache) IncrementIteration added in v0.9.0

func (c *ConsumableCache) IncrementIteration()

IncrementIteration increments the current iteration of the ConsumableCache by 1.

func (*ConsumableCache) Lookup

func (*ConsumableCache) Remove

func (c *ConsumableCache) Remove(elem *Consumable)

type Consumer

type Consumer struct {
	ID           NumericIdentity
	Reverse      *Consumer
	DeletionMark bool
	Decision     api.Decision
}

Consumer is the entity that consumes a Consumable.

func NewConsumer

func NewConsumer(id NumericIdentity) *Consumer

func (*Consumer) DeepCopy

func (c *Consumer) DeepCopy() *Consumer

func (*Consumer) StringID

func (c *Consumer) StringID() string

type Identity

type Identity struct {
	// Identity's ID.
	ID NumericIdentity `json:"id"`
	// Set of labels that belong to this Identity.
	Labels labels.Labels `json:"labels"`
	// Endpoints that have this Identity, where the value is the last time they were seen.
	Endpoints map[string]time.Time `json:"containers"`
}

Identity is the representation of the security context for a particular set of labels.

func NewIdentity

func NewIdentity() *Identity

func NewIdentityFromModel

func NewIdentityFromModel(base *models.Identity) *Identity

func (*Identity) AssociateEndpoint

func (id *Identity) AssociateEndpoint(epID string)

AssociateEndpoint associates the endpoint with identity.

func (*Identity) DeepCopy

func (id *Identity) DeepCopy() *Identity

func (*Identity) DisassociateEndpoint

func (id *Identity) DisassociateEndpoint(epID string) bool

DisassociateEndpoint disassociates the endpoint from the identity and returns true if successful.

func (*Identity) GetModel

func (id *Identity) GetModel() *models.Identity

func (*Identity) RefCount

func (id *Identity) RefCount() int

type L3Policy added in v0.10.0

type L3Policy struct {
	Ingress L3PolicyMap
	Egress  L3PolicyMap
}

L3Policy contains L3 policy maps for ingress and egress.

func NewL3Policy added in v0.10.0

func NewL3Policy() *L3Policy

NewL3Policy creates a new L3Policy.

func (*L3Policy) DeepCopy added in v0.10.0

func (l3 *L3Policy) DeepCopy() *L3Policy

DeepCopy duplicates 'l3'.

type L3PolicyMap added in v0.10.0

type L3PolicyMap struct {
	Map         map[string]net.IPNet // Allowed L3 prefixes
	IPv6Changed bool
	IPv6Count   int // Count of IPv6 prefixes in 'Map'
	IPv4Changed bool
	IPv4Count   int // Count of IPv4 prefixes in 'Map'
}

L3PolicyMap is a list of CIDR filters indexed by a key in the "address/prefixlen" format, e.g., "10.1.1.0/24".

L3PolicyMap does no locking internally, so the user is responsible for synchronizing between multiple threads when applicable.

func (L3PolicyMap) DeepCopy added in v0.10.0

func (m L3PolicyMap) DeepCopy() L3PolicyMap

DeepCopy makes a duplicate of 'm'.

func (*L3PolicyMap) Insert added in v0.10.0

func (m *L3PolicyMap) Insert(cidr string) int

Insert places 'cidr' into map 'm'. Returns `1` if `cidr` was added to the map, `0` otherwise.

func (*L3PolicyMap) PopulateBPF added in v0.10.0

func (m *L3PolicyMap) PopulateBPF(cidrmap *cidrmap.CIDRMap) error

PopulateBPF inserts the entries of map 'm' into 'cidrmap'.

func (*L3PolicyMap) ToBPFData added in v0.10.0

func (m *L3PolicyMap) ToBPFData() (s6, s4 []string)

ToBPFData converts map 'm' into the string slices 's6' and 's4', formatted for insertion into the BPF program.
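The L3PolicyMap documentation above fixes the key format, the IPv4/IPv6 counters and the return contracts of Insert, DeepCopy and ToBPFData, but not how the key is derived. The block below is an added, stand-alone illustration (not the package's code) of one consistent way to satisfy those doc comments: `l3PolicyMap` mirrors the exported fields of the page's type, `insert` keys entries by the canonical network address that `net.ParseCIDR` returns (an assumption; it means "10.1.1.7/24" and "10.1.1.0/24" collapse into one entry instead of two allow entries for the same prefix), `deepCopy` shows why a plain struct copy is not enough for a map field, and `toBPFData` splits the entries into the documented `(s6, s4)` pair.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// l3PolicyMap is an illustrative stand-in for policy.L3PolicyMap with the same
// exported fields. The method bodies are assumptions written to match the doc
// comments, not the package's own implementation.
type l3PolicyMap struct {
	Map         map[string]net.IPNet // Allowed L3 prefixes, keyed "address/prefixlen"
	IPv6Changed bool
	IPv6Count   int // Count of IPv6 prefixes in 'Map'
	IPv4Changed bool
	IPv4Count   int // Count of IPv4 prefixes in 'Map'
}

func newL3PolicyMap() l3PolicyMap {
	return l3PolicyMap{Map: make(map[string]net.IPNet)}
}

// insert adds cidr to the map and returns 1 if a new prefix was added, 0 if the
// prefix was already present or could not be parsed. The key is the canonical
// network form produced by net.ParseCIDR (host bits masked off), so two
// spellings of the same prefix cannot become two separate allow entries.
func (m *l3PolicyMap) insert(cidr string) int {
	_, ipnet, err := net.ParseCIDR(cidr)
	if err != nil {
		return 0
	}
	key := ipnet.String()
	if _, exists := m.Map[key]; exists {
		return 0
	}
	m.Map[key] = *ipnet
	if ipnet.IP.To4() != nil {
		m.IPv4Count++
		m.IPv4Changed = true
	} else {
		m.IPv6Count++
		m.IPv6Changed = true
	}
	return 1
}

// deepCopy duplicates the map contents. Assigning the struct by value would
// leave both copies sharing the same underlying Go map, so later inserts into
// one would silently appear in the other.
func (m l3PolicyMap) deepCopy() l3PolicyMap {
	cpy := m
	cpy.Map = make(map[string]net.IPNet, len(m.Map))
	for k, v := range m.Map {
		cpy.Map[k] = v
	}
	return cpy
}

// toBPFData splits the map into sorted IPv6 and IPv4 key slices, mirroring the
// documented (s6, s4) return order.
func (m *l3PolicyMap) toBPFData() (s6, s4 []string) {
	for k, n := range m.Map {
		if n.IP.To4() != nil {
			s4 = append(s4, k)
		} else {
			s6 = append(s6, k)
		}
	}
	sort.Strings(s6)
	sort.Strings(s4)
	return s6, s4
}

func main() {
	// Constructed sample prefixes.
	m := newL3PolicyMap()
	for _, c := range []string{"10.1.1.0/24", "10.1.1.7/24", "2001:db8::1/32", "not-a-cidr"} {
		fmt.Printf("insert(%q) = %d\n", c, m.insert(c))
	}
	s6, s4 := m.toBPFData()
	fmt.Println("v6:", s6, "v4:", s4, "counts:", m.IPv6Count, m.IPv4Count)
}
```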

type L4Filter

type L4Filter struct {
	// Port is the destination port to allow
	Port int
	// Protocol is the L4 protocol to allow or NONE
	Protocol string
	// L7Parser specifies the L7 protocol parser (optional)
	L7Parser string
	// L7RedirectPort is the L7 proxy port to redirect to (optional)
	L7RedirectPort int
	// L7Rules is a list of L7 rules which are passed to the L7 proxy (optional)
	L7Rules []AuxRule
	// Ingress is true if filter applies at ingress
	Ingress bool
}

func CreateL4Filter added in v0.9.0

func CreateL4Filter(rule api.PortRule, port api.PortProtocol, direction string, protocol string) L4Filter

CreateL4Filter creates an L4Filter based on an api.PortRule and api.PortProtocol

func (*L4Filter) IsRedirect

func (l4 *L4Filter) IsRedirect() bool

IsRedirect returns true if the L4 filter contains a port redirection

func (*L4Filter) MarshalIndent added in v0.9.0

func (l4 *L4Filter) MarshalIndent() string

MarshalIndent returns the `L4Filter` in indented JSON string.

func (L4Filter) String

func (l4 L4Filter) String() string

String returns the `L4Filter` in a human-readable string.

type L4Policy

type L4Policy struct {
	Ingress L4PolicyMap
	Egress  L4PolicyMap
}

func NewL4Policy

func NewL4Policy() *L4Policy

func (*L4Policy) DeepCopy

func (l4 *L4Policy) DeepCopy() *L4Policy

func (*L4Policy) EgressCoversDPorts added in v0.9.0

func (l4 *L4Policy) EgressCoversDPorts(dPorts []*models.Port) api.Decision

EgressCoversDPorts checks if the receiver's egress `L4Policy` contains all `dPorts`.

func (*L4Policy) GetModel

func (l4 *L4Policy) GetModel() *models.L4Policy

func (*L4Policy) HasRedirect

func (l4 *L4Policy) HasRedirect() bool

HasRedirect returns true if the L4 policy contains at least one port redirection

func (*L4Policy) IngressCoversDPorts added in v0.9.0

func (l4 *L4Policy) IngressCoversDPorts(dPorts []*models.Port) api.Decision

IngressCoversDPorts checks if the receiver's ingress `L4Policy` contains all `dPorts`.

func (*L4Policy) RequiresConntrack

func (l4 *L4Policy) RequiresConntrack() bool

RequiresConntrack returns true if the L4 configuration requires connection tracking to be enabled.

type L4PolicyMap

type L4PolicyMap map[string]L4Filter

L4PolicyMap is a list of L4 filters indexed by a protocol/port key in the "port/proto" format.

func (L4PolicyMap) HasRedirect

func (l4 L4PolicyMap) HasRedirect() bool

HasRedirect returns true if at least one L4 filter contains a port redirection
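To make the "port/proto" key and the redirect check concrete, the following is an added example written for this page, not code from the package: `l4Filter` mirrors the field shape of the page's L4Filter, `isRedirect` assumes a filter redirects exactly when its L7RedirectPort is non-zero, `addFirstWins` inserts filters in repository order with the first entry winning on a duplicate key (the precedence the ResolveL4Policy doc comment states for overlapping port definitions) and reports the shadowed keys, and `coversAll` stands in for the "contains all dPorts" check behind IngressCoversDPorts, returning a bool where the package returns api.Decision. The sample filters and the AuxRule expression are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// auxRule and l4Filter mirror the field shapes of the page's AuxRule and
// L4Filter. Everything below is an illustration, not the package's own code.
type auxRule struct {
	Expr string
}

type l4Filter struct {
	Port           int
	Protocol       string
	L7Parser       string
	L7RedirectPort int
	L7Rules        []auxRule
	Ingress        bool
}

// isRedirect assumes a filter redirects to an L7 proxy exactly when it carries
// a non-zero L7RedirectPort.
func (f l4Filter) isRedirect() bool { return f.L7RedirectPort != 0 }

// l4Key builds the documented "port/proto" key. The protocol is lower-cased so
// "80/TCP" and "80/tcp" cannot silently become two distinct entries.
func l4Key(port int, proto string) string {
	return fmt.Sprintf("%d/%s", port, strings.ToLower(proto))
}

type l4PolicyMap map[string]l4Filter

// addFirstWins inserts filters in repository order. When two filters target the
// same port/proto the first one kept wins; the later one is returned as
// shadowed so a reviewer can see which rule never takes effect.
func (m l4PolicyMap) addFirstWins(filters ...l4Filter) (shadowed []string) {
	for _, f := range filters {
		k := l4Key(f.Port, f.Protocol)
		if _, exists := m[k]; exists {
			shadowed = append(shadowed, k)
			continue
		}
		m[k] = f
	}
	return shadowed
}

// hasRedirect reports whether at least one filter redirects to a proxy.
func (m l4PolicyMap) hasRedirect() bool {
	for _, f := range m {
		if f.isRedirect() {
			return true
		}
	}
	return false
}

// portProto is a hypothetical stand-in for the models.Port entries that the
// CoversDPorts methods receive.
type portProto struct {
	Port  int
	Proto string
}

// coversAll reports whether every requested port/proto pair has a filter.
func (m l4PolicyMap) coversAll(ports []portProto) bool {
	for _, p := range ports {
		if _, ok := m[l4Key(p.Port, p.Proto)]; !ok {
			return false
		}
	}
	return true
}

func main() {
	m := l4PolicyMap{}
	shadowed := m.addFirstWins(
		// Constructed: an HTTP filter redirected to a proxy with one L7 rule.
		l4Filter{Port: 80, Protocol: "TCP", Ingress: true, L7Parser: "http",
			L7RedirectPort: 9090, L7Rules: []auxRule{{Expr: "constructed-l7-rule"}}},
		// Constructed: a plain filter for the same key; it is shadowed by the first.
		l4Filter{Port: 80, Protocol: "tcp", Ingress: true},
		l4Filter{Port: 53, Protocol: "udp", Ingress: true},
	)
	fmt.Println("shadowed:", shadowed, "redirect:", m.hasRedirect())
	fmt.Println("covers 80/tcp+53/udp:", m.coversAll([]portProto{{80, "tcp"}, {53, "udp"}}))
	fmt.Println("covers 443/tcp:", m.coversAll([]portProto{{443, "tcp"}}))
}
```

The shadowed list is the part worth keeping in a real build: when an earlier, looser filter wins over a later one for the same port, the later rule's L7 restrictions are never enforced, and surfacing that at policy load time is cheaper than discovering it in traffic.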

type NumericIdentity

type NumericIdentity uint32

NumericIdentity represents the identity of an entity to which consumer policy can be applied.

const (
	ID_UNKNOWN NumericIdentity = iota
	ID_HOST
	ID_WORLD
)

func GetReservedID

func GetReservedID(name string) NumericIdentity

func ParseNumericIdentity

func ParseNumericIdentity(id string) (NumericIdentity, error)

func (NumericIdentity) String

func (id NumericIdentity) String() string

func (NumericIdentity) StringID

func (id NumericIdentity) StringID() string

func (NumericIdentity) Uint32

func (id NumericIdentity) Uint32() uint32

Uint32 normalizes the ID for use in the BPF program.

type Repository added in v0.9.0

type Repository struct {
	// Mutex protects the whole policy tree
	Mutex sync.RWMutex
	// contains filtered or unexported fields
}

Repository is a list of policy rules which in combination form the security policy. A policy repository can be

func NewPolicyRepository added in v0.9.0

func NewPolicyRepository() *Repository

NewPolicyRepository allocates a new policy repository

func (*Repository) Add added in v0.9.0

func (p *Repository) Add(r api.Rule) (uint64, error)

Add inserts a rule into the policy repository

func (*Repository) AddList added in v0.9.0

func (p *Repository) AddList(rules api.Rules) (uint64, error)

AddList inserts a list of rules into the policy repository

func (*Repository) AddListLocked added in v0.9.0

func (p *Repository) AddListLocked(rules api.Rules) (uint64, error)

AddListLocked inserts a list of rules into the policy repository with the repository already locked

func (*Repository) AllowsRLocked added in v0.9.0

func (p *Repository) AllowsRLocked(ctx *SearchContext) api.Decision

AllowsRLocked evaluates the policy repository for the provided search context and returns the verdict. If no matching policy allows the connection, the request is denied. The policy repository mutex must be held.

func (*Repository) CanReachRLocked added in v0.9.0

func (p *Repository) CanReachRLocked(ctx *SearchContext) api.Decision

CanReachRLocked evaluates the policy repository for the provided search context and returns the verdict or api.Undecided if no rule matches. The policy repository mutex must be held.

func (*Repository) DeleteByLabels added in v0.9.0

func (p *Repository) DeleteByLabels(labels labels.LabelArray) (uint64, int)

DeleteByLabels deletes all rules in the policy repository which contain the specified labels

func (*Repository) DeleteByLabelsLocked added in v0.9.0

func (p *Repository) DeleteByLabelsLocked(labels labels.LabelArray) (uint64, int)

DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels

func (*Repository) GetJSON added in v0.9.0

func (p *Repository) GetJSON() string

GetJSON returns all rules of the policy repository as string in JSON representation

func (*Repository) GetRevision added in v0.10.0

func (p *Repository) GetRevision() uint64

GetRevision returns the revision of the policy repository

func (*Repository) GetRulesMatching added in v0.9.0

func (p *Repository) GetRulesMatching(labels labels.LabelArray) bool

GetRulesMatching returns whether any of the rules in a repository contain a rule with labels matching the labels in the provided LabelArray.

Must be called with p.Mutex held.

func (*Repository) NumRules added in v0.9.0

func (p *Repository) NumRules() int

NumRules returns the amount of rules in the policy repository.

Must be called with p.Mutex held.

func (*Repository) ResolveL3Policy added in v0.10.0

func (p *Repository) ResolveL3Policy(ctx *SearchContext) *L3Policy

ResolveL3Policy resolves the L3 policy for a set of endpoints by searching the policy repository for `CIDR` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search.

func (*Repository) ResolveL4Policy added in v0.9.0

func (p *Repository) ResolveL4Policy(ctx *SearchContext) *L4Policy

ResolveL4Policy resolves the L4 policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If the rules contain overlapping port definitions, the first rule found in the repository takes precedence.

TODO: Need better rule merging on conflicting port definitions, concat l7 rules?

func (*Repository) SearchRLocked added in v0.9.0

func (p *Repository) SearchRLocked(labels labels.LabelArray) api.Rules

SearchRLocked searches the policy repository for rules matching the specified labels and returns an array of all rules that matched.

type SearchContext

type SearchContext struct {
	Trace   Tracing
	Depth   int
	Logging *logging.LogBackend
	From    labels.LabelArray
	To      labels.LabelArray
	DPorts  []*models.Port

	// IngressL4Only is true if only ingress L4 policy should be evaluated
	IngressL4Only bool
	// EgressL4Only is true if only egress L4 policy should be evaluated
	EgressL4Only bool
}

SearchContext defines the context while evaluating policy

func (*SearchContext) CallDepth

func (s *SearchContext) CallDepth() string

func (*SearchContext) PolicyTrace added in v0.9.0

func (s *SearchContext) PolicyTrace(format string, a ...interface{})

PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) PolicyTraceVerbose added in v0.9.0

func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})

PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) String

func (s *SearchContext) String() string

type Tracing

type Tracing int

const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)
