Documentation ¶
Index ¶
- Variables
- func AccidentalAnd(namespace string, ...) *networkingv1.NetworkPolicy
- func AccidentalOr(namespace string, ...) *networkingv1.NetworkPolicy
- func AllowAllEgressNetworkingPolicy(namespace string) *networkingv1.NetworkPolicy
- func AllowAllIngressNetworkingPolicy(namespace string) *networkingv1.NetworkPolicy
- func AllowAllTo(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowAllTo_Version2(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowAllTo_Version3(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowAllTo_Version4(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowAllWithinNamespace(namespace string) *networkingv1.NetworkPolicy
- func AllowEgressOnPort(namespace string, targetLabels map[string]string, port int) *networkingv1.NetworkPolicy
- func AllowEgressToAllNamespacesOnPort(namespace string, targetLabels map[string]string, port int) *networkingv1.NetworkPolicy
- func AllowFromAnywhere(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowFromDifferentNamespaceWithLabelsTo(namespace string, fromLabels, namespaceLabels, toLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowFromMultipleTo(namespace string, fromLabels []map[string]string, ...) *networkingv1.NetworkPolicy
- func AllowFromNamespaceTo(namespace string, namespaceLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func AllowFromTo(namespace string, fromLabels map[string]string, toLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowFromToNsLabels(namespace string, selector metav1.LabelSelector, nsLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowNoEgressFromLabels(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowNoEgressFromNamespace(namespace string) *networkingv1.NetworkPolicy
- func AllowNoIngressNorEgress(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowNothingFrom(namespace string, selector metav1.LabelSelector) *networkingv1.NetworkPolicy
- func AllowNothingTo(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowNothingToAnything(namespace string) *networkingv1.NetworkPolicy
- func AllowNothingToEmptyIngress(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
- func AllowSpecificPortTo(namespace string, fromLabels, targetLabels map[string]string, targetPort int) *networkingv1.NetworkPolicy
- func ExampleComplicatedNetworkPolicy() *networkingv1.NetworkPolicy
- func LabelString(labels map[string]string) string
- type IPBlock
- type LabelSelector
- type LabelSelectorOperator
- type LabelSelectorRequirement
- type NetworkPolicyEgressRule
- type NetworkPolicyIngressRule
- type NetworkPolicyPeer
- type NetworkPolicyPort
- type NetworkPolicySpec
- type PolicyType
- type Protocol
Constants ¶
This section is empty.
Variables ¶
var ( SCTP = v1.ProtocolSCTP TCP = v1.ProtocolTCP UDP = v1.ProtocolUDP Port53 = intstr.FromInt(53) Port80 = intstr.FromInt(80) Port443 = intstr.FromInt(443) Port988 = intstr.FromInt(988) Port9001Ref = intstr.FromInt(9001) PortHello = intstr.FromString("hello") )
var ( LabelsAB = map[string]string{"a": "b"} LabelsCD = map[string]string{"b": "d"} LabelsEF = map[string]string{"e": "f"} LabelsGH = map[string]string{"g": "g"} SelectorAB = &metav1.LabelSelector{ MatchLabels: LabelsAB, } SelectorCD = &metav1.LabelSelector{ MatchLabels: LabelsCD, } SelectorEF = &metav1.LabelSelector{ MatchLabels: LabelsEF, } SelectorGH = &metav1.LabelSelector{ MatchLabels: LabelsGH, } SelectorEmpty = &metav1.LabelSelector{} Namespace = "pathological-namespace" IPBlock_10_0_0_1_24 = &networkingv1.IPBlock{CIDR: "10.0.0.1/24", Except: []string{ "10.0.0.2/30", }, } IPBlock_192_168_242_213_24 = &networkingv1.IPBlock{CIDR: "192.168.242.213/24"} )
var AllExamples = []*networkingv1.NetworkPolicy{ AllowNothingTo("default", map[string]string{"app": "web"}), AllowNothingToEmptyIngress("default", label("all", "web")), AllowFromTo("default", map[string]string{"app": "bookstore"}, map[string]string{"app": "bookstore", "role": "api"}), AllowAllTo("default", map[string]string{"app": "web"}), AllowNothingToAnything("default"), AllowAllWithinNamespace("default"), AccidentalAnd("default", label("a", "b"), label("user", "alice"), label("role", "client")), AccidentalOr("default", label("a", "b"), label("user", "alice"), label("role", "client")), AllowAllTo_Version2("default", label("app", "web")), AllowAllTo_Version3("default", label("app", "web")), AllowAllTo_Version4("default", label("app", "web")), AllowFromNamespaceTo("default", label("purpose", "production"), label("app", "web")), AllowFromDifferentNamespaceWithLabelsTo("default", label("type", "monitoring"), label("team", "operations"), label("app", "web")), AllowFromAnywhere("default", label("app", "web")), AllowSpecificPortTo("default", label("role", "monitoring"), label("app", "apiserver"), 