api

package
v0.9.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 30, 2017 License: Apache-2.0 Imports: 9 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type CIDR

type CIDR struct {
	// IP specifies the block of IP addresses to allow
	//
	// Example:
	// 10.0.1.0/24
	IP string `json:"ip"`
}

CIDR specifies a block of IP addresses

type Decision

type Decision byte

Decision is a reachability policy decision

const (
	// Undecided means that we have not come to a decision yet
	Undecided Decision = iota
	// Allowed means that reachability is allowed
	Allowed
	// Denied means that reachability is denied
	Denied
)

func (Decision) MarshalJSON

func (d Decision) MarshalJSON() ([]byte, error)

MarshalJSON returns the decision as JSON formatted buffer

func (Decision) String

func (d Decision) String() string

String returns the decision in human readable format

func (*Decision) UnmarshalJSON

func (d *Decision) UnmarshalJSON(b []byte) error

UnmarshalJSON parses a JSON formatted buffer and returns a decision

type EgressRule

type EgressRule struct {
	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is allowed to
	// connect to.
	//
	// Example:
	// Any endpoint with the label "role=frontend" is allowed to initiate
	// connections to destination port 8080/tcp
	//
	// +optional
	ToPorts []PortRule `json:"toPorts,omitempty"`

	// ToCIDR is a list of IP blocks which the endpoint subject to the rule
	// is allowed to initiate connections to in addition to connections
	// which are allowed via FromEndpoints. This will match on the
	// destination IP address of outgoing connections.
	//
	// Example:
	// Any endpoint with the label "app=database-proxy" is allowed to
	// initiate connections to 10.2.3.0/24
	//
	// +optional
	ToCIDR []CIDR `json:"toCIDR,omitempty"`
}

EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.

  • All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.
  • All members of this structure are evaluated independently, i.e. L4 ports allowed with ToPorts do not depend on a match of the FromCIDR in the same EgressRule.

func (EgressRule) Validate

func (e EgressRule) Validate() error

Validate validates an egress policy rule

type EndpointSelector

type EndpointSelector struct {
	*metav1.LabelSelector
}

EndpointSelector is a wrapper for k8s LabelSelector.

func NewESFromK8sLabelSelector

func NewESFromK8sLabelSelector(srcPrefix string, ls *metav1.LabelSelector) EndpointSelector

NewESFromK8sLabelSelector returns a new endpoint selector from the label where it the given srcPrefix will be encoded in the label's keys.

func NewESFromLabels

func NewESFromLabels(lbls ...*labels.Label) EndpointSelector

NewESFromLabels creates a new endpoint selector from the given labels.

func (EndpointSelector) HasKeyPrefix

func (n EndpointSelector) HasKeyPrefix(prefix string) bool

HasKeyPrefix checks if the endpoint selector contains the given key prefix in its MatchLabels map and MatchExpressions slice.

func (EndpointSelector) MarshalJSON

func (n EndpointSelector) MarshalJSON() ([]byte, error)

MarshalJSON returns a JSON representation of the byte array.

func (*EndpointSelector) Matches

func (n *EndpointSelector) Matches(lblsToMatch k8sLbls.Labels) bool

Matches returns true if the endpoint selector Matches the `lblsToMatch`. Returns always true if the endpoint selector contains the reserved label for "all".

func (EndpointSelector) String

func (n EndpointSelector) String() string

String returns a string representation of EndpointSelector.

func (*EndpointSelector) UnmarshalJSON

func (n *EndpointSelector) UnmarshalJSON(b []byte) error

UnmarshalJSON unmarshals the endpoint selector from the byte array.

type IngressRule

type IngressRule struct {
	// FromEndpoints is a list of endpoints identified by an
	// EndpointSelector which are allowed to communicate with the endpoint
	// subject to the rule.
	//
	// Example:
	// Any endpoint with the label "role=backend" can be consumed by any
	// endpoint carrying the label "role=frontend".
	//
	// +optional
	FromEndpoints []EndpointSelector `json:"fromEndpoints,omitempty"`

	// FromRequires is a list of additional constraints which must be met
	// in order for the selected endpoints to be reachable. These
	// additional constraints do no by itself grant access privileges and
	// must always be accompanied with at least one matching FromEndpoints.
	//
	// Example:
	// Any Endpoint with the label "team=A" requires consuming endpoint
	// to also carry the label "team=A".
	//
	// +optional
	FromRequires []EndpointSelector `json:"fromRequires,omitempty"`

	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is allowed to
	// receive connections on.
	//
	// Example:
	// Any endpoint with the label "app=httpd" can only accept incoming
	// connections on port 80/tcp.
	//
	// +optional
	ToPorts []PortRule `json:"toPorts,omitempty"`

	// FromCIDR is a list of IP blocks which the endpoint subject to the
	// rule is allowed to receive connections from in addition to FromEndpoints.
	// This will match on the source IP address of incoming connections.
	//
	// Example:
	// Any endpoint with the label "app=my-legacy-pet" is allowed to receive
	// connections from 10.3.9.1
	//
	// +optional
	FromCIDR []CIDR `json:"fromCIDR,omitempty"`
}

IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.

