Overview ¶
+kubebuilder:object:generate=true +groupName=firewall.metal-stack.io
+kubebuilder:webhook:path=/validate-firewall-metal-stack-io-v2-firewall,mutating=false,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalls,verbs=create;update,versions=v2,name=firewall.metal-stack.io,sideEffects=None,admissionReviewVersions=v1 +kubebuilder:webhook:path=/validate-firewall-metal-stack-io-v2-firewallset,mutating=false,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewallsets,verbs=create;update,versions=v2,name=firewallset.metal-stack.io,sideEffects=None,admissionReviewVersions=v1 +kubebuilder:webhook:path=/validate-firewall-metal-stack-io-v2-firewalldeployment,mutating=false,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalldeployments,verbs=create;update,versions=v2,name=firewalldeployment.metal-stack.io,sideEffects=None,admissionReviewVersions=v1
+kubebuilder:webhook:path=/mutate-firewall-metal-stack-io-v2-firewall,mutating=true,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalls,verbs=create,versions=v2,name=firewall.metal-stack.io,sideEffects=None,admissionReviewVersions=v1 +kubebuilder:webhook:path=/mutate-firewall-metal-stack-io-v2-firewallset,mutating=true,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewallsets,verbs=create,versions=v2,name=firewallset.metal-stack.io,sideEffects=None,admissionReviewVersions=v1 +kubebuilder:webhook:path=/mutate-firewall-metal-stack-io-v2-firewalldeployment,mutating=true,failurePolicy=fail,groups=firewall.metal-stack.io,resources=firewalldeployments,verbs=create,versions=v2,name=firewalldeployment.metal-stack.io,sideEffects=None,admissionReviewVersions=v1
Constants ¶
const (
	// FirewallNoControllerConnectionAnnotation can be used as an annotation to the firewall resource in order
	// to indicate that the firewall-controller does not connect to the firewall monitor. this way, the replica
	// set will become healthy without a controller connection.
	//
	// this can be useful to silence a problem temporarily and was used in the past for migration of firewall-controller v1.
	//
	// NOTE(review): while this annotation is present, a healthy replica set no longer implies that a
	// firewall-controller is connected and reconciling the firewall resource.
	FirewallNoControllerConnectionAnnotation = "firewall.metal-stack.io/no-controller-connection"
	// FirewallControllerManagedByAnnotation is used as tag for creating a firewall to indicate who is managing the firewall.
	FirewallControllerManagedByAnnotation = "firewall.metal-stack.io/managed-by"
	// FirewallWeightAnnotation is considered when deciding which firewall is thrown away on scale down.
	// Value must be parsable as an integer. Firewalls with higher weight are kept longer.
	// Defaults to 0 if no annotation is present. Negative values are allowed.
	FirewallWeightAnnotation = "firewall.metal-stack.io/weight"
	// FirewallControllerManager is a name of the firewall-controller-manager managing the firewall.
	FirewallControllerManager = "firewall-controller-manager"
)
const (
	// FirewallControllerSetAnnotation is a tag added to the firewall entity indicating to which set a firewall belongs to.
	//
	// NOTE(review): the key uses "metal.stack.io" whereas every other key in this package uses "metal-stack.io".
	// The value is a tag on existing firewall entities, so changing it would break lookups of already tagged
	// firewalls — confirm before touching it.
	FirewallControllerSetAnnotation = "firewall.metal.stack.io/set"

	// FirewallShortestDistance is the shortest as-path length a firewall can be given (see FirewallDistance).
	FirewallShortestDistance = FirewallDistance(0)
	// FirewallRollingUpdateSetDistance is presumably the distance new firewalls start with during a rolling
	// update, so that traffic keeps being attracted by the existing firewalls — confirm against the deployment controller.
	FirewallRollingUpdateSetDistance = FirewallDistance(3)
	// FirewallLongestDistance is the longest as-path length a firewall can be given.
	FirewallLongestDistance = FirewallDistance(8)

