Documentation
Overview
Copyright 2022
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index
- func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error)
- func GetPeerExposedTCPConnections(peer Peer) *common.ConnectionSet
- type NotificationTarget
- type Peer
- type PolicyEngine
- func (pe *PolicyEngine) AddPodByNameAndNamespace(name, ns string) (Peer, error)
- func (pe *PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPeer Peer) (common.Connection, error)
- func (pe *PolicyEngine) CheckIfAllowed(src, dst, protocol, port string) (bool, error)
- func (pe *PolicyEngine) ClearResources()
- func (pe *PolicyEngine) ConvertPeerNamedPort(namedPort string, peer Peer) (int32, error)
- func (pe *PolicyEngine) DeleteObject(rtobj runtime.Object) error
- func (pe *PolicyEngine) GetPeersList() ([]Peer, error)
- func (pe *PolicyEngine) GetPodsMap() map[string]*k8s.Pod
- func (pe *PolicyEngine) GetSelectedPeers(selectors labels.Selector, namespace string) []Peer
- func (pe *PolicyEngine) HasPodPeers() bool
- func (pe *PolicyEngine) SetResources(policies []*netv1.NetworkPolicy, pods []*corev1.Pod, ...) error (deprecated)
- func (pe *PolicyEngine) UpsertObject(rtobj runtime.Object) error
Constants
This section is empty.
Variables
This section is empty.
Functions
func DisjointPeerIPMap added in v0.4.0
func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error)
DisjointPeerIPMap is given two sets of IP-type peers and returns a map from each peer's string representation to its disjoint peers, computed over both sets together. For example, if IP range A from set1 is split into ranges (A1, A2) by the disjoint-blocks computation, the result map contains the entries (str(A), str(A1), A1) and (str(A), str(A2), A2).
func GetPeerExposedTCPConnections added in v0.3.0
func GetPeerExposedTCPConnections(peer Peer) *common.ConnectionSet
GetPeerExposedTCPConnections returns the TCP connections (ports) exposed by a workload/pod peer.
Types
type NotificationTarget
type NotificationTarget interface {
	// UpsertObject inserts (or updates) an object in the policy engine's view of the world
	UpsertObject(obj runtime.Object) error
	// DeleteObject removes an object from the policy engine's view of the world
	DeleteObject(obj runtime.Object) error
}
NotificationTarget defines an interface for updating the state needed for network policy decisions.
type Peer
type Peer interface {
	// Name returns the peer's name if the peer is a pod/workload, else an empty string
	Name() string
	// Namespace returns the peer's namespace if the peer is a pod/workload, else an empty string
	Namespace() string
	// IP returns an IP address string if the peer is an IP address, else an empty string
	IP() string
	// IsPeerIPType returns true if the peer is an IP address
	IsPeerIPType() bool
	// String returns a string representation of the Peer object
	String() string
	// Kind returns the peer's kind if the peer is a pod/workload, else an empty string
	Kind() string
}
Peer can represent either a Pod or an IP address.
func MergePeerIPList added in v0.4.0
MergePeerIPList takes a list of ip-block peers as input and returns a new list of peers in which overlapping or adjacent (touching) ip-blocks have been merged.
type PolicyEngine
type PolicyEngine struct {
// contains filtered or unexported fields
}
PolicyEngine encapsulates the current "world view" (e.g., workloads, policies) and allows querying it for allowed or denied connections.
func NewPolicyEngine
func NewPolicyEngine() *PolicyEngine
NewPolicyEngine returns a new PolicyEngine with an empty initial state.
func NewPolicyEngineWithObjects
func NewPolicyEngineWithObjects(objects []scan.K8sObject) (*PolicyEngine, error)
func (*PolicyEngine) AddPodByNameAndNamespace added in v0.3.0
func (pe *PolicyEngine) AddPodByNameAndNamespace(name, ns string) (Peer, error)
AddPodByNameAndNamespace adds a new fake pod to pe.podsMap; it is used to add an ingress-controller pod.
func (*PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers
func (pe *PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPeer Peer) (common.Connection, error)
AllAllowedConnectionsBetweenWorkloadPeers returns the connections allowed from srcPeer to dstPeer; both peers are expected to be at the workload level (WorkloadPeer).
func (*PolicyEngine) CheckIfAllowed
func (pe *PolicyEngine) CheckIfAllowed(src, dst, protocol, port string) (bool, error)
CheckIfAllowed returns true if the given connection is allowed by the network policies.
func (*PolicyEngine) ClearResources
func (pe *PolicyEngine) ClearResources()
ClearResources deletes all current k8s resources from the PolicyEngine.
func (*PolicyEngine) ConvertPeerNamedPort added in v0.3.0
func (pe *PolicyEngine) ConvertPeerNamedPort(namedPort string, peer Peer) (int32, error)
ConvertPeerNamedPort returns the peer.pod.containerPort matching the given named port of the peer. If no container port matches the input named port, it returns -1.
func (*PolicyEngine) DeleteObject
func (pe *PolicyEngine) DeleteObject(rtobj runtime.Object) error
DeleteObject removes an object from the PolicyEngine's view of the world.
func (*PolicyEngine) GetPeersList
func (pe *PolicyEngine) GetPeersList() ([]Peer, error)
GetPeersList returns a slice of peers drawn from all PolicyEngine resources: workload-level peers (pod owners) of type WorkloadPeer, and ip-blocks.
func (*PolicyEngine) GetPodsMap
func (pe *PolicyEngine) GetPodsMap() map[string]*k8s.Pod
GetPodsMap returns the map of pods held by the PolicyEngine.
func (*PolicyEngine) GetSelectedPeers added in v0.3.0
func (pe *PolicyEngine) GetSelectedPeers(selectors labels.Selector, namespace string) []Peer
GetSelectedPeers returns the list of workload peers in the given namespace that match the given label selector.
func (*PolicyEngine) HasPodPeers
func (pe *PolicyEngine) HasPodPeers() bool
func (*PolicyEngine) SetResources (deprecated)
func (pe *PolicyEngine) SetResources(policies []*netv1.NetworkPolicy, pods []*corev1.Pod, namespaces []*corev1.Namespace) error
SetResources updates the set of all relevant k8s resources. This function *may* be used as a convenience to set the initial policy engine state from a set of resources (e.g., retrieved via List from a cluster).
Deprecated: this function simply calls UpsertObject on the PolicyEngine for each resource. Calling UpsertObject directly should be preferred in new code.
func (*PolicyEngine) UpsertObject
func (pe *PolicyEngine) UpsertObject(rtobj runtime.Object) error
UpsertObject updates an existing object, or inserts a new one, in the PolicyEngine's view of the world.