policy

package
v0.9.0-rc1 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 24, 2017 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

View Source
const (

	// MinimalNumericIdentity represents the minimal numeric identity not
	// used for reserved purposes.
	MinimalNumericIdentity = NumericIdentity(256)

	// InvalidIdentity is the identity assigned if the identity is invalid
	// or not determined yet
	InvalidIdentity = NumericIdentity(0)
)

Variables

Functions

func JSONMarshalRules added in v0.9.0

func JSONMarshalRules(rules api.Rules) string

JSONMarshalRules returns a slice of policy rules as string in JSON representation

func JoinPath

func JoinPath(a, b string) string

JoinPath returns a joined path from a and b.

Types

type AuxRule

type AuxRule struct {
	Expr string `json:"expr"`
}

type Consumable

type Consumable struct {
	// ID of the consumable
	ID NumericIdentity `json:"id"`
	// Mutex protects all variables from this structure below this line
	Mutex sync.RWMutex
	// Labels are the Identity of this consumable
	Labels *Identity `json:"labels"`
	// LabelList contains the same labels from identity in a form of a list, used for faster lookup
	LabelList []*labels.Label `json:"-"`
	// Iteration policy of the Consumable
	Iteration int `json:"-"`
	// FIXME what is this for?
	Maps map[int]*policymap.PolicyMap `json:"-"`
	// Consumers contains the list of consumers where the key is the Consumers ID
	// FIXME change key to NumericIdentity?
	Consumers map[string]*Consumer `json:"consumers"`
	// ReverseRules contains the consumers that are allowed to receive a reply from this Consumable
	ReverseRules map[NumericIdentity]*Consumer `json:"-"`
	// L4Policy contains the policy of this consumable
	L4Policy *L4Policy `json:"l4-policy"`
	// contains filtered or unexported fields
}

Consumable is the entity that is being consumed by a Consumer.

func NewConsumable

func NewConsumable(id NumericIdentity, lbls *Identity, cache *ConsumableCache) *Consumable

NewConsumable creates a new consumable

func (*Consumable) AddMap

func (c *Consumable) AddMap(m *policymap.PolicyMap)

func (*Consumable) AllowConsumerAndReverseLocked added in v0.9.0

func (c *Consumable) AllowConsumerAndReverseLocked(cache *ConsumableCache, id NumericIdentity)

AllowConsumerAndReverseLocked adds the given consumer ID to the Consumable's consumers map and the given consumable to the given consumer's consumers map. Must be called with Consumable mutex Locked.

func (*Consumable) AllowConsumerLocked added in v0.9.0

func (c *Consumable) AllowConsumerLocked(cache *ConsumableCache, id NumericIdentity)

AllowConsumerLocked adds the given consumer ID to the Consumable's consumers map. Must be called with Consumable mutex Locked.

func (*Consumable) Allows

func (c *Consumable) Allows(id NumericIdentity) bool

func (*Consumable) BanConsumerLocked added in v0.9.0

func (c *Consumable) BanConsumerLocked(id NumericIdentity)

BanConsumerLocked removes the given consumer from the Consumable's consumers map. Must be called with the Consumable mutex locked.

func (*Consumable) DeepCopy

func (c *Consumable) DeepCopy() *Consumable

func (*Consumable) GetModel

func (c *Consumable) GetModel() *models.EndpointPolicy

func (*Consumable) RemoveMap

func (c *Consumable) RemoveMap(m *policymap.PolicyMap)

type ConsumableCache

type ConsumableCache struct {
	// contains filtered or unexported fields
}

func NewConsumableCache

func NewConsumableCache() *ConsumableCache

func (*ConsumableCache) AddReserved

func (c *ConsumableCache) AddReserved(elem *Consumable)

func (*ConsumableCache) GetIteration added in v0.9.0

func (c *ConsumableCache) GetIteration() int

GetIteration returns the current iteration of the ConsumableCache.

func (*ConsumableCache) GetOrCreate

func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable

func (*ConsumableCache) GetReservedIDs added in v0.9.0

func (c *ConsumableCache) GetReservedIDs() []NumericIdentity

GetReservedIDs returns a slice of NumericIdentity present in the ConsumableCache.

func (*ConsumableCache) IncrementIteration added in v0.9.0

func (c *ConsumableCache) IncrementIteration()

