envoyfilters

package v1.1.0
Published: May 6, 2024 License: Apache-2.0, MIT Imports: 5 Imported by: 0

Documentation

Constants

This section is empty.

Variables

var (
	ErrNoHostsGiven = errors.New("no hosts were given, at least one host is needed")
)

Error variables for the envoyfilters package.

Functions

func BuildAPIEnvoyFilterSpecForHelmChart added in v1.0.0

func BuildAPIEnvoyFilterSpecForHelmChart(
	rule *ACLRule, hosts, alwaysAllowedCIDRs []string, istioLabels map[string]string,
) (map[string]interface{}, error)

BuildAPIEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for API server networking for every rule in the extension spec.

func BuildIngressEnvoyFilterSpecForHelmChart added in v1.1.0

func BuildIngressEnvoyFilterSpecForHelmChart(
	cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, istioLabels map[string]string,
) map[string]interface{}

BuildIngressEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for endpoints using the seed ingress domain.

func BuildVPNEnvoyFilterSpecForHelmChart added in v1.0.0

func BuildVPNEnvoyFilterSpecForHelmChart(
	mappings []ACLMapping, alwaysAllowedCIDRs []string, istioLabels map[string]string,
) (map[string]interface{}, error)

BuildVPNEnvoyFilterSpecForHelmChart assembles a single EnvoyFilter for all shoots on the seed. One EnvoyFilter per shoot does not work here, because all VPN traffic flows through the same filter.

We use the technical ID of the shoot for the VPN rule, which is de facto the same as the seed namespace of the shoot. (Gardener uses the seedNamespace value in the botanist vpnshoot task.)

func CreateAPIConfigPatchFromRule added in v1.0.0

func CreateAPIConfigPatchFromRule(
	rule *ACLRule, hosts, alwaysAllowedCIDRs []string,
) (map[string]interface{}, error)

CreateAPIConfigPatchFromRule combines an ACLRule, the first entry of the hosts list and the alwaysAllowedCIDRs into a network filter patch that can be applied to the `GATEWAY` network filter chain matching the host.

func CreateIngressConfigPatchFromRule added in v1.1.0

func CreateIngressConfigPatchFromRule(
	rule *ACLRule, seedIngressDomain, shootID string, alwaysAllowedCIDRs []string,
) map[string]interface{}

CreateIngressConfigPatchFromRule creates a network filter patch that can be applied to the `GATEWAY` network filter chain matching the wildcard ingress domain.

func CreateInternalFilterPatchFromRule added in v1.0.0

func CreateInternalFilterPatchFromRule(
	rule *ACLRule,
	alwaysAllowedCIDRs []string,
	shootSpecificCIDRs []string,
) (map[string]interface{}, error)

CreateInternalFilterPatchFromRule combines an ACLRule, the alwaysAllowedCIDRs, and the shootSpecificCIDRs into a filter patch.

func CreateVPNConfigPatchFromRule added in v1.0.0

func CreateVPNConfigPatchFromRule(
	mappings []ACLMapping, alwaysAllowedCIDRs []string,
) (map[string]interface{}, error)

CreateVPNConfigPatchFromRule combines a list of ACLMappings and the alwaysAllowedCIDRs into an HTTP filter patch that can be applied to the `GATEWAY` HTTP filter chain for the VPN.

Types

type ACLMapping

type ACLMapping struct {
	ShootName          string   `json:"shootName"`
	Rule               ACLRule  `json:"rule"`
	ShootSpecificCIDRs []string `json:"ShootSpecificCIDRs"`
}

ACLMapping maps an ACL rule to a specific shoot and also contains the shoot-specific CIDRs.

type ACLRule

type ACLRule struct {
	// Cidrs contains a list of CIDR blocks to which the ACL rule applies
	Cidrs []string `json:"cidrs"`
	// Action defines if the rule is a DENY or an ALLOW rule
	Action string `json:"action"`
	// Type can either be "source_ip", "direct_remote_ip" or "remote_ip"
	Type string `json:"type"`
}

ACLRule contains a single ACL rule, consisting of a list of CIDRs, an action and a rule type.
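The Build* functions above take an ACLRule and a hosts list as input and return ErrNoHostsGiven when the list is empty, but the package documents no validation of the rule fields themselves. The following added example (not part of the envoyfilters package) shows a pre-check a caller can run before invoking BuildAPIEnvoyFilterSpecForHelmChart: it enforces the Action and Type values listed in the ACLRule field comments, rejects malformed CIDRs, and normalises each CIDR to its network address. The ACLRule type and ErrNoHostsGiven are copied locally so the example runs offline; the validation policy is this example's assumption.

```go
package main

import (
	"errors"
	"fmt"
	"net"
)

// ACLRule mirrors the struct documented for the envoyfilters package
// (copied here so this example runs without importing the package).
type ACLRule struct {
	Cidrs  []string `json:"cidrs"`
	Action string   `json:"action"`
	Type   string   `json:"type"`
}

// ErrNoHostsGiven mirrors the package's exported error variable.
var ErrNoHostsGiven = errors.New("no hosts were given, at least one host is needed")

// Allowed values are taken from the field comments on ACLRule.
var validActions = map[string]bool{"ALLOW": true, "DENY": true}
var validTypes = map[string]bool{"source_ip": true, "direct_remote_ip": true, "remote_ip": true}

// ValidateACLRule checks a rule and the hosts list before they are handed to
// BuildAPIEnvoyFilterSpecForHelmChart and returns a copy of the rule with every
// CIDR normalised to its network address ("10.1.2.3/8" becomes "10.0.0.0/8").
// The checks are this example's assumptions, not the package's own behaviour.
func ValidateACLRule(rule ACLRule, hosts []string) (ACLRule, error) {
	if len(hosts) == 0 {
		return rule, ErrNoHostsGiven
	}
	if !validActions[rule.Action] {
		return rule, fmt.Errorf("action %q must be ALLOW or DENY", rule.Action)
	}
	if !validTypes[rule.Type] {
		return rule, fmt.Errorf("type %q must be source_ip, direct_remote_ip or remote_ip", rule.Type)
	}
	if len(rule.Cidrs) == 0 {
		return rule, errors.New("rule has no CIDRs")
	}
	out := ACLRule{Action: rule.Action, Type: rule.Type}
	for _, c := range rule.Cidrs {
		_, ipnet, err := net.ParseCIDR(c) // rejects bare IPs and malformed masks
		if err != nil {
			return rule, fmt.Errorf("invalid CIDR %q: %w", c, err)
		}
		out.Cidrs = append(out.Cidrs, ipnet.String())
	}
	return out, nil
}
```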
