
Constants

// Action feature tags. Each one names a kind of Action (see the Action struct
// and its constructors) and, from the naming, is presumably used as a string
// key in a Features map — so the exact spellings are part of the reporting
// contract and must not drift between versions.
const (
	// ActionFeatureCreatePolicy marks a step that creates a NetworkPolicy.
	ActionFeatureCreatePolicy = "action: create policy"
	// ActionFeatureDeletePolicy marks a step that deletes a NetworkPolicy.
	ActionFeatureDeletePolicy = "action: delete policy"
	// ActionFeatureReadPolicies marks a step that reads NetworkPolicies back.
	ActionFeatureReadPolicies = "action: read policies"
	// ActionFeatureSetPodLabels marks a step that relabels a pod.
	ActionFeatureSetPodLabels = "action: set pod labels"
	// ActionFeatureSetNamespaceLabels marks a step that relabels a namespace.
	ActionFeatureSetNamespaceLabels = "action: set namespace labels"
	// ActionFeatureUpdatePolicy marks a step that updates an existing NetworkPolicy.
	ActionFeatureUpdatePolicy = "action: update policy"
)
// Rule-count features: how many rules one direction of a policy carries.
// The buckets separate the no-rules shape (compare DenyAll / DenyAll2) from
// the single-rule and multi-rule shapes.
const (
	// RuleFeatureSliceEmpty: the rule slice is empty or nil.
	RuleFeatureSliceEmpty = "0 rules"
	// RuleFeatureSliceSize1: exactly one rule.
	RuleFeatureSliceSize1 = "1 rule"
	// RuleFeatureSliceSize2Plus: two or more rules.
	RuleFeatureSliceSize2Plus = "2+ rules"
)

// Port features: the shape of a rule's Ports slice and of its entries
// (numbered vs. named port, absent port or protocol, and which protocol).
const (
	// PeerFeaturePortSliceEmpty: no port/protocol entries.
	PeerFeaturePortSliceEmpty = "0 port/protocols"
	// PeerFeaturePortSliceSize1: one port/protocol entry.
	PeerFeaturePortSliceSize1 = "1 port/protocol"
	// PeerFeaturePortSliceSize2Plus: two or more port/protocol entries.
	PeerFeaturePortSliceSize2Plus = "2+ port/protocols"
	// PeerFeatureNumberedPort: a port given as an integer.
	PeerFeatureNumberedPort = "numbered port"
	// PeerFeatureNamedPort: a port given by container port name.
	PeerFeatureNamedPort = "named port"
	// PeerFeatureNilPort: the Port field is unset.
	PeerFeatureNilPort = "nil port"
	// PeerFeatureNilProtocol: the Protocol field is unset.
	PeerFeatureNilProtocol = "nil protocol"
	// PeerFeatureTCPProtocol / PeerFeatureUDPProtocol / PeerFeatureSCTPProtocol:
	// the explicit protocol on an entry.
	PeerFeatureTCPProtocol  = "TCP"
	PeerFeatureUDPProtocol  = "UDP"
	PeerFeatureSCTPProtocol = "SCTP"
)

