matcher

package
Published: Jan 20, 2021 License: MIT Imports: 17 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func BuildIPBlockNamespacePodMatcher

func BuildIPBlockNamespacePodMatcher(policyNamespace string, peer networkingv1.NetworkPolicyPeer) (*IPBlockMatcher, NamespaceMatcher, PodMatcher)

func BuildTarget

func BuildTarget(netpol *networkingv1.NetworkPolicy) (*Target, *Target)

func Explain

func Explain(policies *Policy) string

func ExplainAllPortMatcher

func ExplainAllPortMatcher(indent string) []string

func ExplainIPBlockMatcher

func ExplainIPBlockMatcher(ip *IPBlockMatcher, indent string) []string

func ExplainIPMatcher

func ExplainIPMatcher(ip IPMatcher, indent string) []string

func ExplainInternalMatcher

func ExplainInternalMatcher(i InternalMatcher, indent string) []string

func ExplainNamespaceMatcher

func ExplainNamespaceMatcher(pm NamespaceMatcher, indent string) string

func ExplainNamespacePod

func ExplainNamespacePod(peer *NamespacePodMatcher, indent string) []string

func ExplainPodMatcher

func ExplainPodMatcher(pm PodMatcher, indent string) string

func ExplainPortMatcher

func ExplainPortMatcher(pm PortMatcher, indent string) []string

func ExplainSourceRules

func ExplainSourceRules(sourceRules []*networkingv1.NetworkPolicy, indent string) []string

func ExplainSpecificPeerMatcher

func ExplainSpecificPeerMatcher(tp *SpecificPeerMatcher, indent string) []string

func ExplainSpecificPortMatcher

func ExplainSpecificPortMatcher(spm *SpecificPortMatcher, indent string) []string

func ExplainTarget

func ExplainTarget(target *Target, isIngress bool) []string

func LabelSelectorTableLines added in v0.0.2

func LabelSelectorTableLines(selector metav1.LabelSelector) string

func PortMatcherTableLines added in v0.0.2

func PortMatcherTableLines(pm PortMatcher) []string

func RunBuilderTests

func RunBuilderTests()

func RunExplainerTests

func RunExplainerTests()

func RunPolicyTests

func RunPolicyTests()

func SerializeLabelSelector

func SerializeLabelSelector(ls metav1.LabelSelector) string

SerializeLabelSelector deterministically converts a metav1.LabelSelector into a string

func TableExplainer added in v0.0.2

func TableExplainer(policies *Policy) *tablewriter.Table

func TargetsTableLines added in v0.0.2

func TargetsTableLines(table *tablewriter.Table, targets []*Target, isIngress bool)

Types

type AllIPMatcher

// AllIPMatcher is a stateless IPMatcher; its Allows method takes an IP and a
// *PortProtocol like the other IPMatcher implementations on this page.
// NOTE(review): by name it appears to admit every IP regardless of port — confirm
// against the Allows implementation before relying on it as a policy boundary.
type AllIPMatcher struct{}

func (*AllIPMatcher) Allows

func (aip *AllIPMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*AllIPMatcher) MarshalJSON

func (aip *AllIPMatcher) MarshalJSON() (b []byte, e error)

type AllInternalMatcher

// AllInternalMatcher is a stateless InternalMatcher (Allows takes an *InternalPeer
// and a *PortProtocol).
// NOTE(review): by name it appears to admit every in-cluster peer — confirm
// against the Allows implementation.
type AllInternalMatcher struct{}

func (*AllInternalMatcher) Allows

func (a *AllInternalMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*AllInternalMatcher) MarshalJSON

func (a *AllInternalMatcher) MarshalJSON() (b []byte, e error)

type AllNamespaceMatcher

// AllNamespaceMatcher is a stateless NamespaceMatcher; it also provides a
// PrimaryKey, which NamespaceMatcher requires.
// NOTE(review): by name it appears to match every namespace — confirm against Allows.
type AllNamespaceMatcher struct{}