IncrementIteration increments by 1 the current iteration of the ConsumableCache.

func (*ConsumableCache) Lookup

func (*ConsumableCache) Remove

func (c *ConsumableCache) Remove(elem *Consumable)

type Consumer

type Consumer struct {
	ID           NumericIdentity
	Reverse      *Consumer
	DeletionMark bool
	Decision     api.Decision
}

Consumer is the entity that consumes a Consumable.

func NewConsumer

func NewConsumer(id NumericIdentity) *Consumer

func (*Consumer) DeepCopy

func (c *Consumer) DeepCopy() *Consumer

func (*Consumer) StringID

func (c *Consumer) StringID() string

type Identity

type Identity struct {
	// Identity's ID.
	ID NumericIdentity `json:"id"`
	// Endpoints that have this Identity where their value is the last time they were seen.
	Labels labels.Labels `json:"labels"`
	// Set of labels that belong to this Identity.
	Endpoints map[string]time.Time `json:"containers"`
}

Identity is the representation of the security context for a particular set of labels.

func NewIdentity

func NewIdentity() *Identity

func NewIdentityFromModel

func NewIdentityFromModel(base *models.Identity) *Identity

func (*Identity) AssociateEndpoint

func (id *Identity) AssociateEndpoint(epID string)

AssociateEndpoint associates the endpoint with identity.

func (*Identity) DeepCopy

func (id *Identity) DeepCopy() *Identity

func (*Identity) DisassociateEndpoint

func (id *Identity) DisassociateEndpoint(epID string) bool

DisassociateEndpoint disassociates the endpoint endpoint with identity and return true if successful.

func (*Identity) GetModel

func (id *Identity) GetModel() *models.Identity

func (*Identity) RefCount

func (id *Identity) RefCount() int

type L4Filter

type L4Filter struct {
	// Port is the destination port to allow
	Port int `json:"port,omitempty"`
	// Protocol is the L4 protocol to allow or NONE
	Protocol string `json:"protocol,omitempty"`
	// L7Parser specifies the L7 protocol parser (optional)
	L7Parser string `json:"l7-parser,omitempty"`
	// L7RedirectPort is the L7 proxy port to redirect to (optional)
	L7RedirectPort int `json:"l7-redirect-port,omitempty"`
	// L7Rules is a list of L7 rules which are passed to the L7 proxy (optional)
	L7Rules []AuxRule `json:"l7-rules,omitempty"`
}

func CreateL4Filter added in v0.9.0

func CreateL4Filter(rule api.PortRule, port api.PortProtocol, protocol string) L4Filter

CreateL4Filter creates an L4Filter based on an api.PortRule and api.PortProtocol

func (*L4Filter) IsRedirect

func (l4 *L4Filter) IsRedirect() bool

IsRedirect returns true if the L4 filter contains a port redirection

func (*L4Filter) MarshalIndent added in v0.9.0

func (l4 *L4Filter) MarshalIndent() string

MarshalIndent returns the `L4Filter` in indented JSON string.

func (L4Filter) String

func (l4 L4Filter) String() string

String returns the `L4Filter` in a human-readable string.

type L4Policy

type L4Policy struct {
	Ingress L4PolicyMap
	Egress  L4PolicyMap
}

func NewL4Policy

func NewL4Policy() *L4Policy

func (*L4Policy) DeepCopy

func (l4 *L4Policy) DeepCopy() *L4Policy

func (*L4Policy) EgressCoversDPorts added in v0.9.0

func (l4 *L4Policy) EgressCoversDPorts(dPorts []*models.Port) api.Decision

EgressCoversDPorts checks if the receiver's egress `L4Policy` contains all `dPorts`.

func (*L4Policy) GetModel

func (l4 *L4Policy) GetModel() *models.L4Policy

func (*L4Policy) HasRedirect

func (l4 *L4Policy) HasRedirect() bool

HasRedirect returns true if the L4 policy contains at least one port redirection

func (*L4Policy) IngressCoversDPorts added in v0.9.0

func (l4 *L4Policy) IngressCoversDPorts(dPorts []*models.Port) api.Decision

IngressCoversDPorts checks if the receiver's ingress `L4Policy` contains all `dPorts`.

func (*L4Policy) RequiresConntrack

func (l4 *L4Policy) RequiresConntrack() bool

RequiresConntrack returns true if if the L4 configuration requires connection tracking to be enabled.