// Peer features: the shape of a rule's Peers slice and of each peer — IPBlock
// with or without an except list, and the nil/empty/matchLabels/
// matchExpressions variants of the pod and namespace selectors.
const (
	// PeerFeaturePeerSliceEmpty: no peers in the rule.
	PeerFeaturePeerSliceEmpty = "0 peers"
	// PeerFeaturePeerSliceSize1: one peer.
	PeerFeaturePeerSliceSize1 = "1 peer"
	// PeerFeaturePeerSliceSize2Plus: two or more peers.
	PeerFeaturePeerSliceSize2Plus = "2+ peers"
	// PeerFeatureIPBlockEmptyExcept: an IPBlock peer with no except entries.
	PeerFeatureIPBlockEmptyExcept = "IPBlock (no except)"
	// PeerFeatureIPBlockNonemptyExcept: an IPBlock peer carrying except entries.
	PeerFeatureIPBlockNonemptyExcept = "IPBlock with except"
	// Pod selector variants on a peer.
	PeerFeaturePodSelectorNil              = "peer pod selector nil"
	PeerFeaturePodSelectorEmpty            = "peer pod selector empty"
	PeerFeaturePodSelectorMatchLabels      = "peer pod selector match labels"
	PeerFeaturePodSelectorMatchExpressions = "peer pod selector match expression"
	// Namespace selector variants on a peer.
	PeerFeatureNamespaceSelectorNil              = "peer namespace selector nil"
	PeerFeatureNamespaceSelectorEmpty            = "peer namespace selector empty"
	PeerFeatureNamespaceSelectorMatchLabels      = "peer namespace selector match labels"
	PeerFeatureNamespaceSelectorMatchExpressions = "peer namespace selector match expression"
)
// Target features: how the policy's own target (its namespace and
// podSelector) is expressed. Unlike the peer features above, these describe
// the workloads the policy applies to rather than the traffic it admits.
const (
	// TargetFeatureNamespaceEmpty: the target namespace is the empty string.
	TargetFeatureNamespaceEmpty = "target: empty namespace"
	// TargetFeaturePodSelectorEmpty: an empty podSelector (selects every pod in the namespace).
	TargetFeaturePodSelectorEmpty = "target: empty pod selector"
	// TargetFeaturePodSelectorMatchLabels: the target selects pods by matchLabels.
	TargetFeaturePodSelectorMatchLabels = "target: pod selector match labels"
	// TargetFeaturePodSelectorMatchExpressions: the target selects pods by matchExpressions.
	TargetFeaturePodSelectorMatchExpressions = "target: pod selector match expression"
)
// Policy-direction features: which traffic directions a generated policy
// declares. A policy with only one direction leaves the other unrestricted,
// so the three values are mutually exclusive descriptions of one policy.
const (
	// PolicyFeatureIngress: the policy restricts ingress only.
	PolicyFeatureIngress = "policy with ingress"
	// PolicyFeatureEgress: the policy restricts egress only.
	PolicyFeatureEgress = "policy with egress"
	// PolicyFeatureIngressAndEgress: the policy restricts both directions.
	PolicyFeatureIngressAndEgress = "policy with both ingress and egress"
)

Variables

var (
	// ExplicitAllowAll holds a single empty Rule. In NetworkPolicy terms a
	// rule with no peers and no ports matches all traffic, so this is the
	// explicit allow-everything shape (contrast DenyAll, which has no rules).
	ExplicitAllowAll = &NetpolPeers{
		Rules: []*Rule{
			{},
		},
	}
	// DenyAll carries no rules at all; a policy direction with an empty rule
	// list admits nothing.
	DenyAll = &NetpolPeers{
		Rules: nil,
	}
	// DenyAll2 should be identical to DenyAll -- but just in case :)
	// (nil slice above vs. empty non-nil slice here; the two may serialize
	// differently, which is presumably why both are kept — confirm with the
	// generators that consume them.)
	DenyAll2 = &NetpolPeers{
		Rules: []*Rule{},
	}

	// AllowAllPodsRule selects every pod in every namespace: an empty
	// NamespaceSelector matches all namespaces, and with no PodSelector or
	// IPBlock nothing else narrows the peer. Pod-based counterpart of
	// AllowAllByIPRule.
	AllowAllPodsRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{
			{
				NamespaceSelector: &metav1.LabelSelector{},
			},
		},
	}

	// AllowAllByPod wraps AllowAllPodsRule as the only rule.
	AllowAllByPod = &NetpolPeers{
		Rules: []*Rule{AllowAllPodsRule},
	}

	// AllowAllByIPRule admits the entire IPv4 address space. The CIDR is
	// IPv4-only, so on an IPv6 or dual-stack cluster IPv6 peers would not be
	// covered by this rule — keep that in mind when reading "allow all"
	// results.
	AllowAllByIPRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{
			{
				IPBlock: &networkingv1.IPBlock{
					CIDR: "0.0.0.0/0",
				},
			},
		},
	}

	// AllowAllByIP wraps AllowAllByIPRule as the only rule.
	AllowAllByIP = &NetpolPeers{
		Rules: []*Rule{AllowAllByIPRule},
	}

