Documentation
Index
- Variables
- func BuildAPIEnvoyFilterSpecForHelmChart(rule *ACLRule, hosts, alwaysAllowedCIDRs []string, ...) (map[string]interface{}, error)
- func BuildIngressEnvoyFilterSpecForHelmChart(cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, ...) map[string]interface{}
- func BuildVPNEnvoyFilterSpecForHelmChart(mappings []ACLMapping, alwaysAllowedCIDRs []string, ...) (map[string]interface{}, error)
- func CreateAPIConfigPatchFromRule(rule *ACLRule, hosts, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- func CreateIngressConfigPatchFromRule(rule *ACLRule, seedIngressDomain, shootID string, alwaysAllowedCIDRs []string) map[string]interface{}
- func CreateInternalFilterPatchFromRule(rule *ACLRule, alwaysAllowedCIDRs []string, shootSpecificCIDRs []string) (map[string]interface{}, error)
- func CreateVPNConfigPatchFromRule(mappings []ACLMapping, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- type ACLMapping
- type ACLRule
Constants
This section is empty.
Variables
var (
	ErrNoHostsGiven = errors.New("no hosts were given, at least one host is needed")
)
Error variables for the envoyfilters package.
Functions
func BuildAPIEnvoyFilterSpecForHelmChart (added in v1.0.0)
func BuildAPIEnvoyFilterSpecForHelmChart(rule *ACLRule, hosts, alwaysAllowedCIDRs []string, istioLabels map[string]string) (map[string]interface{}, error)
BuildAPIEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for API server networking for every rule in the extension spec.
func BuildIngressEnvoyFilterSpecForHelmChart (added in v1.1.0)
func BuildIngressEnvoyFilterSpecForHelmChart(cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, istioLabels map[string]string) map[string]interface{}
BuildIngressEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for endpoints using the seed ingress domain.
func BuildVPNEnvoyFilterSpecForHelmChart (added in v1.0.0)
func BuildVPNEnvoyFilterSpecForHelmChart(mappings []ACLMapping, alwaysAllowedCIDRs []string, istioLabels map[string]string) (map[string]interface{}, error)
BuildVPNEnvoyFilterSpecForHelmChart assembles a single EnvoyFilter for all shoots on the seed. One EnvoyFilter per shoot does not work here, because all VPN traffic flows through the same filter.
We use the technical ID of the shoot for the VPN rule, which is de facto the same as the seed namespace of the shoot. (Gardener uses the seedNamespace value in the botanist vpnshoot task.)
func CreateAPIConfigPatchFromRule (added in v1.0.0)
func CreateAPIConfigPatchFromRule(rule *ACLRule, hosts, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
CreateAPIConfigPatchFromRule combines an ACLRule, the first entry of the hosts list and the alwaysAllowedCIDRs into a network filter patch that can be applied to the `GATEWAY` network filter chain matching the host.
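An added, stand-alone illustration of the contract documented above (not the package's own code): a hypothetical buildAPIAllowPatch merges one ALLOW rule with the always-allowed CIDRs into an Istio EnvoyFilter patch for the `GATEWAY` filter chain matching the first host, parses every CIDR so malformed input fails closed, and refuses an empty host list with ErrNoHostsGiven. The ACLRule stand-in, the RBAC patch layout and the sample CIDRs are assumptions; DENY rules are deliberately out of scope here.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
)

// ACLRule mirrors the documented type (Action "ALLOW"/"DENY"; Type "source_ip", "direct_remote_ip" or "remote_ip").
type ACLRule struct{ Cidrs []string; Action, Type string }

var ErrNoHostsGiven = errors.New("no hosts were given, at least one host is needed")

// buildAPIAllowPatch is an illustrative stand-in for CreateAPIConfigPatchFromRule (assumed shape, not the
// package's code): one ALLOW rule plus the always-allowed CIDRs become an RBAC network filter patch on the
// GATEWAY filter chain whose SNI matches the first host.
func buildAPIAllowPatch(rule *ACLRule, hosts, alwaysAllowedCIDRs []string) (map[string]interface{}, error) {
	if len(hosts) == 0 {
		return nil, ErrNoHostsGiven
	}
	if rule.Action != "ALLOW" || (rule.Type != "source_ip" && rule.Type != "direct_remote_ip" && rule.Type != "remote_ip") {
		return nil, fmt.Errorf("unsupported rule: action %q, type %q", rule.Action, rule.Type)
	}
	// Always-allowed CIDRs (e.g. seed-internal ranges) are appended so no rule can lock them out; every
	// CIDR is parsed so a malformed entry fails closed instead of silently matching nothing.
	principals := []map[string]interface{}{}
	for _, c := range append(append([]string{}, rule.Cidrs...), alwaysAllowedCIDRs...) {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		principals = append(principals, map[string]interface{}{rule.Type: map[string]interface{}{
			"address_prefix": p.Masked().Addr().String(), "prefix_len": p.Bits()}})
	}
	rbac := map[string]interface{}{"action": "ALLOW", "policies": map[string]interface{}{"acl": map[string]interface{}{
		"permissions": []map[string]interface{}{{"any": true}}, "principals": principals}}}
	return map[string]interface{}{
		"applyTo": "NETWORK_FILTER",
		"match":   map[string]interface{}{"context": "GATEWAY", "listener": map[string]interface{}{"filterChain": map[string]interface{}{"sni": hosts[0]}}},
		"patch": map[string]interface{}{"operation": "INSERT_FIRST", "value": map[string]interface{}{
			"name": "envoy.filters.network.rbac", "typed_config": map[string]interface{}{
				"@type": "type.googleapis.com/envoy.extensions.filters.network.rbac.v3.RBAC", "stat_prefix": "acl", "rules": rbac}}},
	}, nil
}

func main() {
	rule := &ACLRule{Cidrs: []string{"203.0.113.0/24"}, Action: "ALLOW", Type: "remote_ip"} // constructed sample
	patch, err := buildAPIAllowPatch(rule, []string{"api.shoot.example.invalid"}, []string{"10.0.0.0/8"})
	fmt.Println(patch, err)
}
```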
func CreateIngressConfigPatchFromRule (added in v1.1.0)
func CreateIngressConfigPatchFromRule(rule *ACLRule, seedIngressDomain, shootID string, alwaysAllowedCIDRs []string) map[string]interface{}
CreateIngressConfigPatchFromRule creates a network filter patch that can be applied to the `GATEWAY` network filter chain matching the wildcard ingress domain.
func CreateInternalFilterPatchFromRule (added in v1.0.0)
func CreateInternalFilterPatchFromRule(rule *ACLRule, alwaysAllowedCIDRs []string, shootSpecificCIDRs []string) (map[string]interface{}, error)
CreateInternalFilterPatchFromRule combines an ACLRule, the alwaysAllowedCIDRs, and the shootSpecificCIDRs into a filter patch.
func CreateVPNConfigPatchFromRule (added in v1.0.0)
func CreateVPNConfigPatchFromRule(mappings []ACLMapping, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
CreateVPNConfigPatchFromRule combines a list of ACLMappings and the alwaysAllowedCIDRs into an HTTP filter patch that can be applied to the `GATEWAY` HTTP filter chain for the VPN.
Types
type ACLMapping
type ACLMapping struct {
	ShootName          string   `json:"shootName"`
	Rule               ACLRule  `json:"rule"`
	ShootSpecificCIDRs []string `json:"ShootSpecificCIDRs"`
}
ACLMapping maps an ACL rule to a specific shoot and also contains the shoot-specific CIDRs.
type ACLRule
type ACLRule struct {
	// Cidrs contains a list of CIDR blocks to which the ACL rule applies
	Cidrs []string `json:"cidrs"`
	// Action defines if the rule is a DENY or an ALLOW rule
	Action string `json:"action"`
	// Type can either be "source_ip", "direct_remote_ip" or "remote_ip"
	Type string `json:"type"`
}
ACLRule contains a single ACL rule, consisting of a list of CIDRs, an action and a rule type.