Documentation ¶
Overview ¶
This renderer is responsible for all resources related to a Guardian Deployment in a multicluster setup.
Index ¶
- Constants
- Variables
- func APIServerServiceAccountName(v operatorv1.ProductVariant) string
- func CNIPluginFinalizedObjects() []client.Object
- func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap
- func CreateCertificateSecret(caPem []byte, secretName string, namespace string) *corev1.Secret
- func CreateDexClientSecret() *corev1.Secret
- func CreateElasticsearchKeystoreSecret() *corev1.Secret
- func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard) *corev1.Namespace
- func DefaultWindowsCNIDirectories(installation operatorv1.InstallationSpec) (string, string, string)
- func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
- func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
- func GetLinseedTokenPath(managedCluster bool) string
- func ImagePullPolicy() corev1.PullPolicy
- func KibanaEnabled(tenant *operatorv1.Tenant, installation *operatorv1.InstallationSpec) bool
- func LinseedNamespace(tenant *operatorv1.Tenant) string
- func ManagerService(tenant *operatorv1.Tenant) string
- func NewDexKeyValidatorConfig(authentication *oprv1.Authentication, idpSecret *corev1.Secret, ...) authentication.KeyValidatorConfig
- func ProjectCalicoAPIServerServiceName(v operatorv1.ProductVariant) string
- func ProjectCalicoAPIServerTLSSecretName(v operatorv1.ProductVariant) string
- func SetClusterCriticalPod(t *corev1.PodTemplateSpec)
- func SetTestLogger(l logr.Logger)
- type APIServerConfiguration
- type AWSSGSetupConfiguration
- type CSIConfiguration
- type ComplianceConfiguration
- type Component
- func APIServer(cfg *APIServerConfiguration) (Component, error)
- func APIServerPolicy(cfg *APIServerConfiguration) Component
- func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)
- func CSI(cfg *CSIConfiguration) Component
- func Compliance(cfg *ComplianceConfiguration) (Component, error)
- func Dex(cfg *DexComponentConfiguration) Component
- func Fluentd(cfg *FluentdConfiguration) Component
- func Guardian(cfg *GuardianConfiguration) Component
- func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)
- func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component
- func IntrusionDetectionNamespaceComponent(cfg *IntrusionDetectionNamespaceConfiguration) Component
- func LogStorage(cfg *ElasticsearchConfiguration) Component
- func Manager(cfg *ManagerConfiguration) (Component, error)
- func Namespaces(cfg *NamespaceConfiguration) Component
- func NewDeletionPassthrough(objs ...client.Object) Component
- func NewManagedClusterLogStorage(cfg *ManagedClusterLogStorageConfiguration) Component
- func NewPassthrough(objs ...client.Object) Component
- func NewPassthroughWithLog(l logr.Logger, objs ...client.Object) Component
- func Node(cfg *NodeConfiguration) Component
- func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component
- func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component
- func PolicyRecommendation(cfg *PolicyRecommendationConfiguration) Component
- func Typha(cfg *TyphaConfiguration) Component
- func Windows(cfg *WindowsConfiguration) Component
- type DexComponentConfiguration
- type DexConfig
- type DexKeyValidatorConfig
- func (d DexKeyValidatorConfig) BaseURL() string
- func (d DexKeyValidatorConfig) ClientID() string
- func (d DexKeyValidatorConfig) ClientSecret() []byte
- func (d DexKeyValidatorConfig) Issuer() string
- func (d DexKeyValidatorConfig) RedirectURIs() []string
- func (d DexKeyValidatorConfig) RequestedScopes() []string
- func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string
- func (d DexKeyValidatorConfig) RequiredConfigMaps(string) []*corev1.ConfigMap
- func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar
- func (d DexKeyValidatorConfig) RequiredSecrets(namespace string) []*corev1.Secret
- func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount
- func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume
- func (d DexKeyValidatorConfig) UsernameClaim() string
- type EksCloudwatchLogConfig
- type ElasticsearchConfiguration
- type ElasticsearchLicenseType
- type FluentdConfiguration
- type FluentdFilters
- type GuardianComponent
- type GuardianConfiguration
- type IntrusionDetectionConfiguration
- type IntrusionDetectionNamespaceConfiguration
- type ManagedClusterLogStorageConfiguration
- type ManagerConfiguration
- type NamespaceConfiguration
- type NodeConfiguration
- type PacketCaptureApiConfiguration
- type PodSecurityStandard
- type PolicyRecommendationConfiguration
- type Renderer
- type S3Credential
- type SplunkCredential
- type TyphaConfiguration
- type TyphaNodeTLS
- type WindowsConfiguration
Constants ¶
const ( APIServerPort = 5443 APIServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "cnx-apiserver-access" )
const ( QueryServerPort = 8080 QueryserverNamespace = "tigera-system" QueryserverServiceName = "tigera-api" // Use the same API server container name for both OSS and Enterprise. APIServerContainerName = "calico-apiserver" APIServerK8sAppName = "calico-apiserver" TigeraAPIServerQueryServerContainerName = "tigera-queryserver" APIServerSecretsRBACName = "tigera-extension-apiserver-secrets-access" MultiTenantManagedClustersAccessClusterRoleName = "tigera-managed-cluster-access" )
