Documentation ¶
Functions ¶
func GetOpenAPIDefinitions ¶
func GetOpenAPIDefinitions(ref common.ReferenceCallback) map[string]common.OpenAPIDefinition
Types ¶
type BGPPeer ¶
// BGPPeer is the versioned API resource for a BGP peer of a Calico compute
// node. Identity (scope, node, peer address) lives in Metadata; peering
// parameters live in Spec.
type BGPPeer struct {
	unversioned.TypeMetadata

	// Metadata identifies the peer resource.
	Metadata BGPPeerMetadata `json:"metadata,omitempty"`

	// Spec carries the peering parameters (the peer's AS number).
	Spec BGPPeerSpec `json:"spec,omitempty"`
}
BGPPeer contains information about a BGP peer resource that is a peer of a Calico compute node.
func NewBGPPeer ¶
func NewBGPPeer() *BGPPeer
NewBGPPeer creates a new (zeroed) BGPPeer struct with the TypeMetadata initialised to the current version.
func (BGPPeer) GetResourceMetadata ¶
func (t BGPPeer) GetResourceMetadata() unversioned.ResourceMetadata
type BGPPeerList ¶
// BGPPeerList is the list resource returned by List() enumerations of BGP
// peers in the client interface.
type BGPPeerList struct {
	unversioned.TypeMetadata

	// Metadata describes the list as a whole.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`

	// Items holds the enumerated peers; each element is validated in turn.
	Items []BGPPeer `json:"items" validate:"dive"`
}
BGPPeerList contains a list of BGP Peer resources. List types are returned from List() enumerations in the client interface.
func NewBGPPeerList ¶
func NewBGPPeerList() *BGPPeerList
NewBGPPeerList creates a new (zeroed) BGPPeerList struct with the TypeMetadata initialised to the current version.
type BGPPeerMetadata ¶
// BGPPeerMetadata identifies a BGPPeer resource: its scope, the Calico node
// it peers with (node scope only) and the peer's IP address.
type BGPPeerMetadata struct {
	unversioned.ObjectMetadata

	// Scope is either global or node. A global peer is a BGP device that
	// peers with every Calico node; a node peer is a BGP device that peers
	// with one Calico node, named by Node.
	Scope scope.Scope `json:"scope" validate:"omitempty,scopeglobalornode"`

	// Node names the Calico node instance peering with this peer. When a
	// peer is modified, Node is required for scope `node` and must be left
	// empty for scope `global`.
	Node string `json:"node,omitempty" validate:"omitempty,name"`

	// PeerIP is the IP address of the peer.
	PeerIP net.IP `json:"peerIP" validate:"omitempty"`
}
BGPPeerMetadata contains the metadata for a BGPPeer resource.
type BGPPeerSpec ¶
// BGPPeerSpec holds the configurable parameters of a BGPPeer resource.
type BGPPeerSpec struct {
	// ASNumber is the autonomous system number of the peer.
	ASNumber numorstring.ASNumber `json:"asNumber"`
}
BGPPeerSpec contains the specification for a BGPPeer resource.
type CalicoAPIConfig ¶
// CalicoAPIConfig is the resource that carries the datastore connection
// settings used by the Calico API client.
type CalicoAPIConfig struct {
	unversioned.TypeMetadata

	// Metadata identifies the config resource.
	Metadata CalicoAPIConfigMetadata `json:"metadata,omitempty"`

	// Spec selects the datastore type and carries its connection settings,
	// including any credentials.
	Spec CalicoAPIConfigSpec `json:"spec,omitempty"`
}
CalicoAPIConfig contains the connection information for a Calico CalicoAPIConfig resource.
func NewCalicoAPIConfig ¶
func NewCalicoAPIConfig() *CalicoAPIConfig
NewCalicoAPIConfig creates a new (zeroed) CalicoAPIConfig struct with the TypeMetadata initialised to the current version.
type CalicoAPIConfigMetadata ¶
// CalicoAPIConfigMetadata is the metadata of a CalicoAPIConfig resource; it
// adds nothing beyond the common object metadata.
type CalicoAPIConfigMetadata struct {
	unversioned.ObjectMetadata
}
CalicoAPIConfigMetadata contains the metadata for a Calico CalicoAPIConfig resource.
type CalicoAPIConfigSpec ¶
// CalicoAPIConfigSpec selects the datastore and inlines the connection
// settings for both supported backends. Only the settings for the selected
// DatastoreType are meaningful.
type CalicoAPIConfigSpec struct {
	// DatastoreType picks the backend; "etcdv2" when not set.
	DatastoreType DatastoreType `json:"datastoreType" envconfig:"APIV1_DATASTORE_TYPE" default:"etcdv2"`

	// etcd connection settings, inlined.
	EtcdConfig

	// Kubernetes connection settings, inlined.
	KubeConfig
}
CalicoAPIConfigSpec contains the specification for a Calico CalicoAPIConfig resource.
type DatastoreType ¶
// DatastoreType names the datastore backend selected by CalicoAPIConfigSpec.
type DatastoreType string

// The datastore backends a CalicoAPIConfigSpec may select.
const (
	// EtcdV2 selects the etcd v2 backend.
	EtcdV2 DatastoreType = "etcdv2"

	// Kubernetes selects the Kubernetes API backend.
	Kubernetes DatastoreType = "kubernetes"
)
type EndpointPort ¶
// EndpointPort is a named port on an endpoint that policy rules can refer
// to by name instead of number.
type EndpointPort struct {
	// Name is the identifier rules use to reference this port.
	Name string `json:"name" validate:"name"`

	// Protocol is the transport protocol the port belongs to.
	Protocol numorstring.Protocol `json:"protocol"`

	// Port is the port number; validation rejects zero.
	Port uint16 `json:"port" validate:"gt=0"`
}
type EntityRule ¶
// EntityRule is the half of a Rule that matches one entity: the source (the
// originating endpoint and traffic) or the destination (the terminating
// endpoint and traffic). Every positive criterion has a "Not" counterpart;
// all criteria set on the rule must hold for the packet to match.
type EntityRule struct {
	// Tag restricts the match to traffic whose endpoint has a profile
	// carrying this tag. Optional.
	Tag string `json:"tag,omitempty" validate:"omitempty,tag"`

