Documentation
¶
Index ¶
- Variables
- type AnyExternalPeerMatcher
- type AnyInternalPeerMatcher
- type AnyPortMatcher
- type AnyProtocolMatcher
- type AnythingPeerMatcher
- type IPBlockPeerMatcher
- type InternalLabelsPeerMatcher
- type NothingPeerMatcher
- type Peer
- type PeerMatcher
- type Policies
- type Policy
- type PortMatcher
- type ProtocolMatcher
- type ProtocolPortMatcher
- type RangePortMatcher
- type SameNamespacePeerMatcher
- type SpecifiedPortsPortMatcher
- type SpecifiedProtocolMatcher
- type Traffic
Constants ¶
This section is empty.
Variables ¶
View Source
var AllTargetsAllPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnythingPeerMatcher{}, PeerMatcher: &AnythingPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
All/All
View Source
var AllTargetsExternalPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnythingPeerMatcher{}, PeerMatcher: &AnyExternalPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
All/External
View Source
var AllTargetsInternalPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnythingPeerMatcher{}, PeerMatcher: &AnyInternalPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
All/Internal
View Source
var AllTargetsNoPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnythingPeerMatcher{}, PeerMatcher: &NothingPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
All/None
View Source
var AnyProtocolPortMatcher = &ProtocolPortMatcher{ PortMatcher: &AnyPortMatcher{}, ProtocolMatcher: &AnyProtocolMatcher{}, }
View Source
var InternalTargetsAllPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnyInternalPeerMatcher{}, PeerMatcher: &AnythingPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
Internal/All
View Source
var InternalTargetsExternalPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnyInternalPeerMatcher{}, PeerMatcher: &AnyExternalPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
Internal/External
View Source
var InternalTargetsInternalPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnyInternalPeerMatcher{}, PeerMatcher: &AnyInternalPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
Internal/Internal
View Source
var InternalTargetsNoPeers = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnyInternalPeerMatcher{}, PeerMatcher: &NothingPeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
Internal/None
View Source
var PodLabelTargetNamespaceLabelPeer = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &InternalLabelsPeerMatcher{ PodSelector: metav1.LabelSelector{ MatchLabels: map[string]string{ "app": "web", }, }, }, PeerMatcher: &InternalLabelsPeerMatcher{ NamespaceSelector: metav1.LabelSelector{ MatchLabels: map[string]string{ "stage": "dev", }, }, }, PortMatcher: AnyProtocolPortMatcher, }
View Source
var SameNamespaceTargetAndPeer = &Policy{ Type: networkingv1.PolicyTypeIngress, TargetMatcher: &AnyInternalPeerMatcher{}, PeerMatcher: &SameNamespacePeerMatcher{}, PortMatcher: AnyProtocolPortMatcher, }
Functions ¶
This section is empty.
Types ¶
type AnyExternalPeerMatcher ¶
type AnyExternalPeerMatcher struct{}
AnyExternalPeerMatcher matches anything NOT in the same kube cluster
func (*AnyExternalPeerMatcher) IsPeerMatch ¶
func (aepm *AnyExternalPeerMatcher) IsPeerMatch(peer *Peer) bool
type AnyInternalPeerMatcher ¶
type AnyInternalPeerMatcher struct{}
AnyInternalPeerMatcher matches any pod in the same kube clusters
func (*AnyInternalPeerMatcher) IsPeerMatch ¶
func (aipm *AnyInternalPeerMatcher) IsPeerMatch(peer *Peer) bool
type AnyPortMatcher ¶
type AnyPortMatcher struct{}
AnyPortMatcher matches any port
func (*AnyPortMatcher) IsPortMatch ¶
func (apm *AnyPortMatcher) IsPortMatch(port intstr.IntOrString) bool
type AnyProtocolMatcher ¶
type AnyProtocolMatcher struct{}
func (*AnyProtocolMatcher) IsProtocolMatch ¶
func (apm *AnyProtocolMatcher) IsProtocolMatch(protocol v1.Protocol) bool
type AnythingPeerMatcher ¶