const ( ComplianceNamespace = "tigera-compliance" ComplianceServiceName = "compliance" ComplianceServerName = "compliance-server" ComplianceControllerName = "compliance-controller" ComplianceSnapshotterName = "compliance-snapshotter" ComplianceReporterName = "compliance-reporter" ComplianceBenchmarkerName = "compliance-benchmarker" ComplianceAccessPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "compliance-access" ComplianceServerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + ComplianceServerName MultiTenantComplianceManagedClustersAccessRoleBindingName = "compliance-server-managed-cluster-access" // ServiceAccount names. ComplianceServerServiceAccount = "tigera-compliance-server" ComplianceSnapshotterServiceAccount = "tigera-compliance-snapshotter" ComplianceBenchmarkerServiceAccount = "tigera-compliance-benchmarker" ComplianceReporterServiceAccount = "tigera-compliance-reporter" ComplianceControllerServiceAccount = "tigera-compliance-controller" )
const ( ElasticsearchCuratorUserSecret = "tigera-ee-curator-elasticsearch-access" ComplianceServerCertSecret = "tigera-compliance-server-tls" ComplianceSnapshotterSecret = "tigera-compliance-snapshotter-tls" ComplianceBenchmarkerSecret = "tigera-compliance-benchmarker-tls" ComplianceControllerSecret = "tigera-compliance-controller-tls" ComplianceReporterSecret = "tigera-compliance-reporter-tls" )
const ( CSIDriverName = "csi.tigera.io" CSIDaemonSetName = "csi-node-driver" CSIDaemonSetNamespace = "calico-system" CSIContainerName = "calico-csi" CSIRegistrarContainerName = "csi-node-driver-registrar" )
const ( DexNamespace = "tigera-dex" DexObjectName = "tigera-dex" DexPort = 5556 DexTLSSecretName = "tigera-dex-tls" DexClientId = "tigera-manager" DexPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "allow-tigera-dex" )
const ( ClientSecretSecretField = "clientSecret" RootCASecretField = "rootCA" OIDCSecretName = "tigera-oidc-credentials" OpenshiftSecretName = "tigera-openshift-credentials" LDAPSecretName = "tigera-ldap-credentials" ClientIDSecretField = "clientID" BindDNSecretField = "bindDN" BindPWSecretField = "bindPW" // Default claims to use to data from a JWT. DefaultGroupsClaim = "groups" )
const ( // OperatorCompleteFinalizer is applied by the core controller as part of Installation defaulting to ensure it can // clean up resources if the Installation is ever deleted. This Finalizer is only removed after all operator // finalization logic has completed. OperatorCompleteFinalizer = "tigera.io/operator-cleanup" // APIServerFinalizer is added to the Installation by the API server controller when installing the API server so that // Calico CNI resources are not removed until the API server controller has had time to properly tear down pods. APIServerFinalizer = "operator.tigera.io/apiserver-controller" // InstallationControllerFinalizer is added to the Installation by the core Installation controller when installing Calico // so that Calico CNI resources are not removed until calico-kube-controllers has had time to properly be torn down. InstallationControllerFinalizer = "operator.tigera.io/installation-controller" )
const ( LogCollectorNamespace = "tigera-fluentd" FluentdFilterConfigMapName = "fluentd-filters" FluentdFilterFlowName = "flow" FluentdFilterDNSName = "dns" S3FluentdSecretName = "log-collector-s3-credentials" S3KeyIdName = "key-id" S3KeySecretName = "key-secret" // FluentdPrometheusTLSSecretName is the name of the secret containing the key pair fluentd presents to identify itself. // Somewhat confusingly, this is named the prometheus TLS key pair because that was the first // use-case for this credential. However, it is used on all TLS connections served by fluentd. FluentdPrometheusTLSSecretName = "tigera-fluentd-prometheus-tls" FluentdMetricsService = "fluentd-metrics" FluentdMetricsServiceWindows = "fluentd-metrics-windows" FluentdMetricsPortName = "fluentd-metrics-port" FluentdMetricsPort = 9081 FluentdPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "allow-fluentd-node" ElasticsearchEksLogForwarderUserSecret = "tigera-eks-log-forwarder-elasticsearch-access" EksLogForwarderSecret = "tigera-eks-log-forwarder-secret" EksLogForwarderAwsId = "aws-id" EksLogForwarderAwsKey = "aws-key" SplunkFluentdTokenSecretName = "logcollector-splunk-credentials" SplunkFluentdSecretTokenKey = "token" SplunkFluentdSecretCertificateKey = "ca.pem" SysLogPublicCADir = "/etc/pki/tls/certs/" SysLogPublicCertKey = "ca-bundle.crt" SysLogPublicCAPath = SysLogPublicCADir + SysLogPublicCertKey SyslogCAConfigMapName = "syslog-ca" // Constants for Linseed token volume mounting in managed clusters. LinseedTokenVolumeName = "linseed-token" LinseedTokenKey = "token" LinseedTokenSubPath = "token" LinseedTokenSecret = "%s-tigera-linseed-token" LinseedVolumeMountPath = "/var/run/secrets/tigera.io/linseed/" LinseedTokenPath = "/var/run/secrets/tigera.io/linseed/token" FluentdNodeName = "fluentd-node" EKSLogForwarderName = "eks-log-forwarder" EKSLogForwarderTLSSecretName = "tigera-eks-log-forwarder-tls" PacketCaptureAPIRole = "packetcapture-api-role" PacketCaptureAPIRoleBinding = "packetcapture-api-role-binding" )
const ( GuardianName = "tigera-guardian" GuardianNamespace = GuardianName GuardianServiceAccountName = GuardianName GuardianClusterRoleName = GuardianName GuardianClusterRoleBindingName = GuardianName GuardianDeploymentName = GuardianName GuardianServiceName = "tigera-guardian" GuardianVolumeName = "tigera-guardian-certs" GuardianSecretName = "tigera-managed-cluster-connection" GuardianTargetPort = 8080 GuardianPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "guardian-access" )
The names of the components related to the Guardian related rendered objects.