5000), AllowFromMultipleTo( "default", []map[string]string{ {"app": "bookstore", "role": "search"}, {"app": "bookstore", "role": "api"}, {"app": "inventory", "role": "web"}, }, map[string]string{"app": "bookstore", "role": "db"}), AllowNoEgressFromLabels("default", label("app", "foo")), AllowEgressOnPort("default", label("app", "foo"), 53), AllowNoEgressFromNamespace("default"), AllowEgressToAllNamespacesOnPort("default", label("app", "foo"), 53), AllowNoIngressNorEgress("default", label("app", "foo")), }
var AllowAllEgress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-all-egress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, Egress: []networkingv1.NetworkPolicyEgressRule{ {}, }, }, }
var AllowAllIngress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-all-ingress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, Ingress: []networkingv1.NetworkPolicyIngressRule{ {}, }, }, }
var AllowAllIngressAllowAllEgress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-all-ingress-allow-all-egress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}, Egress: []networkingv1.NetworkPolicyEgressRule{ {}, }, Ingress: []networkingv1.NetworkPolicyIngressRule{ {}, }, }, }
var AllowAllPodsInAllNamespacesPeer = networkingv1.NetworkPolicyPeer{ PodSelector: nil, NamespaceSelector: &metav1.LabelSelector{}, }
var AllowAllPodsInAllNamespacesPeer_EmptyPodSelector = networkingv1.NetworkPolicyPeer{ PodSelector: &metav1.LabelSelector{}, NamespaceSelector: &metav1.LabelSelector{}, }
var AllowAllPodsInMatchingNamespacesPeer = networkingv1.NetworkPolicyPeer{ PodSelector: nil, NamespaceSelector: SelectorAB, }
var AllowAllPodsInMatchingNamespacesPeer_EmptyPodSelector = networkingv1.NetworkPolicyPeer{ PodSelector: &metav1.LabelSelector{}, NamespaceSelector: SelectorAB, }
var AllowAllPodsInPolicyNamespacePeer = networkingv1.NetworkPolicyPeer{ PodSelector: nil, NamespaceSelector: nil, }
var AllowAllPodsInPolicyNamespacePeer_EmptyPodSelector = networkingv1.NetworkPolicyPeer{ PodSelector: &metav1.LabelSelector{}, NamespaceSelector: nil, }
var AllowAllPortsOnProtocol = networkingv1.NetworkPolicyPort{ Protocol: &SCTP, Port: nil, }
var AllowIPBlockPeer = networkingv1.NetworkPolicyPeer{ IPBlock: IPBlock_10_0_0_1_24, }
var AllowMatchingPodsInAllNamespacesPeer = networkingv1.NetworkPolicyPeer{ PodSelector: SelectorEF, NamespaceSelector: &metav1.LabelSelector{}, }
var AllowMatchingPodsInMatchingNamespacesPeer = networkingv1.NetworkPolicyPeer{ PodSelector: SelectorGH, NamespaceSelector: SelectorAB, }
var AllowMatchingPodsInPolicyNamespacePeer = networkingv1.NetworkPolicyPeer{ PodSelector: SelectorCD, NamespaceSelector: nil, }
var AllowNamedPortOnProtocol = networkingv1.NetworkPolicyPort{ Protocol: &UDP, Port: &PortHello, }
var AllowNoEgress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-no-egress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, }, }
var AllowNoEgress_EmptyEgress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-no-egress-empty-egress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, Egress: []networkingv1.NetworkPolicyEgressRule{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress}, }, }
var AllowNoIngress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-no-ingress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, }, }
var AllowNoIngressAllowNoEgress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-no-ingress-allow-no-egress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}, }, }
var AllowNoIngressAllowNoEgress_EmptyEgressEmptyIngress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-no-ingress-allow-no-egress-empty-egress-empty-ingress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, Ingress: []networkingv1.NetworkPolicyIngressRule{}, Egress: []networkingv1.NetworkPolicyEgressRule{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeEgress, networkingv1.PolicyTypeIngress}, }, }