	// DenyAllByIPRule expresses "deny" as an allow rule over 0.0.0.0/31,
	// i.e. only the two addresses 0.0.0.0 and 0.0.0.1, which no workload is
	// expected to hold. NetworkPolicy has no explicit deny, so the deny
	// effect relies on the CNI applying IPBlock exactly and on no peer ever
	// having an address in that range; a CNI that treats 0.0.0.0/31 loosely
	// would make this look like an allow.
	DenyAllByIPRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{
			{
				IPBlock: &networkingv1.IPBlock{
					CIDR: "0.0.0.0/31",
				},
			},
		},
	}

	// DenyAllByIP wraps DenyAllByIPRule as the only rule.
	DenyAllByIP = &NetpolPeers{
		Rules: []*Rule{DenyAllByIPRule},
	}

	// DenyAllByPodRule expresses "deny" as an allow rule whose
	// NamespaceSelector requires a label no namespace is expected to carry
	// (see the key). PodSelector is explicitly nil so only the namespace
	// match decides. Like DenyAllByIPRule this is deny-by-unmatchable-allow,
	// so a test cluster must not actually label a namespace this way.
	DenyAllByPodRule = &Rule{
		Peers: []networkingv1.NetworkPolicyPeer{
			{
				PodSelector: nil,
				NamespaceSelector: &metav1.LabelSelector{
					MatchLabels: map[string]string{"this-will-never-happen": "qrs123"},
				},
			},
		},
	}

	// DenyAllByPod wraps DenyAllByPodRule as the only rule.
	DenyAllByPod = &NetpolPeers{
		Rules: []*Rule{DenyAllByPodRule},
	}
)
var (
	// AllowDNSRule permits a single port/protocol pair and names no peers,
	// so it admits that port towards any destination. udp and port53 are
	// package-level values not shown here; from their names this is UDP/53,
	// i.e. cluster DNS — confirm against their declarations. The
	// generators' AllowDNS flag presumably attaches this rule so name
	// resolution keeps working when egress is otherwise restricted.
	AllowDNSRule = &Rule{
		Ports: []NetworkPolicyPort{
			{
				Protocol: &udp,
				Port:     &port53,
			},
		},
	}

	// AllowDNSPeers wraps AllowDNSRule as the only rule.
	AllowDNSPeers = &NetpolPeers{
		Rules: []*Rule{AllowDNSRule},
	}
)
var (
	// TypicalNamespace is the default target namespace for the
	// "unidimensional typical" baseline (see FragmentGenerator).
	TypicalNamespace = "x"
	// TypicalTarget selects the baseline target pod by a single label;
	// MatchExpressions is explicitly nil so only matchLabels is exercised.
	TypicalTarget    = metav1.LabelSelector{
		MatchLabels:      map[string]string{"pod": "a"},
		MatchExpressions: nil,
	}
	// TypicalPorts is a single port entry. tcp and port80 are package-level
	// values not shown here; presumably TCP/80 — confirm against their
	// declarations.
	TypicalPorts = []NetworkPolicyPort{{Protocol: &tcp, Port: &port80}}
	// TypicalPeers is one peer that requires both a pod label and a
	// namespace label, so it matches pod "b" only in namespace "y".
	// NOTE(review): NetworkPolicyPeer is unqualified here while other blocks
	// use networkingv1.NetworkPolicyPeer — presumably a package-level alias;
	// confirm.
	TypicalPeers = []NetworkPolicyPeer{
		{
			PodSelector: &metav1.LabelSelector{
				MatchLabels: map[string]string{"pod": "b"},
			},
			NamespaceSelector: &metav1.LabelSelector{
				MatchLabels: map[string]string{"ns": "y"},
			},
		},
	}
)

Functions

func DefaultIPBlockPeers

func DefaultIPBlockPeers(podIP string) []NetworkPolicyPeer

func DefaultNamespaces

func DefaultNamespaces() []string

func DefaultPeers added in v0.2.1

func DefaultPeers(podIP string) []NetworkPolicyPeer

func DefaultPodPeers

func DefaultPodPeers() []NetworkPolicyPeer

func DefaultPorts

func DefaultPorts() []NetworkPolicyPort

func DefaultTargets

func DefaultTargets() []metav1.LabelSelector

func RunDiscreteGeneratorTests added in v0.2.1

func RunDiscreteGeneratorTests()

