matcher

package
v0.0.10 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 25, 2021 License: MIT Imports: 15 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildIPBlockNamespacePodMatcher 

func BuildIPBlockNamespacePodMatcher(policyNamespace string, peer networkingv1.NetworkPolicyPeer) (*IPBlockMatcher, NamespaceMatcher, PodMatcher)

func BuildTarget 

func BuildTarget(netpol *networkingv1.NetworkPolicy) (*Target, *Target)

func RunBuilderTests 

func RunBuilderTests()

func RunPolicyTests 

func RunPolicyTests()

Types

type AllIPMatcher 

type AllIPMatcher struct{}

TODO why have this? it's not used anywhere ... is there a way to write a NetworkPolicy that would actually need this?

func (*AllIPMatcher) Allows 

func (aip *AllIPMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*AllIPMatcher) MarshalJSON 

func (aip *AllIPMatcher) MarshalJSON() (b []byte, e error)

type AllInternalMatcher 

type AllInternalMatcher struct{}

func (*AllInternalMatcher) Allows 

func (a *AllInternalMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*AllInternalMatcher) MarshalJSON 

func (a *AllInternalMatcher) MarshalJSON() (b []byte, e error)

type AllNamespaceMatcher 

type AllNamespaceMatcher struct{}

func (*AllNamespaceMatcher) Allows 

func (a *AllNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*AllNamespaceMatcher) MarshalJSON 

func (a *AllNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*AllNamespaceMatcher) PrimaryKey 

func (a *AllNamespaceMatcher) PrimaryKey() string

type AllPeerMatcher 

type AllPeerMatcher struct{}

func (*AllPeerMatcher) Allows 

func (aem *AllPeerMatcher) Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool

func (*AllPeerMatcher) MarshalJSON 

func (aem *AllPeerMatcher) MarshalJSON() (b []byte, e error)

type AllPodMatcher 

type AllPodMatcher struct{}

func (*AllPodMatcher) Allows 

func (p *AllPodMatcher) Allows(podLabels map[string]string) bool

func (*AllPodMatcher) MarshalJSON 

func (p *AllPodMatcher) MarshalJSON() (b []byte, e error)

func (*AllPodMatcher) PrimaryKey 

func (p *AllPodMatcher) PrimaryKey() string

type AllPortMatcher 

type AllPortMatcher struct{}

func (*AllPortMatcher) Allows 

func (ap *AllPortMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

func (*AllPortMatcher) MarshalJSON 

func (ap *AllPortMatcher) MarshalJSON() (b []byte, e error)

type AllowedResult 

type AllowedResult struct {
	Ingress *DirectionResult
	Egress  *DirectionResult
}

func (*AllowedResult) IsAllowed 

func (ar *AllowedResult) IsAllowed() bool

type DirectionResult 

type DirectionResult struct {
	IsAllowed       bool
	AllowingTargets []*Target
	MatchingTargets []*Target
}

type ExactNamespaceMatcher 

type ExactNamespaceMatcher struct {
	Namespace string
}

func (*ExactNamespaceMatcher) Allows 

func (p *ExactNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*ExactNamespaceMatcher) MarshalJSON 

func (p *ExactNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*ExactNamespaceMatcher) PrimaryKey 

func (p *ExactNamespaceMatcher) PrimaryKey() string

type IPBlockMatcher 

type IPBlockMatcher struct {
	IPBlock *networkingv1.IPBlock
	Port    PortMatcher
}

IPBlockMatcher models the case where IPBlock is not nil, and both PodSelector and NamespaceSelector are nil

func (*IPBlockMatcher) Allows 

func (i *IPBlockMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*IPBlockMatcher) Combine 

func (i *IPBlockMatcher) Combine(other *IPBlockMatcher) *IPBlockMatcher

func (*IPBlockMatcher) MarshalJSON 

func (i *IPBlockMatcher) MarshalJSON() (b []byte, e error)

func (*IPBlockMatcher) PrimaryKey 

func (i *IPBlockMatcher) PrimaryKey() string

PrimaryKey returns a content-based, deterministic key based on the IPBlock's CIDR and excepts.