	// Net restricts the match to traffic from (or to) addresses in this
	// single subnet. Optional.
	//
	// Deprecated: superseded by the Nets field.
	Net *net.IPNet `json:"net,omitempty" validate:"omitempty"`

	// Nets restricts the match to traffic from (or to) addresses in any of
	// these subnets. Optional.
	Nets []*net.IPNet `json:"nets,omitempty" validate:"omitempty"`

	// Selector restricts the match to endpoints matching this selector
	// expression (syntax is documented on PolicySpec). Optional.
	//
	// Selector negation and NotSelector are not equivalent. The selector
	// syntax negates the endpoint set, while NotSelector negates the whole
	// match:
	//
	//   Selector = "!has(my_label)" matches packets from other
	//   Calico-controlled endpoints that lack the label "my_label".
	//
	//   NotSelector = "has(my_label)" matches packets that are NOT from
	//   Calico-controlled endpoints carrying "my_label".
	//
	// So the NotSelector form also accepts packets from non-Calico sources,
	// whereas the Selector form only ever matches Calico-controlled
	// endpoints.
	Selector string `json:"selector,omitempty" validate:"omitempty,selector"`

	// Ports restricts the match to traffic whose source (destination) port
	// falls in one of these values or ranges, given as integers or strings.
	// Optional.
	//
	// Ports only exist for some protocols, so setting this field requires
	// the enclosing Rule's Protocol to be "tcp" or "udp".
	Ports []numorstring.Port `json:"ports,omitempty" validate:"omitempty,dive"`

	// NotTag is the negation of Tag.
	NotTag string `json:"notTag,omitempty" validate:"omitempty,tag"`

	// NotNet excludes traffic from (or to) addresses in this single subnet.
	// Optional.
	//
	// Deprecated: superseded by NotNets.
	NotNet *net.IPNet `json:"notNet,omitempty" validate:"omitempty"`

	// NotNets excludes traffic from (or to) addresses in any of these
	// subnets. Optional.
	NotNets []*net.IPNet `json:"notNets,omitempty" validate:"omitempty"`

	// NotSelector is the negation of Selector; see the note on Selector for
	// how this differs from a negated selector expression.
	NotSelector string `json:"notSelector,omitempty" validate:"omitempty,selector"`

	// NotPorts is the negation of Ports.
	//
	// As with Ports, setting this requires the enclosing Rule's Protocol to
	// be "tcp" or "udp".
	NotPorts []numorstring.Port `json:"notPorts,omitempty" validate:"omitempty,dive"`
}
An EntityRule is a sub-component of a Rule comprising the match criteria specific to a particular entity (that is either the source or destination).
A source EntityRule matches the source endpoint and originating traffic. A destination EntityRule matches the destination endpoint and terminating traffic.
func (EntityRule) GetNets ¶
func (r EntityRule) GetNets() []*net.IPNet
GetNets returns either r.Nets or a slice containing r.Net. It is useful for unifying the two representations.
func (EntityRule) GetNotNets ¶
func (r EntityRule) GetNotNets() []*net.IPNet
GetNotNets returns either r.NotNets or a slice containing r.NotNet. It is useful for unifying the two representations.
type EtcdConfig ¶
// EtcdConfig holds the settings for reaching an etcd datastore. Each field
// can also be populated from the APIV1_ETCD_* environment variable named in
// its envconfig tag. EtcdUsername/EtcdPassword and the key file path are
// credentials; none of the json tags carry omitempty, so a marshalled
// EtcdConfig always includes them — keep serialised configs out of logs.
type EtcdConfig struct {
	// EtcdScheme is the URL scheme used to reach etcd.
	EtcdScheme string `json:"etcdScheme" envconfig:"APIV1_ETCD_SCHEME" default:""`

	// EtcdAuthority is the host:port authority used with EtcdScheme.
	EtcdAuthority string `json:"etcdAuthority" envconfig:"APIV1_ETCD_AUTHORITY" default:""`

	// EtcdEndpoints lists the etcd endpoints to connect to.
	EtcdEndpoints string `json:"etcdEndpoints" envconfig:"APIV1_ETCD_ENDPOINTS"`

	// EtcdDiscoverySrv is the DNS SRV domain used to discover endpoints.
	EtcdDiscoverySrv string `json:"etcdDiscoverySrv" envconfig:"APIV1_ETCD_DISCOVERY_SRV"`

	// EtcdUsername is the etcd authentication user name.
	EtcdUsername string `json:"etcdUsername" envconfig:"APIV1_ETCD_USERNAME"`

	// EtcdPassword is the etcd authentication password (secret).
	EtcdPassword string `json:"etcdPassword" envconfig:"APIV1_ETCD_PASSWORD"`

	// EtcdKeyFile is the path of the client TLS private key (secret).
	EtcdKeyFile string `json:"etcdKeyFile" envconfig:"APIV1_ETCD_KEY_FILE"`

	// EtcdCertFile is the path of the client TLS certificate.
	EtcdCertFile string `json:"etcdCertFile" envconfig:"APIV1_ETCD_CERT_FILE"`

	// EtcdCACertFile is the path of the CA certificate used to verify the
	// etcd server.
	EtcdCACertFile string `json:"etcdCACertFile" envconfig:"APIV1_ETCD_CA_CERT_FILE"`
}
type HostEndpoint ¶
// HostEndpoint is the resource for a "bare-metal" interface on the host
// running Felix. Calico applies no policy to such an interface unless a
// HostEndpoint exists for it.
type HostEndpoint struct {
	unversioned.TypeMetadata

	// Metadata identifies the endpoint (name, node, labels).
	Metadata HostEndpointMetadata `json:"metadata,omitempty"`