type AnythingPeerMatcher struct{}
AnythingPeerMatcher matches anything
func (*AnythingPeerMatcher) IsPeerMatch ¶
func (apm *AnythingPeerMatcher) IsPeerMatch(peer *Peer) bool
type IPBlockPeerMatcher ¶
IPBlockPeerMatcher matches based on the peer IP
func (*IPBlockPeerMatcher) IsPeerMatch ¶
func (ibpm *IPBlockPeerMatcher) IsPeerMatch(peer *Peer) bool
type InternalLabelsPeerMatcher ¶
type InternalLabelsPeerMatcher struct {
Namespace string
NamespaceSelector metav1.LabelSelector
Node string
NodeSelector metav1.LabelSelector
Pod string
PodSelector metav1.LabelSelector
}
InternalLabelsPeerMatcher matches pods based on: - namespace name and labels - node name and labels - pod name and labels It never matches external Peers. Corner cases: - all selectors empty: matches all internal traffic (should use AnyInternalPeerMatcher instead) - must match all selectors -- Namespace, Node, and Pod
- if it matches Namespace but not Node -- no match
- use case: match by Namespace but ignore Nodes and Pods: specify a non-empty Namespace selector, and empty Node and Pod selectors
func (*InternalLabelsPeerMatcher) IsPeerMatch ¶
func (ilpm *InternalLabelsPeerMatcher) IsPeerMatch(peer *Peer) bool
type NothingPeerMatcher ¶
type NothingPeerMatcher struct{}
NothingPeerMatcher matches nothing
func (*NothingPeerMatcher) IsPeerMatch ¶
func (npm *NothingPeerMatcher) IsPeerMatch(peer *Peer) bool
type Peer ¶
type Peer struct {
Internal *struct {
PodLabels map[string]string
Pod string
NamespaceLabels map[string]string
Namespace string
NodeLabels map[string]string
Node string
}
IP string
}
func (*Peer) IsExternal ¶
type PeerMatcher ¶
type Policies ¶
type Policies struct {
Policies []*Policy
}
func (*Policies) Allows ¶
Allows decides whether traffic is allowed based on:
- did any policy match the Traffic target match = same PolicyType and Traffic target matches rule target
- if no policy matches the traffic target => automatic allow
- if >= 1 policy matches the traffic target: if >=1 policy matches the Peer and Port/Protocol => allow if 0 policy matches Peer+Port+Protocol => deny
type Policy ¶
type Policy struct {
Type networkingv1.PolicyType
TargetMatcher PeerMatcher
PeerMatcher PeerMatcher
PortMatcher *ProtocolPortMatcher
}
func (*Policy) Allows ¶
Allows returns: - `false, false` if the policy doesn't match the traffic target - `true, false` if the policy matches the traffic target, but doesn't allow the traffic - `true, true` if the policy matches the traffic target, and *does* allow the traffic In order to allow the traffic, ALL of the following must be matched: - Peer - Port - Protocol
func (*Policy) IsMatchForTarget ¶
type PortMatcher ¶
type PortMatcher interface {
IsPortMatch(intstr.IntOrString) bool
}
type ProtocolMatcher ¶
type ProtocolPortMatcher ¶
type ProtocolPortMatcher struct {
PortMatcher PortMatcher
ProtocolMatcher ProtocolMatcher
}
func (*ProtocolPortMatcher) IsProtocolPortMatch ¶
func (pm *ProtocolPortMatcher) IsProtocolPortMatch(protocol v1.Protocol, port intstr.IntOrString) bool
type RangePortMatcher ¶
RangePortMatcher implements a port range of [Low, High) Thus, the lower bound IS included in the range, and the upper bound is NOT included in the range.
func (*RangePortMatcher) IsPortMatch ¶
func (rpm *RangePortMatcher) IsPortMatch(port intstr.IntOrString) bool
type SameNamespacePeerMatcher ¶
type SameNamespacePeerMatcher struct{}
func (*SameNamespacePeerMatcher) IsPeerMatch ¶
func (snpm *SameNamespacePeerMatcher) IsPeerMatch(peer *Peer) bool
type SpecifiedPortsPortMatcher ¶
func (*SpecifiedPortsPortMatcher) IsPortMatch ¶
func (sppm *SpecifiedPortsPortMatcher) IsPortMatch(port intstr.IntOrString) bool
type SpecifiedProtocolMatcher ¶
func (*SpecifiedProtocolMatcher) IsProtocolMatch ¶
func (spm *SpecifiedProtocolMatcher) IsProtocolMatch(protocol v1.Protocol) bool
Source Files
Click to show internal directories.
Click to hide internal directories.