Documentation ¶
Index ¶
- Constants
- Variables
- func JSONMarshalRules(rules api.Rules) string
- func JoinPath(a, b string) string
- type AuxRule
- type Consumable
- func (c *Consumable) AddMap(m *policymap.PolicyMap)
- func (c *Consumable) AllowConsumerAndReverseLocked(cache *ConsumableCache, id NumericIdentity)
- func (c *Consumable) AllowConsumerLocked(cache *ConsumableCache, id NumericIdentity)
- func (c *Consumable) Allows(id NumericIdentity) bool
- func (c *Consumable) BanConsumerLocked(id NumericIdentity)
- func (c *Consumable) DeepCopy() *Consumable
- func (c *Consumable) GetModel() *models.EndpointPolicy
- func (c *Consumable) RemoveMap(m *policymap.PolicyMap)
- type ConsumableCache
- func (c *ConsumableCache) AddReserved(elem *Consumable)
- func (c *ConsumableCache) GetIteration() int
- func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable
- func (c *ConsumableCache) GetReservedIDs() []NumericIdentity
- func (c *ConsumableCache) IncrementIteration()
- func (c *ConsumableCache) Lookup(id NumericIdentity) *Consumable
- func (c *ConsumableCache) Remove(elem *Consumable)
- type Consumer
- type Identity
- type L4Filter
- type L4Policy
- func (l4 *L4Policy) DeepCopy() *L4Policy
- func (l4 *L4Policy) EgressCoversDPorts(dPorts []*models.Port) api.Decision
- func (l4 *L4Policy) GetModel() *models.L4Policy
- func (l4 *L4Policy) HasRedirect() bool
- func (l4 *L4Policy) IngressCoversDPorts(dPorts []*models.Port) api.Decision
- func (l4 *L4Policy) RequiresConntrack() bool
- type L4PolicyMap
- type NumericIdentity
- type Repository
- func (p *Repository) Add(r api.Rule) error
- func (p *Repository) AddList(rules api.Rules) error
- func (p *Repository) AddListLocked(rules api.Rules) error
- func (p *Repository) AllowsRLocked(ctx *SearchContext) api.Decision
- func (p *Repository) CanReachRLocked(ctx *SearchContext) api.Decision
- func (p *Repository) DeleteByLabels(labels labels.LabelArray) int
- func (p *Repository) DeleteByLabelsLocked(labels labels.LabelArray) int
- func (p *Repository) GetJSON() string
- func (p *Repository) ResolveL4Policy(ctx *SearchContext) *L4Policy
- func (p *Repository) SearchRLocked(labels labels.LabelArray) api.Rules
- type SearchContext
- type Tracing
Constants ¶
const ( // MinimalNumericIdentity represents the minimal numeric identity not // used for reserved purposes. MinimalNumericIdentity = NumericIdentity(256) // InvalidIdentity is the identity assigned if the identity is invalid // or not determined yet InvalidIdentity = NumericIdentity(0) )
Variables ¶
var ( ReservedIdentities = map[string]NumericIdentity{ labels.IDNameHost: ID_HOST, labels.IDNameWorld: ID_WORLD, } ReservedIdentityNames = map[NumericIdentity]string{ ID_HOST: labels.IDNameHost, ID_WORLD: labels.IDNameWorld, } )
Functions ¶
func JSONMarshalRules ¶ added in v0.9.0
JSONMarshalRules returns a slice of policy rules as string in JSON representation
Types ¶
type Consumable ¶
type Consumable struct { // ID of the consumable ID NumericIdentity `json:"id"` // Mutex protects all variables from this structure below this line Mutex sync.RWMutex // Labels are the Identity of this consumable Labels *Identity `json:"labels"` // LabelList contains the same labels from identity in a form of a list, used for faster lookup LabelList []*labels.Label `json:"-"` // Iteration policy of the Consumable Iteration int `json:"-"` // FIXME what is this for? Maps map[int]*policymap.PolicyMap `json:"-"` // Consumers contains the list of consumers where the key is the Consumers ID // FIXME change key to NumericIdentity? Consumers map[string]*Consumer `json:"consumers"` // ReverseRules contains the consumers that are allowed to receive a reply from this Consumable ReverseRules map[NumericIdentity]*Consumer `json:"-"` // L4Policy contains the policy of this consumable L4Policy *L4Policy `json:"l4-policy"` // contains filtered or unexported fields }
Consumable is the entity that is being consumed by a Consumer.
func NewConsumable ¶
func NewConsumable(id NumericIdentity, lbls *Identity, cache *ConsumableCache) *Consumable
NewConsumable creates a new consumable
func (*Consumable) AddMap ¶
func (c *Consumable) AddMap(m *policymap.PolicyMap)
func (*Consumable) AllowConsumerAndReverseLocked ¶ added in v0.9.0
func (c *Consumable) AllowConsumerAndReverseLocked(cache *ConsumableCache, id NumericIdentity)
AllowConsumerAndReverseLocked adds the given consumer ID to the Consumable's consumers map and the given consumable to the given consumer's consumers map. Must be called with Consumable mutex Locked.