Types

type Action added in v0.1.0

// Action is one operation a TestStep performs against the cluster. Exactly
// one field must be non-nil: the struct models a discriminated union (sum
// type), and the set field selects the variant. Each variant has a
// constructor of the same name (CreatePolicy, UpdatePolicy, ...) and a
// matching ActionFeature* tag.
type Action struct {
	// CreatePolicy creates a new NetworkPolicy.
	CreatePolicy        *CreatePolicyAction
	// UpdatePolicy replaces an existing NetworkPolicy.
	UpdatePolicy        *UpdatePolicyAction
	// DeletePolicy removes a NetworkPolicy by namespace and name.
	DeletePolicy        *DeletePolicyAction
	// SetNamespaceLabels relabels a namespace (which can change which
	// NamespaceSelectors match it).
	SetNamespaceLabels  *SetNamespaceLabelsAction
	// SetPodLabels relabels a pod (which can change which PodSelectors match it).
	SetPodLabels        *SetPodLabelsAction
	// ReadNetworkPolicies reads back the policies in a set of namespaces.
	ReadNetworkPolicies *ReadNetworkPoliciesAction
}

Action: exactly one field must be non-nil. This models a discriminated union (sum type).

func CreatePolicy added in v0.1.0

func CreatePolicy(policy *networkingv1.NetworkPolicy) *Action

func DeletePolicy added in v0.1.0

func DeletePolicy(ns string, name string) *Action

func ReadNetworkPolicies added in v0.1.0

func ReadNetworkPolicies(namespaces []string) *Action

func SetNamespaceLabels added in v0.1.0

func SetNamespaceLabels(ns string, labels map[string]string) *Action

func SetPodLabels added in v0.1.0

func SetPodLabels(namespace string, pod string, labels map[string]string) *Action

func UpdatePolicy added in v0.1.0

func UpdatePolicy(policy *networkingv1.NetworkPolicy) *Action

type ConflictGenerator added in v0.0.10

// ConflictGenerator produces test cases from pairs of policies applied to a
// Source and a Destination target (see NetworkPolicies(source, dest)), so
// that the interaction of the two policies can be checked.
type ConflictGenerator struct {
	// AllowDNS, when set, presumably adds a DNS allow rule to generated
	// egress policies (compare AllowDNSPeers) — confirm in GenerateTestCases.
	AllowDNS    bool
	// Source is the target whose egress side is under test.
	Source      *NetpolTarget
	// Destination is the target whose ingress side is under test.
	Destination *NetpolTarget
}

func (*ConflictGenerator) GenerateTestCases added in v0.1.0

func (c *ConflictGenerator) GenerateTestCases() []*TestCase

func (*ConflictGenerator) NetworkPolicies added in v0.0.10

func (c *ConflictGenerator) NetworkPolicies(source *NetpolTarget, dest *NetpolTarget) []*TestCase

type CreatePolicyAction added in v0.1.0

// CreatePolicyAction is the Action variant that creates Policy in the
// cluster; build it with CreatePolicy.
type CreatePolicyAction struct {
	Policy *networkingv1.NetworkPolicy
}

type DeletePolicyAction added in v0.1.0

// DeletePolicyAction is the Action variant that deletes the NetworkPolicy
// identified by Namespace and Name; build it with DeletePolicy.
type DeletePolicyAction struct {
	Namespace string
	Name      string
}

type DiscreteGenerator added in v0.2.1

// DiscreteGenerator varies one policy dimension at a time against a fixed
// "typical" baseline. The baseline is meant to always behave predictably on
// a CNI with a known connectivity table while still allowing some traffic
// and denying other traffic, so that each perturbation shows up as a
// connectivity change for other pods. Construct with
// NewDefaultDiscreteGenerator.
type DiscreteGenerator struct {
	// AllowDNS, when set, presumably adds a DNS allow rule to generated
	// egress policies (compare AllowDNSPeers) — confirm in GenerateTestCases.
	AllowDNS bool

	// Dimensions that are varied: candidate port entries, pod peers, target
	// selectors and namespaces (see PortSlices, PeerSlices, RuleSlices).
	Ports      []NetworkPolicyPort
	PodPeers   []NetworkPolicyPeer
	Targets    []metav1.LabelSelector
	Namespaces []string