func (*AllNamespaceMatcher) Allows

func (a *AllNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*AllNamespaceMatcher) MarshalJSON

func (a *AllNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*AllNamespaceMatcher) PrimaryKey

func (a *AllNamespaceMatcher) PrimaryKey() string

type AllPeerMatcher

// AllPeerMatcher is a stateless PeerMatcher (Allows takes a *TrafficPeer and a
// *PortProtocol).
// NOTE(review): by name it appears to admit every peer, internal or external —
// confirm against the Allows implementation.
type AllPeerMatcher struct{}

func (*AllPeerMatcher) Allows

func (aem *AllPeerMatcher) Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool

func (*AllPeerMatcher) MarshalJSON

func (aem *AllPeerMatcher) MarshalJSON() (b []byte, e error)

type AllPodMatcher

// AllPodMatcher is a stateless PodMatcher; it also provides the PrimaryKey that
// PodMatcher requires.
// NOTE(review): by name it appears to match any pod labels — confirm against Allows.
type AllPodMatcher struct{}

func (*AllPodMatcher) Allows

func (p *AllPodMatcher) Allows(podLabels map[string]string) bool

func (*AllPodMatcher) MarshalJSON

func (p *AllPodMatcher) MarshalJSON() (b []byte, e error)

func (*AllPodMatcher) PrimaryKey

func (p *AllPodMatcher) PrimaryKey() string

type AllPortMatcher

// AllPortMatcher is a stateless PortMatcher (Allows takes an intstr.IntOrString
// port and a v1.Protocol).
// NOTE(review): by name it appears to match every port/protocol — confirm against Allows.
type AllPortMatcher struct{}

func (*AllPortMatcher) Allows

func (ap *AllPortMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

func (*AllPortMatcher) MarshalJSON

func (ap *AllPortMatcher) MarshalJSON() (b []byte, e error)

type AllowedResult

// AllowedResult is the value returned by Policy.IsTrafficAllowed: one
// DirectionResult for the ingress side of the traffic and one for the egress side.
// NOTE(review): the IsAllowed method on this type should require both directions
// to allow the traffic for the overall verdict to be "allowed" — confirm against
// its implementation.
type AllowedResult struct {
	// Ingress is the ingress-direction verdict.
	Ingress *DirectionResult
	// Egress is the egress-direction verdict.
	Egress  *DirectionResult
}

func (*AllowedResult) IsAllowed

func (ar *AllowedResult) IsAllowed() bool

type DirectionResult

// DirectionResult describes the outcome of evaluating one direction (ingress or
// egress) of a Traffic against a Policy; see Policy.IsIngressOrEgressAllowed.
type DirectionResult struct {
	// IsAllowed reports whether the traffic is allowed in this direction.
	IsAllowed       bool
	// AllowingTargets are the rules that allowed the traffic.
	AllowingTargets []*Target
	// MatchingTargets are the rules that matched the traffic target.
	// NOTE(review): presumably this includes targets that matched the pod but did
	// not allow the traffic — confirm against the implementation.
	MatchingTargets []*Target
}

type ExactNamespaceMatcher

// ExactNamespaceMatcher is a NamespaceMatcher configured with a single namespace
// name; see its Allows and PrimaryKey methods.
type ExactNamespaceMatcher struct {
	// Namespace is the namespace name this matcher is configured with.
	Namespace string
}

func (*ExactNamespaceMatcher) Allows

func (p *ExactNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*ExactNamespaceMatcher) MarshalJSON

func (p *ExactNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*ExactNamespaceMatcher) PrimaryKey

func (p *ExactNamespaceMatcher) PrimaryKey() string

type IPBlockMatcher

// IPBlockMatcher models the case where IPBlock is not nil, and both PodSelector
// and NamespaceSelector are nil. Its PrimaryKey is a content-based, deterministic
// key built from the IPBlock's CIDR and excepts.
// NOTE(review): for this matcher to act as a reliable boundary, Allows must treat
// the IPBlock's Except ranges as excluded and must handle a nil IPBlock or Port —
// confirm against the Allows implementation.
type IPBlockMatcher struct {
	// IPBlock is the CIDR (and Except list) this matcher covers.
	IPBlock *networkingv1.IPBlock
	// Port is the PortMatcher consulted alongside the IP (see Allows).
	Port    PortMatcher
}