const ( IntrusionDetectionNamespace = "tigera-intrusion-detection" IntrusionDetectionName = "intrusion-detection-controller" ElasticsearchIntrusionDetectionUserSecret = "tigera-ee-intrusion-detection-elasticsearch-access" ElasticsearchIntrusionDetectionJobUserSecret = "tigera-ee-installer-elasticsearch-access" ElasticsearchPerformanceHotspotsUserSecret = "tigera-ee-performance-hotspots-elasticsearch-access" IntrusionDetectionInstallerJobName = "intrusion-detection-es-job-installer" IntrusionDetectionControllerName = "intrusion-detection-controller" IntrusionDetectionControllerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + IntrusionDetectionControllerName IntrusionDetectionInstallerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "intrusion-detection-elastic" MultiTenantManagedClustersAccessClusterRoleBindingName = "tigera-intrusion-detection-managed-cluster-access" ADAPIObjectName = "anomaly-detection-api" IntrusionDetectionTLSSecretName = "intrusion-detection-tls" DPITLSSecretName = "deep-packet-inspection-tls" ADAPIPolicyName = networkpolicy.TigeraComponentPolicyPrefix + ADAPIObjectName ADPersistentVolumeClaimName = "tigera-anomaly-detection" ADJobPodTemplateBaseName = "tigera.io.detectors" ADDetectorPolicyName = networkpolicy.TigeraComponentPolicyPrefix + adDetectorName )
const ( ElasticsearchObjectName = "tigera-elasticsearch" ElasticsearchNamespace = ElasticsearchObjectName // TigeraLinseedSecret is the name of the secret that holds the TLS key pair mounted into Linseed. // The secret contains server key and certificate. TigeraLinseedSecret = "tigera-secure-linseed-cert" // TigeraLinseedSecretsClusterRole is the name of the ClusterRole used to make RoleBindings in namespaces where Linseed // needs to be able to manipulate secrets TigeraLinseedSecretsClusterRole = "tigera-linseed-secrets" // TigeraLinseedTokenSecret is the name of the secret that holds the access token signing key for Linseed. TigeraLinseedTokenSecret = "tigera-secure-linseed-token-tls" // TigeraElasticsearchGatewaySecret is the TLS key pair that is mounted by Elasticsearch gateway. TigeraElasticsearchGatewaySecret = "tigera-secure-elasticsearch-cert" // TigeraElasticsearchInternalCertSecret is the TLS key pair that is mounted by the Elasticsearch pods. TigeraElasticsearchInternalCertSecret = "tigera-secure-internal-elasticsearch-cert" // Linseed vars. LinseedServiceName = "tigera-linseed" ElasticsearchName = "tigera-secure" ElasticsearchServiceName = "tigera-secure-es-http" ESGatewayServiceName = "tigera-secure-es-gateway-http" ElasticsearchDefaultPort = 9200 ElasticsearchInternalPort = 9300 ElasticsearchAdminUserSecret = "tigera-secure-es-elastic-user" ElasticsearchLinseedUserSecret = "tigera-ee-linseed-elasticsearch-user-secret" ElasticsearchPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-access" ElasticsearchInternalPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "elasticsearch-internal" KibanaBasePath = "tigera-kibana" DefaultElasticsearchClusterName = "cluster" DefaultElasticsearchReplicas = 0 DefaultElasticStorageGi = 10 ESCuratorName = "elastic-curator" EsCuratorServiceAccount = "tigera-elastic-curator" EsCuratorPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "allow-elastic-curator" OIDCUsersConfigMapName = "tigera-known-oidc-users" OIDCUsersESSecretName = "tigera-oidc-users-elasticsearch-credentials" ElasticsearchLicenseTypeBasic ElasticsearchLicenseType = "basic" ElasticsearchLicenseTypeEnterprise ElasticsearchLicenseType = "enterprise" ElasticsearchLicenseTypeEnterpriseTrial ElasticsearchLicenseType = "enterprise_trial" ElasticsearchLicenseTypeUnknown ElasticsearchLicenseType = "" EsManagerRole = "es-manager" EsManagerRoleBinding = "es-manager" ElasticsearchTLSHashAnnotation = "hash.operator.tigera.io/es-secrets" )
const ( // ElasticsearchKeystoreSecret Currently only used when FIPS mode is enabled, we need to initialize the keystore with a password. ElasticsearchKeystoreSecret = "tigera-secure-elasticsearch-keystore" ElasticsearchKeystoreEnvName = "KEYSTORE_PASSWORD" ElasticsearchKeystoreHashAnnotation = "hash.operator.tigera.io/keystore-password" )
const ( // Volume that is added by ECK and is overridden if certificate management is used. CSRVolumeNameHTTP = "elastic-internal-http-certificates" // Volume that is added by ECK and is overridden if certificate management is used. CSRVolumeNameTransport = "elastic-internal-transport-certificates" // Volume name that is added by ECK for the purpose of mounting certs. CAVolumeName = "elasticsearch-certs" )
Certificate management constants.
const ( ManagerServiceName = "tigera-manager" ManagerDeploymentName = "tigera-manager" ManagerNamespace = "tigera-manager" ManagerServiceAccount = "tigera-manager" ManagerClusterRole = "tigera-manager-role" ManagerClusterRoleBinding = "tigera-manager-binding" ManagerTLSSecretName = "manager-tls" ManagerInternalTLSSecretName = "internal-manager-tls" ManagerPolicyName = networkpolicy.TigeraComponentPolicyPrefix + "manager-access" // The name of the TLS certificate used by Voltron to authenticate connections from managed // cluster clients talking to Linseed. VoltronLinseedTLS = "tigera-voltron-linseed-tls" VoltronLinseedPublicCert = "tigera-voltron-linseed-certs-public" ManagerClusterSettings = "cluster-settings" ManagerUserSettings = "user-settings" ManagerClusterSettingsLayerTigera = "cluster-settings.layer.tigera-infrastructure" ManagerClusterSettingsViewDefault = "cluster-settings.view.default" ElasticsearchManagerUserSecret = "tigera-ee-manager-elasticsearch-access" TlsSecretHashAnnotation = "hash.operator.tigera.io/tls-secret" KibanaTLSHashAnnotation = "hash.operator.tigera.io/kibana-secrets" ElasticsearchUserHashAnnotation = "hash.operator.tigera.io/elasticsearch-user" ManagerMultiTenantManagedClustersAccessClusterRoleBindingName = "tigera-manager-managed-cluster-access" )
const ( VoltronName = "tigera-voltron" VoltronTunnelSecretName = "tigera-management-cluster-connection" )
ManagementClusterConnection configuration constants
const ( PSSPrivileged = "privileged" PSSBaseline = "baseline" PSSRestricted = "restricted" )
const ( BirdTemplatesConfigMapName = "bird-templates" BPFOperatorAnnotation = "operator.tigera.io/bpfEnabled" BGPLayoutConfigMapName = "bgp-layout" BGPLayoutConfigMapKey = "earlyNetworkConfiguration" BGPLayoutVolumeName = "bgp-layout" BGPLayoutPath = "/etc/calico/early-networking.yaml" K8sSvcEndpointConfigMapName = "kubernetes-services-endpoint" CNIFinalizer = "tigera.io/cni-protector" CalicoNodeMetricsService = "calico-node-metrics" NodePrometheusTLSServerSecret = "calico-node-prometheus-server-tls" CalicoNodeObjectName = "calico-node" CalicoCNIPluginObjectName = "calico-cni-plugin" BPFVolumeName = "bpffs" )
const ( PacketCaptureContainerName = "tigera-packetcapture-server" PacketCaptureName = "tigera-packetcapture" PacketCaptureNamespace = PacketCaptureName PacketCaptureServiceAccountName = PacketCaptureName PacketCaptureClusterRoleName = PacketCaptureName PacketCaptureClusterRoleBindingName = PacketCaptureName PacketCaptureDeploymentName = PacketCaptureName PacketCaptureServiceName = PacketCaptureName PacketCapturePolicyName = networkpolicy.TigeraComponentPolicyPrefix + PacketCaptureName PacketCapturePort = 8444 PacketCaptureServerCert = "tigera-packetcapture-server-tls" )
The names of the components related to the PacketCapture APIs related rendered objects.
