networkpolicy

package

Constants

const (
	// TigeraComponentTierName is the policy tier name from which the two
	// policy-name constants below are derived.
	TigeraComponentTierName              = "allow-tigera"
	// TigeraComponentPolicyPrefix is the tier name followed by ".", the
	// prefix shared by policy names in that tier.
	TigeraComponentPolicyPrefix          = TigeraComponentTierName + "."
	// TigeraComponentDefaultDenyPolicyName is the prefixed name of the
	// tier's default-deny policy (presumably the one built by
	// AllowTigeraDefaultDeny in this package — confirm against its body).
	TigeraComponentDefaultDenyPolicyName = TigeraComponentPolicyPrefix + "default-deny"
)
// PrometheusSelector is the pod label selector for tigera-prometheus; it is
// reused by PrometheusEntityRule and PrometheusSourceEntityRule so that both
// rules select the same pods.
const PrometheusSelector = "k8s-app == 'tigera-prometheus'"

Variables

var (
	// TCPProtocol and UDPProtocol are the numorstring protocol values for
	// TCP and UDP, for use in rule protocol fields.
	TCPProtocol               = numorstring.ProtocolFromString(numorstring.ProtocolTCP)
	UDPProtocol               = numorstring.ProtocolFromString(numorstring.ProtocolUDP)
	// HighPrecedenceOrder and AfterHighPrecendenceOrder are policy order
	// values. The names imply that a policy given 10.0 is evaluated after
	// one given 1.0 (Calico evaluates lower order values first) — confirm
	// where these are consumed. The exported spelling "Precendence" is
	// part of the public API and cannot be corrected without breaking callers.
	HighPrecedenceOrder       = 1.0
	AfterHighPrecendenceOrder = 10.0
)
// KubeAPIServerEntityRule matches the Kubernetes API server endpoints in the
// "default" namespace by label selector, on ports 443, 6443 and 12388.
// KubeAPIServerServiceSelectorEntityRule selects the same target via the
// kubernetes Service instead of labels and ports.
var KubeAPIServerEntityRule = v3.EntityRule{
	// projectcalico.org/name is the namespace-name label; "default" is the
	// namespace holding the kubernetes Service and its endpoints.
	NamespaceSelector: "projectcalico.org/name == 'default'",
	Selector:          "(provider == 'kubernetes' && component == 'apiserver' && endpoints.projectcalico.org/serviceName == 'kubernetes')",
	// The reason for each of the three ports is not recorded here; 443 and
	// 6443 are the usual Service and kube-apiserver ports, 12388 — TODO confirm.
	Ports:             Ports(443, 6443, 12388),
}

Entity rules not belonging to Calico/Tigera components.

// KubeAPIServerServiceSelectorEntityRule matches the Kubernetes API server via
// the "kubernetes" Service in the "default" namespace, using a service match
// rather than the label selector and port list of KubeAPIServerEntityRule.
var KubeAPIServerServiceSelectorEntityRule = v3.EntityRule{
	Services: &v3.ServiceMatch{
		Namespace: "default",
		Name:      "kubernetes",
	},
}
// PrometheusEntityRule matches the tigera-prometheus pods (PrometheusSelector)
// in the tigera-prometheus namespace on port 9095; intended as a destination
// rule, with PrometheusSourceEntityRule as its source-side counterpart.
var PrometheusEntityRule = v3.EntityRule{
	NamespaceSelector: "projectcalico.org/name == 'tigera-prometheus'",
	Selector:          PrometheusSelector,
	Ports:             Ports(9095),
}
// PrometheusSourceEntityRule matches the tigera-prometheus pods as a traffic
// source; no ports are set, as is usual for a source rule.
//
// NOTE(review): the namespace selector uses the plain `name` label, whereas
// PrometheusEntityRule uses `projectcalico.org/name`. The `name` label is not
// one Calico sets from the namespace name, so this rule only matches if
// something else applies that label to the namespace — confirm the difference
// is intended and not a typo.
var PrometheusSourceEntityRule = v3.EntityRule{
	NamespaceSelector: "name == 'tigera-prometheus'",
	Selector:          PrometheusSelector,
}