IPBlockMatcher models the case of a NetworkPolicyPeer whose IPBlock is not nil and whose PodSelector and NamespaceSelector are both nil.

func (*IPBlockMatcher) Allows

func (i *IPBlockMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*IPBlockMatcher) Combine

func (i *IPBlockMatcher) Combine(other *IPBlockMatcher) *IPBlockMatcher

func (*IPBlockMatcher) MarshalJSON

func (i *IPBlockMatcher) MarshalJSON() (b []byte, e error)

func (*IPBlockMatcher) PrimaryKey

func (i *IPBlockMatcher) PrimaryKey() string

PrimaryKey returns a content-based, deterministic key based on the IPBlock's CIDR and excepts.

type IPMatcher

// IPMatcher decides whether a peer identified only by an IP address is allowed on
// the given port/protocol. On this page it is implemented by AllIPMatcher,
// NoneIPMatcher, IPBlockMatcher and SpecificIPMatcher; CombineIPMatchers merges two.
type IPMatcher interface {
	Allows(ip string, portProtocol *PortProtocol) bool
}

func CombineIPMatchers

func CombineIPMatchers(a IPMatcher, b IPMatcher) IPMatcher

type InternalMatcher

// InternalMatcher decides whether an InternalPeer (a peer described by pod and
// namespace labels rather than an IP) is allowed on the given port/protocol. On
// this page it is implemented by AllInternalMatcher, NoneInternalMatcher,
// NamespacePodMatcher and SpecificInternalMatcher.
type InternalMatcher interface {
	Allows(peer *InternalPeer, portProtocol *PortProtocol) bool
}

type InternalPeer

// InternalPeer identifies a peer by its pod labels and by the name and labels of
// its namespace (contrast TrafficPeer.IP for peers known only by address).
type InternalPeer struct {
	// PodLabels are the labels of the peer pod.
	PodLabels map[string]string
	//Pod             string
	// NamespaceLabels are the labels of the peer pod's namespace.
	NamespaceLabels map[string]string
	// Namespace is the name of the peer pod's namespace.
	Namespace       string
}

type LabelSelectorNamespaceMatcher

// LabelSelectorNamespaceMatcher is a NamespaceMatcher configured with a
// metav1.LabelSelector; Allows receives the namespace labels it can be applied to.
// NOTE(review): presumably Allows evaluates Selector against namespaceLabels and
// ignores the namespace name — confirm against the implementation.
type LabelSelectorNamespaceMatcher struct {
	// Selector is the label selector this matcher is configured with.
	Selector metav1.LabelSelector
}

func (*LabelSelectorNamespaceMatcher) Allows

func (p *LabelSelectorNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*LabelSelectorNamespaceMatcher) MarshalJSON

func (p *LabelSelectorNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*LabelSelectorNamespaceMatcher) PrimaryKey

func (p *LabelSelectorNamespaceMatcher) PrimaryKey() string

type LabelSelectorPodMatcher

// LabelSelectorPodMatcher is a PodMatcher configured with a metav1.LabelSelector;
// Allows receives the pod labels it can be applied to.
// NOTE(review): presumably Allows evaluates Selector against podLabels — confirm
// against the implementation.
type LabelSelectorPodMatcher struct {
	// Selector is the label selector this matcher is configured with.
	Selector metav1.LabelSelector
}

func (*LabelSelectorPodMatcher) Allows

func (p *LabelSelectorPodMatcher) Allows(podLabels map[string]string) bool

func (*LabelSelectorPodMatcher) MarshalJSON

func (p *LabelSelectorPodMatcher) MarshalJSON() (b []byte, e error)