func (*Consumable) AllowConsumerLocked ¶ added in v0.9.0
func (c *Consumable) AllowConsumerLocked(cache *ConsumableCache, id NumericIdentity)
AllowConsumerLocked adds the given consumer ID to the Consumable's consumers map. Must be called with Consumable mutex Locked.
func (*Consumable) Allows ¶
func (c *Consumable) Allows(id NumericIdentity) bool
func (*Consumable) BanConsumerLocked ¶ added in v0.9.0
func (c *Consumable) BanConsumerLocked(id NumericIdentity)
BanConsumerLocked removes the given consumer from the Consumable's consumers map. Must be called with the Consumable mutex locked.
func (*Consumable) DeepCopy ¶
func (c *Consumable) DeepCopy() *Consumable
func (*Consumable) GetModel ¶
func (c *Consumable) GetModel() *models.EndpointPolicy
func (*Consumable) RemoveMap ¶
func (c *Consumable) RemoveMap(m *policymap.PolicyMap)
type ConsumableCache ¶
type ConsumableCache struct {
// contains filtered or unexported fields
}
func NewConsumableCache ¶
func NewConsumableCache() *ConsumableCache
func (*ConsumableCache) AddReserved ¶
func (c *ConsumableCache) AddReserved(elem *Consumable)
func (*ConsumableCache) GetIteration ¶ added in v0.9.0
func (c *ConsumableCache) GetIteration() int
GetIteration returns the current iteration of the ConsumableCache.
func (*ConsumableCache) GetOrCreate ¶
func (c *ConsumableCache) GetOrCreate(id NumericIdentity, lbls *Identity) *Consumable
func (*ConsumableCache) GetReservedIDs ¶ added in v0.9.0
func (c *ConsumableCache) GetReservedIDs() []NumericIdentity
GetReservedIDs returns a slice of NumericIdentity present in the ConsumableCache.
func (*ConsumableCache) IncrementIteration ¶ added in v0.9.0
func (c *ConsumableCache) IncrementIteration()
IncrementIteration increments by 1 the current iteration of the ConsumableCache.
func (*ConsumableCache) Lookup ¶
func (c *ConsumableCache) Lookup(id NumericIdentity) *Consumable
func (*ConsumableCache) Remove ¶
func (c *ConsumableCache) Remove(elem *Consumable)
type Consumer ¶
type Consumer struct { ID NumericIdentity Reverse *Consumer DeletionMark bool Decision api.Decision }
Consumer is the entity that consumes a Consumable.
func NewConsumer ¶
func NewConsumer(id NumericIdentity) *Consumer
type Identity ¶
type Identity struct { // Identity's ID. ID NumericIdentity `json:"id"` // Endpoints that have this Identity where their value is the last time they were seen. Labels labels.Labels `json:"labels"` // Set of labels that belong to this Identity. Endpoints map[string]time.Time `json:"containers"` }
Identity is the representation of the security context for a particular set of labels.
func NewIdentity ¶
func NewIdentity() *Identity
func NewIdentityFromModel ¶
func (*Identity) AssociateEndpoint ¶
AssociateEndpoint associates the endpoint with identity.
func (*Identity) DisassociateEndpoint ¶
DisassociateEndpoint disassociates the endpoint endpoint with identity and return true if successful.
type L4Filter ¶
type L4Filter struct { // Port is the destination port to allow Port int `json:"port,omitempty"` // Protocol is the L4 protocol to allow or NONE Protocol string `json:"protocol,omitempty"` // L7Parser specifies the L7 protocol parser (optional) L7Parser string `json:"l7-parser,omitempty"` // L7RedirectPort is the L7 proxy port to redirect to (optional) L7RedirectPort int `json:"l7-redirect-port,omitempty"` // L7Rules is a list of L7 rules which are passed to the L7 proxy (optional) L7Rules []AuxRule `json:"l7-rules,omitempty"` }
func CreateL4Filter ¶ added in v0.9.0
CreateL4Filter creates an L4Filter based on an api.PortRule and api.PortProtocol
func (*L4Filter) IsRedirect ¶
IsRedirect returns true if the L4 filter contains a port redirection
func (*L4Filter) MarshalIndent ¶ added in v0.9.0
MarshalIndent returns the `L4Filter` in indented JSON string.
type L4Policy ¶
type L4Policy struct { Ingress L4PolicyMap Egress L4PolicyMap }
func NewL4Policy ¶
func NewL4Policy() *L4Policy
func (*L4Policy) EgressCoversDPorts ¶ added in v0.9.0
EgressCoversDPorts checks if the receiver's egress `L4Policy` contains all `dPorts`.
func (*L4Policy) HasRedirect ¶
HasRedirect returns true if the L4 policy contains at least one port redirection
func (*L4Policy) IngressCoversDPorts ¶ added in v0.9.0
IngressCoversDPorts checks if the receiver's ingress `L4Policy` contains all `dPorts`.
func (*L4Policy) RequiresConntrack ¶
RequiresConntrack returns true if if the L4 configuration requires connection tracking to be enabled.
