Documentation
Index
- Constants
- Variables
- func SplitIPList(ipAddrs []string, chunkSize int) (splits [][]string)
- func SplitPortList(ports []*proto.PortRange, chunkSize int) (splits [][]*proto.PortRange)
- type FileReader
- type HNSAPI
- type IPSetCache
- type PolicySetMetadata
- type PolicySetType
- type PolicySets
- func (s *PolicySets) AddOrReplacePolicySet(setId string, policy interface{})
- func (s *PolicySets) GetPolicySetRules(setIds []string, isInbound, endOfTierDrop bool) (rules []*hns.ACLPolicy)
- func (s *PolicySets) NewHostRule(isInbound bool) *hns.ACLPolicy
- func (s *PolicySets) NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
- func (s *PolicySets) ProcessIpSetUpdate(ipSetId string) []string
- func (s *PolicySets) RemovePolicySet(setId string)
- type PolicySetsDataplane
- type StaticRulesReader
Constants
const (
	// Priority used for rule that allows host to endpoint traffic.
	HostToEndpointRulePriority uint16 = 900
	// Start of range of priorities used for policy set rules.
	PolicyRuleBasePriority uint16 = 1000
	// Max policy priority value.
	PolicyRuleMaxPriority uint16 = 65000
	// Prefix to use for all policy names.
	PolicyNamePrefix string = "policy-"
	// Prefix to use for all profile names.
	ProfileNamePrefix string = "profile-"
)
const (
ActionPass hns.ActionType = "pass"
)
const (
// static rule file name
StaticFileName = "static-rules.json"
)
Variables
var (
	ErrNotSupported = errors.New("rule contained unsupported feature")
	ErrRuleIsNoOp   = errors.New("rule is a no-op")
	ErrMissingIPSet = errors.New("rule referenced a missing IP set")
)
var (
ErrNoRuleSpecified = errors.New("no rule specified")
)
Functions
func SplitIPList
func SplitIPList(ipAddrs []string, chunkSize int) (splits [][]string)
SplitIPList splits a list of IP addresses/CIDRs into chunks of chunkSize entries.
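The chunking that SplitIPList and SplitPortList describe, written out as an added example (this is not the package's own implementation). It uses one generic helper for both the string IP/CIDR case and the port-range case; PortRange here is a constructed stand-in for proto.PortRange, whose fields the page does not show. Two details matter to a caller that turns chunks into rules: a non-positive chunk size or an empty input yields nil rather than looping forever, and every chunk is a copy, so appending to one chunk cannot silently overwrite entries of the next chunk through a shared backing array.

```go
package main

import "fmt"

// PortRange is a constructed stand-in for proto.PortRange (assumption: a
// first/last port pair; the real type's fields are not shown on the page).
type PortRange struct {
	First, Last uint16
}

// chunk splits items into consecutive slices of at most chunkSize elements,
// preserving order. A non-positive chunkSize or an empty input yields nil.
// Each chunk is copied out of items so that later appends to one chunk cannot
// clobber the following chunk through the shared backing array.
func chunk[T any](items []T, chunkSize int) [][]T {
	if chunkSize <= 0 || len(items) == 0 {
		return nil
	}
	splits := make([][]T, 0, (len(items)+chunkSize-1)/chunkSize)
	for start := 0; start < len(items); start += chunkSize {
		end := start + chunkSize
		if end > len(items) {
			end = len(items)
		}
		part := make([]T, end-start)
		copy(part, items[start:end])
		splits = append(splits, part)
	}
	return splits
}

// SplitIPListExample mirrors the SplitIPList signature for IP/CIDR strings.
func SplitIPListExample(ipAddrs []string, chunkSize int) [][]string {
	return chunk(ipAddrs, chunkSize)
}

// SplitPortListExample mirrors SplitPortList for the stand-in PortRange type.
func SplitPortListExample(ports []*PortRange, chunkSize int) [][]*PortRange {
	return chunk(ports, chunkSize)
}

// FlattenIPs joins chunks back together in order. It is the check a rule
// compiler wants: chunking must neither drop nor reorder any entry.
func FlattenIPs(splits [][]string) []string {
	var out []string
	for _, s := range splits {
		out = append(out, s...)
	}
	return out
}

func main() {
	// Constructed sample input: five addresses split two at a time.
	ips := []string{"10.0.0.1/32", "10.0.0.2/32", "192.168.1.0/24", "fd00::1/128", "10.0.0.5/32"}
	for i, part := range SplitIPListExample(ips, 2) {
		fmt.Printf("chunk %d: %v\n", i, part)
	}
	ports := []*PortRange{{First: 80, Last: 80}, {First: 443, Last: 443}, {First: 8000, Last: 8080}}
	fmt.Println("port chunks:", len(SplitPortListExample(ports, 2)))
}
```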
Types
type FileReader
type FileReader string
func (FileReader) ReadData
func (f FileReader) ReadData() ([]byte, error)
type HNSAPI
type HNSAPI interface {
	GetHNSSupportedFeatures() hns.HNSSupportedFeatures
}
HNSAPI is an interface containing only the parts of the HNS API that we use here.
type IPSetCache
IPSetCache is our interface to the IP sets tracker.
type PolicySetMetadata
type PolicySetMetadata struct {
	SetId string
	Type  PolicySetType
}
PolicySetMetadata contains the metadata for a particular Policy set, such as its name and type.
type PolicySetType
type PolicySetType string
PolicySetType constants for the different kinds of Policy set.
const (
	PolicySetTypePolicy  PolicySetType = "policy"
	PolicySetTypeProfile PolicySetType = "profile"
)
func (PolicySetType) SetType
func (t PolicySetType) SetType() string
type PolicySets
type PolicySets struct {
	IpSets []IPSetCache
	// contains filtered or unexported fields
}
PolicySets manages a whole plane of policies/profiles.
func NewPolicySets
func NewPolicySets(hns HNSAPI, ipsets []IPSetCache, reader StaticRulesReader) *PolicySets
func (*PolicySets) AddOrReplacePolicySet
func (s *PolicySets) AddOrReplacePolicySet(setId string, policy interface{})
AddOrReplacePolicySet is responsible for the creation (or replacement) of a Policy set and it is capable of processing either Profiles or Policies from the datastore.
func (*PolicySets) GetPolicySetRules
func (s *PolicySets) GetPolicySetRules(setIds []string, isInbound, endOfTierDrop bool) (rules []*hns.ACLPolicy)
GetPolicySetRules receives a list of Policy set ids and computes the complete set of resultant HNS rules that are needed to enforce all of the Policy sets for the specified direction.
func (*PolicySets) NewHostRule
func (s *PolicySets) NewHostRule(isInbound bool) *hns.ACLPolicy
NewHostRule returns a new HNS rule object scoped to the host.
func (*PolicySets) NewRule
func (s *PolicySets) NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
NewRule returns a new HNS switch rule object instantiated with default values.
func (*PolicySets) ProcessIpSetUpdate
func (s *PolicySets) ProcessIpSetUpdate(ipSetId string) []string
ProcessIpSetUpdate locates any Policy set(s) which reference the provided IP set and causes those Policy sets to be recomputed (to ensure any rule address conditions are using the latest address values from the IP set). A list of the Policy sets which were found and recomputed is returned to the caller.
func (*PolicySets) RemovePolicySet
func (s *PolicySets) RemovePolicySet(setId string)
RemovePolicySet is responsible for the removal of a Policy set.
type PolicySetsDataplane
type PolicySetsDataplane interface {
	AddOrReplacePolicySet(setId string, policy interface{})
	RemovePolicySet(setId string)
	NewRule(isInbound bool, priority uint16) *hns.ACLPolicy
	GetPolicySetRules(setIds []string, isInbound, endOfTierDrop bool) (rules []*hns.ACLPolicy)
	ProcessIpSetUpdate(ipSetId string) []string
	NewHostRule(bool) *hns.ACLPolicy
}
PolicySetsDataplane is an interface for managing a plane of PolicySet objects.
type StaticRulesReader
StaticRulesReader is a wrapper for reading a file, so that a mock reader can be substituted in unit tests.