	// FirewallMaxReplicas defines the maximum amount of firewall replicas to be defined.
	// It does not make sense to allow large values here as it wastes a lot of machines.
	FirewallMaxReplicas = 4
)
const (
	// FinalizerName is the finalizer key used by the firewall-controller-manager.
	FinalizerName = "firewall.metal-stack.io/firewall-controller-manager"
	// RollSetAnnotation is presumably the annotation that requests a roll of a firewall set; its removal is
	// filtered by SkipRollSetAnnotationRemoval — confirm against the controllers.
	RollSetAnnotation = "firewall.metal-stack.io/roll-set"
	// RevisionAnnotation presumably records the firewall set revision that ObservedRevision in the status counts — confirm.
	RevisionAnnotation = "firewall.metal-stack.io/revision"
)
const (
	// FirewallShootNamespace is the name of the namespace to which the firewall monitor gets deployed and in which the firewall-controller operates.
	// This is a namespace in the shoot cluster, not in the seed cluster's shoot namespace where the other resources of this package live.
	FirewallShootNamespace = "firewall"
)
Variables ¶
var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "firewall.metal-stack.io", Version: "v2"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
func FirewallManagedByTag ¶
func FirewallManagedByTag() string
func FirewallSetTag ¶
func IsAnnotationTrue ¶ added in v0.1.5
IsAnnotationTrue returns true if the given object has an annotation with a given key and the value of this annotation is a true boolean.
func SkipRollSetAnnotationRemoval ¶
SkipRollSetAnnotationRemoval returns a predicate covering the case in which the firewall controller's roll-set annotation was cleaned up.
func SortFirewallsByImportance ¶ added in v0.2.0
func SortFirewallsByImportance(fws []*Firewall)
SortFirewallsByImportance sorts the given firewall slice by importance, e.g. for scale down.
It considers certain criteria which firewalls should be kept longest and which ones can be deleted first. The precedence is:
- Weight annotation (prefer higher weight, defaults to 0 if no annotation is present)
- Firewall lifecycle phase (connected > ready > created, prefer shorter distance when equal)
- Firewall age (prefer younger firewalls)
The firewalls at the beginning of the slice should be kept as long as possible. The firewalls at the end of the slice should be removed first.
The firewalls can be popped off from the slice in a deletion loop.
Types ¶
type Condition ¶
// Condition holds the information about the state of a resource.
type Condition struct {
	// Type of the condition.
	Type ConditionType `json:"type"`
	// Status of the condition, one of True, False, Unknown.
	Status ConditionStatus `json:"status"`
	// Last time the condition transitioned from one status to another.
	LastTransitionTime metav1.Time `json:"lastTransitionTime"`
	// Last time the condition was updated.
	LastUpdateTime metav1.Time `json:"lastUpdateTime"`
	// The reason for the condition's last transition.
	Reason string `json:"reason"`
	// A human readable message indicating details about the transition.
	Message string `json:"message"`
}
Condition holds the information about the state of a resource.
func NewCondition ¶
func NewCondition(t ConditionType, status ConditionStatus, reason, message string) Condition
NewCondition creates a new condition.
func (*Condition) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Condition.
func (*Condition) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ConditionStatus ¶
// ConditionStatus is the status of a condition; see ConditionTrue, ConditionFalse and ConditionUnknown.
type ConditionStatus string
ConditionStatus is the status of a condition.
const (
	// ConditionTrue means a resource is in the condition.
	ConditionTrue ConditionStatus = "True"
	// ConditionFalse means a resource is not in the condition.
	ConditionFalse ConditionStatus = "False"
	// ConditionUnknown means the controller can't decide if a resource is in the condition or not.
	ConditionUnknown ConditionStatus = "Unknown"
)
type ConditionType ¶
// ConditionType is a string alias naming the kind of condition a Condition reports.
type ConditionType string
ConditionType is a string alias.
const (
	// FirewallCreated indicates if the firewall was created at the metal-api.
	FirewallCreated ConditionType = "Created"
	// FirewallReady indicates that the firewall is running and, according to the metal-api, in a healthy, working state.
	FirewallReady ConditionType = "Ready"
	// FirewallControllerConnected indicates that the firewall-controller running on the firewall is reconciling the firewall resource.
	FirewallControllerConnected ConditionType = "Connected"
	// FirewallMonitorDeployed indicates that the firewall monitor is deployed into the shoot cluster.
	FirewallMonitorDeployed ConditionType = "MonitorDeployed"
	// FirewallDistanceConfigured indicates that the firewall-controller has configured the given firewall distance.
	FirewallDistanceConfigured ConditionType = "Distance"
)
const (
	// NOTE(review): the identifiers below are spelled "Deploment" (sic); they are exported, so renaming them is an API change.