const ( ElasticsearchPolicyRecommendationUserSecret = "tigera-ee-policy-recommendation-elasticsearch-access" PolicyRecommendationName = "tigera-policy-recommendation" PolicyRecommendationNamespace = PolicyRecommendationName PolicyRecommendationPolicyName = networkpolicy.TigeraComponentPolicyPrefix + PolicyRecommendationName PolicyRecommendationTLSSecretName = "policy-recommendation-tls" PolicyRecommendationMultiTenantManagedClustersAccessRoleBindingName = "tigera-policy-recommendation-managed-cluster-access" )
The names of the components related to the PolicyRecommendation APIs related rendered objects.
const ( TyphaServiceName = "calico-typha" TyphaPortName = "calico-typha" TyphaK8sAppName = "calico-typha" TyphaServiceAccountName = "calico-typha" AppLabelName = "k8s-app" TyphaPort int32 = 5473 TyphaMetricsName = "calico-typha-metrics" TyphaContainerName = "calico-typha" )
const ( WindowsNodeObjectName = "calico-node-windows" WindowsNodeMetricsService = "calico-node-metrics-windows" )
const TigeraAWSSGSetupName = "tigera-aws-security-group-setup"
Variables ¶
var ( GuardianEntityRule = networkpolicy.CreateEntityRule(GuardianNamespace, GuardianDeploymentName, GuardianTargetPort) GuardianSourceEntityRule = networkpolicy.CreateSourceEntityRule(GuardianNamespace, GuardianDeploymentName) GuardianServiceSelectorEntityRule = networkpolicy.CreateServiceSelectorEntityRule(GuardianNamespace, GuardianName) )
var ( ElasticsearchSelector = fmt.Sprintf("elasticsearch.k8s.elastic.co/cluster-name == '%s'", ElasticsearchName) ElasticsearchEntityRule = v3.EntityRule{ NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace), Selector: ElasticsearchSelector, Ports: []numorstring.Port{{MinPort: ElasticsearchDefaultPort, MaxPort: ElasticsearchDefaultPort}}, } )
var ( SourceKibanaEntityRule = networkpolicy.CreateSourceEntityRule("tigera-kibana", "tigera-secure") ECKOperatorSourceEntityRule = networkpolicy.CreateSourceEntityRule("tigera-eck-operator", "elastic-operator") )
var ( PacketCaptureEntityRule = networkpolicy.CreateEntityRule(PacketCaptureNamespace, PacketCaptureDeploymentName, PacketCapturePort) PacketCaptureSourceEntityRule = networkpolicy.CreateSourceEntityRule(PacketCaptureNamespace, PacketCaptureDeploymentName) )
var ( CommonName = "common-name" URISAN = "uri-san" TyphaCommonName = "typha-server" FelixCommonName = "typha-client" NodePriorityClassName = "system-node-critical" ClusterPriorityClassName = "system-cluster-critical" )
var ( TyphaTLSSecretName = "typha-certs" TyphaCAConfigMapName = "typha-ca" TyphaCABundleName = "caBundle" )
var DexEntityRule = networkpolicy.CreateEntityRule(DexNamespace, DexObjectName, DexPort)
var EKSLogForwarderEntityRule = networkpolicy.CreateSourceEntityRule(LogCollectorNamespace, EKSLogForwarderName)
var FluentdSourceEntityRule = v3.EntityRule{ NamespaceSelector: fmt.Sprintf("name == '%s'", LogCollectorNamespace), Selector: networkpolicy.KubernetesAppSelector(FluentdNodeName, fluentdNodeWindowsName), }
var InternalElasticsearchEntityRule = v3.EntityRule{ NamespaceSelector: fmt.Sprintf("projectcalico.org/name == '%s'", ElasticsearchNamespace), Selector: ElasticsearchSelector, Ports: []numorstring.Port{{MinPort: ElasticsearchInternalPort, MaxPort: ElasticsearchInternalPort}}, }
var IntrusionDetectionInstallerSourceEntityRule = v3.EntityRule{ NamespaceSelector: intrusionDetectionNamespaceSelector, Selector: fmt.Sprintf("job-name == '%s'", IntrusionDetectionInstallerJobName), }
var ( IntrusionDetectionSourceEntityRule = v3.EntityRule{ NamespaceSelector: intrusionDetectionNamespaceSelector, Selector: fmt.Sprintf("k8s-app == '%s'", IntrusionDetectionControllerName), } )
Register secret/certs that need Server and Client Key usage
var (
NodeTLSSecretName = "node-certs"
)
var TigeraAPIServerEntityRule = v3.EntityRule{ Services: &v3.ServiceMatch{ Namespace: QueryserverNamespace, Name: QueryserverServiceName, }, }
Functions ¶
func APIServerServiceAccountName ¶ added in v1.30.0
func APIServerServiceAccountName(v operatorv1.ProductVariant) string
func CNIPluginFinalizedObjects ¶ added in v1.34.1
CNIPluginFinalizedObjects returns a list of objects that use the CNIFinalizer that should be removed only after the CNI plugin is removed.
