Documentation
Overview

Package v1 contains API Schema definitions for the firewall v1 API group
+kubebuilder:object:generate=true
+groupName=metal-stack.io

Index
- Constants
- Variables
- type ClusterwideNetworkPolicy
- type ClusterwideNetworkPolicyList
- func (in *ClusterwideNetworkPolicyList) DeepCopy() *ClusterwideNetworkPolicyList
- func (in *ClusterwideNetworkPolicyList) DeepCopyInto(out *ClusterwideNetworkPolicyList)
- func (in *ClusterwideNetworkPolicyList) DeepCopyObject() runtime.Object
- func (l *ClusterwideNetworkPolicyList) GetFQDNs() []FQDNSelector
- type EgressRule
- type FQDNSelector
- type FQDNState
- type IPSet
- type IPVersion
- type IngressRule
- type PolicyDeploymentState
- type PolicySpec
- type PolicyStatus
Constants

const (
	// PolicyDeploymentStateDeployed the CWNP was deployed to a native nftable rule
	PolicyDeploymentStateDeployed = PolicyDeploymentState("deployed")
	// PolicyDeploymentStateIgnored the CWNP was not deployed to a native nftable rule because it is outside of allowed networks
	PolicyDeploymentStateIgnored = PolicyDeploymentState("ignored")
)

Variables

var (
	// GroupVersion is group version used to register these objects
	GroupVersion = schema.GroupVersion{Group: "metal-stack.io", Version: "v1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)

Functions

This section is empty.

Types

type ClusterwideNetworkPolicy

type ClusterwideNetworkPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	Spec   PolicySpec   `json:"spec,omitempty"`
	Status PolicyStatus `json:"status,omitempty"`
}

ClusterwideNetworkPolicy contains the desired state for a cluster wide network policy to be applied.
+kubebuilder:object:root=true
+kubebuilder:resource:shortName=cwnp
+kubebuilder:subresource:status
+kubebuilder:printcolumn:name="Status",type="string",JSONPath=".status.state"
+kubebuilder:printcolumn:name="Message",type="string",JSONPath=".status.message"
func (*ClusterwideNetworkPolicy) DeepCopy

func (in *ClusterwideNetworkPolicy) DeepCopy() *ClusterwideNetworkPolicy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterwideNetworkPolicy.

func (*ClusterwideNetworkPolicy) DeepCopyInto

func (in *ClusterwideNetworkPolicy) DeepCopyInto(out *ClusterwideNetworkPolicy)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterwideNetworkPolicy) DeepCopyObject

func (in *ClusterwideNetworkPolicy) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

type ClusterwideNetworkPolicyList

type ClusterwideNetworkPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []ClusterwideNetworkPolicy `json:"items"`
}

ClusterwideNetworkPolicyList contains a list of ClusterwideNetworkPolicy
+kubebuilder:object:root=true
func (*ClusterwideNetworkPolicyList) DeepCopy

func (in *ClusterwideNetworkPolicyList) DeepCopy() *ClusterwideNetworkPolicyList

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterwideNetworkPolicyList.

func (*ClusterwideNetworkPolicyList) DeepCopyInto

func (in *ClusterwideNetworkPolicyList) DeepCopyInto(out *ClusterwideNetworkPolicyList)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*ClusterwideNetworkPolicyList) DeepCopyObject

func (in *ClusterwideNetworkPolicyList) DeepCopyObject() runtime.Object

DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.

func (*ClusterwideNetworkPolicyList) GetFQDNs

func (l *ClusterwideNetworkPolicyList) GetFQDNs() []FQDNSelector

type EgressRule

type EgressRule struct {
	// List of destination ports for outgoing traffic.
	// Each item in this list is combined using a logical OR. If this field is
	// empty or missing, this rule matches all ports (traffic not restricted by port).
	// If this field is present and contains at least one item, then this rule allows
	// traffic only if the traffic matches at least one port in the list.
	// +optional
	Ports []networking.NetworkPolicyPort `json:"ports,omitempty"`

	// List of destinations for outgoing traffic of a cluster for this rule.
	// Items in this list are combined using a logical OR operation. If this field is
	// empty or missing, this rule matches all destinations (traffic not restricted by
	// destination). If this field is present and contains at least one item, this rule
	// allows traffic only if the traffic matches at least one item in the to list.
	// To rules can't contain ToFQDNs rules.
	// +optional
	To []networking.IPBlock `json:"to,omitempty"`

	// List of FQDNs (fully qualified domain names) for outgoing traffic of a cluster for this rule.
	// Items in this list are combined using a logical OR operation. This field is used as
	// whitelist for DNS names. If none specified, no rule will be applied.
	// ToFQDNs rules can't contain To rules.
	// +optional
	ToFQDNs []FQDNSelector `json:"toFQDNs,omitempty"`
}
EgressRule describes a particular set of traffic that is allowed out of the cluster. The traffic must match both ports and to.
func (*EgressRule) DeepCopy

func (in *EgressRule) DeepCopy() *EgressRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRule.

func (*EgressRule) DeepCopyInto

func (in *EgressRule) DeepCopyInto(out *EgressRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type FQDNSelector

type FQDNSelector struct {
	// MatchName matches FQDN.
	// +kubebuilder:validation:Pattern=`^([-a-zA-Z0-9_]+[.]?)+$`
	MatchName string `json:"matchName,omitempty"`

	// MatchPattern allows using "*" to match DNS names.
	// "*" matches 0 or more valid characters.
	// +kubebuilder:validation:Pattern=`^([-a-zA-Z0-9_*]+[.]?)+$`
	MatchPattern string `json:"matchPattern,omitempty"`
}
FQDNSelector describes rules for matching DNS names.
func (*FQDNSelector) DeepCopy

func (in *FQDNSelector) DeepCopy() *FQDNSelector

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNSelector.

func (*FQDNSelector) DeepCopyInto

func (in *FQDNSelector) DeepCopyInto(out *FQDNSelector)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*FQDNSelector) GetMatchName

func (s *FQDNSelector) GetMatchName() string

func (*FQDNSelector) GetName

func (s *FQDNSelector) GetName() string

func (*FQDNSelector) GetRegex

func (s *FQDNSelector) GetRegex() string

GetRegex converts a MatchPattern into a regexp string.
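As an added illustration of the selector rules above (example code, not the firewall-controller's own implementation): the two CRD validation patterns quoted in the FQDNSelector fields, a MatchPattern-to-regexp converter in the spirit of GetRegex, and a matcher. The wildcard expansion is this example's reading of '"*" matches 0 or more valid characters', taking the valid characters to be the label class from the CRD pattern, so a wildcard never crosses a dot; the controller's real GetRegex may expand "*" more broadly, so check its source before relying on that single-label behaviour. Requiring exactly one of matchName/matchPattern, lower-casing, and stripping a trailing dot are assumptions of the example.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// fqdnSelector mirrors the two documented FQDNSelector fields. It is a local
// stand-in for this example, not the metal-stack type.
type fqdnSelector struct {
	MatchName    string
	MatchPattern string
}

// The CRD validation patterns quoted in the FQDNSelector field documentation.
var (
	matchNameRe    = regexp.MustCompile(`^([-a-zA-Z0-9_]+[.]?)+$`)
	matchPatternRe = regexp.MustCompile(`^([-a-zA-Z0-9_*]+[.]?)+$`)
)

// validateSelector applies the CRD patterns and, as an assumption of this
// example, requires exactly one of matchName / matchPattern, since the status
// map is keyed by whichever one is set.
func validateSelector(s fqdnSelector) error {
	switch {
	case s.MatchName == "" && s.MatchPattern == "":
		return fmt.Errorf("selector needs matchName or matchPattern")
	case s.MatchName != "" && s.MatchPattern != "":
		return fmt.Errorf("selector must not set both matchName and matchPattern")
	case s.MatchName != "" && !matchNameRe.MatchString(s.MatchName):
		return fmt.Errorf("matchName %q is not a valid FQDN", s.MatchName)
	case s.MatchPattern != "" && !matchPatternRe.MatchString(s.MatchPattern):
		return fmt.Errorf("matchPattern %q has characters outside the allowed set", s.MatchPattern)
	}
	return nil
}

// patternToRegex is this example's reading of GetRegex: "*" expands to zero or
// more label characters (the class the CRD pattern allows) and everything else
// is quoted so "." stays a literal dot. Because the class contains no ".", a
// wildcard never crosses a label boundary.
func patternToRegex(pattern string) string {
	parts := strings.Split(pattern, "*")
	for i, p := range parts {
		parts[i] = regexp.QuoteMeta(p)
	}
	return "^" + strings.Join(parts, `[-a-zA-Z0-9_]*`) + "$"
}

// normalize lower-cases a name and drops the trailing dot that DNS answers carry.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(name, "."))
}

// matches reports whether fqdn is selected: exact comparison for matchName,
// the derived regexp for matchPattern.
func matches(s fqdnSelector, fqdn string) (bool, error) {
	if err := validateSelector(s); err != nil {
		return false, err
	}
	name := normalize(fqdn)
	if s.MatchName != "" {
		return name == normalize(s.MatchName), nil
	}
	re, err := regexp.Compile(patternToRegex(normalize(s.MatchPattern)))
	if err != nil {
		return false, err
	}
	return re.MatchString(name), nil
}

func main() {
	sel := fqdnSelector{MatchPattern: "*.example.com"}
	// Constructed sample names: the apex and a deeper subdomain are not selected.
	for _, fqdn := range []string{"api.example.com.", "example.com", "api.evil.example.com"} {
		ok, err := matches(sel, fqdn)
		fmt.Printf("%-22s %v %v\n", fqdn, ok, err)
	}
}
```

With this reading, "*.example.com" selects "api.example.com" but neither the apex "example.com" nor "api.evil.example.com"; if the controller's GetRegex turns "*" into ".*", the latter is selected as well, which is the difference to verify when a pattern is meant to allow only one level of subdomain.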
type FQDNState

func (FQDNState) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNState.

func (FQDNState) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IPSet

type IPSet struct {
	FQDN           string      `json:"fqdn,omitempty"`
	SetName        string      `json:"setName,omitempty"`
	IPs            []string    `json:"ips,omitempty"`
	ExpirationTime metav1.Time `json:"expirationTime,omitempty"`
	Version        IPVersion   `json:"version,omitempty"`
}

IPSet stores set name association to IP addresses

func (*IPSet) DeepCopy

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IPSet.

func (*IPSet) DeepCopyInto

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type IngressRule

type IngressRule struct {
	// List of ports which should be made accessible on the cluster for this
	// rule. Each item in this list is combined using a logical OR. If this field is
	// empty or missing, this rule matches all ports (traffic not restricted by port).
	// If this field is present and contains at least one item, then this rule allows
	// traffic only if the traffic matches at least one port in the list.
	// +optional
	Ports []networking.NetworkPolicyPort `json:"ports,omitempty"`

	// List of sources which should be able to access the cluster for this rule.
	// Items in this list are combined using a logical OR operation. If this field is
	// empty or missing, this rule matches all sources (traffic not restricted by
	// source). If this field is present and contains at least one item, this rule
	// allows traffic only if the traffic matches at least one item in the from list.
	// +optional
	From []networking.IPBlock `json:"from,omitempty"`
}
IngressRule describes a particular set of traffic that is allowed to the cluster. The traffic must match both ports and from.
func (*IngressRule) DeepCopy

func (in *IngressRule) DeepCopy() *IngressRule

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRule.

func (*IngressRule) DeepCopyInto

func (in *IngressRule) DeepCopyInto(out *IngressRule)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

type PolicyDeploymentState (added in v2.3.0)

type PolicyDeploymentState string

PolicyDeploymentState describes the state of a CWNP deployment

type PolicySpec

type PolicySpec struct {
	// Description is a free form string, it can be used by the creator of
	// the rule to store human-readable explanation of the purpose of this
	// rule. Rules cannot be identified by comment.
	//
	// +optional
	Description string `json:"description,omitempty"`

	// List of ingress rules to be applied. Traffic is allowed to
	// a cluster if there is a ClusterwideNetworkPolicy that allows it, OR there is a service
	// exposed with type Loadbalancer. Clusters are isolated by default.
	// +optional
	Ingress []IngressRule `json:"ingress,omitempty"`

	// List of egress rules to be applied. Outgoing traffic is
	// allowed if there is a ClusterwideNetworkPolicy that allows it.
	// Clusters are isolated by default.
	// +optional
	Egress []EgressRule `json:"egress,omitempty"`
}
PolicySpec defines the rules to create for ingress and egress
func (*PolicySpec) DeepCopy

func (in *PolicySpec) DeepCopy() *PolicySpec

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.

func (*PolicySpec) DeepCopyInto

func (in *PolicySpec) DeepCopyInto(out *PolicySpec)

DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.

func (*PolicySpec) Validate

func (p *PolicySpec) Validate() error

Validate validates the spec of a ClusterwideNetworkPolicy

type PolicyStatus

type PolicyStatus struct {
	// FQDNState stores mapping from FQDN rules to nftables sets used for a firewall rule.
	// Key is either MatchName or MatchPattern
	// +optional
	FQDNState FQDNState `json:"fqdn_state,omitempty"`
	// State of the CWNP, can be either deployed or ignored
	State PolicyDeploymentState `json:"state,omitempty"`
	// Message describes why the state changed
	Message string `json:"message,omitempty"`
}
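The EgressRule matching semantics documented above (items of a list are ORed, an empty list matches everything, ports are ANDed with to) together with the Validate contract, as an added example that is not the project's own code. The types are simplified local stand-ins for PolicySpec, EgressRule, FQDNSelector and the Kubernetes IPBlock/NetworkPolicyPort fields they reference. The only constraint the page documents is that to and toFQDNs are mutually exclusive; the CIDR parsing check, treating an invalid spec as allowing nothing, and defaulting an unset protocol to TCP are assumptions of the example. FQDN rules are skipped because the controller resolves them into nftables IP sets at runtime.

```go
package main

import (
	"fmt"
	"net"
)

// Local stand-ins for EgressRule, PolicySpec, FQDNSelector and the Kubernetes
// IPBlock / NetworkPolicyPort fields they use; assumed and simplified for this example.
type ipBlock struct {
	CIDR   string
	Except []string
}
type policyPort struct {
	Protocol string // empty means TCP, as in Kubernetes
	Port     int32
}
type fqdnSelector struct{ MatchName, MatchPattern string }
type egressRule struct {
	Ports   []policyPort
	To      []ipBlock
	ToFQDNs []fqdnSelector
}
type policySpec struct{ Egress []egressRule }

// validateSpec plays the role of PolicySpec.Validate: the documented constraint is
// that an egress rule carries either to or toFQDNs, never both. Parsing every
// CIDR (including except entries) is an addition of this example.
func validateSpec(s policySpec) error {
	for i, r := range s.Egress {
		if len(r.To) > 0 && len(r.ToFQDNs) > 0 {
			return fmt.Errorf("egress[%d]: to and toFQDNs are mutually exclusive", i)
		}
		for _, b := range r.To {
			for _, c := range append([]string{b.CIDR}, b.Except...) {
				if _, _, err := net.ParseCIDR(c); err != nil {
					return fmt.Errorf("egress[%d]: %w", i, err)
				}
			}
		}
	}
	return nil
}

// portAllowed and blockAllowed implement the documented matching: an empty list
// matches everything, and the items of a list are combined with OR.
func portAllowed(ports []policyPort, proto string, port int32) bool {
	if len(ports) == 0 {
		return true // not restricted by port
	}
	for _, p := range ports {
		if (p.Protocol == proto || (p.Protocol == "" && proto == "TCP")) && p.Port == port {
			return true
		}
	}
	return false
}

func blockAllowed(blocks []ipBlock, ip net.IP) bool {
	if len(blocks) == 0 {
		return true // not restricted by destination
	}
	for _, b := range blocks {
		if inAny([]string{b.CIDR}, ip) && !inAny(b.Except, ip) {
			return true
		}
	}
	return false
}

// inAny reports whether ip falls inside one of the given CIDRs.
func inAny(cidrs []string, ip net.IP) bool {
	for _, c := range cidrs {
		if _, n, err := net.ParseCIDR(c); err == nil && n.Contains(ip) {
			return true
		}
	}
	return false
}

// egressAllowed ANDs ports with to inside one rule and ORs across rules, as the
// EgressRule documentation states; an invalid spec allows nothing (assumption).
func egressAllowed(s policySpec, dst, proto string, port int32) bool {
	ip := net.ParseIP(dst)
	if ip == nil || validateSpec(s) != nil {
		return false
	}
	for _, r := range s.Egress {
		if len(r.ToFQDNs) == 0 && portAllowed(r.Ports, proto, port) && blockAllowed(r.To, ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample policy: HTTPS to a documentation-range block, one host carved out.
	spec := policySpec{Egress: []egressRule{{Ports: []policyPort{{Port: 443}}, To: []ipBlock{{CIDR: "203.0.113.0/24", Except: []string{"203.0.113.250/32"}}}}}}
	fmt.Println(validateSpec(spec), egressAllowed(spec, "203.0.113.10", "TCP", 443), egressAllowed(spec, "203.0.113.250", "TCP", 443))
}
```

The except check is the one worth exercising before a policy ships: a broad to block with an except entry meant to carve out a sensitive address must yield false for that address, and a rule that sets both to and toFQDNs must be rejected rather than silently treated as either one.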
PolicyStatus defines the observed state for CWNP resource
func (*PolicyStatus) DeepCopy

func (in *PolicyStatus) DeepCopy() *PolicyStatus

DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicyStatus.

func (*PolicyStatus) DeepCopyInto
func (in *PolicyStatus) DeepCopyInto(out *PolicyStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.