	// FirewallDeplomentAvailable indicates whether the deployment has reached the desired amount of replicas or not.
	FirewallDeplomentAvailable ConditionType = "Available"
	// FirewallDeplomentProgressing indicates whether the deployment is still progressing towards the desired amount of replicas.
	FirewallDeplomentProgressing ConditionType = "Progressing"
	// FirewallDeplomentRBACProvisioned indicates whether the rbac permissions for the firewall-controller to communicate with the api server were provisioned.
	FirewallDeplomentRBACProvisioned ConditionType = "RBACProvisioned"
)
type Conditions ¶
// Conditions is a list of Condition values, addressed by ConditionType through Get, Set and Remove.
type Conditions []Condition
func (Conditions) DeepCopy ¶
func (in Conditions) DeepCopy() Conditions
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Conditions.
func (Conditions) DeepCopyInto ¶
func (in Conditions) DeepCopyInto(out *Conditions)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (Conditions) Get ¶
func (cs Conditions) Get(t ConditionType) *Condition
Get returns the condition with the provided type.
func (*Conditions) Remove ¶
func (cs *Conditions) Remove(t ConditionType)
Remove removes the condition with the provided type.
func (*Conditions) Set ¶
func (cs *Conditions) Set(condition Condition)
Set updates the conditions to include the provided condition. If the condition that is about to be added already exists and has the same status, reason and message, no update is made.
type ControllerConnection ¶
// ControllerConnection contains information about the firewall-controller connection.
type ControllerConnection struct {
	// ActualVersion is the actual version running at the firewall-controller.
	ActualVersion string `json:"actualVersion,omitempty"`
	// Updated is a timestamp when the controller has last reconciled the firewall resource.
	// Note that it is serialized under the json key "lastRun", not "updated".
	Updated metav1.Time `json:"lastRun,omitempty"`
	// ActualDistance is the actual distance as reflected by the firewall-controller.
	ActualDistance FirewallDistance `json:"actualDistance,omitempty"`
}
ControllerConnection contains information about the firewall-controller connection.
func (*ControllerConnection) DeepCopy ¶
func (in *ControllerConnection) DeepCopy() *ControllerConnection
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerConnection.
func (*ControllerConnection) DeepCopyInto ¶
func (in *ControllerConnection) DeepCopyInto(out *ControllerConnection)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ControllerStatus ¶
// ControllerStatus holds the status of the firewall-controller reconciling a firewall, as exposed on the FirewallMonitor.
type ControllerStatus struct {
	// Message is a free-form status message; its content is set by the firewall-controller — confirm.
	Message string `json:"message,omitempty"`
	// FirewallStats contains the statistics reported by the firewall-controller (see FirewallStats).
	FirewallStats *FirewallStats `json:"stats,omitempty"`
	// ControllerVersion is the version of the firewall-controller that produced this status.
	ControllerVersion string `json:"controllerVersion,omitempty"`
	// NftablesExporterVersion is the version of the nftables exporter running alongside the controller — confirm.
	NftablesExporterVersion string `json:"nftablesExporterVersion,omitempty"`
	// Updated is the timestamp of the last reconcile run; serialized under the json key "lastRun".
	Updated metav1.Time `json:"lastRun,omitempty"`
	// Distance is the firewall distance as currently reported by the firewall-controller.
	Distance FirewallDistance `json:"distance,omitempty"`
	// DistanceSupported reports whether this firewall-controller version supports the distance feature.
	DistanceSupported bool `json:"distanceSupported,omitempty"`
}
func (*ControllerStatus) DeepCopy ¶
func (in *ControllerStatus) DeepCopy() *ControllerStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ControllerStatus.
func (*ControllerStatus) DeepCopyInto ¶
func (in *ControllerStatus) DeepCopyInto(out *ControllerStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Counter ¶
Counter holds the values of an nftables counter object.
func (*Counter) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Counter.
func (*Counter) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DeviceStat ¶
DeviceStat contains statistics of a device
func (*DeviceStat) DeepCopy ¶
func (in *DeviceStat) DeepCopy() *DeviceStat
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceStat.
func (*DeviceStat) DeepCopyInto ¶
func (in *DeviceStat) DeepCopyInto(out *DeviceStat)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DeviceStatsByDevice ¶
// DeviceStatsByDevice contains DeviceStat entries grouped by device name.
type DeviceStatsByDevice map[string]DeviceStat
DeviceStatsByDevice contains DeviceStatistics grouped by device name
func (DeviceStatsByDevice) DeepCopy ¶
func (in DeviceStatsByDevice) DeepCopy() DeviceStatsByDevice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceStatsByDevice.
func (DeviceStatsByDevice) DeepCopyInto ¶
func (in DeviceStatsByDevice) DeepCopyInto(out *DeviceStatsByDevice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EgressRuleSNAT ¶
// EgressRuleSNAT holds a Source-NAT rule.
type EgressRuleSNAT struct {
	// NetworkID is the network for which the egress rule will be configured.
	NetworkID string `json:"networkID"`
	// IPs contains the ips used as source addresses for packets leaving the specified network.
	// They are passed through to the firewall-controller; whether they are validated against the
	// firewall's own addresses is not visible here — confirm in the validating webhook.
	IPs []string `json:"ips"`
}
EgressRuleSNAT holds a Source-NAT rule
func (*EgressRuleSNAT) DeepCopy ¶
func (in *EgressRuleSNAT) DeepCopy() *EgressRuleSNAT
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRuleSNAT.
func (*EgressRuleSNAT) DeepCopyInto ¶
func (in *EgressRuleSNAT) DeepCopyInto(out *EgressRuleSNAT)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Firewall ¶
// Firewall represents a metal-stack firewall in a bare-metal kubernetes cluster.
// It has a 1:1 relationship to a firewall in the metal-stack api.
type Firewall struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall specification.
	Spec FirewallSpec `json:"spec"`
	// Status contains current status information on the firewall.
	Status FirewallStatus `json:"status,omitempty"`

	// Distance defines the as-path length of a firewall.
	// This field is typically orchestrated by the deployment controller.
	//
	// NOTE(review): Distance sits at the top level of the object (json path ".distance"), outside
	// both Spec and Status, so it is not written through the status subresource.
	Distance FirewallDistance `json:"distance"`
}
Firewall represents a metal-stack firewall in a bare-metal kubernetes cluster. It has a 1:1 relationship to a firewall in the metal-stack api.
+kubebuilder:object:root=true +kubebuilder:resource:shortName=fw +kubebuilder:subresource:status +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase" +kubebuilder:printcolumn:name="Machine ID",type="string",JSONPath=".status.machineStatus.machineID" +kubebuilder:printcolumn:name="Last Event",type="string",JSONPath=".status.machineStatus.lastEvent.event" +kubebuilder:printcolumn:name="Distance",type="string",priority=1,JSONPath=".distance" +kubebuilder:printcolumn:name="Version",type="string",JSONPath=".status.controllerStatus.actualVersion" +kubebuilder:printcolumn:name="Spec Version",type="string",priority=1,JSONPath=".spec.controllerVersion" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".status.machineStatus.allocationTimestamp"
func (*Firewall) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Firewall.
func (*Firewall) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Firewall) DeepCopyObject ¶
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FirewallDeployment ¶
// FirewallDeployment contains the spec template of a firewall resource similar to a Kubernetes Deployment
// and implements update strategies like rolling update for the managed firewalls.
type FirewallDeployment struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall deployment specification.
	Spec FirewallDeploymentSpec `json:"spec,omitempty"`
	// Status contains current status information on the firewall deployment.
	Status FirewallDeploymentStatus `json:"status,omitempty"`
}
FirewallDeployment contains the spec template of a firewall resource similar to a Kubernetes Deployment and implements update strategies like rolling update for the managed firewalls.
+kubebuilder:object:root=true +kubebuilder:resource:shortName=fwdeploy +kubebuilder:subresource:status +kubebuilder:subresource:scale:specpath=.spec.replicas,statuspath=.status.readyReplicas +kubebuilder:printcolumn:name="Replicas",type=integer,JSONPath=`.spec.replicas` +kubebuilder:printcolumn:name="Ready",type=integer,JSONPath=`.status.readyReplicas` +kubebuilder:printcolumn:name="Progressing",type=integer,JSONPath=`.status.progressingReplicas` +kubebuilder:printcolumn:name="Unhealthy",type=integer,JSONPath=`.status.unhealthyReplicas` +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
func (*FirewallDeployment) DeepCopy ¶
func (in *FirewallDeployment) DeepCopy() *FirewallDeployment
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeployment.
func (*FirewallDeployment) DeepCopyInto ¶
func (in *FirewallDeployment) DeepCopyInto(out *FirewallDeployment)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallDeployment) DeepCopyObject ¶
func (in *FirewallDeployment) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FirewallDeploymentList ¶
// FirewallDeploymentList contains a list of firewall deployments.
type FirewallDeploymentList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items contains the list items.
	Items []FirewallDeployment `json:"items"`
}
FirewallDeploymentList contains a list of firewall deployments.
+kubebuilder:object:root=true
func (*FirewallDeploymentList) DeepCopy ¶
func (in *FirewallDeploymentList) DeepCopy() *FirewallDeploymentList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeploymentList.
func (*FirewallDeploymentList) DeepCopyInto ¶
func (in *FirewallDeploymentList) DeepCopyInto(out *FirewallDeploymentList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallDeploymentList) DeepCopyObject ¶
func (in *FirewallDeploymentList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*FirewallDeploymentList) GetItems ¶
func (f *FirewallDeploymentList) GetItems() []*FirewallDeployment
type FirewallDeploymentSpec ¶
// FirewallDeploymentSpec specifies the firewall deployment.
type FirewallDeploymentSpec struct {
	// Strategy describes the strategy how firewalls are updated in case the update requires a physical recreation of the firewalls.
	// Defaults to RollingUpdate strategy.
	Strategy FirewallUpdateStrategy `json:"strategy,omitempty"`
	// Replicas is the amount of firewall replicas targeted to be running.
	// Defaults to 1. FirewallMaxReplicas is the upper bound, presumably enforced by the validating webhook — confirm.
	Replicas int `json:"replicas,omitempty"`
	// Selector is a label query over firewalls that should match the replicas count.
	// Label keys and values must match in order for a firewall to be controlled by this deployment.
	// If selector is empty, it is defaulted to the labels present on the firewall template.
	Selector map[string]string `json:"selector,omitempty"`
	// Template is the firewall spec used for creating the firewalls.
	Template FirewallTemplateSpec `json:"template"`
}
FirewallDeploymentSpec specifies the firewall deployment.
func (*FirewallDeploymentSpec) DeepCopy ¶
func (in *FirewallDeploymentSpec) DeepCopy() *FirewallDeploymentSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeploymentSpec.
func (*FirewallDeploymentSpec) DeepCopyInto ¶
func (in *FirewallDeploymentSpec) DeepCopyInto(out *FirewallDeploymentSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallDeploymentStatus ¶
// FirewallDeploymentStatus contains current status information on the firewall deployment.
type FirewallDeploymentStatus struct {
	// TargetReplicas is the amount of firewall replicas targeted to be running.
	TargetReplicas int `json:"targetReplicas"`
	// ProgressingReplicas is the amount of firewall replicas that are currently progressing in the latest managed firewall set.
	ProgressingReplicas int `json:"progressingReplicas"`
	// ReadyReplicas is the amount of firewall replicas that are currently ready in the latest managed firewall set.
	ReadyReplicas int `json:"readyReplicas"`
	// UnhealthyReplicas is the amount of firewall replicas that are currently unhealthy in the latest managed firewall set.
	UnhealthyReplicas int `json:"unhealthyReplicas"`
	// ObservedRevision is a counter that increases with each firewall set roll that was made.
	ObservedRevision int `json:"observedRevision"`
	// Conditions contain the latest available observations of a firewall deployment's current state.
	Conditions Conditions `json:"conditions"`
}
FirewallDeploymentStatus contains current status information on the firewall deployment.
func (*FirewallDeploymentStatus) DeepCopy ¶
func (in *FirewallDeploymentStatus) DeepCopy() *FirewallDeploymentStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallDeploymentStatus.
func (*FirewallDeploymentStatus) DeepCopyInto ¶
func (in *FirewallDeploymentStatus) DeepCopyInto(out *FirewallDeploymentStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallDistance ¶ added in v0.2.0
// FirewallDistance defines the as-path length of a firewall, i.e. how strongly it attracts network traffic
// in and out of the cluster. Valid values range from FirewallShortestDistance to FirewallLongestDistance.
type FirewallDistance uint8
FirewallDistance defines the as-path length of firewalls, influencing how strongly they attract network traffic for routing traffic in and out of the cluster. This is of particular interest during rolling firewall updates, i.e. when there is more than a single firewall running in front of the cluster. During a rolling update, new firewalls start with a longer distance such that traffic is only attracted by the existing firewalls ("firewall staging"). When the new firewall has connected successfully to the firewall monitor, the deployment controller throws away the old firewalls and the new firewall takes over the routing. The deployment controller will then shorten the distance of the new firewall. This approach reduces service interruption of the external user traffic of the cluster (for firewall-controller versions that support this feature).
func (FirewallDistance) Pointer ¶ added in v0.2.0
func (f FirewallDistance) Pointer() *FirewallDistance
type FirewallList ¶
// FirewallList contains a list of firewalls.
type FirewallList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items contains the list items.
	Items []Firewall `json:"items"`
}
FirewallList contains a list of firewalls
+kubebuilder:object:root=true
func (*FirewallList) DeepCopy ¶
func (in *FirewallList) DeepCopy() *FirewallList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallList.
func (*FirewallList) DeepCopyInto ¶
func (in *FirewallList) DeepCopyInto(out *FirewallList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallList) DeepCopyObject ¶
func (in *FirewallList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*FirewallList) GetItems ¶
func (f *FirewallList) GetItems() []*Firewall
type FirewallMonitor ¶
// FirewallMonitor is the representation of a firewall that is deployed into the shoot cluster,
// unlike the other resources of this controller which live in the seed cluster's shoot namespace.
// It carries a subset of the firewall's spec plus the machine and controller status for the firewall-controller to reconcile.
type FirewallMonitor struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Size is the machine size of the firewall.
	Size string `json:"size"`
	// Image is the os image of the firewall.
	Image string `json:"image"`
	// Partition is the partition in which the firewall resides.
	Partition string `json:"partition"`
	// Project is the project in which the firewall resides.
	Project string `json:"project"`
	// Networks are the networks to which this firewall is connected.
	Networks []string `json:"networks"`
	// RateLimits allows configuration of rate limit rules for interfaces.
	RateLimits []RateLimit `json:"rateLimits,omitempty"`
	// EgressRules contains egress rules configured for this firewall.
	EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
	// LogAcceptedConnections if set to true, also log accepted connections in the droptailer log.
	LogAcceptedConnections bool `json:"logAcceptedConnections,omitempty"`