func (*LabelSelectorPodMatcher) PrimaryKey

func (p *LabelSelectorPodMatcher) PrimaryKey() string

type NamespaceMatcher

// NamespaceMatcher decides whether a namespace, given its name and labels, is
// matched, and exposes a PrimaryKey for deterministic identification. On this page
// it is implemented by AllNamespaceMatcher, ExactNamespaceMatcher and
// LabelSelectorNamespaceMatcher.
type NamespaceMatcher interface {
	Allows(namespace string, namespaceLabels map[string]string) bool
	PrimaryKey() string
}

type NamespacePodMatcher

// NamespacePodMatcher is an InternalMatcher composed of a namespace matcher, a pod
// matcher and a port matcher. Combine takes a further PortMatcher and returns a new
// NamespacePodMatcher; PrimaryKey identifies the matcher deterministically.
// NOTE(review): presumably Allows requires all three component matchers to allow —
// confirm against the implementation.
type NamespacePodMatcher struct {
	// Namespace is applied to the peer's namespace name and labels.
	Namespace NamespaceMatcher
	// Pod is applied to the peer's pod labels.
	Pod       PodMatcher
	// Port is applied to the traffic's port/protocol.
	Port      PortMatcher
}

func (*NamespacePodMatcher) Allows

func (ppm *NamespacePodMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*NamespacePodMatcher) Combine

func (ppm *NamespacePodMatcher) Combine(otherPort PortMatcher) *NamespacePodMatcher

func (*NamespacePodMatcher) PrimaryKey

func (ppm *NamespacePodMatcher) PrimaryKey() string

type NoneIPMatcher

// NoneIPMatcher is a stateless IPMatcher.
// NOTE(review): by name it appears to reject every IP — confirm against Allows.
type NoneIPMatcher struct{}

func (*NoneIPMatcher) Allows

func (aip *NoneIPMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*NoneIPMatcher) MarshalJSON

func (aip *NoneIPMatcher) MarshalJSON() (b []byte, e error)

type NoneInternalMatcher

// NoneInternalMatcher is a stateless InternalMatcher.
// NOTE(review): by name it appears to reject every in-cluster peer — confirm against
// Allows. The author's TODO on this type questions whether the "only IPs allowed"
// case can actually arise.
type NoneInternalMatcher struct{}

TODO: is this case possible, where only IPs are allowed?

Maybe indirectly, through: 1) deny all, 2) allow external traffic with 0.0.0.0.

func (*NoneInternalMatcher) Allows

func (n *NoneInternalMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*NoneInternalMatcher) MarshalJSON

func (n *NoneInternalMatcher) MarshalJSON() (b []byte, e error)

type NonePeerMatcher

// NonePeerMatcher is a stateless PeerMatcher.
// NOTE(review): by name it appears to reject every peer — confirm against Allows.
type NonePeerMatcher struct{}

func (*NonePeerMatcher) Allows

func (nem *NonePeerMatcher) Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool

func (*NonePeerMatcher) MarshalJSON

func (nem *NonePeerMatcher) MarshalJSON() (b []byte, e error)

type NonePortMatcher

// NonePortMatcher is a stateless PortMatcher.
// NOTE(review): by name it appears to reject every port/protocol — confirm against Allows.
type NonePortMatcher struct{}

func (*NonePortMatcher) Allows

func (n *NonePortMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

func (*NonePortMatcher) MarshalJSON

func (n *NonePortMatcher) MarshalJSON() (b []byte, e error)

type PeerMatcher

// PeerMatcher is the top-level decision for one end of a Traffic: whether the given
// TrafficPeer is allowed on the given port/protocol. On this page it is implemented
// by AllPeerMatcher, NonePeerMatcher and SpecificPeerMatcher, built by
// BuildIngressMatcher/BuildEgressMatcher/BuildPeerMatcher and merged by
// CombinePeerMatchers.
type PeerMatcher interface {
	Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool
}