func CreateCertificateConfigMap ¶ added in v1.25.1
func CreateCertificateConfigMap(caPem string, secretName string, namespace string) *corev1.ConfigMap
CreateCertificateConfigMap is a convenience method for creating a configmap that contains only a ca or cert to trust.
func CreateCertificateSecret ¶ added in v1.18.0
CreateCertificateSecret is a convenience method for creating a secret that contains only a ca or cert to trust.
func CreateDexClientSecret ¶ added in v1.12.0
func CreateElasticsearchKeystoreSecret ¶ added in v1.28.2
CreateElasticsearchKeystoreSecret creates a secret to be used for initializing the keystore on Elasticsearch.
func CreateNamespace ¶ added in v1.22.0
func CreateNamespace(name string, provider operatorv1.Provider, pss PodSecurityStandard) *corev1.Namespace
func DefaultWindowsCNIDirectories ¶ added in v1.32.0
func DefaultWindowsCNIDirectories(installation operatorv1.InstallationSpec) (string, string, string)
DefaultWindowsCNIDirectories returns the CNI binary, network config and log directories and the CNI conf filename for the configured platform. FIXME: populate with known default for other providers
func GetIPv4Pool ¶ added in v1.2.0
func GetIPv4Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
GetIPv4Pool returns the IPv4 IPPool in an installation, or nil if one can't be found.
func GetIPv6Pool ¶ added in v1.2.0
func GetIPv6Pool(pools []operatorv1.IPPool) *operatorv1.IPPool
GetIPv6Pool returns the IPv6 IPPool in an installation, or nil if one can't be found.
func GetLinseedTokenPath ¶ added in v1.30.0
func ImagePullPolicy ¶ added in v1.31.0
func ImagePullPolicy() corev1.PullPolicy
ImagePullPolicy returns the image pull policy to use for all components.
func KibanaEnabled ¶ added in v1.33.0
func KibanaEnabled(tenant *operatorv1.Tenant, installation *operatorv1.InstallationSpec) bool
func LinseedNamespace ¶ added in v1.33.0
func LinseedNamespace(tenant *operatorv1.Tenant) string
LinseedNamespace determine the namespace in which Linseed is running. For management and standalone clusters, this is always the tigera-elasticsearch namespace. For multi-tenant management clusters, this is the tenant namespace
func ManagerService ¶ added in v1.33.0
func ManagerService(tenant *operatorv1.Tenant) string
ManagerService determine the name of the tigera manager service. For management and standalone clusters, this is always the tigera-manager.tigera-manager namespace. For multi-tenant management clusters, this is a service that resides within the tenant namespace
func NewDexKeyValidatorConfig ¶ added in v1.12.0
func NewDexKeyValidatorConfig( authentication *oprv1.Authentication, idpSecret *corev1.Secret, clusterDomain string) authentication.KeyValidatorConfig
func ProjectCalicoAPIServerServiceName ¶ added in v1.30.0
func ProjectCalicoAPIServerServiceName(v operatorv1.ProductVariant) string
func ProjectCalicoAPIServerTLSSecretName ¶ added in v1.30.0
func ProjectCalicoAPIServerTLSSecretName(v operatorv1.ProductVariant) string
The following functions are helpers for determining resource names based on the configured product variant.
func SetClusterCriticalPod ¶ added in v1.22.0
func SetClusterCriticalPod(t *corev1.PodTemplateSpec)
func SetTestLogger ¶
Types ¶
type APIServerConfiguration ¶ added in v1.25.0
type APIServerConfiguration struct { K8SServiceEndpoint k8sapi.ServiceEndpoint Installation *operatorv1.InstallationSpec APIServer *operatorv1.APIServerSpec ForceHostNetwork bool ManagementCluster *operatorv1.ManagementCluster ManagementClusterConnection *operatorv1.ManagementClusterConnection TLSKeyPair certificatemanagement.KeyPairInterface PullSecrets []*corev1.Secret OpenShift bool TrustedBundle certificatemanagement.TrustedBundle MultiTenant bool }
APIServerConfiguration contains all the config information needed to render the component.
type AWSSGSetupConfiguration ¶ added in v1.25.0
type AWSSGSetupConfiguration struct { PullSecrets []corev1.LocalObjectReference Installation *operatorv1.InstallationSpec }
AWSSGSetupConfiguration contains all the config information needed to render the component.
type CSIConfiguration ¶ added in v1.28.0
type CSIConfiguration struct { Installation *operatorv1.InstallationSpec Terminating bool OpenShift bool }
type ComplianceConfiguration ¶ added in v1.25.0
type ComplianceConfiguration struct { Installation *operatorv1.InstallationSpec PullSecrets []*corev1.Secret OpenShift bool ManagementCluster *operatorv1.ManagementCluster ManagementClusterConnection *operatorv1.ManagementClusterConnection KeyValidatorConfig authentication.KeyValidatorConfig ClusterDomain string HasNoLicense bool // Trusted certificate bundle for all compliance pods. TrustedBundle certificatemanagement.TrustedBundleRO // Key pairs used for mTLS. ServerKeyPair certificatemanagement.KeyPairInterface BenchmarkerKeyPair certificatemanagement.KeyPairInterface ReporterKeyPair certificatemanagement.KeyPairInterface SnapshotterKeyPair certificatemanagement.KeyPairInterface ControllerKeyPair certificatemanagement.KeyPairInterface Namespace string BindingNamespaces []string // Whether to run the rendered components in multi-tenant, single-tenant, or zero-tenant mode Tenant *operatorv1.Tenant ExternalElastic bool Compliance *operatorv1.Compliance }
ComplianceConfiguration contains all the config information needed to render the component.