	// MachineStatus holds the status of the firewall machine
	MachineStatus *MachineStatus `json:"machineStatus,omitempty"`
	// ControllerStatus holds the status of the firewall-controller reconciling this firewall
	ControllerStatus *ControllerStatus `json:"controllerStatus,omitempty"`
	// Conditions contain the latest available observations of a firewall's current state.
	Conditions Conditions `json:"conditions"`
}
+kubebuilder:object:root=true +kubebuilder:resource:shortName=fwmon +kubebuilder:printcolumn:name="Machine ID",type="string",JSONPath=".machineStatus.machineID" +kubebuilder:printcolumn:name="Image",type="string",JSONPath=".image" +kubebuilder:printcolumn:name="Size",type="string",JSONPath=".size" +kubebuilder:printcolumn:name="Last Event",type="string",JSONPath=".machineStatus.lastEvent.event" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".machineStatus.allocationTimestamp"
FirewallMonitor is typically deployed into the shoot cluster, unlike the other resources of this controller, which are deployed into the seed cluster's shoot namespace.
func (*FirewallMonitor) DeepCopy ¶
func (in *FirewallMonitor) DeepCopy() *FirewallMonitor
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallMonitor.
func (*FirewallMonitor) DeepCopyInto ¶
func (in *FirewallMonitor) DeepCopyInto(out *FirewallMonitor)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallMonitor) DeepCopyObject ¶
func (in *FirewallMonitor) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FirewallMonitorList ¶
// FirewallMonitorList contains a list of firewall monitors.
type FirewallMonitorList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items contains the list items.
	Items []FirewallMonitor `json:"items"`
}
+kubebuilder:object:root=true
func (*FirewallMonitorList) DeepCopy ¶
func (in *FirewallMonitorList) DeepCopy() *FirewallMonitorList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallMonitorList.
func (*FirewallMonitorList) DeepCopyInto ¶
func (in *FirewallMonitorList) DeepCopyInto(out *FirewallMonitorList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallMonitorList) DeepCopyObject ¶
func (in *FirewallMonitorList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*FirewallMonitorList) GetItems ¶
func (f *FirewallMonitorList) GetItems() []*FirewallMonitor
type FirewallNetwork ¶
// FirewallNetwork holds refined information about a network that the firewall is connected to.
// The information is used by the firewall-controller in order to reconcile the firewall.
// All scalar fields are pointers, so a missing value is distinguishable from a zero value.
type FirewallNetwork struct {
	// ASN is the autonomous system number of this network.
	ASN *int64 `json:"asn"`
	// DestinationPrefixes are the destination prefixes of this network.
	DestinationPrefixes []string `json:"destinationPrefixes"`
	// IPs are the ip addresses used in this network.
	IPs []string `json:"ips"`
	// Nat specifies whether the outgoing traffic is natted or not.
	Nat *bool `json:"nat"`
	// NetworkID is the id of this network.
	NetworkID *string `json:"networkID"`
	// NetworkType is the type of this network.
	NetworkType *string `json:"networkType"`
	// Prefixes are the network prefixes of this network.
	Prefixes []string `json:"prefixes"`
	// Vrf is vrf id of this network.
	Vrf *int64 `json:"vrf"`
}
FirewallNetwork holds refined information about a network that the firewall is connected to. The information is used by the firewall-controller in order to reconcile the firewall.
func (*FirewallNetwork) DeepCopy ¶
func (in *FirewallNetwork) DeepCopy() *FirewallNetwork
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallNetwork.
func (*FirewallNetwork) DeepCopyInto ¶
func (in *FirewallNetwork) DeepCopyInto(out *FirewallNetwork)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallPhase ¶
// FirewallPhase describes the firewall phase at the current time; see the FirewallPhase* constants.
type FirewallPhase string
FirewallPhase describes the firewall phase at the current time.
const (
	// FirewallPhaseCreating means the firewall is currently being created.
	FirewallPhaseCreating FirewallPhase = "Creating"
	// FirewallPhaseRunning means the firewall is currently running.
	FirewallPhaseRunning FirewallPhase = "Running"
	// FirewallPhaseCrashing means the firewall is currently in a provisioning crashloop.
	FirewallPhaseCrashing FirewallPhase = "Crashing"
)
type FirewallSet ¶
// FirewallSet contains the spec template of a firewall resource similar to a Kubernetes ReplicaSet
// and takes care that the desired amount of firewall replicas is running.
type FirewallSet struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall set specification.
	Spec FirewallSetSpec `json:"spec,omitempty"`
	// Status contains current status information on the firewall set.
	Status FirewallSetStatus `json:"status,omitempty"`
}
FirewallSet contains the spec template of a firewall resource similar to a Kubernetes ReplicaSet and takes care that the desired amount of firewall replicas is running.
+kubebuilder:object:root=true +kubebuilder:resource:shortName=fwset +kubebuilder:subresource:status +kubebuilder:subresource:scale:specpath=.spec.replicas,statuspath=.status.readyReplicas +kubebuilder:printcolumn:name="Replicas",type=integer,JSONPath=`.spec.replicas` +kubebuilder:printcolumn:name="Ready",type=integer,JSONPath=`.status.readyReplicas` +kubebuilder:printcolumn:name="Progressing",type=integer,JSONPath=`.status.progressingReplicas` +kubebuilder:printcolumn:name="Unhealthy",type=integer,JSONPath=`.status.unhealthyReplicas` +kubebuilder:printcolumn:name="Distance",type="string",priority=1,JSONPath=".spec.distance" +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
func (*FirewallSet) DeepCopy ¶
func (in *FirewallSet) DeepCopy() *FirewallSet
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSet.
func (*FirewallSet) DeepCopyInto ¶
func (in *FirewallSet) DeepCopyInto(out *FirewallSet)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallSet) DeepCopyObject ¶
func (in *FirewallSet) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FirewallSetList ¶
// FirewallSetList contains a list of firewall sets.
type FirewallSetList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`