var AllowNoIngress_EmptyIngress = &networkingv1.NetworkPolicy{ ObjectMeta: metav1.ObjectMeta{ Name: "allow-no-ingress-empty-ingress", Namespace: Namespace, }, Spec: networkingv1.NetworkPolicySpec{ PodSelector: metav1.LabelSelector{}, Ingress: []networkingv1.NetworkPolicyIngressRule{}, PolicyTypes: []networkingv1.PolicyType{networkingv1.PolicyTypeIngress}, }, }
var AllowNumberedPortOnProtocol = networkingv1.NetworkPolicyPort{ Protocol: &TCP, Port: &Port9001Ref, }
Functions ¶
func AccidentalAnd ¶ added in v0.0.8
func AccidentalAnd(namespace string, targetLabels, ingressNamespaceLabels, ingressPodLabels map[string]string) *networkingv1.NetworkPolicy
ingress: - from: - namespaceSelector: matchLabels: user: alice podSelector: matchLabels: role: client
func AccidentalOr ¶ added in v0.0.8
func AccidentalOr(namespace string, targetLabels, ingressNamespaceLabels, ingressPodLabels map[string]string) *networkingv1.NetworkPolicy
ingress: - from: - namespaceSelector: matchLabels: user: alice - podSelector: matchLabels: role: client
func AllowAllEgressNetworkingPolicy ¶ added in v0.0.8
func AllowAllEgressNetworkingPolicy(namespace string) *networkingv1.NetworkPolicy
func AllowAllIngressNetworkingPolicy ¶ added in v0.0.8
func AllowAllIngressNetworkingPolicy(namespace string) *networkingv1.NetworkPolicy
func AllowAllTo ¶ added in v0.0.8
func AllowAllTo(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: web-allow-all Namespace: default
spec:
podSelector: matchLabels: app: web ingress: - {}
func AllowAllTo_Version2 ¶ added in v0.0.8
func AllowAllTo_Version2(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
Namespace: secondary name: web-allow-all-namespaces
spec:
podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: {}
func AllowAllTo_Version3 ¶ added in v0.0.8
func AllowAllTo_Version3(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
Namespace: secondary name: web-allow-all-namespaces
spec:
podSelector: matchLabels: app: web ingress: - from:
func AllowAllTo_Version4 ¶ added in v0.0.8
func AllowAllTo_Version4(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy
func AllowAllWithinNamespace ¶ added in v0.0.8
func AllowAllWithinNamespace(namespace string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
Namespace: secondary name: deny-from-other-namespaces
spec:
podSelector: matchLabels: ingress: - from: - podSelector: {}
func AllowEgressOnPort ¶ added in v0.0.8
func AllowEgressOnPort(namespace string, targetLabels map[string]string, port int) *networkingv1.NetworkPolicy
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:
name: foo-deny-egress
spec:
podSelector: matchLabels: app: foo policyTypes: - Egress egress: # allow DNS resolution - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP
func AllowEgressToAllNamespacesOnPort ¶ added in v0.0.8
func AllowEgressToAllNamespacesOnPort(namespace string, targetLabels map[string]string, port int) *networkingv1.NetworkPolicy
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:
name: foo-deny-external-egress
spec:
podSelector: matchLabels: app: foo policyTypes: - Egress egress: - ports: - port: 53 protocol: UDP - port: 53 protocol: TCP to: - namespaceSelector: {}
func AllowFromAnywhere ¶ added in v0.0.8
func AllowFromAnywhere(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
https://github.com/ahmetb/kubernetes-network-policy-recipes/blob/master/08-allow-external-traffic.md
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: web-allow-external
spec:
podSelector: matchLabels: app: web ingress: - from: []
func AllowFromDifferentNamespaceWithLabelsTo ¶ added in v0.0.8
func AllowFromDifferentNamespaceWithLabelsTo(namespace string, fromLabels, namespaceLabels, toLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: web-allow-all-ns-monitoring Namespace: default
spec:
podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: # chooses all pods in namespaces labelled with team=operations matchLabels: team: operations podSelector: # chooses pods with type=monitoring matchLabels: type: monitoring
func AllowFromMultipleTo ¶ added in v0.0.8
func AllowFromMultipleTo(namespace string, fromLabels []map[string]string, targetLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: redis-allow-services
spec:
podSelector: matchLabels: app: bookstore role: db ingress: - from: - podSelector: matchLabels: app: bookstore role: search - podSelector: matchLabels: app: bookstore role: api - podSelector: matchLabels: app: inventory role: web
func AllowFromNamespaceTo ¶ added in v0.0.8