type Component ¶
type Component interface { // ResolveImages should call components.GetReference for all images that the Component // needs, passing 'is' to the GetReference call and if there are any errors those // are returned. It is valid to pass nil for 'is' as GetReference accepts the value. // ResolveImages must be called before Objects is called for the component. ResolveImages(is *operatorv1.ImageSet) error // Objects returns the lists of objects in this component that should be created and/or deleted during // rendering. Objects() (objsToCreate, objsToDelete []client.Object) // Ready returns true if the component is ready to be created. Ready() bool // SupportedOSTypes returns operating systems that is supported of the components returned by the Objects() function. // The "componentHandler" converts the returned OSTypes to a node selectors for the "kubernetes.io/os" label on client.Objects // that create pods. Return OSTypeAny means that no node selector should be set for the "kubernetes.io/os" label. SupportedOSType() rmeta.OSType }
func APIServer ¶
func APIServer(cfg *APIServerConfiguration) (Component, error)
func APIServerPolicy ¶ added in v1.28.0
func APIServerPolicy(cfg *APIServerConfiguration) Component
func AWSSecurityGroupSetup ¶ added in v1.0.0
func AWSSecurityGroupSetup(cfg *AWSSGSetupConfiguration) (Component, error)
func CSI ¶ added in v1.28.0
func CSI(cfg *CSIConfiguration) Component
func Compliance ¶
func Compliance(cfg *ComplianceConfiguration) (Component, error)
func Dex ¶ added in v1.12.0
func Dex(cfg *DexComponentConfiguration) Component
func Fluentd ¶ added in v1.0.0
func Fluentd(cfg *FluentdConfiguration) Component
func Guardian ¶ added in v1.2.0
func Guardian(cfg *GuardianConfiguration) Component
func GuardianPolicy ¶ added in v1.28.0
func GuardianPolicy(cfg *GuardianConfiguration) (Component, error)
func IntrusionDetection ¶
func IntrusionDetection(cfg *IntrusionDetectionConfiguration) Component
func IntrusionDetectionNamespaceComponent ¶ added in v1.35.0
func IntrusionDetectionNamespaceComponent(cfg *IntrusionDetectionNamespaceConfiguration) Component
func LogStorage ¶ added in v1.4.0
func LogStorage(cfg *ElasticsearchConfiguration) Component
LogStorage renders the components necessary for kibana and elasticsearch
func Manager ¶ added in v1.0.0
func Manager(cfg *ManagerConfiguration) (Component, error)
Manager returns a component for rendering namespaced manager resources.
func Namespaces ¶
func Namespaces(cfg *NamespaceConfiguration) Component
func NewDeletionPassthrough ¶ added in v1.29.1
func NewManagedClusterLogStorage ¶ added in v1.32.0
func NewManagedClusterLogStorage(cfg *ManagedClusterLogStorageConfiguration) Component
NewManagedClusterLogStorage returns a component for managed cluster log storage resources.
func NewPassthrough ¶ added in v1.22.0
func NewPassthroughWithLog ¶ added in v1.34.0
func Node ¶
func Node(cfg *NodeConfiguration) Component
Node creates the node daemonset and other resources for the daemonset to operate normally.
func PacketCaptureAPI ¶ added in v1.21.0
func PacketCaptureAPI(cfg *PacketCaptureApiConfiguration) Component
func PacketCaptureAPIPolicy ¶ added in v1.28.0
func PacketCaptureAPIPolicy(cfg *PacketCaptureApiConfiguration) Component
func PolicyRecommendation ¶ added in v1.30.0
func PolicyRecommendation(cfg *PolicyRecommendationConfiguration) Component
func Typha ¶ added in v1.0.0
func Typha(cfg *TyphaConfiguration) Component
Typha creates the typha daemonset and other resources for the daemonset to operate normally.
func Windows ¶ added in v1.23.0
func Windows( cfg *WindowsConfiguration, ) Component
type DexComponentConfiguration ¶ added in v1.25.0
type DexComponentConfiguration struct { PullSecrets []*corev1.Secret OpenShift bool Installation *operatorv1.InstallationSpec DexConfig DexConfig ClusterDomain string DeleteDex bool TLSKeyPair certificatemanagement.KeyPairInterface TrustedBundle certificatemanagement.TrustedBundle Authentication *operatorv1.Authentication }
DexComponentConfiguration contains all the config information needed to render the component.
type DexConfig ¶ added in v1.12.0
type DexConfig interface { Connector() map[string]interface{} RedirectURIs() []string // RequiredVolumeMounts returns volume mounts that the KeyValidatorConfig implementation requires. RequiredVolumeMounts() []corev1.VolumeMount // RequiredVolumes returns volumes that the KeyValidatorConfig implementation requires. RequiredVolumes() []corev1.Volume authentication.KeyValidatorConfig }
DexConfig is a config for DexIdP itself.
func NewDexConfig ¶ added in v1.12.0
func NewDexConfig( certificateManagement *oprv1.CertificateManagement, authentication *oprv1.Authentication, dexSecret *corev1.Secret, idpSecret *corev1.Secret, clusterDomain string) DexConfig
Create a new DexConfig.
type DexKeyValidatorConfig ¶ added in v1.12.0
type DexKeyValidatorConfig struct {
// contains filtered or unexported fields
}
func (DexKeyValidatorConfig) BaseURL ¶ added in v1.18.0
func (d DexKeyValidatorConfig) BaseURL() string
func (DexKeyValidatorConfig) ClientID ¶ added in v1.18.0
func (d DexKeyValidatorConfig) ClientID() string
func (DexKeyValidatorConfig) ClientSecret ¶ added in v1.18.0
func (d DexKeyValidatorConfig) ClientSecret() []byte
func (DexKeyValidatorConfig) Issuer ¶ added in v1.18.0
func (d DexKeyValidatorConfig) Issuer() string
func (DexKeyValidatorConfig) RedirectURIs ¶ added in v1.18.0
func (d DexKeyValidatorConfig) RedirectURIs() []string
func (DexKeyValidatorConfig) RequestedScopes ¶ added in v1.18.0
func (d DexKeyValidatorConfig) RequestedScopes() []string
func (*DexKeyValidatorConfig) RequiredAnnotations ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredAnnotations() map[string]string
RequiredAnnotations returns the annotations that are relevant for a validator config.
func (DexKeyValidatorConfig) RequiredConfigMaps ¶ added in v1.18.0
func (*DexKeyValidatorConfig) RequiredEnv ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredEnv(prefix string) []corev1.EnvVar
Append variables that are necessary for using the dex authenticator.