	// Baseline values for the ingress side of the typical policy.
	TypicalIngressPorts     []NetworkPolicyPort
	TypicalIngressPeers     []NetworkPolicyPeer
	TypicalIngressTarget    []metav1.LabelSelector
	TypicalIngressNamespace []string

	// Baseline values for the egress side of the typical policy.
	TypicalEgressPorts     []NetworkPolicyPort
	TypicalEgressPeers     []NetworkPolicyPeer
	TypicalEgressTarget    []metav1.LabelSelector
	TypicalEgressNamespace []string
}

We want a background "typical" policy that will always pass on a CNI with an expected connectivity table, but that also allows some traffic while denying other traffic. The perturbations to that base policy should then affect other pods.

func NewDefaultDiscreteGenerator added in v0.2.1

func NewDefaultDiscreteGenerator(allowDNS bool, podIP string) *DiscreteGenerator

func (*DiscreteGenerator) GenerateTestCases added in v0.2.1

func (g *DiscreteGenerator) GenerateTestCases() []*TestCase

func (*DiscreteGenerator) PeerSlices added in v0.2.1

func (g *DiscreteGenerator) PeerSlices() [][]NetworkPolicyPeer

func (*DiscreteGenerator) PortSlices added in v0.2.1

func (g *DiscreteGenerator) PortSlices() [][]NetworkPolicyPort

func (*DiscreteGenerator) RuleSlices added in v0.2.1

func (g *DiscreteGenerator) RuleSlices() [][]*Rule

func (*DiscreteGenerator) Rules added in v0.2.1

func (g *DiscreteGenerator) Rules() []*Rule

type ExampleGenerator added in v0.2.0

// ExampleGenerator is a TestCaseGenerator with no configuration: the struct
// has no fields, so GenerateTestCases produces a fixed set of cases.
type ExampleGenerator struct{}

func (*ExampleGenerator) GenerateTestCases added in v0.2.0

func (e *ExampleGenerator) GenerateTestCases() []*TestCase

type ExperimentalGenerator added in v0.2.1

// ExperimentalGenerator builds test cases from FeaturePolicy values (see
// Policies). Construct with NewExperimentalGenerator.
type ExperimentalGenerator struct {
	// PodIP is the pod address used to build IPBlock peers (compare
	// DefaultIPBlockPeers(podIP)).
	PodIP    string
	// AllowDNS, when set, presumably adds a DNS allow rule to generated
	// egress policies (compare AllowDNSPeers) — confirm in GenerateTestCases.
	AllowDNS bool
}

func NewExperimentalGenerator added in v0.2.1

func NewExperimentalGenerator(allowDNS bool, podIP string) *ExperimentalGenerator

func (*ExperimentalGenerator) GenerateTestCases added in v0.2.1

func (e *ExperimentalGenerator) GenerateTestCases() []*TestCase

func (*ExperimentalGenerator) Policies added in v0.2.1

func (e *ExperimentalGenerator) Policies() []*FeaturePolicy

type FeaturePolicy added in v0.2.1

// FeaturePolicy pairs a generated Netpol with the Features it exercises, so
// that a test case can report coverage alongside the policy. Assembled by
// BuildPolicy from a sequence of Pieces.
type FeaturePolicy struct {
	Features *Features
	Policy   *Netpol
}

func BuildPolicy added in v0.2.1

func BuildPolicy(pieces ...Piece) *FeaturePolicy

type Features added in v0.2.1

// Features records which policy features a test case or policy exercises,
// as string-keyed presence maps (the keys are presumably the *Feature*
// constants of this package). General holds direction-independent features;
// Ingress and Egress hold features specific to that direction. Combine
// merges two values and Strings flattens them for reporting.
type Features struct {
	General map[string]bool
	Ingress map[string]bool
	Egress  map[string]bool
}

