package networkpolicy

v1.0.1

Published: Apr 30, 2021 License: Apache-2.0 Imports: 53 Imported by: 0

Documentation

Index

Constants

const (

	// TierIndex is used to index ClusterNetworkPolicies by Tier names.
	TierIndex = "tier"
	// PriorityIndex is used to index Tiers by their priorities.
	PriorityIndex = "priority"
	// ClusterGroupIndex is used to index ClusterNetworkPolicies by ClusterGroup names.
	ClusterGroupIndex = "clustergroup"
)

Variables

var (

	// DefaultTierPriority maintains the priority for the system generated default Tier.
	// This is the lowest priority for tiers that will be enforced before K8s NetworkPolicies.
	DefaultTierPriority = int32(250)
	// BaselineTierPriority maintains the priority for the system generated baseline Tier.
	// This is the tier that will be enforced after K8s NetworkPolicies.
	BaselineTierPriority = int32(253)
)

Functions

func GetAdmissionResponseForErr added in v0.10.0

func GetAdmissionResponseForErr(err error) *admv1.AdmissionResponse

GetAdmissionResponseForErr returns an object of type AdmissionResponse with the submitted error message.

func NewEndpointQuerier added in v0.10.0

func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *endpointQuerier

NewEndpointQuerier returns a new *endpointQuerier.

Types

type Endpoint added in v0.10.0

type Endpoint struct {
	Namespace string   `json:"namespace,omitempty"`
	Name      string   `json:"name,omitempty"`
	Policies  []Policy `json:"policies,omitempty"`
	Rules     []Rule   `json:"rules,omitempty"`
}

type EndpointQuerier added in v0.10.0

type EndpointQuerier interface {
	// QueryNetworkPolicies returns the list of NetworkPolicies which apply to the provided Pod,
	// along with the list of NetworkPolicies which select the provided Pod in one of their policy
	// rules (ingress or egress).
	QueryNetworkPolicies(namespace string, podName string) (*EndpointQueryResponse, error)
}

EndpointQuerier handles requests for antctl endpoint queries.

type EndpointQueryResponse added in v0.10.0

type EndpointQueryResponse struct {
	Endpoints []Endpoint `json:"endpoints,omitempty"`
}

EndpointQueryResponse is the reply struct for antctl endpoint queries.

type NetworkPolicyController

type NetworkPolicyController struct {
	// contains filtered or unexported fields
}

NetworkPolicyController is responsible for synchronizing the Namespaces and Pods affected by a Network Policy.

func NewNetworkPolicyController

func NewNetworkPolicyController(kubeClient clientset.Interface,
	crdClient versioned.Interface,
	groupingInterface grouping.Interface,
	serviceInformer coreinformers.ServiceInformer,
	networkPolicyInformer networkinginformers.NetworkPolicyInformer,
	cnpInformer secinformers.ClusterNetworkPolicyInformer,
	anpInformer secinformers.NetworkPolicyInformer,
	tierInformer secinformers.TierInformer,
	cgInformer corev1a2informers.ClusterGroupInformer,
	addressGroupStore storage.Interface,
	appliedToGroupStore storage.Interface,
	internalNetworkPolicyStore storage.Interface,
	internalGroupStore storage.Interface) *NetworkPolicyController

NewNetworkPolicyController returns a new *NetworkPolicyController.

func (*NetworkPolicyController) GetAddressGroupNum added in v0.3.0

func (n *NetworkPolicyController) GetAddressGroupNum() int

func (*NetworkPolicyController) GetAppliedToGroupNum added in v0.3.0

func (n *NetworkPolicyController) GetAppliedToGroupNum() int

func (*NetworkPolicyController) GetAssociatedGroups added in v0.13.0

func (n *NetworkPolicyController) GetAssociatedGroups(name, namespace string) ([]antreatypes.Group, error)

GetAssociatedGroups retrieves the internal Groups associated with the entity being queried (Pod or ExternalEntity identified by name and namespace).

func (*NetworkPolicyController) GetConnectedAgentNum added in v0.3.0

func (n *NetworkPolicyController) GetConnectedAgentNum() int

GetConnectedAgentNum gets the number of Agents which are connected to this Controller. Since each Agent watches all three stores (internalNetworkPolicyStore, appliedToGroupStore, addressGroupStore), the number of watchers of any one of these stores equals the number of connected Agents. Here, we use the number of watchers of appliedToGroupStore to represent the number of connected Agents, because internalNetworkPolicyStore is also watched by the StatusController of the process itself, which would inflate that count.