  • All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.
  • All members of this structure are evaluated independently, i.e. L4 ports allowed with ToPorts do not depend on a match of the FromEndpoints in the same IngressRule.

func (IngressRule) Validate

func (i IngressRule) Validate() error

Validate validates an ingress policy rule

type L7Rules

type L7Rules struct {
	// HTTP specific rules.
	//
	// +optional
	HTTP []PortRuleHTTP `json:"http,omitempty"`
}

L7Rules is a union of port level rule types. Mixing of different port level rule types is disallowed, so exactly one of the following must be set. If none are specified, then no additional port level rules are applied.

type PortProtocol

type PortProtocol struct {
	// Port is an L4 port number. For now the string will be strictly
	// parsed as a single uint16. In the future, this field may support
	// ranges in the form "1024-2048
	Port string `json:"port"`

	// Protocol is the L4 protocol. If omitted or empty, any protocol
	// matches. Accepted values: "tcp", "udp", ""/"any"
	//
	// Matching on ICMP is not supported.
	//
	// +optional
	Protocol string `json:"protocol,omitempty"`
}

PortProtocol specifies an L4 port with an optional transport protocol

func (PortProtocol) Validate

func (pp PortProtocol) Validate() error

Validate validates a port/protocol pair

type PortRule

type PortRule struct {
	// Ports is a list of L4 port/protocol
	//
	// If omitted or empty but RedirectPort is set, then all ports of the
	// endpoint subject to either the ingress or egress rule are being
	// redirected.
	//
	// +optional
	Ports []PortProtocol `json:"ports,omitempty"`

	// RedirectPort is the L4 port which, if set, all traffic matching the
	// Ports is being redirected to. Whatever listener behind that port
	// becomes responsible to enforce the port rules and is also
	// responsible to reinject all traffic back and ensure it reaches its
	// original destination.
	RedirectPort int `json:"redirectPort,omitempty"`

	// Rules is a list of additional port level rules which must be met in
	// order for the PortRule to allow the traffic. If omitted or empty,
	// no layer 7 rules are enforced.
	//
	// +optional
	Rules *L7Rules `json:"rules,omitempty"`
}

PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.

func (PortRule) Validate

func (pr PortRule) Validate() error

Validate validates a port policy rule

type PortRuleHTTP

type PortRuleHTTP struct {
	// Path is an extended POSIX regex matched against the path of a
	// request. Currently it can contain characters disallowed from the
	// conventional "path" part of a URL as defined by RFC 3986. Paths must
	// begin with a '/'.
	//
	// If omitted or empty, all paths are all allowed.
	//
	// +optional
	Path string `json:"path,omitempty" protobuf:"bytes,1,opt,name=path"`

	// Method is an extended POSIX regex matched against the method of a
	// request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...
	//
	// If omitted or empty, all methods are allowed.
	//
	// +optional
	Method string `json:"method,omitempty" protobuf:"bytes,1,opt,name=method"`

	// Host is an extended POSIX regex matched against the host header of a
	// request, e.g. "foo.com"
	//
	// If omitted or empty, the value of the host header is ignored.
	//
	// +optional
	Host string `json:"host,omitempty" protobuf:"bytes,1,opt,name=method"`

	// Headers is a list of HTTP headers which must be present in the
	// request. If omitted or empty, requests are allowed regardless of
	// headers present.
	//
	// +optional
	Headers []string `json:"headers,omitempty"`
}

PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.

All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.

type Rule

type Rule struct {
	// EndpointSelector selects all endpoints which should be subject to
	// this rule. Cannot be empty.
	EndpointSelector EndpointSelector `json:"endpointSelector"`

	// Ingress is a list of IngressRule which are enforced at ingress.
	// If omitted or empty, this rule does not apply at ingress.
	//
	// +optional
	Ingress []IngressRule `json:"ingress,omitempty"`

	// Egress is a list of EgressRule which are enforced at egress.
	// If omitted or empty, this rule does not apply at egress.
	//
	// +optional
	Egress []EgressRule `json:"egress,omitempty"`

	// Labels is a list of optional strings which can be used to
	// re-identify the rule or to store metadata. It is possible to lookup
	// or delete strings based on labels. Labels are not required to be
	// unique, multiple rules can have overlapping or identical labels.
	//
	// +optional
	Labels labels.LabelArray `json:"labels,omitempty"`

	// Description is a free form string, it can be used by the creator of
	// the rule to store human readable explanation of the purpose of this
	// rule. Rules cannot be identified by comment.
	//
	// +optional
	Description string `json:"description,omitempty"`
}

Rule is a policy rule which must be applied to all endpoints which match the labels contained in the endpointSelector

Each rule is split into an ingress section which contains all rules applicable at ingress, and an egress section applicable at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both ingress and egress, both ingress and egress side have to either specifically allow the connection or one side has to be omitted.

Either ingress, egress, or both can be provided. If both ingress and egress are omitted, the rule has no effect.

func (Rule) Validate

func (r Rule) Validate() error

Validate validates a policy rule

type Rules

type Rules []*Rule

Rules is a collection of api.Rule.

All rules must be evaluated in order to come to a conclusion. While it is sufficient to have a single fromEndpoints rule match, none of the fromRequires may be violated at the same time.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL