Overview ¶
The policy enforcer package translates Romana policies into iptables rules.
The policy enforcer package translates Romana policies into iptables rules.
Index ¶
- Constants
- Variables
- func ApplyIPtables(iptables *iptsave.IPtables, exec utilexec.Executable, restoreFlags ...string) error
- func EnsureChainExists(table *iptsave.IPtable, chainName string) *iptsave.IPchain
- func EnsureRules(baseChain *iptsave.IPchain, rules []*iptsave.IPrule)
- func InsertNormalRule(chain *iptsave.IPchain, rule *iptsave.IPrule)
- func LoadIPtables(exec utilexec.Executable) (*iptsave.IPtables, error)
- func MakeBaseRules() []*iptsave.IPchain
- func MakeConntrackEstablishedRule() *iptsave.IPrule
- func MakeOperatorPolicyChainName() string
- func MakeOperatorPolicyIngressChainName() string
- func MakePolicyChainFooterRule() *iptsave.IPrule
- func MakeSimpleJumpRule(target string) *iptsave.IPrule
- func MetricsRegister(registry *prometheus.Registry) error
- func ValidateIPtables(iptables *iptsave.IPtables, exec utilexec.Executable) bool
- type Enforcer
- type Interface
Constants ¶
const LocalBlockSetName = "localBlocks"
LocalBlockSetName names the ipset set that matches traffic for endpoints located on the current host.
Variables ¶
var (
	IptablesSaveBin    string
	IptablesRestoreBin string
)
var (
	ErrMakeSets = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "romana_err_make_sets_total",
			Help: "Number of errors attempting to build ipset Sets.",
		},
	)
	ErrApplySets = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "romana_err_apply_sets_total",
			Help: "Number of errors attempting to apply ipset Sets.",
		},
	)
	ErrValidateIptables = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "romana_err_validate_iptables_total",
			Help: "Number of errors when validating iptables.",
		},
	)
	ErrApplyIptables = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "romana_err_apply_iptables_total",
			Help: "Number of errors attempting to apply iptables.",
		},
	)
	NumPolicyUpdates = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "romana_policy_updates_total",
			Help: "Number of policy updates processed.",
		},
	)
	NumBlockUpdates = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "romana_block_updates_total",
			Help: "Number of block updates processed.",
		},
	)
	NumEnforcerTick = prometheus.NewCounter(
		prometheus.CounterOpts{
			Name: "romana_enforcer_ticks_total",
			Help: "Number of enforcer ticks since start.",
		},
	)
	NumManagedSets = prometheus.NewGauge(
		prometheus.GaugeOpts{
			Name: "romana_managed_sets",
			Help: "Number ipset sets managed by Romana policy.",
		},
	)
	NumPolicyRules = prometheus.NewGauge(
		prometheus.GaugeOpts{
			Name: "romana_policy_rules",
			Help: "Number of Romana policy rules applied to the host.",
		},
	)
)
Functions ¶
func ApplyIPtables ¶
func ApplyIPtables(iptables *iptsave.IPtables, exec utilexec.Executable, restoreFlags ...string) error
ApplyIPtables calls iptables-restore to apply the given iptables rules.
func EnsureChainExists ¶
EnsureChainExists ensures that the named IPchain exists in the given IPtable.
func InsertNormalRule ¶
InsertNormalRule finds the position in a chain just above all DROP and RETURN rules and inserts the rule there. It is intended for rules other than default drops and chain terminators.
func LoadIPtables ¶
func LoadIPtables(exec utilexec.Executable) (*iptsave.IPtables, error)
LoadIPtables calls iptables-save and parses its output into an iptsave.IPtables.
func MakeBaseRules ¶
MakeBaseRules produces the static iptables rules that form the backbone of the Romana policy flow.
* ROMANA-FORWARD-IN captures all ingress traffic from the world to pods. Packets belonging to RELATED or ESTABLISHED connections are accepted first; anything not accepted by an earlier rule reaches the default drop.
-A ROMANA-FORWARD-IN -m comment --comment Ingress -m state --state RELATED,ESTABLISHED -j ACCEPT
-A ROMANA-FORWARD-IN -m comment --comment DefaultDrop -j DROP
* ROMANA-FORWARD-OUT captures all egress traffic from pods to the world. Traffic whose destination is in the localBlocks ipset is sent through ROMANA-FORWARD-IN, so pod-to-pod traffic on this host is still subject to ingress policy; all other egress traffic is accepted.
-A ROMANA-FORWARD-OUT -m set --match-set localBlocks dst -j ROMANA-FORWARD-IN
-A ROMANA-FORWARD-OUT -m comment --comment Egress -j ACCEPT
* ROMANA-INPUT captures traffic from pods to the host and accepts it unconditionally.
-A ROMANA-INPUT -j ACCEPT
* ROMANA-OUTPUT captures traffic from the host to the pods and accepts it unconditionally.
-A ROMANA-OUTPUT -j ACCEPT
func MakeConntrackEstablishedRule ¶
MakeConntrackEstablishedRule returns a rule that usually sits at the top of a chain and accepts TCP packets already known to the iptables conntrack module.
func MakeOperatorPolicyChainName ¶
func MakeOperatorPolicyChainName() string
MakeOperatorPolicyChainName returns the name of the iptables chain that hosts policies applied to all tenants.
func MakeOperatorPolicyIngressChainName ¶
func MakeOperatorPolicyIngressChainName() string
func MakePolicyChainFooterRule ¶
MakePolicyChainFooterRule returns the iptsave rule that sits at the bottom of a chain hosting jumps to the Romana policies. The rule is redundant in many cases, since the default chain policy is also RETURN, but it makes the flow explicit.
func MakeSimpleJumpRule ¶
MakeSimpleJumpRule is a convenience function that returns an iptsave.IPrule with no match field and a single action field, e.g. `-j TARGET`.
func MetricsRegister ¶
func MetricsRegister(registry *prometheus.Registry) error
MetricsRegister registers the package-global metrics with the provided registry so they can be exposed later.
func ValidateIPtables ¶
func ValidateIPtables(iptables *iptsave.IPtables, exec utilexec.Executable) bool
ValidateIPtables calls iptables-restore to validate the given iptables rules, reporting whether they were accepted.
Types ¶
type Enforcer ¶
type Enforcer struct {
// contains filtered or unexported fields
}
Enforcer implements Interface.
type Interface ¶
type Interface interface {
	// Run starts the internal loop that handles updates from policies.
	Run(context.Context)
}
Interface defines the behavior of a policy enforcer.
func New ¶
func New(policy policycache.Interface, policies <-chan api.Policy, blocks api.IPAMBlocksResponse, blocksChannel <-chan api.IPAMBlocksResponse, hostname string, utilexec utilexec.Executable, refreshSeconds int) (Interface, error)
New returns a new policy enforcer.