type IPMatcher 

type IPMatcher interface {
	Allows(ip string, portProtocol *PortProtocol) bool
}

func CombineIPMatchers 

func CombineIPMatchers(a IPMatcher, b IPMatcher) IPMatcher

type InternalMatcher 

type InternalMatcher interface {
	Allows(peer *InternalPeer, portProtocol *PortProtocol) bool
}

func CombineInternalMatchers 

func CombineInternalMatchers(a InternalMatcher, b InternalMatcher) InternalMatcher

type InternalPeer 

type InternalPeer struct {
	PodLabels map[string]string
	//Pod             string
	NamespaceLabels map[string]string
	Namespace       string
}

type LabelSelectorNamespaceMatcher 

type LabelSelectorNamespaceMatcher struct {
	Selector metav1.LabelSelector
}

func (*LabelSelectorNamespaceMatcher) Allows 

func (p *LabelSelectorNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*LabelSelectorNamespaceMatcher) MarshalJSON 

func (p *LabelSelectorNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*LabelSelectorNamespaceMatcher) PrimaryKey 

func (p *LabelSelectorNamespaceMatcher) PrimaryKey() string

type LabelSelectorPodMatcher 

type LabelSelectorPodMatcher struct {
	Selector metav1.LabelSelector
}

func (*LabelSelectorPodMatcher) Allows 

func (p *LabelSelectorPodMatcher) Allows(podLabels map[string]string) bool

func (*LabelSelectorPodMatcher) MarshalJSON 

func (p *LabelSelectorPodMatcher) MarshalJSON() (b []byte, e error)

func (*LabelSelectorPodMatcher) PrimaryKey 

func (p *LabelSelectorPodMatcher) PrimaryKey() string

type NamespaceMatcher 

type NamespaceMatcher interface {
	Allows(namespace string, namespaceLabels map[string]string) bool
	PrimaryKey() string
}

type NamespacePodMatcher 

type NamespacePodMatcher struct {
	Namespace NamespaceMatcher
	Pod       PodMatcher
	Port      PortMatcher
}

func (*NamespacePodMatcher) Allows 

func (ppm *NamespacePodMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*NamespacePodMatcher) Combine 

func (ppm *NamespacePodMatcher) Combine(otherPort PortMatcher) *NamespacePodMatcher

func (*NamespacePodMatcher) PrimaryKey 

func (ppm *NamespacePodMatcher) PrimaryKey() string

type NoneIPMatcher 

type NoneIPMatcher struct{}

func (*NoneIPMatcher) Allows 

func (aip *NoneIPMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*NoneIPMatcher) MarshalJSON 

func (aip *NoneIPMatcher) MarshalJSON() (b []byte, e error)

type NoneInternalMatcher 

type NoneInternalMatcher struct{}

TODO is this possible, where only IPs are allowed? 

maybe indirectly through: 1) deny all, 2) allow external with 0.0.0.0

func (*NoneInternalMatcher) Allows 

func (n *NoneInternalMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*NoneInternalMatcher) MarshalJSON 

func (n *NoneInternalMatcher) MarshalJSON() (b []byte, e error)

type NonePeerMatcher 

type NonePeerMatcher struct{}

func (*NonePeerMatcher) Allows 

func (nem *NonePeerMatcher) Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool

func (*NonePeerMatcher) MarshalJSON 

func (nem *NonePeerMatcher) MarshalJSON() (b []byte, e error)

type NonePortMatcher 

type NonePortMatcher struct{}

func (*NonePortMatcher) Allows 

func (n *NonePortMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

func (*NonePortMatcher) MarshalJSON 

func (n *NonePortMatcher) MarshalJSON() (b []byte, e error)