func BuildEgressMatcher

func BuildEgressMatcher(policyNamespace string, egresses []networkingv1.NetworkPolicyEgressRule) PeerMatcher

func BuildIngressMatcher

func BuildIngressMatcher(policyNamespace string, ingresses []networkingv1.NetworkPolicyIngressRule) PeerMatcher

func BuildPeerMatcher

func BuildPeerMatcher(policyNamespace string, npPorts []networkingv1.NetworkPolicyPort, peers []networkingv1.NetworkPolicyPeer) PeerMatcher

func CombinePeerMatchers

func CombinePeerMatchers(a PeerMatcher, b PeerMatcher) PeerMatcher

type PodMatcher

// PodMatcher decides whether a pod, given its labels, is matched, and exposes a
// PrimaryKey for deterministic identification. On this page it is implemented by
// AllPodMatcher and LabelSelectorPodMatcher.
type PodMatcher interface {
	Allows(podLabels map[string]string) bool
	PrimaryKey() string
}

type Policy

// Policy is the root type: the ingress and egress Targets built from one or more
// NetworkPolicy objects (see BuildNetworkPolicy and BuildNetworkPolicies). Targets
// are added with AddTarget and traffic is evaluated with IsTrafficAllowed.
// NOTE(review): the map keys are presumably Target.GetPrimaryKey() values —
// confirm against AddTarget.
type Policy struct {
	// Ingress holds the targets that govern ingress traffic.
	Ingress map[string]*Target
	// Egress holds the targets that govern egress traffic.
	Egress  map[string]*Target
}

Policy is the root type.

func BuildNetworkPolicies

func BuildNetworkPolicies(netpols []*networkingv1.NetworkPolicy) *Policy

func BuildNetworkPolicy

func BuildNetworkPolicy(policy *networkingv1.NetworkPolicy) *Policy

func NewPolicy

func NewPolicy() *Policy

func (*Policy) AddTarget

func (np *Policy) AddTarget(isIngress bool, target *Target) *Target

func (*Policy) IsIngressOrEgressAllowed

func (np *Policy) IsIngressOrEgressAllowed(traffic *Traffic, isIngress bool) *DirectionResult

func (*Policy) IsTrafficAllowed

func (np *Policy) IsTrafficAllowed(traffic *Traffic) *AllowedResult

IsTrafficAllowed returns: whether the traffic is allowed, which rules allowed the traffic, and which rules matched the traffic target.

func (*Policy) SortedTargets added in v0.0.2

func (np *Policy) SortedTargets() ([]*Target, []*Target)

func (*Policy) TargetsApplyingToPod

func (np *Policy) TargetsApplyingToPod(isIngress bool, namespace string, podLabels map[string]string) []*Target

type PortMatcher

// PortMatcher decides whether a port/protocol pair is matched. On this page it is
// implemented by AllPortMatcher, NonePortMatcher, PortProtocolMatcher and
// SpecificPortMatcher; BuildPortMatcher builds one from NetworkPolicyPort entries
// and CombinePortMatchers merges two.
type PortMatcher interface {
	Allows(port intstr.IntOrString, protocol v1.Protocol) bool
}

func BuildPortMatcher

func BuildPortMatcher(npPorts []networkingv1.NetworkPolicyPort) PortMatcher

func CombinePortMatchers

func CombinePortMatchers(a PortMatcher, b PortMatcher) PortMatcher

type PortProtocol

// PortProtocol is the concrete port and protocol of a Traffic; it is what the
// Allows methods on this page are asked about.
type PortProtocol struct {
	// Protocol is the transport protocol of the traffic.
	Protocol v1.Protocol
	// Port is the destination port, numeric or named.
	Port     intstr.IntOrString
}

type PortProtocolMatcher

// PortProtocolMatcher models a specific combination of port+protocol. If Port is
// nil, all ports are matched (for the given protocol).
type PortProtocolMatcher struct {
	// Port is the port to match; nil means every port.
	Port     *intstr.IntOrString
	// Protocol is the protocol to match.
	Protocol v1.Protocol
}