	// Spec selects the interface and the profiles/ports that apply to it.
	Spec HostEndpointSpec `json:"spec,omitempty"`
}
HostEndpoint contains information about a "bare-metal" interface attached to the host that is running Calico's agent, Felix. By default, Calico doesn't apply any policy to such interfaces.
func NewHostEndpoint ¶
func NewHostEndpoint() *HostEndpoint
NewHostEndpoint creates a new (zeroed) HostEndpoint struct with the TypeMetadata initialised to the current version.
func (HostEndpoint) GetResourceMetadata ¶
func (t HostEndpoint) GetResourceMetadata() unversioned.ResourceMetadata
func (HostEndpoint) String ¶
func (t HostEndpoint) String() string
String() returns the human-readable string representation of a HostEndpoint instance which is defined by its Node and Name.
type HostEndpointList ¶
// HostEndpointList is the list resource returned by List() enumerations of
// host endpoints in the client interface.
type HostEndpointList struct {
	unversioned.TypeMetadata

	// Metadata describes the list as a whole.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`

	// Items holds the enumerated endpoints; each element is validated.
	Items []HostEndpoint `json:"items" validate:"dive"`
}
HostEndpointList contains a list of Host Endpoint resources. List types are returned from List() enumerations in the client interface.
func NewHostEndpointList ¶
func NewHostEndpointList() *HostEndpointList
NewHostEndpointList creates a new (zeroed) HostEndpointList struct with the TypeMetadata initialised to the current version.
type HostEndpointMetadata ¶
// HostEndpointMetadata identifies a HostEndpoint resource and carries the
// labels that selector-based policy matches against.
type HostEndpointMetadata struct {
	unversioned.ObjectMetadata

	// Name is the endpoint's name.
	Name string `json:"name,omitempty" validate:"omitempty,namespacedName"`

	// Node names the Calico node instance the interface belongs to.
	Node string `json:"node,omitempty" validate:"omitempty,name"`

	// Labels are applied to the endpoint and are typically shared by many
	// endpoints — e.g. "deployment=prod" on every production workload so
	// that one policy can select all of them.
	Labels map[string]string `json:"labels,omitempty" validate:"omitempty,labels"`
}
HostEndpointMetadata contains the Metadata for a HostEndpoint resource.
type HostEndpointSpec ¶
// HostEndpointSpec says which interface a HostEndpoint covers and which
// profiles and named ports apply to it. At least one of InterfaceName and
// ExpectedIPs must be given.
type HostEndpointSpec struct {
	// InterfaceName is the Linux interface to apply policy to, e.g. "eth0".
	// If empty, at least one expected IP must be listed instead.
	InterfaceName string `json:"interfaceName,omitempty" validate:"omitempty,interface"`

	// ExpectedIPs are the endpoint's expected IPv4/IPv6 addresses. When
	// InterfaceName is empty, Calico looks for an interface holding any of
	// these addresses and applies policy to it.
	//
	// These addresses also feed selector/tag matching: when a Policy or
	// Profile rule uses a selector or tag, Calico resolves it to a set of
	// IP addresses, and for host endpoints ExpectedIPs is that set. If only
	// InterfaceName is set, the interface's addresses are not learned for
	// use in match criteria.
	ExpectedIPs []net.IP `json:"expectedIPs,omitempty" validate:"omitempty"`

	// Profiles are the security Profiles applied to this endpoint, in list
	// order, after the selector-based policy has run.
	Profiles []string `json:"profiles,omitempty" validate:"omitempty,dive,namespacedName"`

	// Ports are the endpoint's named ports, referenceable from policy rules.
	Ports []EndpointPort `json:"ports,omitempty" validate:"omitempty,dive"`
}
HostEndpointSpec contains the specification for a HostEndpoint resource.
type ICMPFields ¶
// ICMPFields is the ICMP type/code match used by the ICMP and NotICMP fields
// of a Rule. Code cannot be matched on its own.
type ICMPFields struct {
	// Type matches one ICMP type; 8, for example, is Echo Request (ping).
	// Validation bounds it to 0..254.
	Type *int `json:"type,omitempty" validate:"omitempty,gte=0,lte=254"`

	// Code matches one ICMP code and requires Type to be set as well — the
	// kernel's iptables firewall, which Calico programs, cannot match a
	// code without a type. Validation bounds it to 0..255.
	Code *int `json:"code,omitempty" validate:"omitempty,gte=0,lte=255"`
}
ICMPFields defines the structure of the ICMP and NotICMP sub-structs, which carry an ICMP type and code.
type IPIPConfiguration ¶
// IPIPConfiguration controls IP-in-IP tunnelling for an IP pool.
type IPIPConfiguration struct {
	// Enabled turns on IPIP tunnelling for traffic to destinations in the
	// pool.
	Enabled bool `json:"enabled,omitempty"`

	// Mode is "always" or "cross-subnet". "always" tunnels all traffic to
	// destination addresses in the pool; "cross-subnet" tunnels only when
	// the destination node is on a different subnet from the originating
	// node. Unset means "always".
	Mode encap.Mode `json:"mode,omitempty" validate:"ipIpMode"`
}
type IPNAT ¶
// IPNAT is one NAT mapping on a WorkloadEndpoint resource, pairing an
// internal address of the endpoint with an external one.
type IPNAT struct {
	// InternalIP is the endpoint-side address; it must belong to one of the
	// endpoint's configured IPNetworks.
	InternalIP net.IP `json:"internalIP"`

	// ExternalIP is the address the internal one is translated to.
	ExternalIP net.IP `json:"externalIP"`
}
IPNAT contains a single NAT mapping for a WorkloadEndpoint resource.
type IPPool ¶
// IPPool is the resource for a Calico IP pool. A pool both supplies the
// addresses Calico IPAM assigns to workloads and carries per-range settings
// such as tunnelling and outbound NAT.
type IPPool struct {
	unversioned.TypeMetadata

	// Metadata identifies the pool by its CIDR.
	Metadata IPPoolMetadata `json:"metadata,omitempty"`