type PeerMatcher 

type PeerMatcher interface {
	Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool
}

func BuildEgressMatcher 

func BuildEgressMatcher(policyNamespace string, egresses []networkingv1.NetworkPolicyEgressRule) PeerMatcher

func BuildIngressMatcher 

func BuildIngressMatcher(policyNamespace string, ingresses []networkingv1.NetworkPolicyIngressRule) PeerMatcher

func BuildPeerMatcher 

func BuildPeerMatcher(policyNamespace string, npPorts []networkingv1.NetworkPolicyPort, peers []networkingv1.NetworkPolicyPeer) PeerMatcher

func CombinePeerMatchers 

func CombinePeerMatchers(a PeerMatcher, b PeerMatcher) PeerMatcher

type PodMatcher 

type PodMatcher interface {
	Allows(podLabels map[string]string) bool
	PrimaryKey() string
}

type Policy 

type Policy struct {
	Ingress map[string]*Target
	Egress  map[string]*Target
}

This is the root type

func BuildNetworkPolicies 

func BuildNetworkPolicies(netpols []*networkingv1.NetworkPolicy) *Policy

func BuildNetworkPolicy 

func BuildNetworkPolicy(policy *networkingv1.NetworkPolicy) *Policy

func NewPolicy 

func NewPolicy() *Policy

func (*Policy) AddTarget 

func (np *Policy) AddTarget(isIngress bool, target *Target) *Target

func (*Policy) IsIngressOrEgressAllowed 

func (np *Policy) IsIngressOrEgressAllowed(traffic *Traffic, isIngress bool) *DirectionResult

func (*Policy) IsTrafficAllowed 

func (np *Policy) IsTrafficAllowed(traffic *Traffic) *AllowedResult

IsTrafficAllowed returns: - whether the traffic is allowed - which rules allowed the traffic - which rules matched the traffic target

func (*Policy) SortedTargets 

func (np *Policy) SortedTargets() ([]*Target, []*Target)

func (*Policy) TargetsApplyingToPod 

func (np *Policy) TargetsApplyingToPod(isIngress bool, namespace string, podLabels map[string]string) []*Target

type PortMatcher 

type PortMatcher interface {
	Allows(port intstr.IntOrString, protocol v1.Protocol) bool
}

func BuildPortMatcher 

func BuildPortMatcher(npPorts []networkingv1.NetworkPolicyPort) PortMatcher

func CombinePortMatchers 

func CombinePortMatchers(a PortMatcher, b PortMatcher) PortMatcher

type PortProtocol 

type PortProtocol struct {
	Protocol v1.Protocol
	Port     intstr.IntOrString
}

type PortProtocolMatcher 

type PortProtocolMatcher struct {
	Port     *intstr.IntOrString
	Protocol v1.Protocol
}

PortProtocolMatcher models a specific combination of port+protocol. If port is nil, all ports are matched.

func (*PortProtocolMatcher) Allows 

func (p *PortProtocolMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

func (*PortProtocolMatcher) Equals added in v0.0.10 

func (p *PortProtocolMatcher) Equals(other *PortProtocolMatcher) bool

type SpecificIPMatcher 

type SpecificIPMatcher struct {
	PortsForAllIPs PortMatcher
	IPBlocks       map[string]*IPBlockMatcher
}

func NewSpecificIPMatcher 

func NewSpecificIPMatcher(portsForAllIPs PortMatcher, blocks ...*IPBlockMatcher) *SpecificIPMatcher

func (*SpecificIPMatcher) AddIPMatcher 

func (sip *SpecificIPMatcher) AddIPMatcher(ip *IPBlockMatcher)

func (*SpecificIPMatcher) Allows 

func (sip *SpecificIPMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*SpecificIPMatcher) Combine 

func (sip *SpecificIPMatcher) Combine(other *SpecificIPMatcher) *SpecificIPMatcher

