Documentation ¶
Index ¶
- Constants
- Variables
- func AllowTigeraDefaultDeny(namespace string) *v3.NetworkPolicy
- func AppendDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule
- func AppendServiceSelectorDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule
- func CreateEntityRule(namespace string, deploymentName string, ports ...uint16) v3.EntityRule
- func CreateServiceSelectorEntityRule(namespace string, name string) v3.EntityRule
- func CreateSourceEntityRule(namespace string, deploymentName string) v3.EntityRule
- func GetOIDCEgressRule(parsedURL *url.URL) v3.Rule
- func KubernetesAppSelector(deploymentNames ...string) string
- func Ports(ports ...uint16) []numorstring.Port
- type NetworkPolicyHelper
- func (h *NetworkPolicyHelper) ComplianceBenchmarkerSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ComplianceControllerSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ComplianceReporterSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ComplianceServerEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ComplianceServerSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ComplianceSnapshotterSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) DashboardInstallerEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) DashboardInstallerSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ESGatewayEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ESGatewayServiceSelectorEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ESGatewaySourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) IntrusionDetectionSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) LinseedEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) LinseedServiceSelectorEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) LinseedSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ManagerEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) ManagerSourceEntityRule() v3.EntityRule
- func (h *NetworkPolicyHelper) PolicyRecommendationSourceEntityRule() v3.EntityRule
Constants ¶
const ( TigeraComponentTierName = "allow-tigera" TigeraComponentPolicyPrefix = TigeraComponentTierName + "." TigeraComponentDefaultDenyPolicyName = TigeraComponentPolicyPrefix + "default-deny" )
const PrometheusSelector = "k8s-app == 'tigera-prometheus'"
Variables ¶
var ( TCPProtocol = numorstring.ProtocolFromString(numorstring.ProtocolTCP) UDPProtocol = numorstring.ProtocolFromString(numorstring.ProtocolUDP) HighPrecedenceOrder = 1.0 AfterHighPrecendenceOrder = 10.0 )
var KubeAPIServerEntityRule = v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'default'", Selector: "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')", Ports: Ports(443, 6443, 12388), }
Entity rules not belonging to Calico/Tigera components.
var KubeAPIServerServiceSelectorEntityRule = v3.EntityRule{ Services: &v3.ServiceMatch{ Namespace: "default", Name: "kubernetes", }, }
var PrometheusEntityRule = v3.EntityRule{ NamespaceSelector: "projectcalico.org/name == 'tigera-prometheus'", Selector: PrometheusSelector, Ports: Ports(9095), }
var PrometheusSourceEntityRule = v3.EntityRule{ NamespaceSelector: "name == 'tigera-prometheus'", Selector: PrometheusSelector, }
Functions ¶
func AllowTigeraDefaultDeny ¶
func AllowTigeraDefaultDeny(namespace string) *v3.NetworkPolicy
func AppendDNSEgressRules ¶
AppendDNSEgressRules appends a rule to the provided slice that allows DNS egress. The appended rule utilizes label selectors and ports.
func AppendServiceSelectorDNSEgressRules ¶
AppendServiceSelectorDNSEgressRules is equivalent to AppendDNSEgressRules, but matches the DNS destination with a service selector instead of a label selector and ports.
func CreateEntityRule ¶
func CreateEntityRule(namespace string, deploymentName string, ports ...uint16) v3.EntityRule
CreateEntityRule creates an entity rule that matches traffic using label selectors based on namespace, deployment name, and port.
func CreateServiceSelectorEntityRule ¶
func CreateServiceSelectorEntityRule(namespace string, name string) v3.EntityRule
CreateServiceSelectorEntityRule creates an entity rule that matches traffic based on service name and namespace.
func CreateSourceEntityRule ¶
func CreateSourceEntityRule(namespace string, deploymentName string) v3.EntityRule
CreateSourceEntityRule creates a conventional entity rule that matches ingress traffic based on namespace and deployment name.
func GetOIDCEgressRule ¶ added in v1.36.2
GetOIDCEgressRule creates an egress rule for the OIDC connection. The result includes an egress rule for the urlString passed in:
- egress rule: an egress rule that assumes the OIDC endpoint is external to the cluster
func KubernetesAppSelector ¶
func Ports ¶
func Ports(ports ...uint16) []numorstring.Port
Types ¶
type NetworkPolicyHelper ¶ added in v1.32.0
type NetworkPolicyHelper struct {
// contains filtered or unexported fields
}
func DefaultHelper ¶ added in v1.32.0
func DefaultHelper() *NetworkPolicyHelper
DefaultHelper returns a NetworkPolicyHelper configured for services that only run in single-tenant clusters.
func Helper ¶ added in v1.32.0
func Helper(mt bool, ns string) *NetworkPolicyHelper
Helper creates a helper for building network policies for multi-tenant capable components. It takes two arguments: mt, which is true if running in multi-tenant mode and false otherwise; and ns, the tenant's namespace.
func (*NetworkPolicyHelper) ComplianceBenchmarkerSourceEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) ComplianceBenchmarkerSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ComplianceControllerSourceEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) ComplianceControllerSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ComplianceReporterSourceEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) ComplianceReporterSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ComplianceServerEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) ComplianceServerEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ComplianceServerSourceEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) ComplianceServerSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ComplianceSnapshotterSourceEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) ComplianceSnapshotterSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) DashboardInstallerEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) DashboardInstallerEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) DashboardInstallerSourceEntityRule ¶ added in v1.34.0
func (h *NetworkPolicyHelper) DashboardInstallerSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ESGatewayEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) ESGatewayEntityRule() v3.EntityRule
ESGatewayEntityRule returns an entity rule that selects es-gateway pods in the given namespace.
func (*NetworkPolicyHelper) ESGatewayServiceSelectorEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) ESGatewayServiceSelectorEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ESGatewaySourceEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) ESGatewaySourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) IntrusionDetectionSourceEntityRule ¶ added in v1.35.0
func (h *NetworkPolicyHelper) IntrusionDetectionSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) LinseedEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) LinseedEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) LinseedServiceSelectorEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) LinseedServiceSelectorEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) LinseedSourceEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) LinseedSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ManagerEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) ManagerEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) ManagerSourceEntityRule ¶ added in v1.32.0
func (h *NetworkPolicyHelper) ManagerSourceEntityRule() v3.EntityRule
func (*NetworkPolicyHelper) PolicyRecommendationSourceEntityRule ¶ added in v1.33.0
func (h *NetworkPolicyHelper) PolicyRecommendationSourceEntityRule() v3.EntityRule