	// Spec carries the pool's tunnelling, NAT and IPAM settings.
	Spec IPPoolSpec `json:"spec,omitempty"`
}
IPPool contains the details of a Calico IP pool resource. A pool resource is used by Calico in two ways:
- to provide a set of IP addresses from which Calico IPAM assigns addresses for workloads.
- to provide configuration specific to IP address range, such as configuration for the BGP daemon (e.g. when to use a GRE tunnel to encapsulate packets between compute hosts).
func NewIPPool ¶
func NewIPPool() *IPPool
NewIPPool creates a new (zeroed) IPPool struct with the TypeMetadata initialised to the current version.
func (IPPool) GetResourceMetadata ¶
func (t IPPool) GetResourceMetadata() unversioned.ResourceMetadata
type IPPoolList ¶
// IPPoolList is the list resource returned by List() enumerations of IP
// pools in the client interface.
type IPPoolList struct {
	unversioned.TypeMetadata

	// Metadata describes the list as a whole.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`

	// Items holds the enumerated pools; each element is validated.
	Items []IPPool `json:"items" validate:"dive"`
}
IPPoolList contains a list of IP pool resources. List types are returned from List() enumerations in the client interface.
func NewIPPoolList ¶
func NewIPPoolList() *IPPoolList
NewIPPoolList creates a new (zeroed) IPPoolList struct with the TypeMetadata initialised to the current version.
type IPPoolMetadata ¶
// IPPoolMetadata identifies an IP pool resource by its address range.
type IPPoolMetadata struct {
	unversioned.ObjectMetadata

	// CIDR is the address range the pool covers.
	CIDR net.IPNet `json:"cidr"`
}
IPPoolMetadata contains the metadata for an IP pool resource.
type IPPoolSpec ¶
// IPPoolSpec holds the configurable settings of an IP pool resource.
type IPPoolSpec struct {
	// IPIP configures IP-in-IP tunnelling for the pool; nil disables it.
	IPIP *IPIPConfiguration `json:"ipip,omitempty"`

	// NATOutgoing, when true, masquerades packets from Calico-networked
	// containers in this pool that are bound for destinations outside it.
	NATOutgoing bool `json:"nat-outgoing,omitempty"`

	// Disabled, when true, stops Calico IPAM assigning addresses from the
	// pool.
	Disabled bool `json:"disabled,omitempty"`
}
IPPoolSpec contains the specification for an IP pool resource.
type KubeConfig ¶
// KubeConfig holds the settings for reaching the Kubernetes API as a
// datastore. Most fields can also be populated from the APIV1_K8S_* /
// APIV1_KUBECONFIG environment variable named in their envconfig tag.
// K8sAPIToken and K8sKeyFile are credentials and the json tags carry no
// omitempty, so a marshalled KubeConfig always includes them — keep
// serialised configs out of logs.
type KubeConfig struct {
	// Kubeconfig is the path of a kubeconfig file.
	Kubeconfig string `json:"kubeconfig" envconfig:"APIV1_KUBECONFIG" default:""`

	// K8sAPIEndpoint is the Kubernetes API server endpoint.
	K8sAPIEndpoint string `json:"k8sAPIEndpoint" envconfig:"APIV1_K8S_API_ENDPOINT" default:""`

	// K8sKeyFile is the path of the client TLS private key (secret).
	K8sKeyFile string `json:"k8sKeyFile" envconfig:"APIV1_K8S_KEY_FILE" default:""`

	// K8sCertFile is the path of the client TLS certificate.
	K8sCertFile string `json:"k8sCertFile" envconfig:"APIV1_K8S_CERT_FILE" default:""`

	// K8sCAFile is the path of the CA certificate used to verify the API
	// server.
	K8sCAFile string `json:"k8sCAFile" envconfig:"APIV1_K8S_CA_FILE" default:""`

	// K8sAPIToken is the bearer token for the API server (secret). It has
	// no envconfig tag; the ignore tag presumably keeps it out of
	// environment-based loading — confirm against the loader.
	K8sAPIToken string `json:"k8sAPIToken" ignore:"true"`

	// K8sInsecureSkipTLSVerify, by its name, disables verification of the
	// API server's TLS certificate; leave false outside of test setups.
	K8sInsecureSkipTLSVerify bool `json:"k8sInsecureSkipTLSVerify" envconfig:"APIV1_K8S_INSECURE_SKIP_TLS_VERIFY" default:""`

	// K8sDisableNodePoll turns off node polling.
	K8sDisableNodePoll bool `json:"k8sDisableNodePoll" envconfig:"APIV1_K8S_DISABLE_NODE_POLL" default:""`
}
type Node ¶
// Node is the resource describing one Calico node instance on a compute
// host. The running instance must use the same Name as this resource
// (the host's hostname by default).
type Node struct {
	unversioned.TypeMetadata

	// Metadata identifies the node by name.
	Metadata NodeMetadata `json:"metadata,omitempty"`

	// Spec carries the node's BGP settings and orchestrator references.
	Spec NodeSpec `json:"spec,omitempty"`
}
Node contains the details of a node resource which contains the configuration for a Calico node instance running on a compute host.
In addition to creating a Node resource through calicoctl or the Calico API, the Calico node instance must also be running on the specific host and should be provided the same Name as that configured on the Node resource. Note that, by default, the Calico node instance uses the hostname of the compute host when it is not explicitly specified - in this case, the equivalent Node resource should be created using the same hostname as the Name of the Node resource.
Operations on Node resources are expected to be required when adding a new host into a Calico network, when removing a host from a Calico network, and occasionally to modify certain configuration. Care should be taken when operating on Node resources: deleting a Node resource will remove all Node-specific data.
func NewNode ¶
func NewNode() *Node
NewNode creates a new (zeroed) Node struct with the TypeMetadata initialised to the current version.
func (Node) GetResourceMetadata ¶
func (t Node) GetResourceMetadata() unversioned.ResourceMetadata
type NodeBGPSpec ¶
// NodeBGPSpec holds the BGP settings of a Calico Node resource. At least one
// of IPv4Address and IPv6Address should be set.
type NodeBGPSpec struct {
	// ASNumber is the node's AS number; nil means use the global default.
	ASNumber *numorstring.ASNumber `json:"asNumber,omitempty"`