func GetFeaturesForPolicy added in v0.2.1

func GetFeaturesForPolicy(policy *networkingv1.NetworkPolicy) *Features

func (*Features) Combine added in v0.2.1

func (f *Features) Combine(other *Features) *Features

func (*Features) Strings added in v0.2.1

func (f *Features) Strings() []string

type FragmentGenerator

// FragmentGenerator builds ingress, egress and combined policies by
// combining fragments drawn from its multidimensional fields, while the
// Typical* fields fix the other parts of each policy. Construct with
// NewDefaultFragmentGenerator.
type FragmentGenerator struct {
	// AllowDNS, when set, presumably adds a DNS allow rule to egress
	// policies (compare AllowDNSPeers and IngressEgressPolicies(allowDNS)).
	AllowDNS bool
	// multidimensional generation: the slices whose elements are combined
	// (see PortSlices, PeerSlices, RuleSlices and Rules).
	Ports      []NetworkPolicyPort
	PodPeers   []NetworkPolicyPeer
	Targets    []metav1.LabelSelector
	Namespaces []string
	// unidimensional typicals: single fixed values used wherever a policy
	// part is not being varied (compare the package-level Typical* vars).
	TypicalPorts     []NetworkPolicyPort
	TypicalPeers     []NetworkPolicyPeer
	TypicalTarget    metav1.LabelSelector
	TypicalNamespace string
}

func NewDefaultFragmentGenerator added in v0.0.9

func NewDefaultFragmentGenerator(allowDNS bool, namespaces []string, podIP string) *FragmentGenerator

func (*FragmentGenerator) EgressPolicies

func (g *FragmentGenerator) EgressPolicies() []*NetworkPolicy

func (*FragmentGenerator) FragmentEgressPolicies added in v0.0.9

func (g *FragmentGenerator) FragmentEgressPolicies() []*NetworkPolicy

func (*FragmentGenerator) FragmentIngressPolicies added in v0.0.9

func (g *FragmentGenerator) FragmentIngressPolicies() []*NetworkPolicy

func (*FragmentGenerator) FragmentPolicies added in v0.0.9

func (g *FragmentGenerator) FragmentPolicies() []*NetworkPolicy

func (*FragmentGenerator) GenerateTestCases added in v0.1.0

func (g *FragmentGenerator) GenerateTestCases() []*TestCase

func (*FragmentGenerator) IngressEgressPolicies

func (g *FragmentGenerator) IngressEgressPolicies(allowDNS bool) []*NetworkPolicy

func (*FragmentGenerator) IngressPolicies

func (g *FragmentGenerator) IngressPolicies() []*NetworkPolicy

func (*FragmentGenerator) PeerSlices

func (g *FragmentGenerator) PeerSlices() [][]NetworkPolicyPeer

func (*FragmentGenerator) PortSlices

func (g *FragmentGenerator) PortSlices() [][]NetworkPolicyPort

func (*FragmentGenerator) RuleSlices

func (g *FragmentGenerator) RuleSlices() [][]*Rule

func (*FragmentGenerator) Rules

func (g *FragmentGenerator) Rules() []*Rule

type Netpol

// Netpol is a NetworkPolicy split into the workloads it applies to (Target)
// and the traffic it admits in each direction (Ingress, Egress). Keeping
// rules as direction-neutral NetpolPeers avoids juggling the To/From and
// Ingress/Egress field pairs of the API type; NetworkPolicy and
// NetworkPolicySpec convert back. Ingress and Egress are pointers, so a nil
// side presumably means that direction is not declared at all (which leaves
// it unrestricted) rather than denied — confirm in NetworkPolicySpec.
type Netpol struct {
	Name        string
	Description string
	Target      *NetpolTarget
	Ingress     *NetpolPeers
	Egress      *NetpolPeers
}

Netpol helps us to avoid the To/From Ingress/Egress dance. By splitting a NetworkPolicy into Target and Peers, it makes them easier to manipulate.

func AllowAllEgressDenyAllIngress added in v0.0.10

func AllowAllEgressDenyAllIngress(source *NetpolTarget, dest *NetpolTarget) []*Netpol

func AllowAllIngressDenyAllEgress added in v0.0.10

func AllowAllIngressDenyAllEgress(source *NetpolTarget, dest *NetpolTarget) []*Netpol