func (*NetworkPolicyController) GetGroupMembers added in v0.13.0

func (n *NetworkPolicyController) GetGroupMembers(cgName string) (controlplane.GroupMemberSet, error)

GetGroupMembers returns the current members of a ClusterGroup.

func (*NetworkPolicyController) GetNetworkPolicyNum added in v0.3.0

func (n *NetworkPolicyController) GetNetworkPolicyNum() int

func (*NetworkPolicyController) InitializeTiers added in v0.10.0

func (n *NetworkPolicyController) InitializeTiers()

InitializeTiers initializes the default Tiers created by Antrea on init. It will first attempt to retrieve each Tier by its name from K8s and, if missing, create the CR. InitializeTiers will be called as part of a Post-Start hook of antrea-controller's APIServer.

func (*NetworkPolicyController) Run

func (n *NetworkPolicyController) Run(stopCh <-chan struct{})

Run begins watching and syncing of a NetworkPolicyController.

type NetworkPolicyMutator added in v0.11.0

type NetworkPolicyMutator struct {
	// contains filtered or unexported fields
}

func NewNetworkPolicyMutator added in v0.11.0

func NewNetworkPolicyMutator(networkPolicyController *NetworkPolicyController) *NetworkPolicyMutator

NewNetworkPolicyMutator returns a new *NetworkPolicyMutator.

func (*NetworkPolicyMutator) Mutate added in v0.11.0

Mutate mutates an Antrea-native policy object.

type NetworkPolicyValidator added in v0.10.0

type NetworkPolicyValidator struct {
	// contains filtered or unexported fields
}

NetworkPolicyValidator maintains the list of validator objects which validate the Antrea-native policy related resources.

func NewNetworkPolicyValidator added in v0.10.0

func NewNetworkPolicyValidator(networkPolicyController *NetworkPolicyController) *NetworkPolicyValidator

NewNetworkPolicyValidator returns a new *NetworkPolicyValidator.

func (*NetworkPolicyValidator) RegisterAntreaPolicyValidator added in v0.12.0

func (v *NetworkPolicyValidator) RegisterAntreaPolicyValidator(a validator)

RegisterAntreaPolicyValidator registers an Antrea-native policy validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.

func (*NetworkPolicyValidator) RegisterGroupValidator added in v0.13.0

func (v *NetworkPolicyValidator) RegisterGroupValidator(g validator)

RegisterGroupValidator registers a Group validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.

func (*NetworkPolicyValidator) RegisterTierValidator added in v0.12.0

func (v *NetworkPolicyValidator) RegisterTierValidator(t validator)

RegisterTierValidator registers a Tier validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.

func (*NetworkPolicyValidator) Validate added in v0.10.0

Validate validates a ClusterGroup, Tier or Antrea-native policy object.

type Policy added in v0.10.0

type Policy struct {
	PolicyRef
}

type PolicyRef added in v0.10.0

type PolicyRef struct {
	Namespace string    `json:"namespace,omitempty"`
	Name      string    `json:"name,omitempty"`
	UID       types.UID `json:"uid,omitempty"`
}

type Rule added in v0.10.0

type Rule struct {
	PolicyRef
	Direction cpv1beta.Direction `json:"direction,omitempty"`
	RuleIndex int                `json:"ruleindex,omitempty"`
}

type StatusController added in v0.11.0

type StatusController struct {
	// contains filtered or unexported fields
}

StatusController is responsible for synchronizing the status of Antrea ClusterNetworkPolicy and Antrea NetworkPolicy.

func NewStatusController added in v0.11.0

func NewStatusController(antreaClient antreaclientset.Interface, internalNetworkPolicyStore storage.Interface, cnpInformer crdinformers.ClusterNetworkPolicyInformer, anpInformer crdinformers.NetworkPolicyInformer) *StatusController

func (*StatusController) Run added in v0.11.0

func (c *StatusController) Run(stopCh <-chan struct{})

Run begins watching and syncing of a StatusController.

func (*StatusController) UpdateStatus added in v0.11.0

func (c *StatusController) UpdateStatus(status *controlplane.NetworkPolicyStatus) error

Directories

Path Synopsis
Package testing is a generated GoMock package.
Package testing is a generated GoMock package.
