package v2

Version v0.2.5 (not the latest version of this module). Published: Oct 24, 2023. License: MIT. Imports: 12. Imported by: 11.

Documentation

Overview

+kubebuilder:object:generate=true
+groupName=firewall.metal-stack.io

Validating webhooks (mutating=false) for create and update of all three resources. They fail closed: failurePolicy=fail means an unreachable webhook rejects the request instead of letting it through.

+kubebuilder:webhook:path=/validate-firewall-metal-stack-io-v2-firewall,mutating=false,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalls,verbs=create;update,versions=v2,name=firewall.metal-stack.io,sideEffects=None,admissionReviewVersions=v1
+kubebuilder:webhook:path=/validate-firewall-metal-stack-io-v2-firewallset,mutating=false,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewallsets,verbs=create;update,versions=v2,name=firewallset.metal-stack.io,sideEffects=None,admissionReviewVersions=v1
+kubebuilder:webhook:path=/validate-firewall-metal-stack-io-v2-firewalldeployment,mutating=false,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalldeployments,verbs=create;update,versions=v2,name=firewalldeployment.metal-stack.io,sideEffects=None,admissionReviewVersions=v1

Mutating (defaulting) webhooks, registered for create only, also failing closed:

+kubebuilder:webhook:path=/mutate-firewall-metal-stack-io-v2-firewall,mutating=true,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalls,verbs=create,versions=v2,name=firewall.metal-stack.io,sideEffects=None,admissionReviewVersions=v1
+kubebuilder:webhook:path=/mutate-firewall-metal-stack-io-v2-firewallset,mutating=true,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewallsets,verbs=create,versions=v2,name=firewallset.metal-stack.io,sideEffects=None,admissionReviewVersions=v1
+kubebuilder:webhook:path=/mutate-firewall-metal-stack-io-v2-firewalldeployment,mutating=true,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalldeployments,verbs=create,versions=v2,name=firewalldeployment.metal-stack.io,sideEffects=None,admissionReviewVersions=v1

Constants

const (
	// FirewallNoControllerConnectionAnnotation can be set on the firewall resource to indicate
	// that the firewall-controller does not connect to the firewall monitor. The replica set
	// then becomes healthy without a controller connection.
	//
	// This can be useful to silence a problem temporarily and was used in the past for the migration of firewall-controller v1.
	FirewallNoControllerConnectionAnnotation = "firewall.metal-stack.io/no-controller-connection"
	// FirewallControllerManagedByAnnotation is used as a tag when creating a firewall to indicate who manages the firewall.
	FirewallControllerManagedByAnnotation = "firewall.metal-stack.io/managed-by"
	// FirewallWeightAnnotation is considered when deciding which firewall is thrown away on scale down.
	// Value must be parsable as an integer. Firewalls with higher weight are kept longer.
	// Defaults to 0 if no annotation is present. Negative values are allowed.
	FirewallWeightAnnotation = "firewall.metal-stack.io/weight"
	// FirewallControllerManager is the name of the firewall-controller-manager managing the firewall.
	FirewallControllerManager = "firewall-controller-manager"
)
const (
	// FirewallControllerSetAnnotation is a tag added to the firewall entity indicating which set the firewall belongs to.
	// Note that the key reads "metal.stack.io", not "metal-stack.io" like the other annotation keys in this package.
	FirewallControllerSetAnnotation = "firewall.metal.stack.io/set"

	FirewallShortestDistance         = FirewallDistance(0)
	FirewallRollingUpdateSetDistance = FirewallDistance(3)
	FirewallLongestDistance          = FirewallDistance(8)

	// FirewallMaxReplicas defines the maximum amount of firewall replicas to be defined.
	// It does not make sense to allow large values here as it wastes a lot of machines.
	FirewallMaxReplicas = 4
)
const (
	FinalizerName      = "firewall.metal-stack.io/firewall-controller-manager"
	RollSetAnnotation  = "firewall.metal-stack.io/roll-set"
	RevisionAnnotation = "firewall.metal-stack.io/revision"
)
const (
	// FirewallShootNamespace is the name of the namespace to which the firewall monitor gets deployed and in which the firewall-controller operates
	FirewallShootNamespace = "firewall"
)

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "firewall.metal-stack.io", Version: "v2"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

func FirewallManagedByTag

func FirewallManagedByTag() string

func FirewallSetTag

func FirewallSetTag(setName string) string

func IsAnnotationTrue added in v0.1.5

func IsAnnotationTrue(o client.Object, key string) bool

IsAnnotationTrue returns true if the given object has an annotation with a given key and the value of this annotation is a true boolean.

func SkipRollSetAnnotationRemoval

func SkipRollSetAnnotationRemoval() predicate.Funcs

SkipRollSetAnnotationRemoval returns a predicate that filters out the update event in which the roll-set annotation (RollSetAnnotation) was cleaned up.

func SortFirewallsByImportance added in v0.2.0

func SortFirewallsByImportance(fws []*Firewall)

SortFirewallsByImportance sorts the given firewall slice by importance, e.g. for scale down.

It considers criteria for which firewalls should be kept longest and which ones can be deleted first. The precedence is:

- Weight annotation (prefer higher weight, defaults to 0 if no annotation is present)
- Firewall lifecycle phase (connected > ready > created, prefer shorter distance when equal)
- Firewall age (prefer younger firewalls)

The firewalls at the beginning of the slice should be kept as long as possible. The firewalls at the end of the slice should be removed first.

The firewalls can be popped off from the slice in a deletion loop.
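The documented precedence, written out as a stand-alone example (added here; this is not the package's own implementation). The Firewall stand-in type, the reduction of conditions to the set of condition types that are True, and the sample firewalls are assumptions of the example; treating an unparsable weight annotation as 0 is one too, the documentation only defines the missing-annotation case.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"time"
)

// Stand-in for the documented v2 Firewall (assumption: not the project's own
// type; conditions are reduced to the set of condition types that are True).
type ConditionType string

const (
	FirewallCreated             ConditionType = "Created"
	FirewallReady               ConditionType = "Ready"
	FirewallControllerConnected ConditionType = "Connected"
	FirewallWeightAnnotation                  = "firewall.metal-stack.io/weight"
)

type Firewall struct {
	Name        string
	Annotations map[string]string
	Distance    uint8                  // as-path length; shorter attracts more traffic
	Has         map[ConditionType]bool // condition types whose status is True
	Created     time.Time              // allocation time, used for the age tiebreak
}

// weight reads the weight annotation: absent means 0, negative values count.
// Treating an unparsable value as 0 is an assumption of this example.
func weight(f *Firewall) int {
	w, _ := strconv.Atoi(f.Annotations[FirewallWeightAnnotation]) // error -> 0
	return w
}

// lifecycleRank encodes the documented precedence connected > ready > created.
func lifecycleRank(f *Firewall) int {
	for i, t := range []ConditionType{FirewallControllerConnected, FirewallReady, FirewallCreated} {
		if f.Has[t] {
			return 3 - i
		}
	}
	return 0
}

// SortFirewallsByImportance orders fws so the firewall to keep longest comes
// first and the one to delete first comes last.
func SortFirewallsByImportance(fws []*Firewall) {
	sort.SliceStable(fws, func(i, j int) bool {
		a, b := fws[i], fws[j]
		if wa, wb := weight(a), weight(b); wa != wb {
			return wa > wb // higher weight is kept longer
		}
		if ra, rb := lifecycleRank(a), lifecycleRank(b); ra != rb {
			return ra > rb // connected > ready > created
		}
		if a.Distance != b.Distance {
			return a.Distance < b.Distance // shorter distance wins on equal phase
		}
		return a.Created.After(b.Created) // younger firewalls are kept longer
	})
}

// DeletionOrder pops firewalls off the end of a sorted slice, the way a
// scale-down loop consumes it, and returns the names in deletion order.
func DeletionOrder(fws []*Firewall) []string {
	var out []string
	for len(fws) > 0 {
		out = append(out, fws[len(fws)-1].Name)
		fws = fws[:len(fws)-1]
	}
	return out
}

// SampleFirewalls is constructed input for the demo, not data from a cluster.
func SampleFirewalls() []*Firewall {
	t0 := time.Date(2023, 10, 24, 0, 0, 0, 0, time.UTC)
	mk := func(name, w string, dist uint8, age time.Duration, conds ...ConditionType) *Firewall {
		fw := &Firewall{Name: name, Annotations: map[string]string{}, Distance: dist,
			Has: map[ConditionType]bool{}, Created: t0.Add(age)}
		if w != "" {
			fw.Annotations[FirewallWeightAnnotation] = w
		}
		for _, c := range conds {
			fw.Has[c] = true
		}
		return fw
	}
	all := []ConditionType{FirewallCreated, FirewallReady, FirewallControllerConnected}
	return []*Firewall{
		mk("twin-old", "", 3, 0, FirewallCreated),
		mk("negative", "-1", 0, 4*time.Hour, all...),
		mk("fresh-created", "", 3, 3*time.Hour, FirewallCreated),
		mk("connected-far", "", 3, time.Hour, all...),
		mk("old-connected", "", 0, 0, all...),
		mk("staging-ready", "", 3, time.Hour, FirewallCreated, FirewallReady),
		mk("new-connected-heavy", "5", 3, 2*time.Hour, all...),
		mk("twin-young", "", 3, 5*time.Hour, FirewallCreated),
	}
}

func main() {
	fws := SampleFirewalls()
	SortFirewallsByImportance(fws)
	fmt.Println("delete first:", DeletionOrder(fws))
}
```

Two things worth noticing in the sample: the negatively weighted firewall is deleted before a merely created one even though it is connected, because weight is the first criterion, and among the two connected firewalls of equal weight the one at distance 0 outlives the one at distance 3.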

Types

type Condition

type Condition struct {
	// Type of the condition.
	Type ConditionType `json:"type"`
	// Status of the condition, one of True, False, Unknown.
	Status ConditionStatus `json:"status"`
	// Last time the condition transitioned from one status to another.
	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
	// Last time the condition was updated.
	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
	// The reason for the condition's last transition.
	Reason string `json:"reason"`
	// A human readable message indicating details about the transition.
	Message string `json:"message"`
}

Condition holds the information about the state of a resource.

func NewCondition

func NewCondition(t ConditionType, status ConditionStatus, reason, message string) Condition

NewCondition creates a new condition.

func (*Condition) DeepCopy

func (in *Condition) DeepCopy() *Condition

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.

func (*Condition) DeepCopyInto

func (in *Condition) DeepCopyInto(out *Condition)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ConditionStatus

type ConditionStatus string

ConditionStatus is the status of a condition.

const (
	// ConditionTrue means a resource is in the condition.
	ConditionTrue ConditionStatus = "True"
	// ConditionFalse means a resource is not in the condition.
	ConditionFalse ConditionStatus = "False"
	// ConditionUnknown means the controller can't decide if a resource is in the condition or not.
	ConditionUnknown ConditionStatus = "Unknown"
)

type ConditionType

type ConditionType string

ConditionType is a string alias.

const (
	// FirewallCreated indicates if the firewall was created at the metal-api
	FirewallCreated ConditionType = "Created"
	// FirewallReady indicates that the firewall is running and, according to the metal-api, in a healthy, working state
	FirewallReady ConditionType = "Ready"
	// FirewallControllerConnected indicates that the firewall-controller running on the firewall is reconciling the firewall resource
	FirewallControllerConnected ConditionType = "Connected"
	// FirewallMonitorDeployed indicates that the firewall monitor is deployed into the shoot cluster
	FirewallMonitorDeployed ConditionType = "MonitorDeployed"
	// FirewallDistanceConfigured indicates that the firewall-controller has configured the given firewall distance.
	FirewallDistanceConfigured ConditionType = "Distance"
)
const (
	// FirewallDeplomentAvailable indicates whether the deployment has reached the desired amount of replicas or not.
	FirewallDeplomentAvailable ConditionType = "Available"
	// FirewallDeplomentProgressing indicates whether the deployment is still progressing towards the desired state.
	FirewallDeplomentProgressing ConditionType = "Progressing"
	// FirewallDeplomentRBACProvisioned indicates whether the rbac permissions for the firewall-controller to communicate with the api server were provisioned.
	FirewallDeplomentRBACProvisioned ConditionType = "RBACProvisioned"
)

type Conditions

type Conditions []Condition

func (Conditions) DeepCopy

func (in Conditions) DeepCopy() Conditions

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Conditions.

func (Conditions) DeepCopyInto

func (in Conditions) DeepCopyInto(out *Conditions)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (Conditions) Get

func (cs Conditions) Get(t ConditionType) *Condition

Get returns the condition with the provided type, or nil if there is none.

func (*Conditions) Remove

func (cs *Conditions) Remove(t ConditionType)

Remove removes the condition with the provided type.

func (*Conditions) Set

func (cs *Conditions) Set(condition Condition)

Set updates the conditions to include the provided condition. If a condition of that type already exists with the same status, reason and message, nothing is updated.
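The Get, Remove and Set semantics described above as a self-contained example (added here, not the package's own code). It uses plain time.Time instead of metav1.Time so it runs without apimachinery, a clock hook so timestamps can be fixed, and constructed reason strings; the rule that a change of reason or message alone keeps the old LastTransitionTime is an assumption derived from the field's doc string ("last time the condition transitioned from one status to another"), not something the page states for Set.

```go
package main

import (
	"fmt"
	"time"
)

type ConditionType string
type ConditionStatus string

const (
	ConditionTrue  ConditionStatus = "True"
	ConditionFalse ConditionStatus = "False"

	FirewallReady               ConditionType = "Ready"
	FirewallControllerConnected ConditionType = "Connected"
)

// Condition mirrors the documented struct; plain time.Time replaces
// metav1.Time so this runs without apimachinery (assumption of the example).
type Condition struct {
	Type               ConditionType
	Status             ConditionStatus
	LastTransitionTime time.Time
	LastUpdateTime     time.Time
	Reason, Message    string
}

type Conditions []Condition

// now is a clock hook so timestamps can be fixed in a test.
var now = time.Now

func NewCondition(t ConditionType, status ConditionStatus, reason, message string) Condition {
	ts := now()
	return Condition{Type: t, Status: status, LastTransitionTime: ts, LastUpdateTime: ts, Reason: reason, Message: message}
}

// Get returns a pointer into the slice, or nil if the type is not present.
func (cs Conditions) Get(t ConditionType) *Condition {
	for i := range cs {
		if cs[i].Type == t {
			return &cs[i]
		}
	}
	return nil
}

// Remove drops the condition with the given type, keeping the others in order.
func (cs *Conditions) Remove(t ConditionType) {
	kept := make(Conditions, 0, len(*cs))
	for _, c := range *cs {
		if c.Type != t {
			kept = append(kept, c)
		}
	}
	*cs = kept
}

// Set applies the documented rule: an identical status/reason/message is a
// no-op, so LastUpdateTime does not churn on every reconcile. When only the
// reason or message changed, the old LastTransitionTime is preserved because
// no status transition happened (assumption matching the field's doc string).
func (cs *Conditions) Set(c Condition) {
	existing := cs.Get(c.Type)
	switch {
	case existing == nil:
		*cs = append(*cs, c)
	case existing.Status == c.Status && existing.Reason == c.Reason && existing.Message == c.Message:
		return
	case existing.Status == c.Status:
		c.LastTransitionTime = existing.LastTransitionTime
		*existing = c
	default:
		*existing = c
	}
}

func main() {
	var cs Conditions // constructed sample reasons and messages, not real controller output
	cs.Set(NewCondition(FirewallReady, ConditionTrue, "MachineRunning", "machine is running"))
	cs.Set(NewCondition(FirewallReady, ConditionTrue, "MachineRunning", "machine is running")) // no-op
	cs.Set(NewCondition(FirewallReady, ConditionFalse, "MachineCrashing", "provisioning crashloop"))
	fmt.Printf("%+v\n", *cs.Get(FirewallReady))
}
```

Because Get hands back a pointer into the slice, an append in Set can relocate the backing array; callers should not hold a *Condition across a later Set.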

type ControllerConnection

type ControllerConnection struct {
	// ActualVersion is the actual version running at the firewall-controller.
	ActualVersion string `json:"actualVersion,omitempty"`
	// Updated is a timestamp when the controller has last reconciled the firewall resource.
	Updated metav1.Time `json:"lastRun,omitempty"`
	// ActualDistance is the actual distance as reflected by the firewall-controller.
	ActualDistance FirewallDistance `json:"actualDistance,omitempty"`
}

ControllerConnection contains information about the firewall-controller connection.

func (*ControllerConnection) DeepCopy

func (in *ControllerConnection) DeepCopy() *ControllerConnection

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerConnection.

func (*ControllerConnection) DeepCopyInto

func (in *ControllerConnection) DeepCopyInto(out *ControllerConnection)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ControllerStatus

type ControllerStatus struct {
	Message                 string           `json:"message,omitempty"`
	FirewallStats           *FirewallStats   `json:"stats,omitempty"`
	ControllerVersion       string           `json:"controllerVersion,omitempty"`
	NftablesExporterVersion string           `json:"nftablesExporterVersion,omitempty"`
	Updated                 metav1.Time      `json:"lastRun,omitempty"`
	Distance                FirewallDistance `json:"distance,omitempty"`
	DistanceSupported       bool             `json:"distanceSupported,omitempty"`
}

func (*ControllerStatus) DeepCopy

func (in *ControllerStatus) DeepCopy() *ControllerStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerStatus.

func (*ControllerStatus) DeepCopyInto

func (in *ControllerStatus) DeepCopyInto(out *ControllerStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Counter

type Counter struct {
	Bytes   uint64 `json:"bytes"`
	Packets uint64 `json:"packets"`
}

Counter holds values of a nftables counter object

func (*Counter) DeepCopy

func (in *Counter) DeepCopy() *Counter

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Counter.

func (*Counter) DeepCopyInto

func (in *Counter) DeepCopyInto(out *Counter)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type DeviceStat

type DeviceStat struct {
	InBytes  uint64 `json:"in"`
	OutBytes uint64 `json:"out"`
}

DeviceStat contains statistics of a device

func (*DeviceStat) DeepCopy

func (in *DeviceStat) DeepCopy() *DeviceStat

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceStat.

func (*DeviceStat) DeepCopyInto

func (in *DeviceStat) DeepCopyInto(out *DeviceStat)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type DeviceStatsByDevice

type DeviceStatsByDevice map[string]DeviceStat

DeviceStatsByDevice contains DeviceStatistics grouped by device name

func (DeviceStatsByDevice) DeepCopy

func (in DeviceStatsByDevice) DeepCopy() DeviceStatsByDevice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceStatsByDevice.

func (DeviceStatsByDevice) DeepCopyInto

func (in DeviceStatsByDevice) DeepCopyInto(out *DeviceStatsByDevice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type EgressRuleSNAT

type EgressRuleSNAT struct {
	// NetworkID is the network for which the egress rule will be configured.
	NetworkID string `json:"networkID"`
	// IPs contains the ips used as source addresses for packets leaving the specified network.
	IPs []string `json:"ips"`
}

EgressRuleSNAT holds a Source-NAT rule

func (*EgressRuleSNAT) DeepCopy

func (in *EgressRuleSNAT) DeepCopy() *EgressRuleSNAT

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRuleSNAT.

func (*EgressRuleSNAT) DeepCopyInto

func (in *EgressRuleSNAT) DeepCopyInto(out *EgressRuleSNAT)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type Firewall

type Firewall struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall specification.
	Spec FirewallSpec `json:"spec"`
	// Status contains current status information on the firewall.
	Status FirewallStatus `json:"status,omitempty"`

	// Distance defines the as-path length of a firewall.
	// This field is typically orchestrated by the deployment controller.
	Distance FirewallDistance `json:"distance"`
}

Firewall represents a metal-stack firewall in a bare-metal kubernetes cluster. It has a 1:1 relationship to a firewall in the metal-stack api.

+kubebuilder:object:root=true
+kubebuilder:resource:shortName=fw
+kubebuilder:subresource:status
+kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase"
+kubebuilder:printcolumn:name="Machine ID",type="string",JSONPath=".status.machineStatus.machineID"
+kubebuilder:printcolumn:name="Last Event",type="string",JSONPath=".status.machineStatus.lastEvent.event"
+kubebuilder:printcolumn:name="Distance",type="string",priority=1,JSONPath=".distance"
+kubebuilder:printcolumn:name="Version",type="string",JSONPath=".status.controllerStatus.actualVersion"
+kubebuilder:printcolumn:name="Spec Version",type="string",priority=1,JSONPath=".spec.controllerVersion"
+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".status.machineStatus.allocationTimestamp"

func (*Firewall) DeepCopy

func (in *Firewall) DeepCopy() *Firewall

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Firewall.

func (*Firewall) DeepCopyInto

func (in *Firewall) DeepCopyInto(out *Firewall)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*Firewall) DeepCopyObject

func (in *Firewall) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type FirewallDeployment

type FirewallDeployment struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall deployment specification.
	Spec FirewallDeploymentSpec `json:"spec,omitempty"`
	// Status contains current status information on the firewall deployment.
	Status FirewallDeploymentStatus `json:"status,omitempty"`
}

FirewallDeployment contains the spec template of a firewall resource similar to a Kubernetes Deployment and implements update strategies like rolling update for the managed firewalls.

+kubebuilder:object:root=true
+kubebuilder:resource:shortName=fwdeploy
+kubebuilder:subresource:status
+kubebuilder:subresource:scale:specpath=.spec.replicas,statuspath=.status.readyReplicas
+kubebuilder:printcolumn:name="Replicas",type=integer,JSONPath=`.spec.replicas`
+kubebuilder:printcolumn:name="Ready",type=integer,JSONPath=`.status.readyReplicas`
+kubebuilder:printcolumn:name="Progressing",type=integer,JSONPath=`.status.progressingReplicas`
+kubebuilder:printcolumn:name="Unhealthy",type=integer,JSONPath=`.status.unhealthyReplicas`
+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"

func (*FirewallDeployment) DeepCopy

func (in *FirewallDeployment) DeepCopy() *FirewallDeployment

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeployment.

func (*FirewallDeployment) DeepCopyInto

func (in *FirewallDeployment) DeepCopyInto(out *FirewallDeployment)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FirewallDeployment) DeepCopyObject

func (in *FirewallDeployment) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type FirewallDeploymentList

type FirewallDeploymentList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items contains the list items.
	Items []FirewallDeployment `json:"items"`
}

FirewallDeploymentList contains a list of firewall deployments

+kubebuilder:object:root=true

func (*FirewallDeploymentList) DeepCopy

func (in *FirewallDeploymentList) DeepCopy() *FirewallDeploymentList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeploymentList.

func (*FirewallDeploymentList) DeepCopyInto

func (in *FirewallDeploymentList) DeepCopyInto(out *FirewallDeploymentList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FirewallDeploymentList) DeepCopyObject

func (in *FirewallDeploymentList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*FirewallDeploymentList) GetItems

func (f *FirewallDeploymentList) GetItems() []*FirewallDeployment

type FirewallDeploymentSpec

type FirewallDeploymentSpec struct {
	// Strategy describes the strategy how firewalls are updated in case the update requires a physical recreation of the firewalls.
	// Defaults to RollingUpdate strategy.
	Strategy FirewallUpdateStrategy `json:"strategy,omitempty"`
	// Replicas is the amount of firewall replicas targeted to be running.
	// Defaults to 1.
	Replicas int `json:"replicas,omitempty"`
	// Selector is a label query over firewalls that should match the replicas count.
	// Label keys and values must match for a firewall to be controlled by this deployment.
	// If the selector is empty, it is defaulted to the labels present on the firewall template.
	Selector map[string]string `json:"selector,omitempty"`
	// Template is the firewall spec used for creating the firewalls.
	Template FirewallTemplateSpec `json:"template"`
}

FirewallDeploymentSpec specifies the firewall deployment.

func (*FirewallDeploymentSpec) DeepCopy

func (in *FirewallDeploymentSpec) DeepCopy() *FirewallDeploymentSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeploymentSpec.

func (*FirewallDeploymentSpec) DeepCopyInto

func (in *FirewallDeploymentSpec) DeepCopyInto(out *FirewallDeploymentSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallDeploymentStatus

type FirewallDeploymentStatus struct {
	// TargetReplicas is the amount of firewall replicas targeted to be running.
	TargetReplicas int `json:"targetReplicas"`
	// ProgressingReplicas is the amount of firewall replicas that are currently progressing in the latest managed firewall set.
	ProgressingReplicas int `json:"progressingReplicas"`
	// ReadyReplicas is the amount of firewall replicas that are currently ready in the latest managed firewall set.
	ReadyReplicas int `json:"readyReplicas"`
	// UnhealthyReplicas is the amount of firewall replicas that are currently unhealthy in the latest managed firewall set.
	UnhealthyReplicas int `json:"unhealthyReplicas"`
	// ObservedRevision is a counter that increases with each firewall set roll that was made.
	ObservedRevision int `json:"observedRevision"`
	// Conditions contain the latest available observations of a firewall deployment's current state.
	Conditions Conditions `json:"conditions"`
}

FirewallDeploymentStatus contains current status information on the firewall deployment.

func (*FirewallDeploymentStatus) DeepCopy

func (in *FirewallDeploymentStatus) DeepCopy() *FirewallDeploymentStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeploymentStatus.

func (*FirewallDeploymentStatus) DeepCopyInto

func (in *FirewallDeploymentStatus) DeepCopyInto(out *FirewallDeploymentStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallDistance added in v0.2.0

type FirewallDistance uint8

FirewallDistance defines the as-path length of firewalls, which influences how strongly they attract the network traffic routed in and out of the cluster. This matters during rolling firewall updates, i.e. when more than a single firewall is running in front of the cluster. During a rolling update, new firewalls start with a longer distance so that traffic is still attracted only by the existing firewalls ("firewall staging"). Once the new firewall has connected successfully to the firewall monitor, the deployment controller throws away the old firewalls and shortens the distance of the new firewall, which then takes over the routing. This reduces service interruption of the cluster's external user traffic, but only for firewall-controller versions that support this feature (see ControllerStatus.DistanceSupported).
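The staging sequence described above, simulated as a stand-alone example (added here; it is not the deployment controller's code). It uses the documented constants FirewallShortestDistance and FirewallRollingUpdateSetDistance, a stand-in FirewallSet type, and a Rollout type with a Reconcile step that are assumptions of the example. It also models the caveat from the last sentence: the assumption that a firewall-controller without distance support ignores spec.distance and announces the shortest path, in which case a staged firewall attracts traffic immediately.

```go
package main

import "fmt"

type FirewallDistance uint8

// Same values as the documented package constants.
const (
	FirewallShortestDistance         = FirewallDistance(0)
	FirewallRollingUpdateSetDistance = FirewallDistance(3)
)

// FirewallSet is a stand-in for one firewall set during a rolling update
// (assumption: not the project's type, only the fields the staging logic reads).
type FirewallSet struct {
	Name              string
	Distance          FirewallDistance // spec.distance
	DistanceSupported bool             // controllerStatus.distanceSupported
	Connected         bool             // the Connected condition is True
}

// effective is the as-path length the set really announces. Assumption: a
// firewall-controller without distance support ignores spec.distance and
// announces the shortest path, so staging does not protect against it.
func (s *FirewallSet) effective() FirewallDistance {
	if !s.DistanceSupported {
		return FirewallShortestDistance
	}
	return s.Distance
}

// Rollout holds the active set and, while an update is in flight, the staged one.
type Rollout struct {
	Active *FirewallSet
	Staged *FirewallSet
	Log    []string
}

// NewRollout stages a new set at the longer rolling-update distance next to the
// currently active one.
func NewRollout(active *FirewallSet, stagedName string, distanceSupported bool) *Rollout {
	return &Rollout{Active: active, Staged: &FirewallSet{
		Name: stagedName, Distance: FirewallRollingUpdateSetDistance, DistanceSupported: distanceSupported,
	}}
}

// AttractingTraffic lists the sets announcing the shortest effective as-path,
// i.e. the ones the upstream routers prefer for the cluster's traffic.
func (r *Rollout) AttractingTraffic() []string {
	best, out := FirewallDistance(255), []string{}
	for _, s := range []*FirewallSet{r.Active, r.Staged} {
		if s == nil {
			continue
		}
		if d := s.effective(); d < best {
			best, out = d, []string{s.Name}
		} else if d == best {
			out = append(out, s.Name)
		}
	}
	return out
}

// Reconcile runs one pass of the documented behaviour: wait until the staged
// set's controller has connected, then throw away the old set and shorten the
// new set's distance. It returns true once no update is in flight.
func (r *Rollout) Reconcile() bool {
	if r.Staged == nil {
		return true
	}
	if !r.Staged.Connected {
		r.Log = append(r.Log, r.Staged.Name+": waiting for firewall-controller connection")
		return false
	}
	r.Log = append(r.Log, r.Active.Name+": deleted")
	r.Active, r.Staged = r.Staged, nil
	r.Active.Distance = FirewallShortestDistance
	r.Log = append(r.Log, r.Active.Name+": distance shortened to 0")
	return true
}

func main() {
	v1 := &FirewallSet{Name: "fw-set-v1", DistanceSupported: true, Connected: true}
	r := NewRollout(v1, "fw-set-v2", true)
	fmt.Println("staged:", r.AttractingTraffic()) // [fw-set-v1]
	r.Reconcile()                                 // still waiting
	r.Staged.Connected = true
	r.Reconcile()
	fmt.Println("done:  ", r.AttractingTraffic(), r.Log) // [fw-set-v2] ...
}
```

Before rolling a deployment it is worth checking that every firewall reports distanceSupported, otherwise the new firewall competes for traffic at equal preference from the moment it comes up and the staging step buys nothing.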

func (FirewallDistance) Pointer added in v0.2.0

func (f FirewallDistance) Pointer() *FirewallDistance

type FirewallList

type FirewallList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items contains the list items.
	Items []Firewall `json:"items"`
}

FirewallList contains a list of firewalls

+kubebuilder:object:root=true

func (*FirewallList) DeepCopy

func (in *FirewallList) DeepCopy() *FirewallList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallList.

func (*FirewallList) DeepCopyInto

func (in *FirewallList) DeepCopyInto(out *FirewallList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FirewallList) DeepCopyObject

func (in *FirewallList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*FirewallList) GetItems

func (f *FirewallList) GetItems() []*Firewall

type FirewallMonitor

type FirewallMonitor struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Size is the machine size of the firewall.
	Size string `json:"size"`
	// Image is the os image of the firewall.
	Image string `json:"image"`
	// Partition is the partition in which the firewall resides.
	Partition string `json:"partition"`
	// Project is the project in which the firewall resides.
	Project string `json:"project"`
	// Networks are the networks to which this firewall is connected.
	Networks []string `json:"networks"`

	// RateLimits allows configuration of rate limit rules for interfaces.
	RateLimits []RateLimit `json:"rateLimits,omitempty"`
	// EgressRules contains egress rules configured for this firewall.
	EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
	// LogAcceptedConnections if set to true, also log accepted connections in the droptailer log.
	LogAcceptedConnections bool `json:"logAcceptedConnections,omitempty"`

	// MachineStatus holds the status of the firewall machine
	MachineStatus *MachineStatus `json:"machineStatus,omitempty"`
	// ControllerStatus holds the status of the firewall-controller reconciling this firewall
	ControllerStatus *ControllerStatus `json:"controllerStatus,omitempty"`
	// Conditions contain the latest available observations of a firewall's current state.
	Conditions Conditions `json:"conditions"`
}

+kubebuilder:object:root=true
+kubebuilder:resource:shortName=fwmon
+kubebuilder:printcolumn:name="Machine ID",type="string",JSONPath=".machineStatus.machineID"
+kubebuilder:printcolumn:name="Image",type="string",JSONPath=".image"
+kubebuilder:printcolumn:name="Size",type="string",JSONPath=".size"
+kubebuilder:printcolumn:name="Last Event",type="string",JSONPath=".machineStatus.lastEvent.event"
+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".machineStatus.allocationTimestamp"

FirewallMonitor is typically deployed into the shoot cluster, unlike the other resources of this controller, which are deployed into the seed cluster's shoot namespace.

func (*FirewallMonitor) DeepCopy

func (in *FirewallMonitor) DeepCopy() *FirewallMonitor

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallMonitor.

func (*FirewallMonitor) DeepCopyInto

func (in *FirewallMonitor) DeepCopyInto(out *FirewallMonitor)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FirewallMonitor) DeepCopyObject

func (in *FirewallMonitor) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type FirewallMonitorList

type FirewallMonitorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	Items []FirewallMonitor `json:"items"`
}

+kubebuilder:object:root=true

func (*FirewallMonitorList) DeepCopy

func (in *FirewallMonitorList) DeepCopy() *FirewallMonitorList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallMonitorList.

func (*FirewallMonitorList) DeepCopyInto

func (in *FirewallMonitorList) DeepCopyInto(out *FirewallMonitorList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FirewallMonitorList) DeepCopyObject

func (in *FirewallMonitorList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*FirewallMonitorList) GetItems

func (f *FirewallMonitorList) GetItems() []*FirewallMonitor

type FirewallNetwork

type FirewallNetwork struct {
	// ASN is the autonomous system number of this network.
	ASN *int64 `json:"asn"`
	// DestinationPrefixes are the destination prefixes of this network.
	DestinationPrefixes []string `json:"destinationPrefixes"`
	// IPs are the ip addresses used in this network.
	IPs []string `json:"ips"`
	// Nat specifies whether the outgoing traffic is natted or not.
	Nat *bool `json:"nat"`
	// NetworkID is the id of this network.
	NetworkID *string `json:"networkID"`
	// NetworkType is the type of this network.
	NetworkType *string `json:"networkType"`
	// Prefixes are the network prefixes of this network.
	Prefixes []string `json:"prefixes"`
	// Vrf is the VRF id of this network.
	Vrf *int64 `json:"vrf"`
}

FirewallNetwork holds refined information about a network that the firewall is connected to. The information is used by the firewall-controller in order to reconcile the firewall.

func (*FirewallNetwork) DeepCopy

func (in *FirewallNetwork) DeepCopy() *FirewallNetwork

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallNetwork.

func (*FirewallNetwork) DeepCopyInto

func (in *FirewallNetwork) DeepCopyInto(out *FirewallNetwork)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallPhase

type FirewallPhase string

FirewallPhase describes the firewall phase at the current time.

const (
	// FirewallPhaseCreating means the firewall is currently being created.
	FirewallPhaseCreating FirewallPhase = "Creating"
	// FirewallPhaseRunning means the firewall is currently running.
	FirewallPhaseRunning FirewallPhase = "Running"
	// FirewallPhaseCrashing means the firewall is currently in a provisioning crashloop.
	FirewallPhaseCrashing FirewallPhase = "Crashing"
)

type FirewallSet

type FirewallSet struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall set specification.
	Spec FirewallSetSpec `json:"spec,omitempty"`
	// Status contains current status information on the firewall set.
	Status FirewallSetStatus `json:"status,omitempty"`
}

FirewallSet contains the spec template of a firewall resource similar to a Kubernetes ReplicaSet and takes care that the desired amount of firewall replicas is running.

+kubebuilder:object:root=true
+kubebuilder:resource:shortName=fwset
+kubebuilder:subresource:status
+kubebuilder:subresource:scale:specpath=.spec.replicas,statuspath=.status.readyReplicas
+kubebuilder:printcolumn:name="Replicas",type=integer,JSONPath=`.spec.replicas`
+kubebuilder:printcolumn:name="Ready",type=integer,JSONPath=`.status.readyReplicas`
+kubebuilder:printcolumn:name="Progressing",type=integer,JSONPath=`.status.progressingReplicas`
+kubebuilder:printcolumn:name="Unhealthy",type=integer,JSONPath=`.status.unhealthyReplicas`
+kubebuilder:printcolumn:name="Distance",type="string",priority=1,JSONPath=".spec.distance"
+kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"

func (*FirewallSet) DeepCopy

func (in *FirewallSet) DeepCopy() *FirewallSet

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSet.

func (*FirewallSet) DeepCopyInto

func (in *FirewallSet) DeepCopyInto(out *FirewallSet)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FirewallSet) DeepCopyObject

func (in *FirewallSet) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type FirewallSetList

type FirewallSetList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items contains the list items.
	Items []FirewallSet `json:"items"`
}

FirewallSetList contains a list of firewall sets

+kubebuilder:object:root=true

func (*FirewallSetList) DeepCopy

func (in *FirewallSetList) DeepCopy() *FirewallSetList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSetList.

func (*FirewallSetList) DeepCopyInto

func (in *FirewallSetList) DeepCopyInto(out *FirewallSetList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FirewallSetList) DeepCopyObject

func (in *FirewallSetList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*FirewallSetList) GetItems

func (f *FirewallSetList) GetItems() []*FirewallSet

type FirewallSetSpec

type FirewallSetSpec struct {
	// Replicas is the amount of firewall replicas targeted to be running.
	Replicas int `json:"replicas"`
	// Selector is a label query over firewalls; the firewalls it matches are counted against Replicas.
	// All label keys and values must match for a firewall to be controlled by this set.
	// If Selector is empty, it is defaulted to the labels present on the firewall template.
	Selector map[string]string `json:"selector,omitempty"`
	// Template is the firewall spec used for creating the firewalls.
	Template FirewallTemplateSpec `json:"template"`
	// Distance defines the as-path length of the firewalls.
	// This field is typically orchestrated by the deployment controller.
	Distance FirewallDistance `json:"distance"`
}

FirewallSetSpec specifies the firewall set.
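As an added example, not code from this package, the Go program below shows what the selector defaulting above means in practice: an empty selector falls back to the template labels, a firewall is owned when every selector key matches, and a selector that the template's own labels do not satisfy is rejected before it reaches the API. The firewallSetSpec type is a local copy of the relevant fields, TemplateLabels stands for spec.template.metadata.labels, and the firewall list is constructed data. Whether the controller itself rejects a mismatching selector is not stated on this page; the check mirrors what the Kubernetes API does for ReplicaSets.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// firewallSetSpec is a local copy (assumption) of the v2.FirewallSetSpec fields
// used here; TemplateLabels stands for spec.template.metadata.labels.
type firewallSetSpec struct {
	Replicas       int
	Selector       map[string]string
	TemplateLabels map[string]string
}

// effectiveSelector applies the documented default: an empty selector means
// the labels present on the firewall template.
func effectiveSelector(spec firewallSetSpec) map[string]string {
	if len(spec.Selector) > 0 {
		return spec.Selector
	}
	return spec.TemplateLabels
}

// matches reports whether every selector key is present in labels with the same value.
// An empty selector matches everything, which is why validation below rejects it.
func matches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// validateFirewallSetSpec rejects a selector the template's own labels do not
// satisfy: firewalls created from the template would never count towards
// replicas, so the set would keep creating more. This mirrors the check the
// Kubernetes API applies to ReplicaSets; the page does not say whether this
// controller enforces it, so treat it as a pre-admission check of your own.
func validateFirewallSetSpec(spec firewallSetSpec) error {
	if spec.Replicas < 0 {
		return fmt.Errorf("replicas: %d must not be negative", spec.Replicas)
	}
	sel := effectiveSelector(spec)
	if len(sel) == 0 {
		return errors.New("selector: empty and the template has no labels, so every firewall would match")
	}
	if !matches(sel, spec.TemplateLabels) {
		return fmt.Errorf("selector %v does not match template labels %v", sel, spec.TemplateLabels)
	}
	return nil
}

// selectOwned returns, sorted, the names of the firewalls the set would count as its own.
func selectOwned(spec firewallSetSpec, firewalls map[string]map[string]string) []string {
	sel := effectiveSelector(spec)
	var owned []string
	for name, labels := range firewalls {
		if matches(sel, labels) {
			owned = append(owned, name)
		}
	}
	sort.Strings(owned)
	return owned
}

// sampleFirewalls is constructed data: firewall name -> labels.
var sampleFirewalls = map[string]map[string]string{
	"fw-a": {"app": "firewall", "set": "set-1"},
	"fw-b": {"app": "firewall", "set": "set-2"},
	"fw-c": {"app": "firewall", "set": "set-1"},
	"fw-d": {"app": "other"},
}

func main() {
	spec := firewallSetSpec{Replicas: 2, TemplateLabels: map[string]string{"app": "firewall", "set": "set-1"}}
	if err := validateFirewallSetSpec(spec); err != nil {
		panic(err)
	}
	fmt.Println("owned:", selectOwned(spec, sampleFirewalls)) // prints "owned: [fw-a fw-c]"
}
```

A selector that is a strict subset of the template labels (app=firewall alone, say) passes validation, because the template labels satisfy it, but it also adopts fw-b, which belongs to set-2. Selectors should be as specific as the template labels they default from.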

func (*FirewallSetSpec) DeepCopy

func (in *FirewallSetSpec) DeepCopy() *FirewallSetSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSetSpec.

func (*FirewallSetSpec) DeepCopyInto

func (in *FirewallSetSpec) DeepCopyInto(out *FirewallSetSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallSetStatus

type FirewallSetStatus struct {
	// TargetReplicas is the amount of firewall replicas targeted to be running.
	TargetReplicas int `json:"targetReplicas"`
	// ProgressingReplicas is the amount of firewall replicas that are currently progressing in the latest managed firewall set.
	ProgressingReplicas int `json:"progressingReplicas"`
	// ReadyReplicas is the amount of firewall replicas that are currently ready in the latest managed firewall set.
	ReadyReplicas int `json:"readyReplicas"`
	// UnhealthyReplicas is the amount of firewall replicas that are currently unhealthy in the latest managed firewall set.
	UnhealthyReplicas int `json:"unhealthyReplicas"`
	// ObservedRevision is a counter that increases with each firewall set roll that was made.
	ObservedRevision int `json:"observedRevision"`
}

func (*FirewallSetStatus) DeepCopy

func (in *FirewallSetStatus) DeepCopy() *FirewallSetStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSetStatus.

func (*FirewallSetStatus) DeepCopyInto

func (in *FirewallSetStatus) DeepCopyInto(out *FirewallSetStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallSpec

type FirewallSpec struct {
	// Size is the machine size of the firewall.
	// An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
	Size string `json:"size"`
	// Image is the os image of the firewall.
	// An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
	Image string `json:"image"`
	// Partition is the partition in which the firewall resides.
	Partition string `json:"partition"`
	// Project is the project in which the firewall resides.
	Project string `json:"project"`
	// Networks are the networks to which this firewall is connected.
	// An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
	// Detailed information about the networks are fetched continuously during runtime and stored in the status.firewallNetworks.
	Networks []string `json:"networks"`

	// Userdata contains the userdata used for the creation of the firewall.
	// If empty, it is defaulted to userdata that configures the firewall-controller with its connections to the Gardener shoot and seed.
	Userdata string `json:"userdata,omitempty"`
	// SSHPublicKeys are public keys which are added to the firewall's authorized keys file on creation.
	// If empty, it is defaulted to the public key of the SSH secret provided via the controller flags.
	SSHPublicKeys []string `json:"sshPublicKeys,omitempty"`

	// RateLimits allows configuration of rate limit rules for interfaces.
	RateLimits []RateLimit `json:"rateLimits,omitempty"`
	// InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
	// Traffic to/from these prefixes is counted as internal traffic.
	InternalPrefixes []string `json:"internalPrefixes,omitempty"`
	// EgressRules contains egress rules configured for this firewall.
	EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`

	// Interval on which rule reconciliation by the firewall-controller should happen.
	Interval string `json:"interval,omitempty"`
	// DryRun, if set to true, causes the generated firewall rules not to be applied. For development purposes only.
	DryRun bool `json:"dryRun,omitempty"`
	// Ipv4RuleFile defines where to store the generated ipv4 firewall rules on disk.
	Ipv4RuleFile string `json:"ipv4RuleFile,omitempty"`

	// ControllerVersion holds the firewall-controller version to reconcile.
	ControllerVersion string `json:"controllerVersion,omitempty"`
	// ControllerURL points to the downloadable binary artifact of the firewall controller.
	ControllerURL string `json:"controllerURL,omitempty"`

	// NftablesExporterVersion holds the nftables exporter version to reconcile.
	NftablesExporterVersion string `json:"nftablesExporterVersion,omitempty"`
	// NftablesExporterURL points to the downloadable binary artifact of the nftables exporter.
	NftablesExporterURL string `json:"nftablesExporterURL,omitempty"`

	// LogAcceptedConnections if set to true, also log accepted connections in the droptailer log.
	LogAcceptedConnections bool `json:"logAcceptedConnections,omitempty"`

	// DNSServerAddress specifies the DNS server address used by the DNS proxy.
	DNSServerAddress string `json:"dnsServerAddress,omitempty"`
	// DNSPort specifies the port to which the DNS proxy is bound.
	DNSPort *uint `json:"dnsPort,omitempty"`
}

FirewallSpec defines parameters for the firewall creation along with configuration for the firewall-controller.
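Several of these fields are sensitive inputs: ControllerURL and NftablesExporterURL name binaries the firewall will download and run, SSHPublicKeys grants login to the machine, and DryRun disables rule enforcement. The Go program below, added here as an example and not part of this package, shows the kind of admission-side validation a practitioner would put in front of a FirewallSpec. The firewallSpec type is a local copy of the fields checked; the allowDryRun switch, the sample key and the artifact host are assumptions.

```go
package main

import (
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// firewallSpec is a local copy (assumption) of the v2.FirewallSpec fields the
// checks below look at, so the example compiles without the real module.
type firewallSpec struct {
	Networks            []string
	SSHPublicKeys       []string
	DryRun              bool
	ControllerURL       string
	NftablesExporterURL string
	DNSPort             *uint
}

// validateArtifactURL accepts an empty value (the controller defaults it) or an absolute
// https URL: the firewall downloads and executes the binary behind it, so plain http is out.
func validateArtifactURL(field, raw string) error {
	if raw == "" {
		return nil
	}
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("%s: %w", field, err)
	}
	if u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("%s: must be an absolute https URL, got %q", field, raw)
	}
	return nil
}

// validateSSHPublicKey checks the authorized_keys line shape "<type> <base64 blob> [comment]":
// a known key type prefix and a blob that decodes. It does not parse the blob's inner structure.
func validateSSHPublicKey(line string) error {
	f := strings.Fields(line)
	if len(f) < 2 {
		return errors.New("expected '<type> <base64> [comment]'")
	}
	if !strings.HasPrefix(f[0], "ssh-") && !strings.HasPrefix(f[0], "ecdsa-") && !strings.HasPrefix(f[0], "sk-") {
		return fmt.Errorf("unknown key type %q", f[0])
	}
	if _, err := base64.StdEncoding.DecodeString(f[1]); err != nil {
		return fmt.Errorf("key blob is not valid base64: %w", err)
	}
	return nil
}

// validateFirewallSpec collects every problem instead of stopping at the first, so an admission
// response can list them all. allowDryRun is a deployment-level switch (assumption): false outside development.
func validateFirewallSpec(spec firewallSpec, allowDryRun bool) []error {
	var errs []error
	if len(spec.Networks) == 0 {
		errs = append(errs, errors.New("networks: at least one network is required"))
	}
	if spec.DryRun && !allowDryRun {
		errs = append(errs, errors.New("dryRun: not permitted here, rules would never be applied"))
	}
	for i, key := range spec.SSHPublicKeys {
		if err := validateSSHPublicKey(key); err != nil {
			errs = append(errs, fmt.Errorf("sshPublicKeys[%d]: %w", i, err))
		}
	}
	for _, a := range [][2]string{{"controllerURL", spec.ControllerURL}, {"nftablesExporterURL", spec.NftablesExporterURL}} {
		if err := validateArtifactURL(a[0], a[1]); err != nil {
			errs = append(errs, err)
		}
	}
	if spec.DNSPort != nil && (*spec.DNSPort == 0 || *spec.DNSPort > 65535) {
		errs = append(errs, fmt.Errorf("dnsPort: %d is outside 1-65535", *spec.DNSPort))
	}
	return errs
}

// sampleSpec is constructed input: a throwaway ed25519 key and a placeholder artifact host.
func sampleSpec() firewallSpec {
	return firewallSpec{
		Networks:      []string{"internet"},
		SSHPublicKeys: []string{"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl ops@example"},
		ControllerURL: "https://artifacts.example.invalid/firewall-controller",
	}
}

func main() {
	bad := sampleSpec()
	bad.DryRun, bad.ControllerURL = true, "http://artifacts.example.invalid/firewall-controller"
	for _, err := range validateFirewallSpec(bad, false) {
		fmt.Println("reject:", err)
	}
}
```

The https check is a minimum, not a substitute for verifying what was downloaded. An allow-list of artifact hosts, or a digest pinned alongside ControllerVersion and NftablesExporterVersion, would be the next step.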

func (*FirewallSpec) DeepCopy

func (in *FirewallSpec) DeepCopy() *FirewallSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSpec.

func (*FirewallSpec) DeepCopyInto

func (in *FirewallSpec) DeepCopyInto(out *FirewallSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallStats

type FirewallStats struct {
	RuleStats   RuleStatsByAction   `json:"rules"`
	DeviceStats DeviceStatsByDevice `json:"devices"`
	IDSStats    IDSStatsByDevice    `json:"idsStats"`
}

FirewallStats contains firewall statistics

func (*FirewallStats) DeepCopy

func (in *FirewallStats) DeepCopy() *FirewallStats

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallStats.

func (*FirewallStats) DeepCopyInto

func (in *FirewallStats) DeepCopyInto(out *FirewallStats)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallStatus

type FirewallStatus struct {
	// MachineStatus holds the status of the firewall machine containing information from the metal-stack api.
	MachineStatus *MachineStatus `json:"machineStatus,omitempty"`
	// ControllerStatus holds a brief version of the firewall-controller reconciling this firewall.
	// The firewall-controller itself has only read-access to resources in the seed, including the firewall status
	// inside the firewall resource, so this field is updated by the firewall monitor controller.
	ControllerStatus *ControllerConnection `json:"controllerStatus,omitempty"`
	// FirewallNetworks holds refined information about the networks that this firewall is connected to.
	// The information is used by the firewall-controller in order to reconcile this firewall.
	// See .spec.networks.
	FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"`
	// Conditions contain the latest available observations of a firewall's current state.
	Conditions Conditions `json:"conditions"`
	// Phase describes the firewall phase at the current time.
	Phase FirewallPhase `json:"phase"`
	// ShootAccess contains references to construct shoot clients.
	ShootAccess *ShootAccess `json:"shootAccess,omitempty"`
}

FirewallStatus contains current status information on the firewall.

func (*FirewallStatus) DeepCopy

func (in *FirewallStatus) DeepCopy() *FirewallStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallStatus.

func (*FirewallStatus) DeepCopyInto

func (in *FirewallStatus) DeepCopyInto(out *FirewallStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallTemplateSpec

type FirewallTemplateSpec struct {
	// Metadata of the firewalls created from this template.
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall specification.
	Spec FirewallSpec `json:"spec,omitempty"`
}

FirewallTemplateSpec describes the data a firewall should have when created from a template

func (*FirewallTemplateSpec) DeepCopy

func (in *FirewallTemplateSpec) DeepCopy() *FirewallTemplateSpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallTemplateSpec.

func (*FirewallTemplateSpec) DeepCopyInto

func (in *FirewallTemplateSpec) DeepCopyInto(out *FirewallTemplateSpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FirewallUpdateStrategy

type FirewallUpdateStrategy string

FirewallUpdateStrategy describes how firewalls are updated when the update requires a physical recreation of the firewalls.

const (
	// StrategyRollingUpdate first creates a new firewall set, waits until it is ready and then removes the old one.
	StrategyRollingUpdate FirewallUpdateStrategy = "RollingUpdate"
	// StrategyRecreate removes the old firewall set and then creates a new one
	StrategyRecreate FirewallUpdateStrategy = "Recreate"
)

type IDSStatsByDevice

type IDSStatsByDevice map[string]InterfaceStat

func (IDSStatsByDevice) DeepCopy

func (in IDSStatsByDevice) DeepCopy() IDSStatsByDevice

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDSStatsByDevice.

func (IDSStatsByDevice) DeepCopyInto

func (in IDSStatsByDevice) DeepCopyInto(out *IDSStatsByDevice)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type InterfaceStat

type InterfaceStat struct {
	Drop             int `json:"drop"`
	InvalidChecksums int `json:"invalidChecksums"`
	Packets          int `json:"packets"`
}

func (*InterfaceStat) DeepCopy

func (in *InterfaceStat) DeepCopy() *InterfaceStat

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InterfaceStat.

func (*InterfaceStat) DeepCopyInto

func (in *InterfaceStat) DeepCopyInto(out *InterfaceStat)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MachineLastEvent

type MachineLastEvent struct {
	// Event is the provisioning event.
	Event string `json:"event"`
	// Timestamp is the point in time when the provisioning event was received.
	Timestamp metav1.Time `json:"timestamp"`
	// Message contains a message further describing the event.
	Message string `json:"message"`
}

MachineLastEvent contains the last provisioning event of the machine.

func (*MachineLastEvent) DeepCopy

func (in *MachineLastEvent) DeepCopy() *MachineLastEvent

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineLastEvent.

func (*MachineLastEvent) DeepCopyInto

func (in *MachineLastEvent) DeepCopyInto(out *MachineLastEvent)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type MachineStatus

type MachineStatus struct {
	// MachineID is the id of the firewall in the metal-stack api.
	MachineID string `json:"machineID"`
	// AllocationTimestamp is the timestamp when the machine was allocated.
	AllocationTimestamp metav1.Time `json:"allocationTimestamp"`
	// Liveliness expresses the liveliness of the firewall and can be used to determine the general health state of the machine.
	Liveliness string `json:"liveliness"`
	// CrashLoop can occur during provisioning of the firewall causing the firewall not to get ready.
	CrashLoop bool `json:"crashLoop,omitempty"`
	// LastEvent contains the last provisioning event of the machine.
	LastEvent *MachineLastEvent `json:"lastEvent,omitempty"`
}

MachineStatus holds the status of the firewall machine containing information from the metal-stack api.

func (*MachineStatus) DeepCopy

func (in *MachineStatus) DeepCopy() *MachineStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineStatus.

func (*MachineStatus) DeepCopyInto

func (in *MachineStatus) DeepCopyInto(out *MachineStatus)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RateLimit

type RateLimit struct {
	// NetworkID specifies the network which should be rate limited.
	NetworkID string `json:"networkID"`
	// Rate is the input rate in MiB/s.
	Rate uint32 `json:"rate"`
}

RateLimit contains the rate limit rule for a network.

func (*RateLimit) DeepCopy

func (in *RateLimit) DeepCopy() *RateLimit

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimit.

func (*RateLimit) DeepCopyInto

func (in *RateLimit) DeepCopyInto(out *RateLimit)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RuleStat

type RuleStat struct {
	Counter Counter `json:"counter"`
}

RuleStat contains the statistics for a single nftables rule

func (*RuleStat) DeepCopy

func (in *RuleStat) DeepCopy() *RuleStat

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStat.

func (*RuleStat) DeepCopyInto

func (in *RuleStat) DeepCopyInto(out *RuleStat)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RuleStats

type RuleStats map[string]RuleStat

RuleStats contains firewall rule statistics of all rules of an action

func (RuleStats) DeepCopy

func (in RuleStats) DeepCopy() RuleStats

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStats.

func (RuleStats) DeepCopyInto

func (in RuleStats) DeepCopyInto(out *RuleStats)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type RuleStatsByAction

type RuleStatsByAction map[string]RuleStats

RuleStatsByAction contains firewall rule statistics grouped by action, e.g. accept, drop, policy, masquerade.

func (RuleStatsByAction) DeepCopy

func (in RuleStatsByAction) DeepCopy() RuleStatsByAction

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatsByAction.

func (RuleStatsByAction) DeepCopyInto

func (in RuleStatsByAction) DeepCopyInto(out *RuleStatsByAction)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type ShootAccess

type ShootAccess struct {
	// GenericKubeconfigSecretName is the secret name of the generic kubeconfig secret deployed by Gardener
	// to be used as a template for constructing a shoot client.
	GenericKubeconfigSecretName string `json:"genericKubeconfigSecretName"`
	// TokenSecretName is the secret name for the access token for shoot access.
	TokenSecretName string `json:"tokenSecretName"`
	// Namespace is the namespace in the seed where the secrets reside.
	Namespace string `json:"namespace"`
	// APIServerURL is the URL of the shoot's API server.
	APIServerURL string `json:"apiServerURL"`
}

ShootAccess contains secret references to construct a shoot client in the firewall-controller to update its firewall monitor.

The controller has to be aware that Gardener rotates these secrets on a regular basis, so it has to exchange the client when the access expires.
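One way to handle that rotation, shown here as an added example rather than the controller's own code: keep a fingerprint of the secret data the client was built from and rebuild the client whenever the fingerprint changes. The program below uses a map as a stand-in for reading Secrets from the seed and a plain struct as a stand-in for a Kubernetes client; the secret data keys "kubeconfig" and "token", the secret names and the token values are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sync"
)

// shootAccess is a local copy (assumption) of v2.ShootAccess so the example
// compiles without the real module.
type shootAccess struct {
	GenericKubeconfigSecretName string
	TokenSecretName             string
	Namespace                   string
	APIServerURL                string
}

// secretStore stands in for reading Secrets from the seed: "namespace/name" -> data.
// The data keys "kubeconfig" and "token" are assumptions about the secret layout.
type secretStore map[string]map[string][]byte

// shootClient stands in for a Kubernetes client and records what it was built from.
type shootClient struct {
	APIServerURL, Kubeconfig, Token string
}

// clientHolder caches one client and rebuilds it whenever the referenced secret
// data changes, which is what a Gardener rotation looks like from the controller.
type clientHolder struct {
	mu       sync.Mutex
	access   shootAccess
	lastHash string
	client   *shootClient
	Rebuilds int
}

// fingerprint hashes the material the client depends on, length-prefixed so that
// moving bytes between the two inputs cannot yield the same digest.
func fingerprint(kubeconfig, token []byte) string {
	h := sha256.New()
	fmt.Fprintf(h, "%d:%s%d:%s", len(kubeconfig), kubeconfig, len(token), token)
	return hex.EncodeToString(h.Sum(nil))
}

func (c *clientHolder) secret(s secretStore, name, key string) ([]byte, error) {
	data, ok := s[c.access.Namespace+"/"+name][key]
	if !ok || len(data) == 0 {
		return nil, fmt.Errorf("secret %s/%s has no %q key", c.access.Namespace, name, key)
	}
	return data, nil
}

// Client returns the cached client, or a new one on first use and after the
// kubeconfig or token secret has been rotated.
func (c *clientHolder) Client(s secretStore) (*shootClient, error) {
	c.mu.Lock()
	defer c.mu.Unlock()
	kubeconfig, err := c.secret(s, c.access.GenericKubeconfigSecretName, "kubeconfig")
	if err != nil {
		return nil, err
	}
	token, err := c.secret(s, c.access.TokenSecretName, "token")
	if err != nil {
		return nil, err
	}
	fp := fingerprint(kubeconfig, token)
	if c.client != nil && fp == c.lastHash {
		return c.client, nil
	}
	c.client = &shootClient{APIServerURL: c.access.APIServerURL, Kubeconfig: string(kubeconfig), Token: string(token)}
	c.lastHash = fp
	c.Rebuilds++
	return c.client, nil
}

// sampleAccess and sampleSecrets are constructed data; names and token values are placeholders.
var sampleAccess = shootAccess{
	GenericKubeconfigSecretName: "generic-token-kubeconfig",
	TokenSecretName:             "shoot-access-firewall-controller",
	Namespace:                   "shoot--proj--cluster",
	APIServerURL:                "https://api.cluster.example.invalid",
}

func sampleSecrets(token string) secretStore {
	return secretStore{
		"shoot--proj--cluster/generic-token-kubeconfig":         {"kubeconfig": []byte("apiVersion: v1\nkind: Config\n")},
		"shoot--proj--cluster/shoot-access-firewall-controller": {"token": []byte(token)},
	}
}

func main() {
	h := &clientHolder{access: sampleAccess}
	for _, tok := range []string{"token-1", "token-1", "token-2"} {
		c, err := h.Client(sampleSecrets(tok))
		if err != nil {
			panic(err)
		}
		fmt.Printf("token=%s rebuilds=%d\n", c.Token, h.Rebuilds)
	}
}
```

Comparing the secret data rather than a resourceVersion means a no-op update of the Secret does not force a rebuild, and a rotation is picked up on the next call however it was observed (poll or watch). In a real controller the old client should be kept until the new one has completed a request successfully; the stand-in here does not model that hand-over.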

func (*ShootAccess) DeepCopy

func (in *ShootAccess) DeepCopy() *ShootAccess

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShootAccess.

func (*ShootAccess) DeepCopyInto

func (in *ShootAccess) DeepCopyInto(out *ShootAccess)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