Functions

func AllowTigeraDefaultDeny

func AllowTigeraDefaultDeny(namespace string) *v3.NetworkPolicy

func AppendDNSEgressRules

func AppendDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule

AppendDNSEgressRules appends a rule that allows DNS egress to the provided slice. The appended rule uses label selectors and ports.

func AppendServiceSelectorDNSEgressRules

func AppendServiceSelectorDNSEgressRules(egressRules []v3.Rule, openShift bool) []v3.Rule

AppendServiceSelectorDNSEgressRules is equivalent to AppendDNSEgressRules, but uses a service selector instead of a label selector and ports.

func CreateEntityRule

func CreateEntityRule(namespace string, deploymentName string, ports ...uint16) v3.EntityRule

CreateEntityRule creates an entity rule that matches traffic using label selectors based on namespace, deployment name, and port.

func CreateServiceSelectorEntityRule

func CreateServiceSelectorEntityRule(namespace string, name string) v3.EntityRule

CreateServiceSelectorEntityRule creates an entity rule that matches traffic based on service name and namespace.

func CreateSourceEntityRule

func CreateSourceEntityRule(namespace string, deploymentName string) v3.EntityRule

CreateSourceEntityRule creates a conventional entity rule that matches ingress traffic based on namespace and deployment name.

func GetOIDCEgressRule added in v1.36.2

func GetOIDCEgressRule(parsedURL *url.URL) v3.Rule

GetOIDCEgressRule creates an egress rule for the OIDC connection. The result is an egress rule built from the URL passed in:

  1. egress rule: assumes the OIDC provider is external to the cluster

func KubernetesAppSelector

func KubernetesAppSelector(deploymentNames ...string) string

func Ports

func Ports(ports ...uint16) []numorstring.Port

Types

type NetworkPolicyHelper added in v1.32.0

type NetworkPolicyHelper struct {
	// contains filtered or unexported fields
}

func DefaultHelper added in v1.32.0

func DefaultHelper() *NetworkPolicyHelper

DefaultHelper returns a NetworkPolicyHelper configured for services that only run in single-tenant clusters.

func Helper added in v1.32.0

func Helper(mt bool, ns string) *NetworkPolicyHelper

Helper creates a helper for building network policies for multi-tenant capable components. It takes two arguments: mt, true if running in multi-tenant mode and false otherwise; and ns, the tenant's namespace.

func (*NetworkPolicyHelper) ComplianceBenchmarkerSourceEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) ComplianceBenchmarkerSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ComplianceControllerSourceEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) ComplianceControllerSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ComplianceReporterSourceEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) ComplianceReporterSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ComplianceServerEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) ComplianceServerEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ComplianceServerSourceEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) ComplianceServerSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ComplianceSnapshotterSourceEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) ComplianceSnapshotterSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) DashboardInstallerEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) DashboardInstallerEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) DashboardInstallerSourceEntityRule added in v1.34.0

func (h *NetworkPolicyHelper) DashboardInstallerSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ESGatewayEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) ESGatewayEntityRule() v3.EntityRule

ESGatewayEntityRule returns an entity rule that selects es-gateway pods in the given namespace.

func (*NetworkPolicyHelper) ESGatewayServiceSelectorEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) ESGatewayServiceSelectorEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ESGatewaySourceEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) ESGatewaySourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) IntrusionDetectionSourceEntityRule added in v1.35.0

func (h *NetworkPolicyHelper) IntrusionDetectionSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) LinseedEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) LinseedEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) LinseedServiceSelectorEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) LinseedServiceSelectorEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) LinseedSourceEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) LinseedSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ManagerEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) ManagerEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) ManagerSourceEntityRule added in v1.32.0

func (h *NetworkPolicyHelper) ManagerSourceEntityRule() v3.EntityRule

func (*NetworkPolicyHelper) PolicyRecommendationSourceEntityRule added in v1.33.0

func (h *NetworkPolicyHelper) PolicyRecommendationSourceEntityRule() v3.EntityRule