func (DexKeyValidatorConfig) RequiredSecrets ¶ added in v1.12.0
func (*DexKeyValidatorConfig) RequiredVolumeMounts ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredVolumeMounts() []corev1.VolumeMount
func (*DexKeyValidatorConfig) RequiredVolumes ¶ added in v1.12.0
func (d *DexKeyValidatorConfig) RequiredVolumes() []corev1.Volume
func (DexKeyValidatorConfig) UsernameClaim ¶ added in v1.18.0
func (d DexKeyValidatorConfig) UsernameClaim() string
type EksCloudwatchLogConfig ¶ added in v1.0.0
type ElasticsearchConfiguration ¶ added in v1.25.0
type ElasticsearchConfiguration struct { LogStorage *operatorv1.LogStorage Installation *operatorv1.InstallationSpec ManagementCluster *operatorv1.ManagementCluster Elasticsearch *esv1.Elasticsearch ClusterConfig *relasticsearch.ClusterConfig ElasticsearchUserSecret *corev1.Secret ElasticsearchKeyPair certificatemanagement.KeyPairInterface PullSecrets []*corev1.Secret Provider operatorv1.Provider CuratorSecrets []*corev1.Secret ESService *corev1.Service ClusterDomain string ElasticLicenseType ElasticsearchLicenseType TrustedBundle certificatemanagement.TrustedBundleRO UnusedTLSSecret *corev1.Secret ApplyTrial bool KeyStoreSecret *corev1.Secret }
ElasticsearchConfiguration contains all the config information needed to render the component.
type ElasticsearchLicenseType ¶ added in v1.14.0
type ElasticsearchLicenseType string
type FluentdConfiguration ¶ added in v1.25.0
type FluentdConfiguration struct { LogCollector *operatorv1.LogCollector S3Credential *S3Credential SplkCredential *SplunkCredential Filters *FluentdFilters // ESClusterConfig is only populated for when EKSConfig // is also defined ESClusterConfig *relasticsearch.ClusterConfig EKSConfig *EksCloudwatchLogConfig PullSecrets []*corev1.Secret Installation *operatorv1.InstallationSpec ClusterDomain string OSType rmeta.OSType FluentdKeyPair certificatemanagement.KeyPairInterface TrustedBundle certificatemanagement.TrustedBundle ManagedCluster bool // Set if running as a multi-tenant management cluster. Configures the management cluster's // own fluentd daemonset. Tenant *operatorv1.Tenant ExternalElastic bool // Whether to use User provided certificate or not. UseSyslogCertificate bool // EKSLogForwarderKeyPair contains the certificate presented by EKS LogForwarder when communicating with Linseed EKSLogForwarderKeyPair certificatemanagement.KeyPairInterface PacketCapture *operatorv1.PacketCaptureAPI }
FluentdConfiguration contains all the config information needed to render the component.
type FluentdFilters ¶ added in v1.0.0
type GuardianComponent ¶ added in v1.2.0
type GuardianComponent struct {
// contains filtered or unexported fields
}
func (*GuardianComponent) Objects ¶ added in v1.2.0
func (c *GuardianComponent) Objects() ([]client.Object, []client.Object)
func (*GuardianComponent) Ready ¶ added in v1.2.0
func (c *GuardianComponent) Ready() bool
func (*GuardianComponent) ResolveImages ¶ added in v1.14.0
func (c *GuardianComponent) ResolveImages(is *operatorv1.ImageSet) error
func (*GuardianComponent) SupportedOSType ¶ added in v1.11.0
func (c *GuardianComponent) SupportedOSType() rmeta.OSType
type GuardianConfiguration ¶ added in v1.25.0
type GuardianConfiguration struct { URL string PullSecrets []*corev1.Secret OpenShift bool Installation *operatorv1.InstallationSpec TunnelSecret *corev1.Secret TrustedCertBundle certificatemanagement.TrustedBundle TunnelCAType operatorv1.CAType ManagementClusterConnection *operatorv1.ManagementClusterConnection }
GuardianConfiguration contains all the config information needed to render the component.
type IntrusionDetectionConfiguration ¶ added in v1.25.0
type IntrusionDetectionConfiguration struct { IntrusionDetection *operatorv1.IntrusionDetection LogCollector *operatorv1.LogCollector Installation *operatorv1.InstallationSpec PullSecrets []*corev1.Secret OpenShift bool ClusterDomain string ESLicenseType ElasticsearchLicenseType ManagedCluster bool ManagementCluster bool SyslogForwardingIsEnabled bool HasNoLicense bool TrustedCertBundle certificatemanagement.TrustedBundleRO IntrusionDetectionCertSecret certificatemanagement.KeyPairInterface Namespace string BindNamespaces []string Tenant *operatorv1.Tenant ExternalElastic bool }
IntrusionDetectionConfiguration contains all the config information needed to render the component.
type IntrusionDetectionNamespaceConfiguration ¶ added in v1.35.0
type IntrusionDetectionNamespaceConfiguration struct { Tenant *operatorv1.Tenant SyslogForwardingIsEnabled bool Namespace string KubernetesProvider operatorv1.Provider HasNoLicense bool }
type ManagedClusterLogStorageConfiguration ¶ added in v1.32.0
type ManagedClusterLogStorageConfiguration struct { Installation *operatorv1.InstallationSpec ClusterDomain string Provider operatorv1.Provider }
ManagedClusterLogStorageConfiguration contains configuration for managed cluster log storage.