func AllowDNSPolicy added in v0.1.0

func AllowDNSPolicy(source *NetpolTarget) *Netpol

func DenyAllEgressAllowAllEgress added in v0.0.10

func DenyAllEgressAllowAllEgress(source *NetpolTarget) []*Netpol

func DenyAllEgressAllowAllEgressByIP added in v0.0.10

func DenyAllEgressAllowAllEgressByIP(source *NetpolTarget) []*Netpol

func DenyAllEgressAllowAllEgressByPod added in v0.0.10

func DenyAllEgressAllowAllEgressByPod(source *NetpolTarget) []*Netpol

func DenyAllEgressByIP added in v0.0.10

func DenyAllEgressByIP(source *NetpolTarget) []*Netpol

func DenyAllEgressByIPAllowAllEgressByPod added in v0.0.10

func DenyAllEgressByIPAllowAllEgressByPod(source *NetpolTarget) []*Netpol

func DenyAllEgressByPod added in v0.0.10

func DenyAllEgressByPod(source *NetpolTarget) []*Netpol

func DenyAllEgressByPodAllowAllEgressByIP added in v0.0.10

func DenyAllEgressByPodAllowAllEgressByIP(source *NetpolTarget) []*Netpol

func DenyAllIngressAllowAllIngress added in v0.0.10

func DenyAllIngressAllowAllIngress(dest *NetpolTarget) []*Netpol

func DenyAllIngressAllowAllIngressByIP added in v0.0.10

func DenyAllIngressAllowAllIngressByIP(source *NetpolTarget) []*Netpol

func DenyAllIngressAllowAllIngressByPod added in v0.0.10

func DenyAllIngressAllowAllIngressByPod(source *NetpolTarget) []*Netpol

func DenyAllIngressByIP added in v0.0.10

func DenyAllIngressByIP(source *NetpolTarget) []*Netpol

func DenyAllIngressByIPAllowAllIngressByPod added in v0.0.10

func DenyAllIngressByIPAllowAllIngressByPod(source *NetpolTarget) []*Netpol

func DenyAllIngressByPod added in v0.0.10

func DenyAllIngressByPod(source *NetpolTarget) []*Netpol

func DenyAllIngressByPodAllowAllIngressByIP added in v0.0.10

func DenyAllIngressByPodAllowAllIngressByIP(source *NetpolTarget) []*Netpol

func (*Netpol) NetworkPolicy

func (n *Netpol) NetworkPolicy() *NetworkPolicy

func (*Netpol) NetworkPolicySpec added in v0.0.10

func (n *Netpol) NetworkPolicySpec() *NetworkPolicySpec

type NetpolPeers added in v0.0.10

// NetpolPeers is the rule list for one direction of a Netpol. A nil or
// empty Rules slice denies all traffic in that direction (see DenyAll and
// DenyAll2); a single empty Rule allows all (see ExplicitAllowAll).
type NetpolPeers struct {
	Rules []*Rule
}

type NetpolTarget added in v0.0.10

// NetpolTarget identifies the workloads a Netpol applies to: the policy's
// namespace and its podSelector. PodSelector is a value, not a pointer, so
// the zero value is an empty selector (which selects every pod in
// Namespace). Construct with NewNetpolTarget.
type NetpolTarget struct {
	Namespace   string
	PodSelector metav1.LabelSelector
}

func NewNetpolTarget added in v0.1.0

func NewNetpolTarget(namespace string, matchLabels map[string]string, matchExpressions []metav1.LabelSelectorRequirement) *NetpolTarget

type Piece added in v0.2.1

// Piece is one build step for a Netpol: it mutates policy in place and
// returns the Features that step introduces. BuildPolicy applies a sequence
// of Pieces and collects their Features into a FeaturePolicy; SetNamespace,
// SetPeers, SetPodSelector, SetPorts and SetRules construct Pieces.
type Piece func(policy *Netpol) *Features

func SetNamespace added in v0.2.1

func SetNamespace(ns string) Piece

func SetPeers added in v0.2.1

func SetPeers(isIngress bool, peers []NetworkPolicyPeer) Piece

func SetPodSelector added in v0.2.1

func SetPodSelector(sel metav1.LabelSelector) Piece

func SetPorts added in v0.2.1

func SetPorts(isIngress bool, ports []NetworkPolicyPort) Piece

func SetRules added in v0.2.1

func SetRules(isIngress bool, rules []*Rule) Piece

type PortProtocol added in v0.2.0

// PortProtocol names a single port/protocol pair to probe. Port is an
// IntOrString, so it can be a numbered or a named port.
type PortProtocol struct {
	Protocol v1.Protocol
	Port     intstr.IntOrString
}

type ProbeConfig added in v0.2.0

// ProbeConfig selects what a TestStep probes. Exactly one field must be set
// (AllAvailable true, or PortProtocol non-nil): the struct models a
// discriminated union (sum type).
type ProbeConfig struct {
	// AllAvailable probes every available port/protocol.
	AllAvailable bool
	// PortProtocol probes just this one port/protocol.
	PortProtocol *PortProtocol
}