	// IPv4Address is the node's IPv4 address and network.
	IPv4Address *net.IPNet `json:"ipv4Address,omitempty" validate:"omitempty"`

	// IPv6Address is the node's IPv6 address and network.
	IPv6Address *net.IPNet `json:"ipv6Address,omitempty" validate:"omitempty"`
}
NodeBGPSpec contains the BGP specification for a Calico Node resource.
type NodeList ¶
// NodeList is the list resource returned by List() enumerations of nodes on
// the client interface.
type NodeList struct {
	unversioned.TypeMetadata

	// Metadata describes the list as a whole.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`

	// Items holds the enumerated nodes; each element is validated and the
	// list itself may be empty.
	Items []Node `json:"items" validate:"dive,omitempty"`
}
A NodeList contains a list of Node resources. List types are returned from List() enumerations on the client interface.
func NewNodeList ¶
func NewNodeList() *NodeList
NewNodeList creates a new (zeroed) NodeList struct with the TypeMetadata initialised to the current version.
type NodeMetadata ¶
// NodeMetadata identifies a Calico Node resource.
type NodeMetadata struct {
	unversioned.ObjectMetadata

	// Name is the node's name; it must match the name the running Calico
	// node instance uses.
	Name string `json:"name,omitempty" validate:"omitempty,name"`
}
NodeMetadata contains the metadata for a Calico Node resource.
type NodeSpec ¶
// NodeSpec holds the configurable settings of a Calico Node resource.
type NodeSpec struct {
	// BGP is the node's BGP configuration; nil runs the node in policy-only
	// mode.
	BGP *NodeBGPSpec `json:"bgp,omitempty" validate:"omitempty"`

	// OrchRefs link the node to its representation in each orchestrator.
	OrchRefs []OrchRef `json:"orchRefs,omitempty" validate:"omitempty"`
}
NodeSpec contains the specification for a Calico Node resource.
type OrchRef ¶
// OrchRef ties a Calico node to the node object an orchestrator knows it as.
type OrchRef struct {
	// NodeName is the node's name as the orchestrator sees it.
	NodeName string `json:"nodeName,omitempty" validate:"omitempty"`

	// Orchestrator names the orchestrator that uses this node.
	Orchestrator string `json:"orchestrator"`
}
OrchRef is used to correlate a Calico node to its corresponding representation in a given orchestrator.
type Policy ¶
// Policy is the resource for a tiered, selector-based security policy: a
// set of rules applied to the endpoints its selector picks out, which can
// override the profiles an endpoint references directly.
type Policy struct {
	unversioned.TypeMetadata

	// Metadata identifies the policy and the tier it belongs to.
	Metadata PolicyMetadata `json:"metadata,omitempty"`

	// Spec carries the selector, ordering and ingress/egress rules.
	Spec PolicySpec `json:"spec,omitempty"`
}
Policy contains information about a tiered security Policy resource. This contains a set of security rules to apply. Security policies allow a selector-based security model which can override the security profiles directly referenced by an endpoint.
Each policy must do one of the following:
- Match the packet and apply a “next-tier” action; this skips the rest of the tier, deferring to the next tier (or to the explicit profiles if this is the last tier).
- Match the packet and apply an “allow” action; this immediately accepts the packet, skipping all further tiers and profiles. This is not recommended in general, because it prevents further policy from being executed.
- Match the packet and apply a "deny" action; this drops the packet immediately, skipping all further tiers and profiles.
- Fail to match the packet; in which case the packet proceeds to the next policy in the tier. If there are no more policies in the tier then the packet is dropped.
Note:
If no policies in a tier match an endpoint then the packet skips the tier completely. The “default deny” behavior described above only applies if some of the policies in a tier match the endpoint.
Calico implements the security policy for each endpoint individually and only the policies that have matching selectors are implemented. This ensures that the number of rules that actually need to be inserted into the kernel is proportional to the number of local endpoints rather than the total amount of policy. If no policies in a tier match a given endpoint then that tier is skipped.
func NewPolicy ¶
func NewPolicy() *Policy
NewPolicy creates a new (zeroed) Policy struct with the TypeMetadata initialised to the current version.
func (Policy) GetResourceMetadata ¶
func (t Policy) GetResourceMetadata() unversioned.ResourceMetadata
type PolicyList ¶
// PolicyList is the list resource returned by List() enumerations of
// selector-based security policies on the client interface.
type PolicyList struct {
	unversioned.TypeMetadata

	// Metadata describes the list as a whole.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`

	// Items holds the enumerated policies; each element is validated.
	Items []Policy `json:"items" validate:"dive"`
}
PolicyList contains a list of selector-based security Policy resources. List types are returned from List() enumerations on the client interface.
func NewPolicyList ¶
func NewPolicyList() *PolicyList
NewPolicyList creates a new (zeroed) PolicyList struct with the TypeMetadata initialised to the current version.
type PolicyMetadata ¶
// PolicyMetadata identifies a selector-based security Policy resource and
// places it in a tier.
type PolicyMetadata struct {
	unversioned.ObjectMetadata

	// Name is the policy's name.
	Name string `json:"name,omitempty" validate:"omitempty,namespacedName"`

	// Tier names the tier the policy lives in; empty means "default". A
	// tier must exist before policies can be created in it, except that
	// "default" is created on demand — so single-tier deployments can omit
	// Tier on every policy request.
	Tier string `json:"tier,omitempty" validate:"omitempty,name"`

	// Annotations are free-form key/value pairs for client use.
	Annotations map[string]string `json:"annotations,omitempty" validate:"omitempty"`
}
PolicyMetadata contains the metadata for a selector-based security Policy resource.
type PolicySpec ¶
// PolicySpec holds the configurable settings of a selector-based security
// Policy resource: where it sits in its tier, which endpoints it applies
// to, and the ingress/egress rules it enforces.
type PolicySpec struct {
	// Order positions the policy within its tier: higher values are applied
	// after lower ones. Omitted is treated as infinite, i.e. applied last.
	// Ties within a tier are broken alphanumerically by policy Name.
	Order *float64 `json:"order,omitempty"`