type L4PolicyMap

type L4PolicyMap map[string]L4Filter

L4PolicyMap is a list of L4 filters indexable by protocol/port key format: "port/proto"

func (L4PolicyMap) HasRedirect

func (l4 L4PolicyMap) HasRedirect() bool

HasRedirect returns true if at least one L4 filter contains a port redirection

type NumericIdentity

type NumericIdentity uint32

NumericIdentity represents an identity of an entity to which consumer policy can be applied to.

const (
	ID_UNKNOWN NumericIdentity = iota
	ID_HOST
	ID_WORLD
)

func GetReservedID

func GetReservedID(name string) NumericIdentity

func ParseNumericIdentity

func ParseNumericIdentity(id string) (NumericIdentity, error)

func (NumericIdentity) String

func (id NumericIdentity) String() string

func (NumericIdentity) StringID

func (id NumericIdentity) StringID() string

func (NumericIdentity) Uint32

func (id NumericIdentity) Uint32() uint32

Uint32 normalizes the ID for use in BPF program.

type Repository added in v0.9.0

type Repository struct {
	// Mutex protects the whole policy tree
	Mutex sync.RWMutex
	// contains filtered or unexported fields
}

Repository is a list of policy rules which in combination form the security policy. A policy repository can be

func NewPolicyRepository added in v0.9.0

func NewPolicyRepository() *Repository

NewPolicyRepository allocates a new policy repository

func (*Repository) Add added in v0.9.0

func (p *Repository) Add(r api.Rule) error

Add inserts a rule into the policy repository

func (*Repository) AddList added in v0.9.0

func (p *Repository) AddList(rules api.Rules) error

AddList inserts a rule into the policy repository

func (*Repository) AddListLocked added in v0.9.0

func (p *Repository) AddListLocked(rules api.Rules) error

AddListLocked inserts a rule into the policy repository with the repository already locked

func (*Repository) AllowsRLocked added in v0.9.0

func (p *Repository) AllowsRLocked(ctx *SearchContext) api.Decision

AllowsRLocked evaluates the policy repository for the provided search context and return the verdict. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.

func (*Repository) CanReachRLocked added in v0.9.0

func (p *Repository) CanReachRLocked(ctx *SearchContext) api.Decision

CanReachRLocked evaluates the policy repository for the provided search context and returns the verdict or api.Undecided if no rule matches. The policy repository mutex must be held.

func (*Repository) DeleteByLabels added in v0.9.0

func (p *Repository) DeleteByLabels(labels labels.LabelArray) int

DeleteByLabels deletes all rules in the policy repository which contain the specified labels

func (*Repository) DeleteByLabelsLocked added in v0.9.0

func (p *Repository) DeleteByLabelsLocked(labels labels.LabelArray) int

DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels

func (*Repository) GetJSON added in v0.9.0

func (p *Repository) GetJSON() string

GetJSON returns all rules of the policy repository as string in JSON representation

func (*Repository) ResolveL4Policy added in v0.9.0

func (p *Repository) ResolveL4Policy(ctx *SearchContext) *L4Policy

ResolveL4Policy resolves the L4 policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.

TODO: Need better rule merging on conflicting port definitions, concat l7 rules?

func (*Repository) SearchRLocked added in v0.9.0

func (p *Repository) SearchRLocked(labels labels.LabelArray) api.Rules

SearchRLocked searches the policy repository for rules which match the specified labels and will return an array of all rules which matched.

type SearchContext

type SearchContext struct {
	Trace   Tracing
	Depth   int
	Logging *logging.LogBackend
	From    labels.LabelArray
	To      labels.LabelArray
	DPorts  []*models.Port

	// IngressL4Only is true if only ingress L4 policy should be evaluated
	IngressL4Only bool
	// EgressL4Only is true if only egress L4 policy should be evaluated
	EgressL4Only bool
}

SearchContext defines the context while evaluating policy

func (*SearchContext) CallDepth

func (s *SearchContext) CallDepth() string

func (*SearchContext) PolicyTrace added in v0.9.0

func (s *SearchContext) PolicyTrace(format string, a ...interface{})

PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) PolicyTraceVerbose added in v0.9.0

func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})

PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.

func (*SearchContext) String

func (s *SearchContext) String() string

type Tracing

type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

Directories

Path Synopsis

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL