Documentation
Overview
Package v1 contains API Schema definitions for the firewall v1 API group.
+kubebuilder:object:generate=true
+groupName=metal-stack.io
Index
- Constants
- Variables
- type ClusterwideNetworkPolicy
- type ClusterwideNetworkPolicyList
- type Counter
- type Data
- type DeviceStat
- type DeviceStatsByDevice
- type EgressRule
- type EgressRuleSNAT
- type Firewall
- type FirewallList
- type FirewallNetwork
- type FirewallSpec
- type FirewallStats
- type FirewallStatus
- type IDSStatsByDevice
- type IngressRule
- type InterfaceStat
- type PolicySpec
- type RateLimit
- type RuleStat
- type RuleStats
- type RuleStatsByAction
Constants
const (
    // ClusterwideNetworkPolicyNamespace defines the namespace in which CNWPs are expected.
    ClusterwideNetworkPolicyNamespace = "firewall"
)
Variables
var (
    // GroupVersion is the group version used to register these objects
    GroupVersion = schema.GroupVersion{Group: "metal-stack.io", Version: "v1"}
    // SchemeBuilder is used to add go types to the GroupVersionKind scheme
    SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
    // AddToScheme adds the types in this group-version to the given scheme.
    AddToScheme = SchemeBuilder.AddToScheme
)
Functions
This section is empty.
Types
type ClusterwideNetworkPolicy
type ClusterwideNetworkPolicy struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`
    Spec PolicySpec `json:"spec,omitempty"`
}
ClusterwideNetworkPolicy contains the desired state for a cluster-wide network policy to be applied.
+kubebuilder:object:root=true
+kubebuilder:resource:shortName=cwnp
+kubebuilder:subresource:status
func (*ClusterwideNetworkPolicy) DeepCopy
func (in *ClusterwideNetworkPolicy) DeepCopy() *ClusterwideNetworkPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterwideNetworkPolicy.
func (*ClusterwideNetworkPolicy) DeepCopyInto
func (in *ClusterwideNetworkPolicy) DeepCopyInto(out *ClusterwideNetworkPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterwideNetworkPolicy) DeepCopyObject
func (in *ClusterwideNetworkPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type ClusterwideNetworkPolicyList
type ClusterwideNetworkPolicyList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items []ClusterwideNetworkPolicy `json:"items"`
}
ClusterwideNetworkPolicyList contains a list of ClusterwideNetworkPolicy.
+kubebuilder:object:root=true
func (*ClusterwideNetworkPolicyList) DeepCopy
func (in *ClusterwideNetworkPolicyList) DeepCopy() *ClusterwideNetworkPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ClusterwideNetworkPolicyList.
func (*ClusterwideNetworkPolicyList) DeepCopyInto
func (in *ClusterwideNetworkPolicyList) DeepCopyInto(out *ClusterwideNetworkPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ClusterwideNetworkPolicyList) DeepCopyObject
func (in *ClusterwideNetworkPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type Counter
Counter holds the values of an nftables counter object.
func (*Counter) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Counter.
func (*Counter) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Data (added in v0.2.0)
type Data struct {
    // Interval on which rule reconciliation should happen
    Interval string `json:"interval,omitempty"`
    // DryRun if set to true, firewall rules are not applied
    DryRun bool `json:"dryrun,omitempty"`
    // Ipv4RuleFile defines where to store the generated ipv4 firewall rules on disk
    Ipv4RuleFile string `json:"ipv4rulefile,omitempty"`
    // RateLimits allows configuration of rate limit rules for interfaces.
    RateLimits []RateLimit `json:"rateLimits,omitempty"`
    // InternalPrefixes specify prefixes which are considered local to the partition or all regions.
    // Traffic to/from these prefixes is accounted as internal traffic
    // TODO: align to camel-case - rename to internalPrefixes
    InternalPrefixes []string `json:"internalprefixes,omitempty"`
    // EgressRules holds the Source-NAT rules for egress traffic
    EgressRules []EgressRuleSNAT `json:"egressRules,omitempty"`
    // FirewallNetworks holds the networks known at the metal-api for this firewall machine
    FirewallNetworks []FirewallNetwork `json:"firewallNetworks,omitempty"`
}
Data contains the fields over which the signature is calculated.
func (*Data) DeepCopy (added in v0.2.0)
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Data.
func (*Data) DeepCopyInto (added in v0.2.0)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DeviceStat
type DeviceStat struct {
    InBytes  uint64 `json:"in"`
    OutBytes uint64 `json:"out"`
    // Deprecated: TotalBytes is kept for backwards compatibility
    TotalBytes uint64 `json:"total"`
}
DeviceStat contains the statistics of a device.
func (*DeviceStat) DeepCopy
func (in *DeviceStat) DeepCopy() *DeviceStat
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceStat.
func (*DeviceStat) DeepCopyInto
func (in *DeviceStat) DeepCopyInto(out *DeviceStat)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DeviceStatsByDevice
type DeviceStatsByDevice map[string]DeviceStat
DeviceStatsByDevice contains device statistics grouped by device name.
func (DeviceStatsByDevice) DeepCopy
func (in DeviceStatsByDevice) DeepCopy() DeviceStatsByDevice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new DeviceStatsByDevice.
func (DeviceStatsByDevice) DeepCopyInto
func (in DeviceStatsByDevice) DeepCopyInto(out *DeviceStatsByDevice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EgressRule
type EgressRule struct {
    // List of destination ports for outgoing traffic.
    // Each item in this list is combined using a logical OR. If this field is
    // empty or missing, this rule matches all ports (traffic not restricted by port).
    // If this field is present and contains at least one item, then this rule allows
    // traffic only if the traffic matches at least one port in the list.
    // +optional
    Ports []networking.NetworkPolicyPort `json:"ports,omitempty"`
    // List of destinations for outgoing traffic of a cluster for this rule.
    // Items in this list are combined using a logical OR operation. If this field is
    // empty or missing, this rule matches all destinations (traffic not restricted by
    // destination). If this field is present and contains at least one item, this rule
    // allows traffic only if the traffic matches at least one item in the to list.
    // +optional
    To []networking.IPBlock `json:"to,omitempty"`
}
EgressRule describes a particular set of traffic that is allowed out of the cluster. The traffic must match both ports and to.
func (*EgressRule) DeepCopy
func (in *EgressRule) DeepCopy() *EgressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRule.
func (*EgressRule) DeepCopyInto
func (in *EgressRule) DeepCopyInto(out *EgressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EgressRuleSNAT (added in v0.2.0)
type EgressRuleSNAT struct {
    NetworkID string   `json:"networkid" yaml:"networkid"`
    IPs       []string `json:"ips" yaml:"ips"`
}
EgressRuleSNAT holds a Source-NAT rule.
func (*EgressRuleSNAT) DeepCopy (added in v0.2.0)
func (in *EgressRuleSNAT) DeepCopy() *EgressRuleSNAT
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRuleSNAT.
func (*EgressRuleSNAT) DeepCopyInto (added in v0.2.0)
func (in *EgressRuleSNAT) DeepCopyInto(out *EgressRuleSNAT)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Firewall
type Firewall struct {
    metav1.TypeMeta   `json:",inline"`
    metav1.ObjectMeta `json:"metadata,omitempty"`
    Spec   FirewallSpec   `json:"spec,omitempty"`
    Status FirewallStatus `json:"status,omitempty"`
}
Firewall is the Schema for the firewalls API.
+kubebuilder:object:root=true
+kubebuilder:resource:shortName=fw
+kubebuilder:subresource:status
+kubebuilder:printcolumn:name="Interval",type=string,JSONPath=`.spec.interval`
+kubebuilder:printcolumn:name="InternalPrefixes",type=string,JSONPath=`.spec.internalprefixes`
func (*Firewall) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Firewall.
func (*Firewall) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Firewall) DeepCopyObject
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FirewallList
type FirewallList struct {
    metav1.TypeMeta `json:",inline"`
    metav1.ListMeta `json:"metadata,omitempty"`
    Items []Firewall `json:"items"`
}
FirewallList contains a list of Firewall.
+kubebuilder:object:root=true
func (*FirewallList) DeepCopy
func (in *FirewallList) DeepCopy() *FirewallList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallList.
func (*FirewallList) DeepCopyInto
func (in *FirewallList) DeepCopyInto(out *FirewallList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FirewallList) DeepCopyObject
func (in *FirewallList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type FirewallNetwork (added in v0.2.0)
type FirewallNetwork struct {
    Asn                 *int64   `json:"asn"`
    Destinationprefixes []string `json:"destinationprefixes"`
    Ips                 []string `json:"ips"`
    Nat                 *bool    `json:"nat"`
    Networkid           *string  `json:"networkid"`
    Networktype         *string  `json:"networktype"`
    Prefixes            []string `json:"prefixes"`
    Vrf                 *int64   `json:"vrf"`
}
func (*FirewallNetwork) DeepCopy (added in v0.2.0)
func (in *FirewallNetwork) DeepCopy() *FirewallNetwork
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallNetwork.
func (*FirewallNetwork) DeepCopyInto (added in v0.2.0)
func (in *FirewallNetwork) DeepCopyInto(out *FirewallNetwork)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallSpec
type FirewallSpec struct {
    // Data contains the data over which the signature is calculated.
    Data `json:",inline"`
    // Signature of firewall attributes generated by GEPM.
    Signature string `json:"signature"`
    // ControllerVersion holds the firewall-controller version to reconcile.
    ControllerVersion string `json:"controllerVersion,omitempty"`
    // ControllerURL points to the downloadable binary artifact of the firewall controller
    ControllerURL string `json:"controllerURL,omitempty"`
}
FirewallSpec defines the desired state of Firewall.
func (*FirewallSpec) DeepCopy
func (in *FirewallSpec) DeepCopy() *FirewallSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallSpec.
func (*FirewallSpec) DeepCopyInto
func (in *FirewallSpec) DeepCopyInto(out *FirewallSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallStats
type FirewallStats struct {
    RuleStats   RuleStatsByAction   `json:"rules"`
    DeviceStats DeviceStatsByDevice `json:"devices"`
    IDSStats    IDSStatsByDevice    `json:"idsstats"`
}
FirewallStats contains firewall statistics.
func (*FirewallStats) DeepCopy
func (in *FirewallStats) DeepCopy() *FirewallStats
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallStats.
func (*FirewallStats) DeepCopyInto
func (in *FirewallStats) DeepCopyInto(out *FirewallStats)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type FirewallStatus
type FirewallStatus struct {
    Message           string        `json:"message,omitempty"`
    FirewallStats     FirewallStats `json:"stats"`
    ControllerVersion string        `json:"controllerVersion,omitempty"`
    Updated           metav1.Time   `json:"lastRun,omitempty"`
}
FirewallStatus defines the observed state of Firewall.
func (*FirewallStatus) DeepCopy
func (in *FirewallStatus) DeepCopy() *FirewallStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FirewallStatus.
func (*FirewallStatus) DeepCopyInto
func (in *FirewallStatus) DeepCopyInto(out *FirewallStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IDSStatsByDevice
type IDSStatsByDevice map[string]InterfaceStat
func (IDSStatsByDevice) DeepCopy
func (in IDSStatsByDevice) DeepCopy() IDSStatsByDevice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IDSStatsByDevice.
func (IDSStatsByDevice) DeepCopyInto
func (in IDSStatsByDevice) DeepCopyInto(out *IDSStatsByDevice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type IngressRule
type IngressRule struct {
    // List of ports which should be made accessible on the cluster for this
    // rule. Each item in this list is combined using a logical OR. If this field is
    // empty or missing, this rule matches all ports (traffic not restricted by port).
    // If this field is present and contains at least one item, then this rule allows
    // traffic only if the traffic matches at least one port in the list.
    // +optional
    Ports []networking.NetworkPolicyPort `json:"ports,omitempty"`
    // List of sources which should be able to access the cluster for this rule.
    // Items in this list are combined using a logical OR operation. If this field is
    // empty or missing, this rule matches all sources (traffic not restricted by
    // source). If this field is present and contains at least one item, this rule
    // allows traffic only if the traffic matches at least one item in the from list.
    // +optional
    From []networking.IPBlock `json:"from,omitempty"`
}
IngressRule describes a particular set of traffic that is allowed to the cluster. The traffic must match both ports and from.
func (*IngressRule) DeepCopy
func (in *IngressRule) DeepCopy() *IngressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRule.
func (*IngressRule) DeepCopyInto
func (in *IngressRule) DeepCopyInto(out *IngressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type InterfaceStat
type InterfaceStat struct {
    Drop             int `json:"drop"`
    InvalidChecksums int `json:"invalidchecksums"`
    Packets          int `json:"packets"`
}
func (*InterfaceStat) DeepCopy
func (in *InterfaceStat) DeepCopy() *InterfaceStat
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new InterfaceStat.
func (*InterfaceStat) DeepCopyInto
func (in *InterfaceStat) DeepCopyInto(out *InterfaceStat)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PolicySpec
type PolicySpec struct {
    // Description is a free form string, it can be used by the creator of
    // the rule to store human readable explanation of the purpose of this
    // rule. Rules cannot be identified by comment.
    //
    // +optional
    Description string `json:"description,omitempty"`
    // List of ingress rules to be applied. Traffic is allowed to
    // a cluster if there is a ClusterwideNetworkPolicy that allows it, OR there is a service
    // exposed with type Loadbalancer. Clusters are isolated by default.
    // +optional
    Ingress []IngressRule `json:"ingress,omitempty"`
    // List of egress rules to be applied. Outgoing traffic is
    // allowed if there is a ClusterwideNetworkPolicy that allows it.
    // Clusters are isolated by default.
    // +optional
    Egress []EgressRule `json:"egress,omitempty"`
}
PolicySpec defines the rules to create for ingress and egress.
func (*PolicySpec) DeepCopy
func (in *PolicySpec) DeepCopy() *PolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PolicySpec.
func (*PolicySpec) DeepCopyInto
func (in *PolicySpec) DeepCopyInto(out *PolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PolicySpec) Validate (added in v1.0.1)
func (p *PolicySpec) Validate() error
Validate validates the spec of a ClusterwideNetworkPolicy.
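The matching semantics documented for IngressRule, EgressRule and PolicySpec (items within ports are OR'd, items within from/to are OR'd, a packet must satisfy both lists, an empty list matches everything, and nothing is admitted unless some rule allows it) are easy to misread, so here is an added example that evaluates them over a constructed policy. It is not code from the firewall-controller project and does not reproduce its Validate method or the rules it renders into nftables. IPBlock, Port and IngressRule are local stand-ins for the Kubernetes networking types referenced on the page (only CIDR/Except, protocol and a single numeric port are modelled), and the addresses and rules in SampleRules are made up for the example.

```go
package main

import (
	"fmt"
	"net/netip"
)

// IPBlock and Port are local stand-ins (assumptions of this example) for the
// fields of networking.IPBlock and networking.NetworkPolicyPort used here.
type IPBlock struct {
	CIDR   string
	Except []string
}

type Port struct {
	Protocol string
	Port     int
}

// IngressRule mirrors the documented semantics: items in Ports are OR'd, items
// in From are OR'd, traffic must match both lists, and an empty list matches all.
type IngressRule struct {
	Ports []Port
	From  []IPBlock
}

// contains reports whether addr is inside CIDR and outside every Except prefix.
func (b IPBlock) contains(addr netip.Addr) (bool, error) {
	cidr, err := netip.ParsePrefix(b.CIDR)
	if err != nil {
		return false, fmt.Errorf("bad cidr %q: %w", b.CIDR, err)
	}
	if !cidr.Contains(addr) {
		return false, nil
	}
	for _, e := range b.Except {
		ex, err := netip.ParsePrefix(e)
		if err != nil {
			return false, fmt.Errorf("bad except %q: %w", e, err)
		}
		if ex.Contains(addr) {
			return false, nil
		}
	}
	return true, nil
}

// matches applies the both-lists rule for a single IngressRule.
func (r IngressRule) matches(src netip.Addr, proto string, dstPort int) (bool, error) {
	portOK := len(r.Ports) == 0 // empty list: not restricted by port
	for _, p := range r.Ports {
		if p.Protocol == proto && p.Port == dstPort {
			portOK = true
		}
	}
	if !portOK {
		return false, nil
	}
	if len(r.From) == 0 { // empty list: not restricted by source
		return true, nil
	}
	for _, b := range r.From {
		if ok, err := b.contains(src); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

// Allowed reports whether any rule admits the connection. With no rules nothing
// is admitted, the "isolated by default" behaviour described for PolicySpec.
func Allowed(rules []IngressRule, src, proto string, dstPort int) (bool, error) {
	addr, err := netip.ParseAddr(src)
	if err != nil {
		return false, err
	}
	for _, r := range rules {
		if ok, err := r.matches(addr, proto, dstPort); err != nil || ok {
			return ok, err
		}
	}
	return false, nil
}

// SampleRules is a constructed policy: HTTPS from 10.0.0.0/8 except 10.0.5.0/24,
// plus any port from one management host.
func SampleRules() []IngressRule {
	return []IngressRule{
		{Ports: []Port{{Protocol: "TCP", Port: 443}},
			From: []IPBlock{{CIDR: "10.0.0.0/8", Except: []string{"10.0.5.0/24"}}}},
		{From: []IPBlock{{CIDR: "192.168.1.7/32"}}},
	}
}

func main() {
	cases := []struct {
		src, proto string
		port       int
	}{{"10.0.1.1", "TCP", 443}, {"10.0.5.9", "TCP", 443}, {"10.0.1.1", "TCP", 22}, {"192.168.1.7", "UDP", 53}}
	for _, c := range cases {
		ok, err := Allowed(SampleRules(), c.src, c.proto, c.port)
		fmt.Printf("%s %s/%d allowed=%v err=%v\n", c.src, c.proto, c.port, ok, err)
	}
}
```

The second rule has no Ports list, so it admits every port from that one host; the first rule admits port 443 only, and the Except entry removes a subnet from the otherwise permitted /8. EgressRule follows the same structure with To in place of From, so the same evaluation applies to outgoing traffic with the destination address substituted for the source.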
type RateLimit
type RateLimit struct {
    // NetworkID specifies the network which should be rate limited
    NetworkID string `json:"networkid" yaml:"networkid"`
    // Rate is the input rate in MiB/s
    Rate uint32 `json:"rate" yaml:"rate"`
}
RateLimit contains the rate limit rule for a network.
func (*RateLimit) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RateLimit.
func (*RateLimit) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleStat
type RuleStat struct {
    Counter Counter `json:"counter"`
}
RuleStat contains the statistics for a single nftables rule.
func (*RuleStat) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStat.
func (*RuleStat) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleStats
RuleStats contains the firewall rule statistics of all rules of one action.
func (RuleStats) DeepCopy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStats.
func (RuleStats) DeepCopyInto
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type RuleStatsByAction
RuleStatsByAction contains firewall rule statistics grouped by action, e.g. accept, drop, policy, masquerade.
func (RuleStatsByAction) DeepCopy
func (in RuleStatsByAction) DeepCopy() RuleStatsByAction
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new RuleStatsByAction.
func (RuleStatsByAction) DeepCopyInto
func (in RuleStatsByAction) DeepCopyInto(out *RuleStatsByAction)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.