	// IngressRules is the ordered list of ingress rules; each pairs match
	// criteria with an action.
	IngressRules []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`

	// EgressRules is the ordered list of egress rules; each pairs match
	// criteria with an action.
	EgressRules []Rule `json:"egress,omitempty" validate:"omitempty,dive"`

	// Selector is the expression that picks the endpoints this policy
	// applies to. Syntax:
	//
	//   label == "string_literal"            equality, e.g. my_label == "foo bar"
	//   label != "string_literal"            inequality; also true if the label is absent
	//   label in { "a", "b", "c", ... }      true if the label's value is one of the set
	//   label not in { "a", "b", "c", ... }  true if the label's value is not in the set
	//   has(label_name)                      true if the label is present
	//   ! expr                               negation
	//   expr && expr                         short-circuit and
	//   expr || expr                         short-circuit or
	//   ( expr )                             grouping
	//   all() or the empty selector          matches every endpoint
	//
	// Label names may contain alphanumerics, -, _ and /. String literals
	// are more permissive but do not support escape characters.
	//
	// Examples (with made-up labels):
	//
	//   type == "webserver" && deployment == "prod"
	//   type in {"frontend", "backend"}
	//   deployment != "dev"
	//   ! has(label_name)
	Selector string `json:"selector" validate:"selector"`

	// DoNotTrack, when true, applies this policy's rules before the data
	// plane's connection tracking (e.g. Linux conntrack) and marks packets
	// it allows as not to be tracked.
	DoNotTrack bool `json:"doNotTrack,omitempty"`

	// PreDNAT, when true, applies this policy's rules before any DNAT.
	PreDNAT bool `json:"preDNAT,omitempty"`

	// Types says whether the policy covers ingress, egress or both. When
	// left empty/nil on creation, Calico derives it from the rules present:
	//
	//   - [ PolicyTypeIngress ] if there are no EgressRules (including the
	//     case of no rules at all)
	//   - [ PolicyTypeEgress ] if there are EgressRules but no IngressRules
	//   - [ PolicyTypeIngress, PolicyTypeEgress ] if both kinds are present
	//
	// A policy read back from the datastore always has one of these
	// values, never empty or nil.
	Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`
}
PolicySpec contains the specification for a selector-based security Policy resource.
type PolicyType ¶
// PolicyType is one direction a Policy applies to; see the PolicyTypeIngress
// and PolicyTypeEgress constants and the PolicySpec Types field.
type PolicyType string
PolicyType enumerates the possible values of the PolicySpec Types field.
// The directions a Policy may apply to.
const (
	// PolicyTypeIngress marks the policy as applying to inbound traffic.
	PolicyTypeIngress PolicyType = "ingress"

	// PolicyTypeEgress marks the policy as applying to outbound traffic.
	PolicyTypeEgress PolicyType = "egress"
)
type Profile ¶
// Profile is the resource for a security profile: a rule set an endpoint
// references directly. Profiles run after selector-based policy, in the
// order the endpoint lists them.
type Profile struct {
	unversioned.TypeMetadata

	// Metadata identifies the profile and carries the tags/labels it
	// applies to referencing endpoints.
	Metadata ProfileMetadata `json:"metadata,omitempty"`

	// Spec carries the profile's ingress and egress rules.
	Spec ProfileSpec `json:"spec,omitempty"`
}
Profile contains the details of a security profile resource. A profile is a set of security rules to apply on an endpoint. An endpoint (either a host endpoint or an endpoint on a workload) can reference zero or more profiles. The profile rules are applied directly to the endpoint *after* the selector-based security policy has been applied, and in the order the profiles are declared on the endpoint.
func NewProfile ¶
func NewProfile() *Profile
NewProfile creates a new (zeroed) Profile struct with the TypeMetadata initialised to the current version.
func (Profile) GetResourceMetadata ¶
func (t Profile) GetResourceMetadata() unversioned.ResourceMetadata
type ProfileList ¶
// ProfileList is the list resource returned by List() enumerations of
// security profiles on the client interface.
type ProfileList struct {
	unversioned.TypeMetadata

	// Metadata describes the list as a whole.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`

	// Items holds the enumerated profiles; each element is validated and
	// the list itself may be empty.
	Items []Profile `json:"items" validate:"dive,omitempty"`
}
A ProfileList contains a list of security Profile resources. List types are returned from List() enumerations on the client interface.
func NewProfileList ¶
func NewProfileList() *ProfileList
NewProfileList creates a new (zeroed) ProfileList struct with the TypeMetadata initialised to the current version.
type ProfileMetadata ¶
// ProfileMetadata identifies a security Profile resource and carries the
// tags and labels it confers on every endpoint that references it.
type ProfileMetadata struct {
	unversioned.ObjectMetadata

	// Name is the profile's name.
	Name string `json:"name,omitempty" validate:"omitempty,namespacedName"`

	// Tags are applied to each endpoint referencing this profile.
	Tags []string `json:"tags,omitempty" validate:"omitempty,dive,tag"`

	// Labels are applied to each endpoint referencing this profile and are
	// typically shared widely — e.g. "deployment=prod" on all production
	// workloads so that one policy can select them.
	Labels map[string]string `json:"labels,omitempty" validate:"omitempty,labels"`
}
ProfileMetadata contains the metadata for a security Profile resource.
type ProfileSpec ¶
// ProfileSpec holds the rules of a security Profile resource.
type ProfileSpec struct {
	// IngressRules is the ordered list of ingress rules; each pairs match
	// criteria with an action.
	IngressRules []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`

	// EgressRules is the ordered list of egress rules; each pairs match
	// criteria with an action.
	EgressRules []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
}
ProfileSpec contains the specification for a security Profile resource.
type Rule ¶
// Rule pairs a set of packet match criteria with an action. Policies and
// Profiles each hold ordered lists of rules for ingress and for egress.
// Every positive criterion has a "Not" counterpart, and all criteria set on
// a rule — positive and negated alike — must hold for the packet to match.
type Rule struct {
	// Action is what to do with a matching packet.
	Action string `json:"action" validate:"action"`

