eval

package
v0.4.3

This package is not in the latest version of its module.
Published: Aug 13, 2023 License: Apache-2.0 Imports: 18 Imported by: 0

Documentation

Overview

Copyright 2022

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func DisjointPeerIPMap added in v0.4.0

func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error)

DisjointPeerIPMap is given two sets of IP-type peers and returns a map from each peer's string to its disjoint sub-blocks, computed over both sets. For example, if ip-range A from set1 is split into ranges (A1, A2) by the disjoint-blocks computation, the result map contains the entries (str(A), str(A1), A1) and (str(A), str(A2), A2).

func GetPeerExposedTCPConnections added in v0.3.0

func GetPeerExposedTCPConnections(peer Peer) *common.ConnectionSet

GetPeerExposedTCPConnections returns the TCP connections (ports) exposed by a workload/pod peer.

Types

type NotificationTarget

type NotificationTarget interface {
	// UpsertObject inserts (or updates) an object to the policy engine's view of the world
	UpsertObject(obj runtime.Object) error
	// DeleteObject removes an object from the policy engine's view of the world
	DeleteObject(obj runtime.Object) error
}

NotificationTarget defines an interface for updating the state needed for network policy decisions

type Peer

type Peer interface {
	// Name returns a peer's name in case the peer is a pod/workload, else it returns an empty string
	Name() string
	// Namespace returns a peer's namespace in case the peer is a pod/workload, else it returns an empty string
	Namespace() string
	// IP returns an IP address string in case peer is IP address, else it returns an empty string
	IP() string
	// IsPeerIPType returns true if  peer is IP address
	IsPeerIPType() bool
	// String returns a string representation of the Peer object
	String() string
	// Kind returns a string of the peer kind in case the peer is a pod/workload, else it returns an empty string
	Kind() string
}

Peer can either represent a Pod or an IP address

func MergePeerIPList added in v0.4.0

func MergePeerIPList(ipPeers []Peer) ([]Peer, error)

MergePeerIPList is given as input a list of peers of type ip-blocks, and returns a new list of peers after merging overlapping/touching ip-blocks
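MergePeerIPList here and DisjointPeerIPMap under Functions are described only by their doc comments. The following added example (not the package's own code) implements the same two operations over IPv4 ranges using only the standard library, so the semantics can be run offline: mergeRanges coalesces overlapping or touching blocks, and disjointMap splits every block from both sets at every boundary found in either set and maps each original block, by its string form, to the pieces it covers, which is the (str(A), str(A1), A1) shape the DisjointPeerIPMap comment describes. The ipRange type, its dashed string form, the IPv4-only restriction and the sample CIDRs are constructed for this example; the real functions take and return Peer values.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"sort"
)

// ipRange is a closed IPv4 range [start, end] held as uint32 values, so that
// "touching" (end+1 == next.start) and "overlapping" are plain integer tests.
type ipRange struct{ start, end uint32 }

func fmtAddr(v uint32) string {
	return netip.AddrFrom4([4]byte{byte(v >> 24), byte(v >> 16), byte(v >> 8), byte(v)}).String()
}

// String plays the "peer-str" role: the key under which a range appears in the disjoint map.
func (r ipRange) String() string { return fmtAddr(r.start) + "-" + fmtAddr(r.end) }

// parseRanges turns IPv4 CIDRs into ranges (IPv6 is rejected to keep the example small).
func parseRanges(cidrs []string) ([]ipRange, error) {
	out := make([]ipRange, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, err
		}
		if !p.Addr().Is4() {
			return nil, errors.New("only IPv4 is handled in this example: " + c)
		}
		a := p.Masked().Addr().As4()
		start := uint32(a[0])<<24 | uint32(a[1])<<16 | uint32(a[2])<<8 | uint32(a[3])
		size := uint64(1) << uint(32-p.Bits()) // reaches 2^32 for /0, hence uint64
		out = append(out, ipRange{start: start, end: uint32(uint64(start) + size - 1)})
	}
	return out, nil
}

// mergeRanges does what the page describes for MergePeerIPList: sort by start and
// coalesce every pair of ranges that overlap or touch.
func mergeRanges(in []ipRange) []ipRange {
	if len(in) == 0 {
		return nil
	}
	rs := append([]ipRange(nil), in...)
	sort.Slice(rs, func(i, j int) bool { return rs[i].start < rs[j].start })
	out := []ipRange{rs[0]}
	for _, r := range rs[1:] {
		last := &out[len(out)-1]
		// uint64 arithmetic avoids wrapping when last.end is 255.255.255.255
		if uint64(r.start) <= uint64(last.end)+1 {
			if r.end > last.end {
				last.end = r.end
			}
			continue
		}
		out = append(out, r)
	}
	return out
}

// disjointMap does what the page describes for DisjointPeerIPMap: every boundary of every
// range in either set cuts the address space into elementary intervals, and each original
// range maps (by its String) to the elementary intervals it covers, keyed by their String.
func disjointMap(set1, set2 []ipRange) map[string]map[string]ipRange {
	all := append(append([]ipRange(nil), set1...), set2...)
	bounds := map[uint64]struct{}{}
	for _, r := range all {
		bounds[uint64(r.start)] = struct{}{}
		bounds[uint64(r.end)+1] = struct{}{} // exclusive upper bound, may equal 2^32
	}
	cuts := make([]uint64, 0, len(bounds))
	for b := range bounds {
		cuts = append(cuts, b)
	}
	sort.Slice(cuts, func(i, j int) bool { return cuts[i] < cuts[j] })
	result := map[string]map[string]ipRange{}
	for _, r := range all {
		pieces := map[string]ipRange{}
		for i := 0; i+1 < len(cuts); i++ {
			piece := ipRange{start: uint32(cuts[i]), end: uint32(cuts[i+1] - 1)}
			if piece.start >= r.start && piece.end <= r.end {
				pieces[piece.String()] = piece
			}
		}
		result[r.String()] = pieces
	}
	return result
}

func main() {
	// Constructed sample input: two touching /24s, a /25 inside the second, and a gap before the last.
	rs, _ := parseRanges([]string{"10.0.0.0/24", "10.0.1.0/24", "10.0.1.128/25", "10.0.3.0/24"})
	fmt.Println("merged:", mergeRanges(rs))
	s1, _ := parseRanges([]string{"10.0.0.0/8"})
	s2, _ := parseRanges([]string{"10.1.0.0/16", "192.168.0.0/24"})
	for key, pieces := range disjointMap(s1, s2) {
		fmt.Println(key, "->", pieces)
	}
}
```

The disjoint step is what makes per-block connectivity answers well-defined: once 10.0.0.0/8 from one set is cut at the 10.1.0.0/16 boundaries of the other, every resulting piece is either wholly inside or wholly outside each original block, so a policy decision taken for a piece applies to every address in it.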

type PolicyEngine

type PolicyEngine struct {
	// contains filtered or unexported fields
}

PolicyEngine encapsulates the current "world view" (e.g., workloads, policies) and allows querying it for allowed or denied connections.

func NewPolicyEngine

func NewPolicyEngine() *PolicyEngine

NewPolicyEngine returns a new PolicyEngine with an empty initial state

func NewPolicyEngineWithObjects

func NewPolicyEngineWithObjects(objects []scan.K8sObject) (*PolicyEngine, error)

func (*PolicyEngine) AddPodByNameAndNamespace added in v0.3.0

func (pe *PolicyEngine) AddPodByNameAndNamespace(name, ns string) (Peer, error)

AddPodByNameAndNamespace adds a new fake pod to pe.podsMap; it is used for adding an ingress-controller pod.

func (*PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers

func (pe *PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPeer Peer) (common.Connection, error)

AllAllowedConnectionsBetweenWorkloadPeers returns the allowed connections from srcPeer to dstPeer, expecting srcPeer and dstPeer to be workload-level peers (WorkloadPeer).

func (*PolicyEngine) CheckIfAllowed

func (pe *PolicyEngine) CheckIfAllowed(src, dst, protocol, port string) (bool, error)

CheckIfAllowed returns true if the connection from src to dst on the given protocol and port is allowed by the network policies in the engine's current state.

func (*PolicyEngine) ClearResources

func (pe *PolicyEngine) ClearResources()

ClearResources deletes all current k8s resources from the PolicyEngine.

func (*PolicyEngine) ConvertPeerNamedPort added in v0.3.0

func (pe *PolicyEngine) ConvertPeerNamedPort(namedPort string, peer Peer) (int32, error)

ConvertPeerNamedPort returns the peer's pod containerPort matching the given named port; if there is no match for the named port, it returns -1.

func (*PolicyEngine) DeleteObject

func (pe *PolicyEngine) DeleteObject(rtobj runtime.Object) error

DeleteObject removes an object from the PolicyEngine's view of the world

func (*PolicyEngine) GetPeersList

func (pe *PolicyEngine) GetPeersList() ([]Peer, error)

GetPeersList returns a slice of peers from all PolicyEngine resources: workload-level peers (pod owners) of type WorkloadPeer, and ip-blocks.

func (*PolicyEngine) GetPodsMap

func (pe *PolicyEngine) GetPodsMap() map[string]*k8s.Pod

GetPodsMap returns the map of pods within the PolicyEngine.

func (*PolicyEngine) GetSelectedPeers added in v0.3.0

func (pe *PolicyEngine) GetSelectedPeers(selectors labels.Selector, namespace string) []Peer

GetSelectedPeers returns list of workload peers in the given namespace which match the given labels selector

func (*PolicyEngine) HasPodPeers

func (pe *PolicyEngine) HasPodPeers() bool

func (*PolicyEngine) SetResources deprecated

func (pe *PolicyEngine) SetResources(policies []*netv1.NetworkPolicy, pods []*corev1.Pod,
	namespaces []*corev1.Namespace) error

SetResources updates the set of all relevant k8s resources. This function *may* be used as a convenience to set the initial policy engine state from a set of resources (e.g., retrieved via List from a cluster).

Deprecated: this function simply calls UpsertObject on the PolicyEngine. Calling UpsertObject directly should be preferred in new code.

func (*PolicyEngine) UpsertObject

func (pe *PolicyEngine) UpsertObject(rtobj runtime.Object) error

UpsertObject updates (an existing) or inserts (a new) object in the PolicyEngine's view of the world
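The upsert/delete/query cycle the PolicyEngine exposes (UpsertObject and DeleteObject to maintain the world view, CheckIfAllowed to query it) rests on the Kubernetes isolation rule: a pod selected by no NetworkPolicy accepts all ingress, and once any policy selects it only explicitly allowed traffic passes, with every policy that selects it combined additively. The following added example (not the package's own code) models that rule with hand-made Pod and NetworkPolicy structs constructed for the example; the real engine consumes k8s.io runtime.Object values. Its simplifications are assumptions of the example: policies are ingress-only, selection is matchLabels-style equality, a namespace name stands in for a namespaceSelector, only TCP is modelled, and Engine, Rule and the "namespace/name" keys are its own names.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Constructed stand-ins for the Kubernetes objects a policy engine tracks.
type Pod struct {
	Name, Namespace string
	Labels          map[string]string
}

// Rule is one ingress rule: a source matching FromNamespace/FromLabels may reach Ports
// (an empty Ports list means every port, as in the Kubernetes API).
type Rule struct {
	FromNamespace string            // "" means the policy's own namespace
	FromLabels    map[string]string // empty matches every pod in that namespace
	Ports         []int32
}

// NetworkPolicy is modelled as ingress-only: selecting a pod isolates it for ingress.
type NetworkPolicy struct {
	Name, Namespace string
	PodSelector     map[string]string // empty selects every pod in Namespace
	Ingress         []Rule
}

// Engine is the "world view": upserts and deletes keep it current, CheckIfAllowed queries it.
type Engine struct {
	pods     map[string]Pod           // keyed "namespace/name"
	policies map[string]NetworkPolicy // keyed "namespace/name"
}

func NewEngine() *Engine {
	return &Engine{pods: map[string]Pod{}, policies: map[string]NetworkPolicy{}}
}
func (e *Engine) UpsertPod(p Pod)               { e.pods[p.Namespace+"/"+p.Name] = p }
func (e *Engine) UpsertPolicy(np NetworkPolicy) { e.policies[np.Namespace+"/"+np.Name] = np }
func (e *Engine) DeletePolicy(ns, name string)  { delete(e.policies, ns+"/"+name) }

// matches is matchLabels-style equality selection; matchExpressions are not modelled.
func matches(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// CheckIfAllowed mirrors the shape of the page's CheckIfAllowed(src, dst, protocol, port), with
// src and dst given as "namespace/name". A pod selected by no policy is non-isolated and accepts
// all ingress; once any policy selects it, only traffic some rule explicitly permits passes.
func (e *Engine) CheckIfAllowed(src, dst, protocol, port string) (bool, error) {
	s, d := e.pods[src], e.pods[dst]
	if s.Name == "" || d.Name == "" {
		return false, fmt.Errorf("unknown pod in %q -> %q", src, dst)
	}
	p, err := strconv.Atoi(port)
	if !strings.EqualFold(protocol, "TCP") || err != nil || p < 1 || p > 65535 {
		return false, fmt.Errorf("example models TCP with a numeric port, got %s/%s", protocol, port)
	}
	isolated := false
	for _, np := range e.policies {
		if np.Namespace != d.Namespace || !matches(np.PodSelector, d.Labels) {
			continue
		}
		isolated = true // selected by a policy: deny unless some rule allows
		for _, r := range np.Ingress {
			ns := r.FromNamespace
			if ns == "" {
				ns = np.Namespace
			}
			if s.Namespace != ns || !matches(r.FromLabels, s.Labels) {
				continue
			}
			if len(r.Ports) == 0 {
				return true, nil
			}
			for _, rp := range r.Ports {
				if int(rp) == p {
					return true, nil
				}
			}
		}
	}
	return !isolated, nil
}

func main() {
	e := NewEngine()
	e.UpsertPod(Pod{Name: "frontend", Namespace: "web", Labels: map[string]string{"app": "frontend"}})
	e.UpsertPod(Pod{Name: "db", Namespace: "data", Labels: map[string]string{"app": "db"}})
	e.UpsertPolicy(NetworkPolicy{Name: "db-ingress", Namespace: "data", PodSelector: map[string]string{"app": "db"},
		Ingress: []Rule{{FromNamespace: "web", FromLabels: map[string]string{"app": "frontend"}, Ports: []int32{5432}}}})
	ok, err := e.CheckIfAllowed("web/frontend", "data/db", "TCP", "5432")
	fmt.Println("web/frontend -> data/db TCP/5432 allowed:", ok, err) // true <nil>
}
```

The caveat worth keeping in mind when reading CheckIfAllowed results: a policy with an empty podSelector and no ingress rules selects every pod in its namespace and, if it is the only policy selecting them, blocks all their ingress; the same empty policy next to an allow policy changes nothing, because policies only ever add permissions. Deleting the allow policy is therefore what turns the deny-all on, which is why the engine's view must be updated through DeleteObject rather than by dropping the object from the caller's list.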

Directories

Path Synopsis
internal
k8s
