Documentation ¶
Overview ¶
Copyright 2023- IBM Inc. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
Index ¶
- func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error)
- func GetPeerExposedTCPConnections(peer Peer) *common.ConnectionSet
- type NotificationTarget
- type Peer
- type PolicyEngine
- func (pe *PolicyEngine) AddObjectsForExposureAnalysis(objects []parser.K8sObject) error
- func (pe *PolicyEngine) AddPodByNameAndNamespace(name, ns string) (Peer, error)
- func (pe *PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPeer Peer) (*common.ConnectionSet, error)
- func (pe *PolicyEngine) CheckIfAllowed(src, dst, protocol, port string) (bool, error)
- func (pe *PolicyEngine) ClearResources()
- func (pe *PolicyEngine) ConvertPeerNamedPort(namedPort string, peer Peer) (protocol string, portNum int32, err error)
- func (pe *PolicyEngine) DeleteObject(rtObj runtime.Object) error
- func (pe *PolicyEngine) GetPeerLabels(p Peer) (podLabels, nsLabels v1.LabelSelector, err error)
- func (pe *PolicyEngine) GetPeerXgressEntireClusterConn(p Peer, isIngress bool) (*common.ConnectionSet, error)
- func (pe *PolicyEngine) GetPeersList() ([]Peer, error)
- func (pe *PolicyEngine) GetPodsMap() map[string]*k8s.Pod
- func (pe *PolicyEngine) GetRepresentativePeersList() []Peer
- func (pe *PolicyEngine) GetSelectedPeers(selectors labels.Selector, namespace string) ([]Peer, error)
- func (pe *PolicyEngine) HasPodPeers() bool
- func (pe *PolicyEngine) InsertObject(rtObj runtime.Object) error
- func (pe *PolicyEngine) IsPeerProtected(p Peer, isIngress bool) (bool, error)
- func (pe *PolicyEngine) IsRepresentativePeer(peer Peer) bool
- func (pe *PolicyEngine) SetResources(policies []*netv1.NetworkPolicy, pods []*corev1.Pod, ...) error (deprecated)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DisjointPeerIPMap ¶ added in v0.4.0
func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error)
DisjointPeerIPMap is given two sets of IP-type peers and returns a map from each peer's string to its disjoint peers, considering both sets. For example, if ip-range A from set1 is split into the ranges (A1, A2) by the disjoint-blocks computation, then the result map contains the entries (str(A), str(A1), A1) and (str(A), str(A2), A2).
func GetPeerExposedTCPConnections ¶ added in v0.3.0
func GetPeerExposedTCPConnections(peer Peer) *common.ConnectionSet
GetPeerExposedTCPConnections returns the TCP connections (ports) exposed by a workload/pod peer.
Types ¶
type NotificationTarget ¶
type NotificationTarget interface {
	// InsertObject inserts (or updates) an object to the policy engine's view of the world
	InsertObject(obj runtime.Object) error
	// DeleteObject removes an object from the policy engine's view of the world
	DeleteObject(obj runtime.Object) error
}
NotificationTarget defines an interface for updating the state needed for network policy decisions
type Peer ¶
type Peer interface {
	// Name returns a peer's name in case the peer is a pod/workload, else it returns an empty string
	Name() string
	// Namespace returns a peer's namespace in case the peer is a pod/workload, else it returns an empty string
	Namespace() string
	// IP returns an IP address string in case peer is IP address, else it returns an empty string
	IP() string
	// IsPeerIPType returns true if peer is IP address
	IsPeerIPType() bool
	// String returns a string representation of the Peer object
	String() string
	// Kind returns a string of the peer kind in case the peer is a pod/workload, else it returns an empty string
	Kind() string
}
Peer can either represent a Pod or an IP address
func MergePeerIPList ¶ added in v0.4.0
MergePeerIPList is given a list of peers of type ip-block and returns a new list of peers after merging overlapping or touching ip-blocks.
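The two IP-block operations described above, the disjoint split of DisjointPeerIPMap and the merge of MergePeerIPList, as an added example in plain Go that is not code from this package: it models an IP-block peer as a closed IPv4 range (IPRange, ParseCIDRRange, MergeRanges and DisjointIPMap are names chosen here, not the package's), uses only the standard library, and follows the contract the two doc comments state. The split is written for the general case of any number of overlapping ranges in either set, not only the single split-range illustration in the doc comment.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net/netip"
	"sort"
)

// IPRange is a closed range of IPv4 addresses. It stands in for an IP-block
// peer in this example and is not the package's Peer type.
type IPRange struct {
	Start, End uint32
}

func (r IPRange) String() string {
	return fmt.Sprintf("%s-%s", fromU32(r.Start), fromU32(r.End))
}

func toU32(a netip.Addr) uint32 { b := a.As4(); return binary.BigEndian.Uint32(b[:]) }
func fromU32(v uint32) netip.Addr {
	var b [4]byte
	binary.BigEndian.PutUint32(b[:], v)
	return netip.AddrFrom4(b)
}

// ParseCIDRRange converts an IPv4 CIDR such as "10.0.0.0/24" into an IPRange.
func ParseCIDRRange(cidr string) (IPRange, error) {
	p, err := netip.ParsePrefix(cidr)
	if err != nil || !p.Addr().Is4() {
		return IPRange{}, fmt.Errorf("%q: expected an IPv4 CIDR (%v)", cidr, err)
	}
	p = p.Masked()
	start := toU32(p.Addr())
	size := uint64(1) << (32 - p.Bits())
	return IPRange{Start: start, End: start + uint32(size-1)}, nil
}

// MergeRanges merges overlapping or touching ranges (the behaviour the page
// describes for MergePeerIPList) and returns them sorted by start address.
func MergeRanges(in []IPRange) []IPRange {
	if len(in) == 0 {
		return nil
	}
	rs := append([]IPRange(nil), in...)
	sort.Slice(rs, func(i, j int) bool { return rs[i].Start < rs[j].Start })
	out := []IPRange{rs[0]}
	for _, r := range rs[1:] {
		last := &out[len(out)-1]
		// uint64 so that End+1 cannot wrap for a range ending at 255.255.255.255
		if uint64(r.Start) <= uint64(last.End)+1 {
			if r.End > last.End {
				last.End = r.End
			}
			continue
		}
		out = append(out, r)
	}
	return out
}

// DisjointIPMap follows the contract the page states for DisjointPeerIPMap: each
// range from either set is split at the boundaries of all other ranges, and the
// result maps str(original) -> str(piece) -> piece, with all pieces pairwise disjoint.
func DisjointIPMap(set1, set2 []IPRange) map[string]map[string]IPRange {
	all := append(append([]IPRange(nil), set1...), set2...)
	// Every Start and every End+1 is a cut point; consecutive distinct cut points bound one piece.
	cuts := make([]uint64, 0, 2*len(all))
	for _, r := range all {
		cuts = append(cuts, uint64(r.Start), uint64(r.End)+1)
	}
	sort.Slice(cuts, func(i, j int) bool { return cuts[i] < cuts[j] })
	res := make(map[string]map[string]IPRange, len(all))
	for i := 0; i+1 < len(cuts); i++ {
		if cuts[i] == cuts[i+1] {
			continue
		}
		piece := IPRange{Start: uint32(cuts[i]), End: uint32(cuts[i+1] - 1)}
		for _, r := range all {
			if r.Start <= piece.Start && piece.End <= r.End {
				if res[r.String()] == nil {
					res[r.String()] = map[string]IPRange{}
				}
				res[r.String()][piece.String()] = piece
			}
		}
	}
	return res
}

func main() {
	// Constructed sample: set1 holds a /24, set2 holds its upper half.
	a, _ := ParseCIDRRange("10.0.0.0/24")
	b, _ := ParseCIDRRange("10.0.0.128/25")
	fmt.Println(DisjointIPMap([]IPRange{a}, []IPRange{b}))
	c, _ := ParseCIDRRange("10.0.0.0/25")
	fmt.Println(MergeRanges([]IPRange{b, c})) // the two touching halves merge back into the /24
}
```

With the sample input, the /24 from set1 is split into two pieces, 10.0.0.0-10.0.0.127 and 10.0.0.128-10.0.0.255, and the /25 from set2 stays whole; this is why a connectivity report can list a single ipBlock rule as several rows once another policy carves a hole in it. Gaps that no range covers never appear in the result, and an unsplit range maps to itself.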
type PolicyEngine ¶
type PolicyEngine struct {
// contains filtered or unexported fields
}
PolicyEngine encapsulates the current "world view" (e.g., workloads, policies) and allows querying it for allowed or denied connections.
func NewPolicyEngine ¶
func NewPolicyEngine() *PolicyEngine
NewPolicyEngine returns a new PolicyEngine with an empty initial state
func NewPolicyEngineWithObjects ¶
func NewPolicyEngineWithObjects(objects []parser.K8sObject) (*PolicyEngine, error)
func NewPolicyEngineWithOptions ¶ added in v1.2.0
func NewPolicyEngineWithOptions(exposureFlag bool) *PolicyEngine
NewPolicyEngineWithOptions returns a new policy engine with an empty state and the exposure-analysis flag set to exposureFlag. TBD: currently exposure analysis is the only option supported by the policy engine, so there is no need for an options-list parameter.
func (*PolicyEngine) AddObjectsForExposureAnalysis ¶ added in v1.2.0
func (pe *PolicyEngine) AddObjectsForExposureAnalysis(objects []parser.K8sObject) error
AddObjectsForExposureAnalysis adds k8s objects to the policy engine: it first adds network policies and namespaces, and then the other objects. For exposure analysis, policies and namespaces must be inserted first:
1. policies: so that a representative peer is added for each policy rule;
2. namespaces: so that, when workloads are inserted, it can be checked correctly whether a generated representative peer should be removed, i.e. whether its labels and namespace correspond to a real pod. When a new real workload/pod is inserted, all real namespaces are already present, so the real labels are considered correctly when looping over the representative peers.
This func is called only for exposure analysis; otherwise it does nothing.
func (*PolicyEngine) AddPodByNameAndNamespace ¶ added in v0.3.0
func (pe *PolicyEngine) AddPodByNameAndNamespace(name, ns string) (Peer, error)
AddPodByNameAndNamespace adds a new fake pod to pe.podsMap; it is used for adding the ingress-controller pod.
func (*PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers ¶
func (pe *PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPeer Peer) (*common.ConnectionSet, error)
AllAllowedConnectionsBetweenWorkloadPeers returns the allowed connections from srcPeer to dstPeer; both srcPeer and dstPeer are expected to be at the workload level (WorkloadPeer).
func (*PolicyEngine) CheckIfAllowed ¶
func (pe *PolicyEngine) CheckIfAllowed(src, dst, protocol, port string) (bool, error)
CheckIfAllowed returns true if the given input connection is allowed by network policies
func (*PolicyEngine) ClearResources ¶
func (pe *PolicyEngine) ClearResources()
ClearResources deletes all current k8s resources.
func (*PolicyEngine) ConvertPeerNamedPort ¶ added in v0.3.0
func (pe *PolicyEngine) ConvertPeerNamedPort(namedPort string, peer Peer) (protocol string, portNum int32, err error)
ConvertPeerNamedPort returns the protocol and the peer.pod.containerPort matching the named port of the peer; if there is no match for the input named port, portNum is -1.
func (*PolicyEngine) DeleteObject ¶
func (pe *PolicyEngine) DeleteObject(rtObj runtime.Object) error
DeleteObject removes an object from the PolicyEngine's view of the world
func (*PolicyEngine) GetPeerLabels ¶ added in v1.2.0
func (pe *PolicyEngine) GetPeerLabels(p Peer) (podLabels, nsLabels v1.LabelSelector, err error)
GetPeerLabels returns the labels defining the given representative peer and its namespace. Relevant only for a WorkloadPeer with kind == RepresentativePeer.
func (*PolicyEngine) GetPeerXgressEntireClusterConn ¶ added in v1.2.0
func (pe *PolicyEngine) GetPeerXgressEntireClusterConn(p Peer, isIngress bool) (*common.ConnectionSet, error)
GetPeerXgressEntireClusterConn returns the connection to the entire cluster in the given direction (ingress or egress). Relevant only for a WorkloadPeer.
func (*PolicyEngine) GetPeersList ¶
func (pe *PolicyEngine) GetPeersList() ([]Peer, error)
GetPeersList returns a slice of peers from all PolicyEngine resources: peers at the workload level (pod owners), of type WorkloadPeer, and ip-blocks.
func (*PolicyEngine) GetPodsMap ¶
func (pe *PolicyEngine) GetPodsMap() map[string]*k8s.Pod
GetPodsMap returns the map of pods within the PolicyEngine.
func (*PolicyEngine) GetRepresentativePeersList ¶ added in v1.2.0
func (pe *PolicyEngine) GetRepresentativePeersList() []Peer
GetRepresentativePeersList returns a slice of representative peers
func (*PolicyEngine) GetSelectedPeers ¶ added in v0.3.0
func (pe *PolicyEngine) GetSelectedPeers(selectors labels.Selector, namespace string) ([]Peer, error)
GetSelectedPeers returns the list of workload peers in the given namespace that match the given label selector. Used only by the ingress analyzer; currently not supported together with exposure analysis.
func (*PolicyEngine) HasPodPeers ¶
func (pe *PolicyEngine) HasPodPeers() bool
HasPodPeers reports whether the policy engine holds pods from parsed pod objects.
func (*PolicyEngine) InsertObject ¶ added in v1.2.0
func (pe *PolicyEngine) InsertObject(rtObj runtime.Object) error
InsertObject updates (an existing) or inserts (a new) object in the PolicyEngine's view of the world
func (*PolicyEngine) IsPeerProtected ¶ added in v1.2.0
func (pe *PolicyEngine) IsPeerProtected(p Peer, isIngress bool) (bool, error)
IsPeerProtected reports whether the peer is protected by network policies in the given direction (ingress or egress). Relevant only for a WorkloadPeer.
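The semantics behind CheckIfAllowed and IsPeerProtected, as an added example in Go that is not this package's code: it reduces a NetworkPolicy to matchLabels selectors, policyTypes and per-direction rules (Labels, Rule, Policy, SamplePolicies and the other names are chosen here), ignores namespaces, ipBlock peers and named ports, and shows the two facts a reviewer of a policy set needs to keep apart: a pod that no policy selects in a direction is default-allow, while a selecting policy with no rules is default-deny.

```go
package main

import "fmt"

// Labels holds a pod's labels or a matchLabels selector (constructed model; not the package's Peer).
type Labels map[string]string

// Matches reports whether every label of selector s is on pod with the same value; empty matches all.
func (s Labels) Matches(pod Labels) bool {
	for k, v := range s {
		if pod[k] != v {
			return false
		}
	}
	return true
}

// Rule is one ingress (from) or egress (to) rule. No Peers means any peer; no Ports means
// any port. A port is written "TCP/5432", or just "TCP" for every port of that protocol.
type Rule struct {
	Peers []Labels
	Ports []string
}

// Policy is a reduced NetworkPolicy: the pods it selects, its policyTypes ("Ingress" and/or
// "Egress"), and its rules for each direction keyed by those same names.
type Policy struct {
	PodSelector Labels
	Types       []string
	Rules       map[string][]Rule
}

// protectingPolicies returns the policies that select pod and list dir in policyTypes.
func protectingPolicies(pod Labels, policies []Policy, dir string) []Policy {
	var out []Policy
	for _, pol := range policies {
		for _, t := range pol.Types {
			if t == dir && pol.PodSelector.Matches(pod) {
				out = append(out, pol)
				break
			}
		}
	}
	return out
}

// IsProtected follows the page's IsPeerProtected: protected once any policy selects pod for dir.
func IsProtected(pod Labels, policies []Policy, dir string) bool {
	return len(protectingPolicies(pod, policies, dir)) > 0
}

// ruleAllows checks one rule against the other endpoint and the requested protocol/port.
func ruleAllows(r Rule, other Labels, protocol string, port int32) bool {
	peerOK, portOK := len(r.Peers) == 0, len(r.Ports) == 0
	for _, s := range r.Peers {
		peerOK = peerOK || s.Matches(other)
	}
	want := fmt.Sprintf("%s/%d", protocol, port)
	for _, p := range r.Ports {
		portOK = portOK || p == want || p == protocol
	}
	return peerOK && portOK
}

// directionAllowed: unprotected for dir means default-allow; otherwise some rule of a protecting
// policy must admit the connection, so a protecting policy with no rules denies everything.
func directionAllowed(pod, other Labels, policies []Policy, dir, protocol string, port int32) bool {
	prot := protectingPolicies(pod, policies, dir)
	if len(prot) == 0 {
		return true
	}
	for _, pol := range prot {
		for _, r := range pol.Rules[dir] {
			if ruleAllows(r, other, protocol, port) {
				return true
			}
		}
	}
	return false
}

// CheckIfAllowed mirrors the page's CheckIfAllowed: src's egress and dst's ingress must both allow.
func CheckIfAllowed(src, dst Labels, policies []Policy, protocol string, port int32) bool {
	return directionAllowed(src, dst, policies, "Egress", protocol, port) &&
		directionAllowed(dst, src, policies, "Ingress", protocol, port)
}

// SamplePolicies is a constructed fixture: the db admits only app=backend on TCP/5432, and the
// backend has an ingress policy with no rules (deny all ingress); any other pod is unprotected.
func SamplePolicies() []Policy {
	return []Policy{
		{PodSelector: Labels{"app": "db"}, Types: []string{"Ingress"}, Rules: map[string][]Rule{
			"Ingress": {{Peers: []Labels{{"app": "backend"}}, Ports: []string{"TCP/5432"}}}}},
		{PodSelector: Labels{"app": "backend"}, Types: []string{"Ingress"}},
	}
}

func main() {
	fmt.Println(CheckIfAllowed(Labels{"app": "frontend"}, Labels{"app": "backend"}, SamplePolicies(), "TCP", 80)) // false
}
```

Run against the fixture, backend to db on TCP/5432 is allowed, frontend to backend is denied by the empty-rule policy, and db to frontend is allowed on any port because neither the db's egress side nor the frontend's ingress side is selected by a policy; that last result is the case an exposure report is meant to surface.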
func (*PolicyEngine) IsRepresentativePeer ¶ added in v1.2.0
func (pe *PolicyEngine) IsRepresentativePeer(peer Peer) bool
IsRepresentativePeer reports whether the peer is a representative peer (inferred from a network-policy rule), i.e. whether the peer is a WorkloadPeer with kind == RepresentativePeer.
func (*PolicyEngine) SetResources ¶ deprecated
func (pe *PolicyEngine) SetResources(policies []*netv1.NetworkPolicy, pods []*corev1.Pod, namespaces []*corev1.Namespace) error
SetResources updates the set of all relevant k8s resources. This function *may* be used as a convenience to set the initial policy engine state from a set of resources (e.g., retrieved via List from a cluster).
Deprecated: this function simply calls InsertObject on the PolicyEngine. Calling InsertObject directly should be preferred in new code.