Documentation
¶
Index ¶
- Variables
- func BuildAPIEnvoyFilterSpecForHelmChart(rule *ACLRule, hosts, alwaysAllowedCIDRs []string, ...) (map[string]interface{}, error)
- func BuildIngressEnvoyFilterSpecForHelmChart(cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, ...) map[string]interface{}
- func BuildLegacyVPNEnvoyFilterSpecForHelmChart(mappings []ACLMapping, alwaysAllowedCIDRs []string, ...) (map[string]interface{}, error)
- func BuildVPNEnvoyFilterSpecForHelmChart(cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, ...) (map[string]interface{}, error)
- func CreateAPIConfigPatchFromRule(rule *ACLRule, hosts, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- func CreateIngressConfigPatchFromRule(rule *ACLRule, seedIngressDomain, shootID string, alwaysAllowedCIDRs []string) map[string]interface{}
- func CreateInternalFilterPatchFromRule(rule *ACLRule, alwaysAllowedCIDRs []string, shootSpecificCIDRs []string) (map[string]interface{}, error)
- func CreateLegacyVPNConfigPatchFromRule(mappings []ACLMapping, alwaysAllowedCIDRs []string) (map[string]interface{}, error)
- func CreateVPNConfigPatchFromRule(rule *ACLRule, shortShootID, technicalShootID string, ...) (map[string]interface{}, error)
- type ACLMapping
- type ACLRule
Constants ¶
This section is empty.
Variables ¶
var (
ErrNoHostsGiven = errors.New("no hosts were given, at least one host is needed")
)
Error variables for envoyfilters pkg
Functions ¶
func BuildAPIEnvoyFilterSpecForHelmChart ¶ added in v1.0.0
func BuildAPIEnvoyFilterSpecForHelmChart( rule *ACLRule, hosts, alwaysAllowedCIDRs []string, istioLabels map[string]string, ) (map[string]interface{}, error)
BuildAPIEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for API server networking for every rule in the extension spec.
func BuildIngressEnvoyFilterSpecForHelmChart ¶ added in v1.1.0
func BuildIngressEnvoyFilterSpecForHelmChart( cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, istioLabels map[string]string, ) map[string]interface{}
BuildIngressEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for endpoints using the seed ingress domain.
func BuildLegacyVPNEnvoyFilterSpecForHelmChart ¶ added in v1.3.0
func BuildLegacyVPNEnvoyFilterSpecForHelmChart( mappings []ACLMapping, alwaysAllowedCIDRs []string, istioLabels map[string]string, ) (map[string]interface{}, error)
BuildLegacyVPNEnvoyFilterSpecForHelmChart assembles a single EnvoyFilter for all shoots on the seed, due to the fact that we can't create one EnvoyFilter per shoot - this doesn't work because all the VPN traffic flows through the same filter.
We use the technical ID of the shoot for the VPN rule, which is de facto the same as the seed namespace of the shoot. (Gardener uses the seedNamespace value in the botanist vpnshoot task.)
func BuildVPNEnvoyFilterSpecForHelmChart ¶ added in v1.0.0
func BuildVPNEnvoyFilterSpecForHelmChart( cluster *controller.Cluster, rule *ACLRule, alwaysAllowedCIDRs []string, istioLabels map[string]string, ) (map[string]interface{}, error)
BuildVPNEnvoyFilterSpecForHelmChart assembles EnvoyFilter patches for VPN.
func CreateAPIConfigPatchFromRule ¶ added in v1.0.0
func CreateAPIConfigPatchFromRule( rule *ACLRule, hosts, alwaysAllowedCIDRs []string, ) (map[string]interface{}, error)
CreateAPIConfigPatchFromRule combines an ACLRule, the first entry of the hosts list and the alwaysAllowedCIDRs into a network filter patch that can be applied to the `GATEWAY` network filter chain matching the host.
func CreateIngressConfigPatchFromRule ¶ added in v1.1.0
func CreateIngressConfigPatchFromRule( rule *ACLRule, seedIngressDomain, shootID string, alwaysAllowedCIDRs []string, ) map[string]interface{}
CreateIngressConfigPatchFromRule creates a network filter patch that can be applied to the `GATEWAY` network filter chain matching the wildcard ingress domain.
func CreateInternalFilterPatchFromRule ¶ added in v1.0.0
func CreateInternalFilterPatchFromRule( rule *ACLRule, alwaysAllowedCIDRs []string, shootSpecificCIDRs []string, ) (map[string]interface{}, error)
CreateInternalFilterPatchFromRule combines an ACLRule, the alwaysAllowedCIDRs, and the shootSpecificCIDRs into a filter patch.
func CreateLegacyVPNConfigPatchFromRule ¶ added in v1.3.0
func CreateLegacyVPNConfigPatchFromRule( mappings []ACLMapping, alwaysAllowedCIDRs []string, ) (map[string]interface{}, error)
CreateLegacyVPNConfigPatchFromRule combines a list of ACLMappings and the alwaysAllowedCIDRs into a HTTP filter patch that can be applied to the `GATEWAY` HTTP filter chain for the VPN.
func CreateVPNConfigPatchFromRule ¶ added in v1.0.0
func CreateVPNConfigPatchFromRule(rule *ACLRule, shortShootID, technicalShootID string, alwaysAllowedCIDRs []string, ) (map[string]interface{}, error)
CreateVPNConfigPatchFromRule creates an HTTP filter patch that can be applied to the `GATEWAY` HTTP filter chain for the VPN.
Types ¶
type ACLMapping ¶
type ACLMapping struct {
ShootName string `json:"shootName"`
Rule ACLRule `json:"rule"`
ShootSpecificCIDRs []string `json:"ShootSpecificCIDRs"`
}
ACLMapping maps a an ACL rule to a specific shoot and also contains the shoot-specific CIDRs.
type ACLRule ¶
type ACLRule struct {
// Cidrs contains a list of CIDR blocks to which the ACL rule applies
Cidrs []string `json:"cidrs"`
// Action defines if the rule is a DENY or an ALLOW rule
Action string `json:"action"`
// Type can either be "source_ip", "direct_remote_ip" or "remote_ip"
Type string `json:"type"`
}
ACLRule contains a single ACL rule, consisting of a list of CIDRs, an action and a rule type.
Source Files