	// IPVersion limits the rule to one IP version. Optional.
	IPVersion *int `json:"ipVersion,omitempty" validate:"omitempty,ipVersion"`

	// Protocol limits the rule to one IP protocol. Optional, but required
	// whenever either EntityRule sets Ports, since ports exist only for
	// some protocols.
	//
	// Accepts "tcp", "udp", "icmp", "icmpv6", "sctp", "udplite" or an
	// integer in the range 1-255.
	Protocol *numorstring.Protocol `json:"protocol,omitempty" validate:"omitempty"`

	// ICMP limits the rule to one ICMP type/code; only meaningful when
	// Protocol is "icmp" or "icmpv6".
	ICMP *ICMPFields `json:"icmp,omitempty" validate:"omitempty"`

	// NotProtocol is the negation of Protocol.
	NotProtocol *numorstring.Protocol `json:"notProtocol,omitempty" validate:"omitempty"`

	// NotICMP is the negation of ICMP.
	NotICMP *ICMPFields `json:"notICMP,omitempty" validate:"omitempty"`

	// Source holds the criteria matched against the source entity.
	Source EntityRule `json:"source,omitempty" validate:"omitempty"`

	// Destination holds the criteria matched against the destination
	// entity.
	Destination EntityRule `json:"destination,omitempty" validate:"omitempty"`
}
A Rule encapsulates a set of match criteria and an action. Both selector-based security Policy and security Profiles reference rules - separated out as a list of rules for both ingress and egress packet matching.
Each positive match criteria has a negated version, prefixed with "Not". All the match criteria within a rule must be satisfied for a packet to match. A single rule can contain the positive and negative version of a match and both must be satisfied for the rule to match.
type Tier ¶
// Tier is a security policy tier resource: a named group of policies that is
// applied in the order given by its TierSpec. See Policy for how policies
// within a tier are evaluated.
type Tier struct {
	unversioned.TypeMetadata
	// Metadata identifies the tier; see TierMetadata.
	Metadata TierMetadata `json:"metadata,omitempty"`
	// Spec holds the tier's ordering configuration; see TierSpec.
	Spec TierSpec `json:"spec,omitempty"`
}
Tier contains the details of a security policy tier resource. A tier contains a set of policies that are applied to packets. Multiple tiers may be created and each tier is applied in the order specified in the tier specification.
See Policy for more information.
func NewTier ¶
func NewTier() *Tier
NewTier creates a new (zeroed) Tier struct with the TypeMetadata initialised to the current version.
func (Tier) GetResourceMetadata ¶
func (t Tier) GetResourceMetadata() unversioned.ResourceMetadata
type TierList ¶
// TierList is the list type returned from List() enumerations of Tier
// resources in the client interface.
type TierList struct {
	unversioned.TypeMetadata
	// Metadata is the list-level metadata common to all list types.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`
	// Items holds the enumerated tiers. The "dive" validator validates each
	// element individually rather than just the slice as a whole.
	Items []Tier `json:"items" validate:"dive"`
}
A TierList contains a list of tier resources. List types are returned from List() enumerations in the client interface.
func NewTierList ¶
func NewTierList() *TierList
NewTierList creates a new (zeroed) TierList struct with the TypeMetadata initialised to the current version.
type TierMetadata ¶
// TierMetadata contains the metadata for a security policy Tier.
type TierMetadata struct {
	unversioned.ObjectMetadata
	// Name identifies the tier. When present it must satisfy the "name"
	// validator. It is also the alphanumerical tie-breaker between tiers that
	// share the same TierSpec.Order.
	Name string `json:"name,omitempty" validate:"omitempty,name"`
}
TierMetadata contains the metadata for a security policy Tier.
type TierSpec ¶
// TierSpec contains the specification for a security policy Tier.
type TierSpec struct {
	// Order is an optional field that specifies the order in which the tier is applied.
	// Tiers with higher "order" are applied after those with lower order. If the order
	// is omitted, it may be considered to be "infinite" - i.e. the tier will be applied
	// last. Tiers with identical order will be applied in alphanumerical order based
	// on the Tier "Name".
	//
	// NOTE(review): Order has no validate tag, so this type does not itself reject
	// non-finite values (NaN/Inf) whose ordering is undefined — confirm that the
	// API layer checks this before relying on tier precedence.
	Order *float64 `json:"order,omitempty"`
}
TierSpec contains the specification for a security policy Tier.
type WorkloadEndpoint ¶
// WorkloadEndpoint is a workload endpoint resource: the Calico representation
// of a workload's network interface on a node, carrying the addressing and the
// security Profiles that apply to it (see WorkloadEndpointSpec).
type WorkloadEndpoint struct {
	unversioned.TypeMetadata
	// Metadata identifies the endpoint by Node, Orchestrator, Workload and Name;
	// see WorkloadEndpointMetadata.
	Metadata WorkloadEndpointMetadata `json:"metadata,omitempty"`
	// Spec holds the endpoint's networking and profile configuration; see
	// WorkloadEndpointSpec.
	Spec WorkloadEndpointSpec `json:"spec,omitempty"`
}
func NewWorkloadEndpoint ¶
func NewWorkloadEndpoint() *WorkloadEndpoint
NewWorkloadEndpoint creates a new (zeroed) WorkloadEndpoint struct with the TypeMetadata initialised to the current version.
func (WorkloadEndpoint) GetResourceMetadata ¶
func (t WorkloadEndpoint) GetResourceMetadata() unversioned.ResourceMetadata
func (WorkloadEndpoint) String ¶
func (t WorkloadEndpoint) String() string
String() returns the human-readable string representation of a WorkloadEndpoint, which is defined by its Node, Orchestrator, Workload, Name, and Active Instance ID (when set).
type WorkloadEndpointList ¶
// WorkloadEndpointList is the list type returned from List() enumerations of
// WorkloadEndpoint resources in the client interface.
type WorkloadEndpointList struct {
	unversioned.TypeMetadata
	// Metadata is the list-level metadata common to all list types.
	Metadata unversioned.ListMetadata `json:"metadata,omitempty"`
	// Items holds the enumerated endpoints. The "dive" validator validates each
	// element individually rather than just the slice as a whole.
	Items []WorkloadEndpoint `json:"items" validate:"dive"`
}
WorkloadEndpointList contains a list of Workload Endpoint resources. List types are returned from List() enumerations in the client interface.
func NewWorkloadEndpointList ¶
func NewWorkloadEndpointList() *WorkloadEndpointList
NewWorkloadEndpointList creates a new (zeroed) WorkloadEndpointList struct with the TypeMetadata initialised to the current version.
type WorkloadEndpointMetadata ¶
// WorkloadEndpointMetadata contains the Metadata for a WorkloadEndpoint resource.
// Name, Workload, Orchestrator and Node together index the endpoint;
// ActiveInstanceID and Labels are not index fields.
type WorkloadEndpointMetadata struct {
	unversioned.ObjectMetadata