type ManagerConfiguration ¶ added in v1.25.0
type ManagerConfiguration struct { VoltronRouteConfig *manager.VoltronRouteConfig KeyValidatorConfig authentication.KeyValidatorConfig PullSecrets []*corev1.Secret OpenShift bool Installation *operatorv1.InstallationSpec ManagementCluster *operatorv1.ManagementCluster // If provided, the KeyPair to used for external connections terminated by Voltron, // and connections from the manager pod to Linseed. TLSKeyPair certificatemanagement.KeyPairInterface // The key pair to use for TLS between Linseed clients in managed clusters and Voltron // in the management cluster. VoltronLinseedKeyPair certificatemanagement.KeyPairInterface // KeyPair used by Voltron as the server certificate when establishing an mTLS tunnel with Guardian. TunnelServerCert certificatemanagement.KeyPairInterface // TLS KeyPair used by both Voltron and es-proxy, presented by each as part of the mTLS handshake with // other services within the cluster. This is used in both management and standalone clusters. InternalTLSKeyPair certificatemanagement.KeyPairInterface // Certificate bundle used by the manager pod to verify certificates presented // by clients as part of mTLS authentication. TrustedCertBundle certificatemanagement.TrustedBundleRO ClusterDomain string ESLicenseType ElasticsearchLicenseType Replicas *int32 Compliance *operatorv1.Compliance ComplianceLicenseActive bool ComplianceNamespace string Namespace string TruthNamespace string BindingNamespaces []string // Whether to run the rendered components in multi-tenant, single-tenant, or zero-tenant mode Tenant *operatorv1.Tenant ExternalElastic bool Manager *operatorv1.Manager }
ManagerConfiguration contains all the config information needed to render the component.
type NamespaceConfiguration ¶ added in v1.25.0
type NamespaceConfiguration struct { Installation *operatorv1.InstallationSpec PullSecrets []*corev1.Secret Terminating bool }
NamespaceConfiguration contains all the config information needed to render the component.
type NodeConfiguration ¶ added in v1.22.0
type NodeConfiguration struct { K8sServiceEp k8sapi.ServiceEndpoint Installation *operatorv1.InstallationSpec IPPools []operatorv1.IPPool TLS *TyphaNodeTLS ClusterDomain string // Optional fields. LogCollector *operatorv1.LogCollector MigrateNamespaces bool NodeAppArmorProfile string BirdTemplates map[string]string NodeReporterMetricsPort int // CanRemoveCNIFinalizer specifies whether CNI plugin is still needed during uninstall since the CNI plugin and // associated RBAC resources are required for pod teardown to succeed. Setting this to true removes // the finalizer from the CNI plugin and associated RBAC resources, allowing them to be deleted. // For details on why this is needed see 'Node and Installation finalizer' in the core_controller. CanRemoveCNIFinalizer bool PrometheusServerTLS certificatemanagement.KeyPairInterface // BGPLayouts is returned by the rendering code after modifying its namespace // so that it can be deployed into the cluster. // TODO: The controller should pass the contents, the renderer should build its own // configmap, rather than this "copy" semantic. BGPLayouts *corev1.ConfigMap // The health port that Felix should bind to. The controller reads FelixConfiguration // and sets this. FelixHealthPort int // The bindMode read from the default BGPConfiguration. Used to trigger rolling updates // should this value change. BindMode string }
NodeConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/node on a cluster.
type PacketCaptureApiConfiguration ¶ added in v1.25.0
type PacketCaptureApiConfiguration struct { PullSecrets []*corev1.Secret OpenShift bool Installation *operatorv1.InstallationSpec KeyValidatorConfig authentication.KeyValidatorConfig ServerCertSecret certificatemanagement.KeyPairInterface TrustedBundle certificatemanagement.TrustedBundle ClusterDomain string ManagementClusterConnection *operatorv1.ManagementClusterConnection PacketCaptureAPI *operatorv1.PacketCaptureAPI }
PacketCaptureApiConfiguration contains all the config information needed to render the component.
type PodSecurityStandard ¶ added in v1.28.0
type PodSecurityStandard string
type PolicyRecommendationConfiguration ¶ added in v1.30.0
type PolicyRecommendationConfiguration struct { ClusterDomain string Installation *operatorv1.InstallationSpec ManagedCluster bool OpenShift bool PullSecrets []*corev1.Secret TrustedBundle certificatemanagement.TrustedBundleRO PolicyRecommendationCertSecret certificatemanagement.KeyPairInterface Namespace string BindingNamespaces []string // Whether or not to run the rendered components in multi-tenant mode. Tenant *operatorv1.Tenant ExternalElastic bool PolicyRecommendation *operatorv1.PolicyRecommendation }
PolicyRecommendationConfiguration contains all the config information needed to render the component.
type Renderer ¶
type Renderer interface {
Render() []Component
}
A Renderer is capable of generating components to be installed on the cluster.
type S3Credential ¶ added in v1.0.0
type SplunkCredential ¶ added in v1.4.0
type SplunkCredential struct {
Token []byte
}
type TyphaConfiguration ¶ added in v1.22.0
type TyphaConfiguration struct { K8sServiceEp k8sapi.ServiceEndpoint Installation *operatorv1.InstallationSpec TLS *TyphaNodeTLS MigrateNamespaces bool ClusterDomain string // The health port that Felix is bound to. We configure Typha to bind to the port // that is one less. FelixHealthPort int }
TyphaConfiguration is the public API used to provide information to the render code to generate Kubernetes objects for installing calico/typha on a cluster.
type TyphaNodeTLS ¶ added in v1.0.0
type TyphaNodeTLS struct { TrustedBundle certificatemanagement.TrustedBundle TyphaSecret certificatemanagement.KeyPairInterface TyphaCommonName string TyphaURISAN string NodeSecret certificatemanagement.KeyPairInterface NodeCommonName string NodeURISAN string }
TyphaNodeTLS holds configuration for Node and Typha to establish TLS.
type WindowsConfiguration ¶ added in v1.32.0
type WindowsConfiguration struct { K8sServiceEp k8sapi.ServiceEndpoint K8sDNSServers []string Installation *operatorv1.InstallationSpec ClusterDomain string TLS *TyphaNodeTLS PrometheusServerTLS certificatemanagement.KeyPairInterface NodeReporterMetricsPort int VXLANVNI int }
Source Files ¶
- apiserver.go
- aws-securitygroup-setup.go
- compliance.go
- component.go
- crypto_utils.go
- csi.go
- dex.go
- dex_config.go
- finalizers.go
- fluentd.go
- guardian.go
- intrusion_detection.go
- logstorage.go
- manager.go
- namespaces.go
- node.go
- packet_capture_api.go
- passthru.go
- policyrecommendation.go
- render.go
- typha.go
- utils.go
- windows.go