Documentation
Index
Constants

const (
	// ACLNamePrefix is used to tag ACLs created for the implementation of K8s policies.
	ACLNamePrefix = "contiv/vpp-policy-"

	// ReflectiveACLName is the name of the *reflective* ACL (full name prefixed with
	// ACLNamePrefix). Reflective ACL is used to allow responses of accepted sessions
	// regardless of installed policies on the way back.
	ReflectiveACLName = "REFLECTION"
)
Variables
This section is empty.
Functions
This section is empty.
Types
type Deps

type Deps struct {
	Log           logging.Logger
	LogFactory    logging.LoggerFactory /* optional */
	Contiv        contiv.API            /* for GetIfName() */
	VPP           vpp.API               /* for DumpACLs() */
	ACLTxnFactory func() (dsl linuxclient.DataChangeDSL)
	LatestRevs    *syncbase.PrevRevisions
}
Deps lists dependencies of Renderer.
type PodInterfaces
PodInterfaces is a map used to remember the interface of each (configured) pod.
type Renderer

type Renderer struct {
	Deps
	// contains filtered or unexported fields
}
Renderer renders Contiv Rules into VPP ACLs. ACLs are installed into VPP by the aclplugin from vpp-agent. The configuration changes are transported into aclplugin via localclient.
func (*Renderer) NewTxn
NewTxn starts a new transaction. The rendering executes only after Commit() is called. Rollback is not yet supported, however. If <resync> is enabled, the supplied configuration completely replaces the existing one. Otherwise, the change is performed incrementally, i.e. interfaces not mentioned in the transaction are left unaffected.
type RendererTxn
RendererTxn represents a single transaction of Renderer.
func (*RendererTxn) Commit
func (art *RendererTxn) Commit() error
Commit proceeds with the rendering. A minimalistic set of changes is calculated using RendererCache and applied as one transaction via the localclient.
func (*RendererTxn) Render
func (art *RendererTxn) Render(pod podmodel.ID, podIP *net.IPNet, ingress []*renderer.ContivRule, egress []*renderer.ContivRule, removed bool) renderer.Txn
Render applies the set of ingress & egress rules for a given pod. The existing rules are replaced. The actual change is performed only after the commit.
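As an added illustration (not code from the contiv/vpp project), the following self-contained Go model shows the transaction semantics described for NewTxn, Commit and Render: the commit computes only the changes needed to move the installed per-interface ACL assignment to the one collected in the transaction, a resync transaction also removes interfaces it does not mention, and a pod rendered with removed=true (modelled here as an empty ACL name) gets its ACL deleted. ACLConfig, Change and Diff are hypothetical names; the real renderer works with ContivRule objects and the vpp-agent aclplugin rather than a name-per-interface map.

```go
package main

import "sort"

// ACLConfig models the ACL assigned to each pod interface
// (interface name -> ACL name). Hypothetical type, constructed
// for this illustration only.
type ACLConfig map[string]string

// Change is one operation a commit would hand to the ACL plugin.
type Change struct{ Op, Iface, ACL string }

// Diff returns the minimal set of changes that turns `existing`
// into the state collected in the transaction `txn`. An empty
// ACL name in txn stands for a pod rendered with removed=true.
// With resync=true the transaction replaces the whole
// configuration, so interfaces it does not mention are deleted;
// otherwise the change is incremental and they are left alone.
func Diff(existing, txn ACLConfig, resync bool) []Change {
	var changes []Change
	for iface, acl := range txn {
		cur, ok := existing[iface]
		switch {
		case acl == "": // pod removed: drop its ACL if one is installed
			if ok {
				changes = append(changes, Change{"delete", iface, cur})
			}
		case !ok:
			changes = append(changes, Change{"add", iface, acl})
		case cur != acl:
			changes = append(changes, Change{"update", iface, acl})
		}
	}
	if resync {
		for iface, acl := range existing {
			if _, mentioned := txn[iface]; !mentioned {
				changes = append(changes, Change{"delete", iface, acl})
			}
		}
	}
	// Map iteration order is random; sort for a deterministic transaction.
	sort.Slice(changes, func(i, j int) bool { return changes[i].Iface < changes[j].Iface })
	return changes
}
```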