func AllowFromNamespaceTo(namespace string, namespaceLabels map[string]string, toLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: web-allow-prod
spec:
podSelector: matchLabels: app: web ingress: - from: - namespaceSelector: matchLabels: purpose: production
func AllowFromTo ¶ added in v0.0.8
func AllowFromTo(namespace string, fromLabels map[string]string, toLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: api-allow
spec:
podSelector: matchLabels: app: bookstore role: api ingress: - from: - podSelector: matchLabels: app: bookstore
func AllowFromToNsLabels ¶ added in v0.0.8
func AllowFromToNsLabels(namespace string, selector metav1.LabelSelector, nsLabels map[string]string) *networkingv1.NetworkPolicy
func AllowNoEgressFromLabels ¶ added in v0.0.8
func AllowNoEgressFromLabels(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:
name: foo-deny-egress
spec:
podSelector: matchLabels: app: foo policyTypes: - Egress egress: []
func AllowNoEgressFromNamespace ¶ added in v0.0.8
func AllowNoEgressFromNamespace(namespace string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: default-deny-all-egress Namespace: default
spec:
policyTypes: - Egress podSelector: {} egress: []
func AllowNoIngressNorEgress ¶ added in v0.0.8
func AllowNoIngressNorEgress(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata:
name: allow-nothing
spec:
podSelector: matchLabels: app: foo policyTypes: - Egress - Ingress
func AllowNothingFrom ¶ added in v0.0.8
func AllowNothingFrom(namespace string, selector metav1.LabelSelector) *networkingv1.NetworkPolicy
func AllowNothingTo ¶ added in v0.0.8
func AllowNothingTo(namespace string, toLabels map[string]string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: web-deny-all
spec:
podSelector: matchLabels: app: web ingress: []
func AllowNothingToAnything ¶ added in v0.0.8
func AllowNothingToAnything(namespace string) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: default-deny-all Namespace: default
spec:
podSelector: {} ingress: []
func AllowNothingToEmptyIngress ¶ added in v0.0.8
func AllowNothingToEmptyIngress(namespace string, targetLabels map[string]string) *networkingv1.NetworkPolicy
Same as above, but with empty slice instead of nil slice
func AllowSpecificPortTo ¶ added in v0.0.8
func AllowSpecificPortTo(namespace string, fromLabels, targetLabels map[string]string, targetPort int) *networkingv1.NetworkPolicy
kind: NetworkPolicy apiVersion: networking.k8s.io/v1 metadata:
name: api-allow-5000
spec:
podSelector: matchLabels: app: apiserver ingress: - ports: - port: 5000 from: - podSelector: matchLabels: role: monitoring
func ExampleComplicatedNetworkPolicy ¶ added in v0.0.8
func ExampleComplicatedNetworkPolicy() *networkingv1.NetworkPolicy
func LabelString ¶ added in v0.0.8
Types ¶
type LabelSelector ¶
type LabelSelector struct { MatchLabels map[string]string MatchExpressions []LabelSelectorRequirement // metav1.LabelSelectorRequirement }
type LabelSelectorOperator ¶
type LabelSelectorOperator string
const ( LabelSelectorOpIn LabelSelectorOperator = "In" LabelSelectorOpNotIn LabelSelectorOperator = "NotIn" LabelSelectorOpExists LabelSelectorOperator = "Exists" LabelSelectorOpDoesNotExist LabelSelectorOperator = "DoesNotExist" )
type LabelSelectorRequirement ¶
type LabelSelectorRequirement struct { Key string Operator LabelSelectorOperator // metav1.LabelSelectorOperator Values []string }
type NetworkPolicyEgressRule ¶
type NetworkPolicyEgressRule struct { Ports []NetworkPolicyPort To []NetworkPolicyPeer }
type NetworkPolicyIngressRule ¶
type NetworkPolicyIngressRule struct { Ports []NetworkPolicyPort // networkingv1.NetworkPolicyPort From []NetworkPolicyPeer // networkingv1.NetworkPolicyPeer }
type NetworkPolicyPeer ¶
type NetworkPolicyPeer struct { PodSelector *LabelSelector // metav1.LabelSelector NamespaceSelector *LabelSelector // metav1.LabelSelector IPBlock *IPBlock // networkingv1.IPBlock }
type NetworkPolicyPort ¶
type NetworkPolicyPort struct { Protocol *Protocol // v1.Protocol Port *intstr.IntOrString }
type NetworkPolicySpec ¶
type NetworkPolicySpec struct { PodSelector LabelSelector // metav1.LabelSelector Ingress []NetworkPolicyIngressRule // networkingv1.NetworkPolicyIngressRule Egress []NetworkPolicyEgressRule // networkingv1.NetworkPolicyEgressRule PolicyTypes []PolicyType // networkingv1.PolicyType }
type PolicyType ¶
type PolicyType string
const ( PolicyTypeIngress PolicyType = "Ingress" PolicyTypeEgress PolicyType = "Egress" )