PortProtocolMatcher models a specific combination of port+protocol. If port is nil, all ports are matched.

func (*PortProtocolMatcher) Allows

func (ppm *PortProtocolMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

type SpecificIPMatcher

// SpecificIPMatcher is an IPMatcher made of a port matcher that applies to all IPs
// plus a keyed set of IPBlockMatchers. Build it with NewSpecificIPMatcher, extend it
// with AddIPMatcher, and list its blocks deterministically with SortedIPBlocks.
// NOTE(review): the IPBlocks map key is presumably IPBlockMatcher.PrimaryKey() —
// confirm against AddIPMatcher.
type SpecificIPMatcher struct {
	// PortsForAllIPs is consulted for any IP, independent of IPBlocks.
	// NOTE(review): inferred from the field name — confirm against Allows.
	PortsForAllIPs PortMatcher
	// IPBlocks are the per-CIDR matchers, keyed by a deterministic string.
	IPBlocks       map[string]*IPBlockMatcher
}

func NewSpecificIPMatcher

func NewSpecificIPMatcher(portsForAllIPs PortMatcher, blocks ...*IPBlockMatcher) *SpecificIPMatcher

func (*SpecificIPMatcher) AddIPMatcher

func (sip *SpecificIPMatcher) AddIPMatcher(ip *IPBlockMatcher)

func (*SpecificIPMatcher) Allows

func (sip *SpecificIPMatcher) Allows(ip string, portProtocol *PortProtocol) bool

func (*SpecificIPMatcher) Combine

func (*SpecificIPMatcher) MarshalJSON

func (sip *SpecificIPMatcher) MarshalJSON() (b []byte, e error)

func (*SpecificIPMatcher) SortedIPBlocks added in v0.0.2

func (sip *SpecificIPMatcher) SortedIPBlocks() []*IPBlockMatcher

type SpecificInternalMatcher

// SpecificInternalMatcher is an InternalMatcher made of a keyed set of
// NamespacePodMatchers. Build it with NewSpecificInternalMatcher, extend it with
// Add, and list its entries deterministically with SortedNamespacePods.
// NOTE(review): the map key is presumably NamespacePodMatcher.PrimaryKey() —
// confirm against Add.
type SpecificInternalMatcher struct {
	// NamespacePods are the component matchers, keyed by a deterministic string.
	NamespacePods map[string]*NamespacePodMatcher
}

func NewSpecificInternalMatcher

func NewSpecificInternalMatcher(matchers ...*NamespacePodMatcher) *SpecificInternalMatcher

func (*SpecificInternalMatcher) Add

func (a *SpecificInternalMatcher) Add(newMatcher *NamespacePodMatcher)

func (*SpecificInternalMatcher) Allows

func (a *SpecificInternalMatcher) Allows(peer *InternalPeer, portProtocol *PortProtocol) bool

func (*SpecificInternalMatcher) MarshalJSON

func (a *SpecificInternalMatcher) MarshalJSON() (b []byte, e error)

func (*SpecificInternalMatcher) SortedNamespacePods added in v0.0.2

func (a *SpecificInternalMatcher) SortedNamespacePods() []*NamespacePodMatcher

type SpecificPeerMatcher

// SpecificPeerMatcher is a PeerMatcher that holds one matcher for peers known only
// by IP and one for peers described by pod/namespace labels.
// NOTE(review): presumably Allows dispatches on TrafficPeer.IsExternal to choose
// between IP and Internal — confirm against the implementation.
type SpecificPeerMatcher struct {
	// IP is consulted for external (IP-only) peers.
	IP       IPMatcher
	// Internal is consulted for in-cluster peers.
	Internal InternalMatcher
}

