Documentation
Index
- Variables
- type ACLMapping
- type ACLRule
- type EnvoyFilterService
- func (e *EnvoyFilterService) BuildAPIEnvoyFilterSpecForHelmChart(rule *ACLRule, hosts, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- func (e *EnvoyFilterService) BuildVPNEnvoyFilterSpecForHelmChart(mappings []ACLMapping, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- func (e *EnvoyFilterService) CreateAPIConfigPatchFromRule(rule *ACLRule, hosts, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- func (e *EnvoyFilterService) CreateInternalFilterPatchFromRule(rule *ACLRule, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- func (e *EnvoyFilterService) CreateVPNConfigPatchFromRule(mappings []ACLMapping, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
Constants
This section is empty.
Variables
var (
	ErrNoHostsGiven = errors.New("no hosts were given, at least one host is needed")
)
Functions
This section is empty.
Types
type ACLMapping
type ACLRule
type ACLRule struct {
	// Cidrs contains a list of CIDR blocks to which the ACL rule applies
	Cidrs []string `json:"cidrs"`
	// Action defines if the rule is a DENY or an ALLOW rule
	Action string `json:"action"`
	// Type can either be "source_ip", "direct_remote_ip" or "remote_ip"
	Type string `json:"type"`
}
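An added example, not code from this package: a hypothetical validateACLRule helper that checks an ACLRule against the constraints stated in the struct comments before the rule is handed to one of the builder functions. The exact upper-case spelling of the action, the rejection of an empty CIDR list and the rejection of CIDRs with host bits set are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ACLRule copies the struct documented on this page so the example runs alone.
type ACLRule struct {
	Cidrs  []string `json:"cidrs"`
	Action string   `json:"action"`
	Type   string   `json:"type"`
}

// validateACLRule is a hypothetical helper (not part of the package). It
// rejects rules that would otherwise reach filter generation malformed.
func validateACLRule(r *ACLRule) error {
	if r == nil {
		return errors.New("rule is nil")
	}
	// Assumption: the action is spelled exactly "ALLOW" or "DENY".
	if r.Action != "ALLOW" && r.Action != "DENY" {
		return fmt.Errorf("invalid action %q", r.Action)
	}
	switch r.Type {
	case "source_ip", "direct_remote_ip", "remote_ip":
	default:
		return fmt.Errorf("invalid type %q", r.Type)
	}
	// Assumption: a rule without any CIDR is a mistake, not a wildcard.
	if len(r.Cidrs) == 0 {
		return errors.New("rule has no CIDRs")
	}
	for _, c := range r.Cidrs {
		ip, network, err := net.ParseCIDR(c)
		if err != nil {
			return fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		// "10.0.0.5/8" parses, but silently covers all of 10.0.0.0/8.
		if !ip.Equal(network.IP) {
			return fmt.Errorf("CIDR %q has host bits set, did you mean %s?", c, network)
		}
	}
	return nil
}

func main() { // constructed sample rule
	fmt.Println(validateACLRule(&ACLRule{[]string{"10.0.0.5/8"}, "ALLOW", "remote_ip"}))
}
```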
type EnvoyFilterService
type EnvoyFilterService struct{}
func (*EnvoyFilterService) BuildAPIEnvoyFilterSpecForHelmChart
func (e *EnvoyFilterService) BuildAPIEnvoyFilterSpecForHelmChart(
	rule *ACLRule,
	hosts, alwaysAllowedCIDRs []string,
) (map[string]interface{}, error)
BuildAPIEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for API server networking for every rule in the extension spec.
func (*EnvoyFilterService) BuildVPNEnvoyFilterSpecForHelmChart
func (e *EnvoyFilterService) BuildVPNEnvoyFilterSpecForHelmChart(
	mappings []ACLMapping,
	alwaysAllowedCIDRs []string,
) (map[string]interface{}, error)
BuildVPNEnvoyFilterSpecForHelmChart assembles a single EnvoyFilter for all shoots on the seed. Creating one EnvoyFilter per shoot does not work, because all the VPN traffic flows through the same filter.
We use the technical ID of the shoot for the VPN rule, which is de facto the same as the seed namespace of the shoot. (Gardener uses the seedNamespace value in the botanist vpnshoot task.)
func (*EnvoyFilterService) CreateAPIConfigPatchFromRule
func (e *EnvoyFilterService) CreateAPIConfigPatchFromRule(
	rule *ACLRule,
	hosts, alwaysAllowedCIDRs []string,
) (map[string]interface{}, error)
func (*EnvoyFilterService) CreateInternalFilterPatchFromRule
func (e *EnvoyFilterService) CreateInternalFilterPatchFromRule(rule *ACLRule, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
func (*EnvoyFilterService) CreateVPNConfigPatchFromRule
func (e *EnvoyFilterService) CreateVPNConfigPatchFromRule(
	mappings []ACLMapping,
	alwaysAllowedCIDRs []string,
) (map[string]interface{}, error)