	// Items contains the list items.
	Items []FirewallSet `json:"items"`
}
FirewallSetList contains a list of firewall sets.
+kubebuilder:object:root=true
func (*FirewallSetList) DeepCopy ¶
func (in *FirewallSetList) DeepCopy() *FirewallSetList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSetList.
func (*FirewallSetList) DeepCopyInto ¶
func (in *FirewallSetList) DeepCopyInto(out *FirewallSetList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallSetList) DeepCopyObject ¶
func (in *FirewallSetList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*FirewallSetList) GetItems ¶
func (f *FirewallSetList) GetItems() []*FirewallSet
type FirewallSetSpec ¶
// FirewallSetSpec specifies the firewall set.
type FirewallSetSpec struct {
	// Replicas is the amount of firewall replicas targeted to be running.
	Replicas int `json:"replicas"`

	// Selector is a label query over firewalls that should match the replicas count.
	// Label keys and values must match in order for a firewall to be controlled by this set.
	// If the selector is empty, it is defaulted to the labels present on the firewall template.
	Selector map[string]string `json:"selector,omitempty"`

	// Template is the firewall spec used for creating the firewalls.
	Template FirewallTemplateSpec `json:"template"`

	// Distance defines the as-path length of the firewalls.
	// This field is typically orchestrated by the deployment controller.
	Distance FirewallDistance `json:"distance"`
}
FirewallSetSpec specifies the firewall set.
func (*FirewallSetSpec) DeepCopy ¶
func (in *FirewallSetSpec) DeepCopy() *FirewallSetSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSetSpec.
func (*FirewallSetSpec) DeepCopyInto ¶
func (in *FirewallSetSpec) DeepCopyInto(out *FirewallSetSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallSetStatus ¶
// FirewallSetStatus contains the observed replica counts of a firewall set.
type FirewallSetStatus struct {
	// TargetReplicas is the amount of firewall replicas targeted to be running.
	TargetReplicas int `json:"targetReplicas"`

	// ProgressingReplicas is the amount of firewall replicas that are currently progressing in the latest managed firewall set.
	ProgressingReplicas int `json:"progressingReplicas"`

	// ReadyReplicas is the amount of firewall replicas that are currently ready in the latest managed firewall set.
	ReadyReplicas int `json:"readyReplicas"`

	// UnhealthyReplicas is the amount of firewall replicas that are currently unhealthy in the latest managed firewall set.
	UnhealthyReplicas int `json:"unhealthyReplicas"`

	// ObservedRevision is a counter that increases with each firewall set roll that was made.
	ObservedRevision int `json:"observedRevision"`
}
func (*FirewallSetStatus) DeepCopy ¶
func (in *FirewallSetStatus) DeepCopy() *FirewallSetStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSetStatus.
func (*FirewallSetStatus) DeepCopyInto ¶
func (in *FirewallSetStatus) DeepCopyInto(out *FirewallSetStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallSpec ¶
// FirewallSpec defines parameters for the firewall creation along with configuration for the firewall-controller.
type FirewallSpec struct {
	// Size is the machine size of the firewall.
	// An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
	Size string `json:"size"`

	// Image is the os image of the firewall.
	// An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
	Image string `json:"image"`

	// Partition is the partition in which the firewall resides.
	Partition string `json:"partition"`

	// Project is the project in which the firewall resides.
	Project string `json:"project"`

	// Networks are the networks to which this firewall is connected.
	// An update on this field requires the recreation of the physical firewall and can therefore lead to traffic interruption for the cluster.
	// Detailed information about the networks is fetched continuously during runtime and stored in status.firewallNetworks.
	Networks []string `json:"networks"`

	// Userdata contains the userdata used for the creation of the firewall.
	// It gets defaulted to a userdata matching the firewall-controller with connection to the Gardener shoot and seed.
	Userdata string `json:"userdata,omitempty"`

	// SSHPublicKeys are public keys which are added to the firewall's authorized keys file on creation.
	// It gets defaulted to the public key of the ssh secret as provided by the controller flags.
	// Every key listed here grants interactive access to the firewall machine; keep the list minimal.
	SSHPublicKeys []string `json:"sshPublicKeys,omitempty"`

	// RateLimits allows configuration of rate limit rules for interfaces.
	RateLimits []RateLimit `json:"rateLimits,omitempty"`

	// InternalPrefixes specify prefixes which are considered local to the partition or all regions. This is used for the traffic counters.
	// Traffic to/from these prefixes is counted as internal traffic.
	InternalPrefixes []string `json:"internalPrefixes,omitempty"`

