configurator

package
v1.5.1
Published: Oct 31, 2018 License: Apache-2.0 Imports: 11 Imported by: 0

Documentation

Constants

const (

	// PolicyIngress tells policy to apply to ingress only.
	PolicyIngress = iota

	// PolicyEgress tells policy to apply to egress only.
	PolicyEgress

	// PolicyAll tells policy to apply to both traffic directions.
	PolicyAll
)

Variables

This section is empty.

Functions

This section is empty.

Types

type ContivPolicies

type ContivPolicies []*ContivPolicy

ContivPolicies is a list of policies that can be ordered by policy ID.

func (ContivPolicies) Copy

func (cp ContivPolicies) Copy() ContivPolicies

Copy creates a shallow copy of ContivPolicies.

func (ContivPolicies) Equals

func (cp ContivPolicies) Equals(cp2 ContivPolicies) bool

Equals returns true for equal lists of policies.

func (ContivPolicies) Len

func (cp ContivPolicies) Len() int

Len returns the number of policies in the list.

func (ContivPolicies) Less

func (cp ContivPolicies) Less(i, j int) bool

Less compares two policies by their IDs.

func (ContivPolicies) Swap

func (cp ContivPolicies) Swap(i, j int)

Swap exchanges the positions of two policies in the list.

type ContivPolicy

type ContivPolicy struct {
	// ID should uniquely identify policy across all namespaces.
	ID policymodel.ID

	// Type selects the rule types that the network policy relates to.
	Type PolicyType

	// Matches is an array of Match-es: predicates that select a subset of the
	// traffic to be ALLOWED.
	Matches []Match
}

ContivPolicy is a less abstract representation of a K8s Network Policy, free of indirect references. It has:

  • expanded namespaces
  • translated port names
  • evaluated label selectors
  • IP network addresses converted to net.IP

It is produced in this form by the Policy Processor and passed to the Configurator. Traffic matched by a Contiv policy should be ALLOWED. Traffic not matched by any policy from a **non-empty** set of policies assigned to the source/destination pod should be DENIED.

func (ContivPolicy) String

func (cp ContivPolicy) String() string

String converts ContivPolicy into a human-readable string.

type ContivRules

type ContivRules struct {
	// contains filtered or unexported fields
}

ContivRules is a list of Contiv rules without duplicates.

func (*ContivRules) CopySlice added in v1.5.1

func (cr *ContivRules) CopySlice() []*renderer.ContivRule

CopySlice returns a deep-copied slice of all rules (in the order as inserted).

func (*ContivRules) Insert added in v1.5.1

func (cr *ContivRules) Insert(rule *renderer.ContivRule) bool

Insert inserts the rule into the list. Returns *true* if the rule was inserted, *false* if the same rule is already in the list.

type Deps

type Deps struct {
	Log    logging.Logger
	Cache  cache.PolicyCacheAPI
	Contiv contiv.API /* to get the NAT-loopback IP */
}

Deps lists dependencies of PolicyConfigurator.

type IPBlock

type IPBlock struct {
	Network net.IPNet
	Except  []net.IPNet
}

IPBlock selects a particular CIDR with possible exceptions.

func (IPBlock) String

func (ipb IPBlock) String() string

String returns a human-readable string representation of the IP Block.

type Match

type Match struct {
	// Type selects the direction of the traffic.
	Type MatchType

	// Layer 3: destinations (egress) / sources (ingress)
	// If both arrays are nil, then this predicate matches all
	// sources(ingress) / destinations(egress). Otherwise, this predicate
	// applies to a given traffic only if the traffic matches at least one item
	// in one of the lists.
	Pods     []podmodel.ID
	IPBlocks []IPBlock

	// Layer 4: destination ports
	// If the array is empty or nil, then this predicate matches all ports
	// (traffic not restricted by port).
	// If the array is non-empty, then this applies to a given traffic only
	// if the traffic matches at least one port in the list.
	Ports []Port
}

Match is a predicate that selects a subset of the traffic.

func (Match) String

func (m Match) String() string

String converts Match into a human-readable string.

type MatchType

type MatchType int

MatchType selects the direction of the traffic to apply a Match to. The direction is taken from the pod's point of view.

const (
	// MatchIngress matches ingress traffic.
	MatchIngress MatchType = iota

	// MatchEgress matches egress traffic.
	MatchEgress
)

func (MatchType) String

func (mt MatchType) String() string

String converts MatchType into a human-readable string.

type PeerPod

type PeerPod struct {
	ID    podmodel.ID
	IPNet *net.IPNet
}

PeerPod represents the opposite pod in the policy rule.

type PodIPAddresses

type PodIPAddresses map[podmodel.ID]*net.IPNet

PodIPAddresses is a map used to remember the IP address of each configured pod.

func (PodIPAddresses) Copy

func (pa PodIPAddresses) Copy() PodIPAddresses

Copy creates a deep copy of PodIPAddresses.

type PolicyConfigurator

type PolicyConfigurator struct {
	Deps
	// contains filtered or unexported fields
}

PolicyConfigurator translates a set of Contiv Policies into ingress and egress lists of Contiv Rules (n-tuples with the most basic policy rule definition) and applies them to the target vswitch via registered renderers. Multiple renderers can be registered for different network stacks. For the best performance, it creates the shortest possible sequence of rules that implements a given policy. Furthermore, to allow renderers to share a list of ingress or egress rules between interfaces, the same set of policies always results in the same list of rules.

func (*PolicyConfigurator) Close

func (pc *PolicyConfigurator) Close() error

Close deallocates the resources held by the configurator.

func (*PolicyConfigurator) Init

func (pc *PolicyConfigurator) Init(parallelRendering bool) error

Init initializes the policy configurator.

func (*PolicyConfigurator) NewTxn

func (pc *PolicyConfigurator) NewTxn(resync bool) Txn

NewTxn starts a new transaction. The re-configuration executes only after Commit() is called. If <resync> is enabled, the supplied configuration will completely replace the existing one, otherwise pods not mentioned in the transaction are left unchanged.

func (*PolicyConfigurator) RegisterRenderer

func (pc *PolicyConfigurator) RegisterRenderer(renderer renderer.PolicyRendererAPI) error

RegisterRenderer registers a new renderer. The renderer will receive rules for all pods on this K8s node. It is up to the renderer to filter out rules for pods without an inter-connection in the destination network stack.

type PolicyConfiguratorAPI

type PolicyConfiguratorAPI interface {
	// RegisterRenderer registers a new renderer.
	// The renderer will receive rules for all pods on this K8s node.
	// It is up to the renderer to filter out rules for pods without
	// an inter-connection in the destination network stack.
	RegisterRenderer(renderer renderer.PolicyRendererAPI) error

	// NewTxn starts a new transaction. The re-configuration executes only
	// after Commit() is called.
	// If <resync> is enabled, the supplied configuration will completely
	// replace the existing one, otherwise pods not mentioned in the transaction
	// are left unchanged.
	NewTxn(resync bool) Txn
}

PolicyConfiguratorAPI defines the API of the Policy Configurator. For a given pod, the configurator translates a set of Contiv Policies into ingress and egress lists of Contiv Rules (n-tuples with the most basic policy rule definition) and applies them to the target vswitch via registered renderers. Multiple renderers can be registered for different network stacks. For the best performance, it creates the shortest possible sequence of rules that implements a given policy. For the sake of renderers that install rules into per-interface tables (as opposed to one or more global tables), the configurator ensures that the same set of policies always results in the same list of rules, allowing renderers to group and share them across multiple interfaces (if supported by the destination network stack).

type PolicyConfiguratorTxn

type PolicyConfiguratorTxn struct {
	Log logging.Logger
	// contains filtered or unexported fields
}

PolicyConfiguratorTxn represents a single transaction of the policy configurator.

func (*PolicyConfiguratorTxn) Commit

func (pct *PolicyConfiguratorTxn) Commit() error

Commit proceeds with the reconfiguration.

func (*PolicyConfiguratorTxn) Configure

func (pct *PolicyConfiguratorTxn) Configure(pod podmodel.ID, policies []*ContivPolicy) Txn

Configure applies the set of policies for a given pod. The existing policies are replaced. The order of policies is not important (it is a set).

type PolicyType

type PolicyType int

PolicyType selects the rule types that the network policy relates to.

func (PolicyType) String

func (pt PolicyType) String() string

String converts PolicyType into a human-readable string.

type Port

type Port struct {
	Protocol ProtocolType
	Number   uint16
}

Port represents a TCP or UDP port. Number=0 represents all ports for a given protocol.
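As an added example that is not part of the original package, the following stand-alone Go code re-implements the semantics documented above for ContivPolicy, Match and Port: nil Pods/IPBlocks lists match every peer, an empty Ports list matches every port, Number=0 matches every port of a protocol, an IPBlock excludes its Except ranges, and unmatched traffic is denied only when the pod's policy set is non-empty. It uses simplified stand-in types (ProtocolType is a plain string, podmodel.ID and the Pods list are omitted) and assumes the caller passes only the Matches for one traffic direction.

```go
package main

import "net"

// Stand-ins for the page's types (ProtocolType is a plain string here, the
// Pods list is omitted); only the Matches for one direction are passed in.
type Port struct {
	Proto string
	Num   uint16 // 0 selects every port of the protocol
}
type IPBlock struct {
	Net    net.IPNet
	Except []net.IPNet
}
type Match struct {
	IPBlocks []IPBlock // nil: any peer; non-nil: peer must be in one block
	Ports    []Port    // empty: any port; otherwise one entry must match
}

// Matches implements the Match predicate as documented on the page; an IPBlock
// selects the peer only if it is inside Net and outside every Except range.
func Matches(m Match, ip net.IP, port Port) bool {
	l3 := m.IPBlocks == nil
	for _, b := range m.IPBlocks {
		inBlock := b.Net.Contains(ip)
		for _, ex := range b.Except {
			inBlock = inBlock && !ex.Contains(ip)
		}
		l3 = l3 || inBlock
	}
	l4 := len(m.Ports) == 0
	for _, p := range m.Ports {
		l4 = l4 || p.Proto == port.Proto && (p.Num == 0 || p.Num == port.Num)
	}
	return l3 && l4
}

// Allowed applies the ContivPolicy rule: matched by any policy => allowed;
// unmatched by a non-empty policy set => denied; no policies => unrestricted.
func Allowed(policies [][]Match, ip net.IP, port Port) bool {
	for _, pol := range policies {
		for _, m := range pol {
			if Matches(m, ip, port) {
				return true
			}
		}
	}
	return len(policies) == 0
}

func main() {} // keeps the file buildable as a stand-alone program
```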

func (Port) String

func (port Port) String() string

String returns a human-readable string representation of the Port.

type ProcessedPolicySet

type ProcessedPolicySet struct {
	// contains filtered or unexported fields
}

ProcessedPolicySet stores the configuration already generated for a given set of policies. It is used only temporarily, for the duration of a commit, as a performance optimization.

type ProtocolType

type ProtocolType int

ProtocolType is either TCP or UDP.

const (
	// TCP protocol.
	TCP ProtocolType = iota

	// UDP protocol.
	UDP
)

func (ProtocolType) String

func (pt ProtocolType) String() string

String converts ProtocolType into a human-readable string.

type Txn

type Txn interface {
	// Configure applies the set of policies for a given pod.
	// The existing policies are replaced.
	// The order of policies is not important (it is a set).
	Configure(pod podmodel.ID, policies []*ContivPolicy) Txn

	// Commit proceeds with the reconfiguration.
	Commit() error
}

Txn defines the API of PolicyConfigurator transaction.