type L4PolicyMap ¶
L4PolicyMap is a list of L4 filters indexable by protocol/port key format: "port/proto"
func (L4PolicyMap) HasRedirect ¶
func (l4 L4PolicyMap) HasRedirect() bool
HasRedirect returns true if at least one L4 filter contains a port redirection
type NumericIdentity ¶
type NumericIdentity uint32
NumericIdentity represents an identity of an entity to which consumer policy can be applied to.
const ( ID_UNKNOWN NumericIdentity = iota ID_HOST ID_WORLD )
func GetReservedID ¶
func GetReservedID(name string) NumericIdentity
func ParseNumericIdentity ¶
func ParseNumericIdentity(id string) (NumericIdentity, error)
func (NumericIdentity) String ¶
func (id NumericIdentity) String() string
func (NumericIdentity) StringID ¶
func (id NumericIdentity) StringID() string
func (NumericIdentity) Uint32 ¶
func (id NumericIdentity) Uint32() uint32
Uint32 normalizes the ID for use in BPF program.
type Repository ¶ added in v0.9.0
type Repository struct { // Mutex protects the whole policy tree Mutex sync.RWMutex // contains filtered or unexported fields }
Repository is a list of policy rules which in combination form the security policy. A policy repository can be
func NewPolicyRepository ¶ added in v0.9.0
func NewPolicyRepository() *Repository
NewPolicyRepository allocates a new policy repository
func (*Repository) Add ¶ added in v0.9.0
func (p *Repository) Add(r api.Rule) error
Add inserts a rule into the policy repository
func (*Repository) AddList ¶ added in v0.9.0
func (p *Repository) AddList(rules api.Rules) error
AddList inserts a rule into the policy repository
func (*Repository) AddListLocked ¶ added in v0.9.0
func (p *Repository) AddListLocked(rules api.Rules) error
AddListLocked inserts a rule into the policy repository with the repository already locked
func (*Repository) AllowsRLocked ¶ added in v0.9.0
func (p *Repository) AllowsRLocked(ctx *SearchContext) api.Decision
AllowsRLocked evaluates the policy repository for the provided search context and return the verdict. If no matching policy allows for the connection, the request will be denied. The policy repository mutex must be held.
func (*Repository) CanReachRLocked ¶ added in v0.9.0
func (p *Repository) CanReachRLocked(ctx *SearchContext) api.Decision
CanReachRLocked evaluates the policy repository for the provided search context and returns the verdict or api.Undecided if no rule matches. The policy repository mutex must be held.
func (*Repository) DeleteByLabels ¶ added in v0.9.0
func (p *Repository) DeleteByLabels(labels labels.LabelArray) int
DeleteByLabels deletes all rules in the policy repository which contain the specified labels
func (*Repository) DeleteByLabelsLocked ¶ added in v0.9.0
func (p *Repository) DeleteByLabelsLocked(labels labels.LabelArray) int
DeleteByLabelsLocked deletes all rules in the policy repository which contain the specified labels
func (*Repository) GetJSON ¶ added in v0.9.0
func (p *Repository) GetJSON() string
GetJSON returns all rules of the policy repository as string in JSON representation
func (*Repository) ResolveL4Policy ¶ added in v0.9.0
func (p *Repository) ResolveL4Policy(ctx *SearchContext) *L4Policy
ResolveL4Policy resolves the L4 policy for a set of endpoints by searching the policy repository for `PortRule` rules that are attached to a `Rule` where the EndpointSelector matches `ctx.To`. `ctx.From` takes no effect and is ignored in the search. If multiple `PortRule` rules are found, all rules are merged together. If rules contains overlapping port definitions, the first rule found in the repository takes precedence.
TODO: Need better rule merging on conflicting port definitions, concat l7 rules?
func (*Repository) SearchRLocked ¶ added in v0.9.0
func (p *Repository) SearchRLocked(labels labels.LabelArray) api.Rules
SearchRLocked searches the policy repository for rules which match the specified labels and will return an array of all rules which matched.
type SearchContext ¶
type SearchContext struct { Trace Tracing Depth int Logging *logging.LogBackend From labels.LabelArray To labels.LabelArray DPorts []*models.Port // IngressL4Only is true if only ingress L4 policy should be evaluated IngressL4Only bool // EgressL4Only is true if only egress L4 policy should be evaluated EgressL4Only bool }
SearchContext defines the context while evaluating policy
func (*SearchContext) CallDepth ¶
func (s *SearchContext) CallDepth() string
func (*SearchContext) PolicyTrace ¶ added in v0.9.0
func (s *SearchContext) PolicyTrace(format string, a ...interface{})
PolicyTrace logs the given message into the SearchContext logger only if TRACE_ENABLED or TRACE_VERBOSE is enabled in the receiver's SearchContext.
func (*SearchContext) PolicyTraceVerbose ¶ added in v0.9.0
func (s *SearchContext) PolicyTraceVerbose(format string, a ...interface{})
PolicyTraceVerbose logs the given message into the SearchContext logger only if TRACE_VERBOSE is enabled in the receiver's SearchContext.
func (*SearchContext) String ¶
func (s *SearchContext) String() string