	// EgressRules contains egress rules configured for this firewall.
	EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`

	// Interval on which rule reconciliation by the firewall-controller should happen.
	Interval string `json:"interval,omitempty"`

	// DryRun if set to true, firewall rules are not applied. For devel-purposes only.
	// NOTE(review): with DryRun enabled the firewall enforces nothing; this must not be set on production firewalls.
	DryRun bool `json:"dryRun,omitempty"`

	// Ipv4RuleFile defines where to store the generated ipv4 firewall rules on disk.
	Ipv4RuleFile string `json:"ipv4RuleFile,omitempty"`

	// ControllerVersion holds the firewall-controller version to reconcile.
	ControllerVersion string `json:"controllerVersion,omitempty"`

	// ControllerURL points to the downloadable binary artifact of the firewall controller.
	// NOTE(review): this is a mutable download location for a binary that runs on the firewall; how the fetched
	// artifact is integrity-checked (signature/checksum) is not visible here — confirm in the firewall-controller.
	ControllerURL string `json:"controllerURL,omitempty"`

	// NftablesExporterVersion holds the nftables exporter version to reconcile.
	NftablesExporterVersion string `json:"nftablesExporterVersion,omitempty"`

	// NftablesExporterURL points to the downloadable binary artifact of the nftables exporter.
	// NOTE(review): same integrity consideration as ControllerURL — confirm how the download is verified.
	NftablesExporterURL string `json:"nftablesExporterURL,omitempty"`

	// LogAcceptedConnections if set to true, also log accepted connections in the droptailer log.
	LogAcceptedConnections bool `json:"logAcceptedConnections,omitempty"`

	// DNSServerAddress specifies the DNS server address used by the DNS proxy.
	DNSServerAddress string `json:"dnsServerAddress,omitempty"`

	// DNSPort specifies the port to which the DNS proxy should be bound.
	DNSPort *uint `json:"dnsPort,omitempty"`
}
FirewallSpec defines parameters for the firewall creation along with configuration for the firewall-controller.
func (*FirewallSpec) DeepCopy ¶
func (in *FirewallSpec) DeepCopy() *FirewallSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSpec.
func (*FirewallSpec) DeepCopyInto ¶
func (in *FirewallSpec) DeepCopyInto(out *FirewallSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallStats ¶
// FirewallStats contains firewall statistics.
type FirewallStats struct {
	// RuleStats holds rule statistics grouped by action.
	RuleStats RuleStatsByAction `json:"rules"`
	// DeviceStats holds per-device statistics.
	DeviceStats DeviceStatsByDevice `json:"devices"`
	// IDSStats holds per-device IDS statistics.
	IDSStats IDSStatsByDevice `json:"idsStats"`
}
FirewallStats contains firewall statistics
func (*FirewallStats) DeepCopy ¶
func (in *FirewallStats) DeepCopy() *FirewallStats
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallStats.
func (*FirewallStats) DeepCopyInto ¶
func (in *FirewallStats) DeepCopyInto(out *FirewallStats)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallStatus ¶
// FirewallStatus contains current status information on the firewall.
type FirewallStatus struct {
	// MachineStatus holds the status of the firewall machine containing information from the metal-stack api.
	MachineStatus *MachineStatus `json:"machineStatus,omitempty"`

	// ControllerStatus holds a brief version of the firewall-controller reconciling this firewall.
	// The firewall-controller itself has only read-access to resources in the seed, including the firewall status
	// inside the firewall resource. This will be updated by the firewall monitor controller.
	ControllerStatus *ControllerConnection `json:"controllerStatus,omitempty"`

	// FirewallNetworks holds refined information about the networks that this firewall is connected to.
	// The information is used by the firewall-controller in order to reconcile this firewall.
	// See .spec.networks.
	FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"`

	// Conditions contain the latest available observations of a firewall's current state.
	Conditions Conditions `json:"conditions"`

	// Phase describes the firewall phase at the current time.
	Phase FirewallPhase `json:"phase"`

	// ShootAccess contains references to construct shoot clients.
	// It holds secret names only, never the secret material itself.
	ShootAccess *ShootAccess `json:"shootAccess,omitempty"`
}
FirewallStatus contains current status information on the firewall.
func (*FirewallStatus) DeepCopy ¶
func (in *FirewallStatus) DeepCopy() *FirewallStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallStatus.
func (*FirewallStatus) DeepCopyInto ¶
func (in *FirewallStatus) DeepCopyInto(out *FirewallStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallTemplateSpec ¶
// FirewallTemplateSpec describes the data a firewall should have when created from a template.
type FirewallTemplateSpec struct {
	// Metadata of the firewalls created from this template.
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains the firewall specification.
	Spec FirewallSpec `json:"spec,omitempty"`
}
FirewallTemplateSpec describes the data a firewall should have when created from a template
func (*FirewallTemplateSpec) DeepCopy ¶
func (in *FirewallTemplateSpec) DeepCopy() *FirewallTemplateSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallTemplateSpec.
func (*FirewallTemplateSpec) DeepCopyInto ¶
func (in *FirewallTemplateSpec) DeepCopyInto(out *FirewallTemplateSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallUpdateStrategy ¶
// FirewallUpdateStrategy describes the strategy how firewalls are updated in case the update requires a physical recreation of the firewalls.
type FirewallUpdateStrategy string
FirewallUpdateStrategy describes the strategy how firewalls are updated in case the update requires a physical recreation of the firewalls.
const (
	// StrategyRollingUpdate first creates a new firewall set, waits until it is ready and then removes the old one.
	StrategyRollingUpdate FirewallUpdateStrategy = "RollingUpdate"