func (*SpecificIPMatcher) MarshalJSON 

func (sip *SpecificIPMatcher) MarshalJSON() (b []byte, e error)

func (*SpecificIPMatcher) SortedIPBlocks 

func (sip *SpecificIPMatcher) SortedIPBlocks() []*IPBlockMatcher

type SpecificInternalMatcher 

type SpecificInternalMatcher struct {
	NamespacePods map[string]*NamespacePodMatcher
}

func NewSpecificInternalMatcher 

func NewSpecificInternalMatcher(matchers ...*NamespacePodMatcher) *SpecificInternalMatcher

func (*SpecificInternalMatcher) Add 

func (a *SpecificInternalMatcher) Add(newMatcher *NamespacePodMatcher)

func (*SpecificInternalMatcher) Allows 

func (a *SpecificInternalMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*SpecificInternalMatcher) MarshalJSON 

func (a *SpecificInternalMatcher) MarshalJSON() (b []byte, e error)

func (*SpecificInternalMatcher) SortedNamespacePods 

func (a *SpecificInternalMatcher) SortedNamespacePods() []*NamespacePodMatcher

type SpecificPeerMatcher 

type SpecificPeerMatcher struct {
	IP       IPMatcher
	Internal InternalMatcher
}

func (*SpecificPeerMatcher) Allows 

func (em *SpecificPeerMatcher) Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool

func (*SpecificPeerMatcher) Combine 

func (em *SpecificPeerMatcher) Combine(other *SpecificPeerMatcher) *SpecificPeerMatcher

func (*SpecificPeerMatcher) MarshalJSON 

func (em *SpecificPeerMatcher) MarshalJSON() (b []byte, e error)

type SpecificPortMatcher 

type SpecificPortMatcher struct {
	Ports []*PortProtocolMatcher
}

SpecificPortMatcher models the case where traffic must match a named or numbered port

func (*SpecificPortMatcher) Allows 

func (s *SpecificPortMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

func (*SpecificPortMatcher) Combine added in v0.0.10 

func (s *SpecificPortMatcher) Combine(other *SpecificPortMatcher) *SpecificPortMatcher

func (*SpecificPortMatcher) MarshalJSON 

func (s *SpecificPortMatcher) MarshalJSON() (b []byte, e error)

type Target 

type Target struct {
	Namespace   string
	PodSelector metav1.LabelSelector
	Peer        PeerMatcher
	SourceRules []*networkingv1.NetworkPolicy
	// contains filtered or unexported fields
}

Target represents a NetworkPolicySpec.PodSelector, which is in a namespace

func CombineTargetsIgnoringPrimaryKey 

func CombineTargetsIgnoringPrimaryKey(namespace string, podSelector metav1.LabelSelector, targets []*Target) *Target

CombineTargetsIgnoringPrimaryKey creates a new target from the given namespace and pod selector, and combines all the edges and source rules from the original targets into the new target.

func (*Target) Combine 

func (t *Target) Combine(other *Target) *Target

CombinePeerMatchers creates a new Target combining the egress and ingress rules of the two original targets. Neither input is modified. The Primary Keys of the two targets must match.

func (*Target) GetPrimaryKey 

func (t *Target) GetPrimaryKey() string

The primary key is a deterministic combination of PodSelector and namespace

func (*Target) IsMatch 

func (t *Target) IsMatch(namespace string, podLabels map[string]string) bool

func (*Target) String 

func (t *Target) String() string

type Traffic 

type Traffic struct {
	Source      *TrafficPeer
	Destination *TrafficPeer

	PortProtocol *PortProtocol
}

type TrafficPeer 

type TrafficPeer struct {
	Internal *InternalPeer
	IP       string
}

func (*TrafficPeer) IsExternal 

func (p *TrafficPeer) IsExternal() bool

func (*TrafficPeer) Namespace 

func (p *TrafficPeer) Namespace() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.