	// The name of the endpoint. This may be omitted on a create, in which case an endpoint
	// ID will be automatically created, and the endpoint ID will be included in the response.
	Name string `json:"name,omitempty" validate:"omitempty,namespacedName"`

	// The name of the workload.
	Workload string `json:"workload,omitempty" validate:"omitempty,namespacedName"`

	// The name of the orchestrator.
	Orchestrator string `json:"orchestrator,omitempty" validate:"omitempty,namespacedName"`

	// The node name identifying the Calico node instance.
	Node string `json:"node,omitempty" validate:"omitempty,name"`

	// ActiveInstanceID is an optional field that orchestrators may use to store additional
	// information about the endpoint. The primary use case is to store a unique identifier
	// for the active instance of a container. For example, with Calico CNI, a re-spawned
	// container may use the same endpoint indexing (Node, Orchestrator, Workload, Endpoint)
	// for the new container as for the old - the ActiveInstanceID is used to store an additional
	// unique ID which the CNI plugin uses to determine whether the DEL operation needs to
	// delete the Calico WorkloadEndpoint.
	// This field is not an index field of the WorkloadEndpoint resource.
	ActiveInstanceID string `json:"activeInstanceID,omitempty" validate:"omitempty,name"`

	// The labels applied to the workload endpoint. It is expected that many endpoints share
	// the same labels. For example, they could be used to label all "production" workloads
	// with "deployment=prod" so that security policy can be applied to production workloads.
	//
	// Because policy selectors match on these labels, whoever can write an endpoint's
	// Labels can change which security policies apply to it; the "labels" validator checks
	// the map's form, not who is allowed to set it — confirm that label writes are
	// restricted at the API layer.
	Labels map[string]string `json:"labels,omitempty" validate:"omitempty,labels"`
}
WorkloadEndpointMetadata contains the Metadata for a WorkloadEndpoint resource.
type WorkloadEndpointSpec ¶
// WorkloadEndpointSpec contains the specification for a WorkloadEndpoint resource:
// the addresses the endpoint may use, its NAT mappings and gateways, the host
// interface it is attached to, and the security Profiles applied to it.
type WorkloadEndpointSpec struct {
	// IPNetworks is a list of subnets allocated to this endpoint. IP packets will only be
	// allowed to leave this interface if they come from an address in one of these subnets.
	//
	// Currently only /32 for IPv4 and /128 for IPv6 networks are supported.
	//
	// This is the endpoint's source-address (anti-spoofing) boundary; see
	// AllowSpoofedSourcePrefixes for the only field that widens it.
	IPNetworks []net.IPNet `json:"ipNetworks,omitempty" validate:"omitempty"`

	// IPNATs is a list of 1:1 NAT mappings to apply to the endpoint. Inbound connections
	// to the external IP will be forwarded to the internal IP. Connections initiated from the
	// internal IP will not have their source address changed, except when an endpoint attempts
	// to connect one of its own external IPs. Each internal IP must be associated with the same
	// endpoint via the configured IPNetworks.
	IPNATs []IPNAT `json:"ipNATs,omitempty" validate:"omitempty,dive"`

	// IPv4Gateway is the gateway IPv4 address for traffic from the workload.
	IPv4Gateway *net.IP `json:"ipv4Gateway,omitempty" validate:"omitempty"`

	// IPv6Gateway is the gateway IPv6 address for traffic from the workload.
	IPv6Gateway *net.IP `json:"ipv6Gateway,omitempty" validate:"omitempty"`

	// A list of security Profile resources that apply to this endpoint. Each profile is
	// applied in the order that they appear in this list. Profile rules are applied
	// after the selector-based security policy. Each entry is validated as a
	// namespacedName.
	Profiles []string `json:"profiles,omitempty" validate:"omitempty,dive,namespacedName"`

	// InterfaceName the name of the Linux interface on the host: for example, tap80.
	// Unlike the other fields this one is not omitempty for validation, so a value is
	// always required to pass the "interface" validator.
	InterfaceName string `json:"interfaceName,omitempty" validate:"interface"`

	// MAC is the MAC address of the endpoint interface.
	MAC *net.MAC `json:"mac,omitempty" validate:"omitempty,mac"`

	// Ports contains the endpoint's named ports, which may be referenced in security policy rules.
	Ports []EndpointPort `json:"ports,omitempty" validate:"omitempty,dive"`

	// AllowSpoofedSourcePrefixes is a list of CIDRs this workload endpoint is allowed to send traffic from,
	// i.e. this allows the workload endpoint to spoof its IP address using addresses in these prefixes.
	//
	// Setting this relaxes the source-address restriction described on IPNetworks for the
	// listed prefixes, so it should be granted as narrowly as possible. NOTE(review): this
	// field has no validate tag and its JSON key is snake_case, unlike every other field in
	// this type — confirm both are intentional.
	AllowSpoofedSourcePrefixes []net.IPNet `json:"allow_spoofed_source_prefixes,omitempty"`
}
WorkloadEndpointSpec contains the specification for a WorkloadEndpoint resource.