	// StrategyRecreate removes the old firewall set and then creates a new one.
	// Unlike StrategyRollingUpdate, there is a window in which no firewall is running.
	StrategyRecreate FirewallUpdateStrategy = "Recreate"
)
type IDSStatsByDevice ¶
// IDSStatsByDevice maps a device name to its IDS interface statistics.
type IDSStatsByDevice map[string]InterfaceStat
func (IDSStatsByDevice) DeepCopy ¶
func (in IDSStatsByDevice) DeepCopy() IDSStatsByDevice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDSStatsByDevice.
func (IDSStatsByDevice) DeepCopyInto ¶
func (in IDSStatsByDevice) DeepCopyInto(out *IDSStatsByDevice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type InterfaceStat ¶
// InterfaceStat holds IDS counters for a single interface.
type InterfaceStat struct {
	// Drop is the drop counter of the interface.
	Drop int `json:"drop"`
	// InvalidChecksums is the counter of packets with invalid checksums.
	InvalidChecksums int `json:"invalidChecksums"`
	// Packets is the packet counter of the interface.
	Packets int `json:"packets"`
}
func (*InterfaceStat) DeepCopy ¶
func (in *InterfaceStat) DeepCopy() *InterfaceStat
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InterfaceStat.
func (*InterfaceStat) DeepCopyInto ¶
func (in *InterfaceStat) DeepCopyInto(out *InterfaceStat)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MachineLastEvent ¶
// MachineLastEvent contains the last provisioning event of the machine.
type MachineLastEvent struct {
	// Event is the provisioning event.
	Event string `json:"event"`

	// Timestamp is the point in time when the provisioning event was received.
	Timestamp metav1.Time `json:"timestamp"`

	// Message contains a message further describing the event.
	Message string `json:"message"`
}
MachineLastEvent contains the last provisioning event of the machine.
func (*MachineLastEvent) DeepCopy ¶
func (in *MachineLastEvent) DeepCopy() *MachineLastEvent
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineLastEvent.
func (*MachineLastEvent) DeepCopyInto ¶
func (in *MachineLastEvent) DeepCopyInto(out *MachineLastEvent)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type MachineStatus ¶
// MachineStatus holds the status of the firewall machine containing information from the metal-stack api.
type MachineStatus struct {
	// MachineID is the id of the firewall in the metal-stack api.
	MachineID string `json:"machineID"`

	// AllocationTimestamp is the timestamp when the machine was allocated.
	AllocationTimestamp metav1.Time `json:"allocationTimestamp"`

	// Liveliness expresses the liveliness of the firewall and can be used to determine the general health state of the machine.
	Liveliness string `json:"liveliness"`

	// CrashLoop can occur during provisioning of the firewall causing the firewall not to get ready.
	CrashLoop bool `json:"crashLoop,omitempty"`

	// LastEvent contains the last provisioning event of the machine.
	LastEvent *MachineLastEvent `json:"lastEvent,omitempty"`
}
MachineStatus holds the status of the firewall machine containing information from the metal-stack api.
func (*MachineStatus) DeepCopy ¶
func (in *MachineStatus) DeepCopy() *MachineStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new MachineStatus.
func (*MachineStatus) DeepCopyInto ¶
func (in *MachineStatus) DeepCopyInto(out *MachineStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RateLimit ¶
// RateLimit contains the rate limit rule for a network.
type RateLimit struct {
	// NetworkID specifies the network which should be rate limited.
	NetworkID string `json:"networkID"`

	// Rate is the input rate in MiB/s.
	Rate uint32 `json:"rate"`
}
RateLimit contains the rate limit rule for a network.
func (*RateLimit) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimit.
func (*RateLimit) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleStat ¶
// RuleStat contains the statistics for a single nftables rule.
type RuleStat struct {
	// Counter holds the counter values recorded for the rule.
	Counter Counter `json:"counter"`
}
RuleStat contains the statistics for a single nftables rule
func (*RuleStat) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStat.
func (*RuleStat) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleStats ¶
RuleStats contains firewall rule statistics of all rules of an action
func (RuleStats) DeepCopy ¶
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStats.
func (RuleStats) DeepCopyInto ¶
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleStatsByAction ¶
RuleStatsByAction contains firewall rule statistics grouped by action, e.g. accept, drop, policy, masquerade.
func (RuleStatsByAction) DeepCopy ¶
func (in RuleStatsByAction) DeepCopy() RuleStatsByAction
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatsByAction.
func (RuleStatsByAction) DeepCopyInto ¶
func (in RuleStatsByAction) DeepCopyInto(out *RuleStatsByAction)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ShootAccess ¶
// ShootAccess contains secret references to construct a shoot client in the firewall-controller to update its firewall monitor.
// Only secret names and a namespace are stored here; the secret contents themselves are not part of the firewall resource.
type ShootAccess struct {
	// GenericKubeconfigSecretName is the secret name of the generic kubeconfig secret deployed by Gardener
	// to be used as a template for constructing a shoot client.
	GenericKubeconfigSecretName string `json:"genericKubeconfigSecretName"`

	// TokenSecretName is the secret name for the access token for shoot access.
	TokenSecretName string `json:"tokenSecretName"`

	// Namespace is the namespace in the seed where the secrets reside.
	Namespace string `json:"namespace"`

	// APIServerURL is the URL of the shoot's API server.
	APIServerURL string `json:"apiServerURL"`
}
ShootAccess contains secret references to construct a shoot client in the firewall-controller to update its firewall monitor.
The controller has to be aware that Gardener rotates these secrets on a regular basis, so it has to exchange the client when the access expires.
func (*ShootAccess) DeepCopy ¶
func (in *ShootAccess) DeepCopy() *ShootAccess
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ShootAccess.
func (*ShootAccess) DeepCopyInto ¶
func (in *ShootAccess) DeepCopyInto(out *ShootAccess)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.