func (*SpecificPeerMatcher) Allows

func (em *SpecificPeerMatcher) Allows(peer *TrafficPeer, portProtocol *PortProtocol) bool

func (*SpecificPeerMatcher) Combine

func (*SpecificPeerMatcher) MarshalJSON

func (em *SpecificPeerMatcher) MarshalJSON() (b []byte, e error)

type SpecificPortMatcher

// SpecificPortMatcher models the case where traffic must match a named or numbered
// port: Allows succeeds when one of Ports matches.
// NOTE(review): "one of" is inferred from the slice shape — confirm against Allows.
type SpecificPortMatcher struct {
	// Ports are the individual port/protocol matchers.
	Ports []*PortProtocolMatcher
}

SpecificPortMatcher models the case where traffic must match a named or numbered port

func (*SpecificPortMatcher) Allows

func (epp *SpecificPortMatcher) Allows(port intstr.IntOrString, protocol v1.Protocol) bool

func (*SpecificPortMatcher) MarshalJSON

func (epp *SpecificPortMatcher) MarshalJSON() (b []byte, e error)

type Target

// Target represents a NetworkPolicySpec.PodSelector, which is in a namespace: the
// pods a policy applies to (see IsMatch), the PeerMatcher consulted for the other
// end of the traffic, and the NetworkPolicy objects the target was built from.
// GetPrimaryKey is a deterministic combination of PodSelector and Namespace.
type Target struct {
	// Namespace is the namespace the pod selector is scoped to.
	Namespace   string
	// PodSelector selects the pods this target applies to.
	PodSelector metav1.LabelSelector
	// Peer decides which peers and ports are allowed for the selected pods.
	Peer        PeerMatcher
	// SourceRules are the NetworkPolicy objects this target was derived from.
	SourceRules []*networkingv1.NetworkPolicy
	// contains filtered or unexported fields
}

Target represents a NetworkPolicySpec.PodSelector, which is in a namespace

func CombineTargetsIgnoringPrimaryKey

func CombineTargetsIgnoringPrimaryKey(namespace string, podSelector metav1.LabelSelector, targets []*Target) *Target

CombineTargetsIgnoringPrimaryKey creates a new target from the given namespace and pod selector, and combines all the edges and source rules from the original targets into the new target.

func (*Target) Combine

func (t *Target) Combine(other *Target) *Target

Combine creates a new Target combining the egress and ingress rules of the two original targets. Neither input is modified. The primary keys of the two targets must match.

func (*Target) GetPrimaryKey

func (t *Target) GetPrimaryKey() string

GetPrimaryKey returns a deterministic combination of PodSelector and namespace.

func (*Target) IsMatch

func (t *Target) IsMatch(namespace string, podLabels map[string]string) bool

func (*Target) String

func (t *Target) String() string

type Traffic

// Traffic is a single flow to evaluate against a Policy: its source and destination
// peers and the port/protocol it uses. See Policy.IsTrafficAllowed.
type Traffic struct {
	// Source is the originating peer.
	Source      *TrafficPeer
	// Destination is the receiving peer.
	Destination *TrafficPeer

	// PortProtocol is the port and protocol of the flow.
	PortProtocol *PortProtocol
}

type TrafficPeer

// TrafficPeer is one end of a Traffic: either an in-cluster peer described by
// Internal, or a peer known only by IP. IsExternal and Namespace are its accessors.
// NOTE(review): presumably IsExternal reports Internal == nil and Namespace reads
// Internal.Namespace — confirm against the implementations, including the nil case.
type TrafficPeer struct {
	// Internal describes the peer by pod/namespace labels when it is in-cluster.
	Internal *InternalPeer
	// IP is the peer's address.
	IP       string
}

func (*TrafficPeer) IsExternal

func (p *TrafficPeer) IsExternal() bool

func (*TrafficPeer) Namespace

func (p *TrafficPeer) Namespace() string