ProbeConfig: exactly one field must be non-nil (or, in AllAvailable's case, non-false). This models a discriminated union (sum type).

type ReadNetworkPoliciesAction added in v0.1.0

// ReadNetworkPoliciesAction is the Action variant that reads the
// NetworkPolicies in Namespaces; build it with ReadNetworkPolicies.
type ReadNetworkPoliciesAction struct {
	Namespaces []string
}

type Rule

// Rule is a direction-neutral NetworkPolicy rule: the ports it admits and
// the peers it admits them for. Ingress and Egress convert it to the
// corresponding API rule types. Empty Ports or Peers slices are meaningful
// (an empty Rule admits everything, see ExplicitAllowAll).
type Rule struct {
	Ports []NetworkPolicyPort
	Peers []NetworkPolicyPeer
}

func (*Rule) Egress

func (r *Rule) Egress() NetworkPolicyEgressRule

func (*Rule) Ingress

func (r *Rule) Ingress() NetworkPolicyIngressRule

type SetNamespaceLabelsAction added in v0.1.0

// SetNamespaceLabelsAction is the Action variant that sets Labels on
// Namespace; build it with SetNamespaceLabels.
type SetNamespaceLabelsAction struct {
	Namespace string
	Labels    map[string]string
}

type SetPodLabelsAction added in v0.1.0

// SetPodLabelsAction is the Action variant that sets Labels on Pod in
// Namespace; build it with SetPodLabels.
type SetPodLabelsAction struct {
	Namespace string
	Pod       string
	Labels    map[string]string
}

type TestCase added in v0.1.0

// TestCase is a described sequence of TestSteps plus the Features it is
// tagged with. Construct with NewTestCase or NewSingleStepTestCase;
// GetFeatures and DerivedFeatures report coverage.
type TestCase struct {
	Description string
	Features    *Features
	Steps       []*TestStep
}

func NewSingleStepTestCase added in v0.1.0

func NewSingleStepTestCase(description string, pp *ProbeConfig, actions ...*Action) *TestCase

func NewTestCase added in v0.1.0

func NewTestCase(description string, steps ...*TestStep) *TestCase

func (*TestCase) DerivedFeatures added in v0.2.1

func (t *TestCase) DerivedFeatures(includePolicyFeatures bool) *Features

func (*TestCase) GetFeatures added in v0.2.1

func (t *TestCase) GetFeatures() *Features

type TestCaseGenerator added in v0.1.0

// TestCaseGenerator is anything that can produce a list of TestCases.
// Implemented (with pointer receivers) by ConflictGenerator,
// DiscreteGenerator, ExampleGenerator, ExperimentalGenerator,
// FragmentGenerator and UpstreamE2EGenerator.
type TestCaseGenerator interface {
	GenerateTestCases() []*TestCase
}

type TestStep added in v0.1.0

// TestStep is one step of a TestCase: a set of Actions to apply, and the
// Probe describing what connectivity to measure for that step. Construct
// with NewTestStep.
type TestStep struct {
	Probe   *ProbeConfig
	Actions []*Action
}

func NewTestStep added in v0.1.0

func NewTestStep(pp *ProbeConfig, actions ...*Action) *TestStep

type UpdatePolicyAction added in v0.1.0

// UpdatePolicyAction is the Action variant that updates an existing
// NetworkPolicy to Policy; build it with UpdatePolicy.
type UpdatePolicyAction struct {
	Policy *networkingv1.NetworkPolicy
}

type UpstreamE2EGenerator added in v0.1.0

// UpstreamE2EGenerator is a TestCaseGenerator with no configuration (no
// fields). From its name it presumably reproduces the upstream Kubernetes
// e2e NetworkPolicy cases — confirm in GenerateTestCases.
type UpstreamE2EGenerator struct{}

func (*UpstreamE2EGenerator) GenerateTestCases added in v0.1.0

func (u *UpstreamE2EGenerator) GenerateTestCases() []*TestCase
