Index ¶
- Constants
- Variables
- func AllowTigeraDefaultDeny(namespace string) *v3.NetworkPolicy
- func AppendDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule
- func AppendServiceSelectorDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule
- func CreateEntityRule(namespace string, deploymentName string, ports ...uint16) v3.EntityRule
- func CreateServiceSelectorEntityRule(namespace string, name string) v3.EntityRule
- func CreateSourceEntityRule(namespace string, deploymentName string) v3.EntityRule
- func KubernetesAppSelector(deploymentNames ...string) string
- func Ports(ports ...uint16) []numorstring.Port
Constants ¶
const PrometheusSelector = "" /* 149-byte string literal not displayed */
const TigeraComponentDefaultDenyPolicyName = TigeraComponentPolicyPrefix + "default-deny"
const TigeraComponentPolicyPrefix = TigeraComponentTierName + "."
const TigeraComponentTierName = "allow-tigera"
Variables ¶
var ESGatewayEntityRule = CreateEntityRule("tigera-elasticsearch", "tigera-secure-es-gateway", 5554)
The ES gateway entity rules in this package are defined here, rather than in the render subpackages that own those components, to avoid a cyclic import between this package and render.
var ESGatewayServiceSelectorEntityRule = CreateServiceSelectorEntityRule("tigera-elasticsearch", "tigera-secure-es-gateway-http")
var ESGatewaySourceEntityRule = CreateSourceEntityRule("tigera-elasticsearch", "tigera-secure-es-gateway")
var HighPrecedenceOrder = 1.0
var KubeAPIServerEntityRule = v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'default'", Selector: "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')", Ports: Ports(443, 6443, 12388), }
Entity rules for endpoints that are not themselves Calico/Tigera components. Note that the two Prometheus rules select the namespace differently: PrometheusEntityRule uses the Calico-managed `projectcalico.org/name` label, whereas PrometheusSourceEntityRule uses a plain `name` label, which only matches if that label has actually been applied to the namespace — the two selectors are not interchangeable.
var KubeAPIServerServiceSelectorEntityRule = v3.EntityRule{ Services: &v3.ServiceMatch{ Namespace: "default", Name: "kubernetes", }, }
var PrometheusEntityRule = v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'tigera-prometheus'", Selector: PrometheusSelector, Ports: Ports(9095), }
var PrometheusSourceEntityRule = v3.EntityRule{ NamespaceSelector: "name == 'tigera-prometheus'", Selector: PrometheusSelector, }
var TCPProtocol = numorstring.ProtocolFromString(numorstring.ProtocolTCP)
var UDPProtocol = numorstring.ProtocolFromString(numorstring.ProtocolUDP)
Functions ¶
func AllowTigeraDefaultDeny ¶
func AllowTigeraDefaultDeny(namespace string) *v3.NetworkPolicy
(No doc comment in the source. Given the name and the TigeraComponentDefaultDenyPolicyName constant above, it presumably returns the default-deny NetworkPolicy for the given namespace in the allow-tigera tier — confirm against the implementation.)
func AppendDNSEgressRules ¶
AppendDNSEgressRules appends to egressRules a rule that allows DNS egress and returns the extended slice. The appended rule identifies the DNS destination by label selectors and explicit ports; the openShift flag adjusts the rule for OpenShift clusters, where the DNS deployment differs from the upstream kube-system one (confirm the exact selectors against the implementation). Because the destination is matched by labels rather than by a Service, the rule admits traffic to any pod carrying those labels in the selected namespace.
func AppendServiceSelectorDNSEgressRules ¶
AppendServiceSelectorDNSEgressRules behaves like AppendDNSEgressRules, but the appended rule matches the DNS destination with a Service selector (the Services field, as used by KubeAPIServerServiceSelectorEntityRule) instead of label selectors and an explicit port list, so the allowed destination is resolved from the named Service rather than from pod labels.
func CreateEntityRule ¶
func CreateEntityRule(namespace string, deploymentName string, ports ...uint16) v3.EntityRule
CreateEntityRule creates an entity rule that matches traffic by label selectors derived from the namespace and deployment name, restricted to the given ports. Callers should pass the specific ports the component actually serves: if no ports are supplied, the resulting rule is expected to match every port on the selected endpoints — verify this before relying on it.
func CreateServiceSelectorEntityRule ¶
func CreateServiceSelectorEntityRule(namespace string, name string) v3.EntityRule
CreateServiceSelectorEntityRule creates an entity rule that matches traffic to the Kubernetes Service with the given name in the given namespace (a Services selector, as in KubeAPIServerServiceSelectorEntityRule), rather than selecting pods by label.
func CreateSourceEntityRule ¶
func CreateSourceEntityRule(namespace string, deploymentName string) v3.EntityRule
CreateSourceEntityRule creates an entity rule that selects the pods of the named deployment in the given namespace, intended for use as the Source of an ingress rule. Unlike CreateEntityRule it takes no ports, so the rule identifies the source endpoints only and places no constraint on ports.
func KubernetesAppSelector ¶
func KubernetesAppSelector(deploymentNames ...string) string
(No doc comment in the source. The name suggests it builds a label selector expression matching the given deployment names — confirm against the implementation.)
func Ports ¶
func Ports(ports ...uint16) []numorstring.Port
Ports converts a list of uint16 port numbers into numorstring.Port values suitable for the Ports field of a v3.EntityRule (see the variable declarations above for examples).