policy

package
v6.26.0+incompatible Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Jan 4, 2018 License: GPL-2.0 Imports: 6 Imported by: 25

Documentation

Overview

Package policy describes a generic interface for retrieving policies. Different implementations are possible for environments such as Kubernetes, Mesos or other custom environments. An implementation has to provide a method for retrieving policy based on the metadata associated with the container and deleting the policy when the container dies. It is up to the implementation to decide how to generate the policy. The package also defines the basic data structure for communicating policy information. The implementations are responsible for providing all the necessary data.

Index

Constants

View Source
const (
	// AllowAll allows everything for the specific PU.
	AllowAll = 0x1
	// Police filters on the PU based on the PolicyRules.
	Police = 0x2
)
View Source
const (
	// Equal is the equal operator
	Equal = "="
	// NotEqual is the not equal operator
	NotEqual = "=!"
	// KeyExists is the key=* operator
	KeyExists = "*"
	// KeyNotExists means that the key doesnt exist in the incoming tags
	KeyNotExists = "!*"
)
View Source
const (
	// DefaultNamespace is the default namespace for applying policy
	DefaultNamespace = "bridge"
)

Variables

This section is empty.

Functions

func ConvertServicesToPortList added in v1.0.63

func ConvertServicesToPortList(services []Service) string

ConvertServicesToPortList converts an array of services to a port list

func DefaultLogPrefix

func DefaultLogPrefix(contextID string) string

DefaultLogPrefix return the prefix used in nf-log action for default rule.

func EncodedStringToAction

func EncodedStringToAction(e string) (ActionType, ObserveActionType, error)

EncodedStringToAction returns action and observed action from encoded string.

Types

type ActionType added in v1.0.24

type ActionType byte

ActionType is the action that can be applied to a flow.

const (
	// Accept is the accept action
	Accept ActionType = 0x1
	// Reject is the reject  action
	Reject ActionType = 0x2
	// Encrypt instructs data to be encrypted
	Encrypt ActionType = 0x4
	// Log instructs the datapath to log the IP addresses
	Log ActionType = 0x8
	// Observe instructs the datapath to observe policy results
	Observe ActionType = 0x10
)

func (ActionType) Accepted added in v1.0.24

func (f ActionType) Accepted() bool

Accepted returns if the action mask contains the Accepted mask.

func (ActionType) ActionString added in v1.0.24

func (f ActionType) ActionString() string

ActionString returns if the action if accepted of rejected as a long string.

func (ActionType) Encrypted added in v1.0.24

func (f ActionType) Encrypted() bool

Encrypted returns if the action mask contains the Encrypted mask.

func (ActionType) Logged added in v1.0.24

func (f ActionType) Logged() bool

Logged returns if the action mask contains the Logged mask.

func (ActionType) Observed

func (f ActionType) Observed() bool

Observed returns if the action mask contains the Observed mask.

func (ActionType) Rejected added in v1.0.24

func (f ActionType) Rejected() bool

Rejected returns if the action mask contains the Rejected mask.

func (ActionType) String added in v1.0.24

func (f ActionType) String() string

type ExtendedMap added in v1.0.10

type ExtendedMap map[string]string

ExtendedMap is a common map with additional functions

func (ExtendedMap) Copy added in v1.0.10

func (s ExtendedMap) Copy() ExtendedMap

Copy copies an ExtendedMap

func (ExtendedMap) Get added in v1.0.10

func (s ExtendedMap) Get(key string) (string, bool)

Get does a lookup in the map

type FlowPolicy added in v1.0.24

type FlowPolicy struct {
	ObserveAction ObserveActionType
	Action        ActionType
	ServiceID     string
	PolicyID      string
}

FlowPolicy captures the policy for a particular flow

func (*FlowPolicy) EncodedActionString

func (f *FlowPolicy) EncodedActionString() string

EncodedActionString is used to encode observed action as well as action

func (*FlowPolicy) LogPrefix

func (f *FlowPolicy) LogPrefix(contextID string) string

LogPrefix is the prefix used in nf-log action. It must be less than

type IPRule

type IPRule struct {
	Address  string
	Port     string
	Protocol string
	Policy   *FlowPolicy
}

IPRule holds IP rules to external services

type IPRuleList

type IPRuleList []IPRule

IPRuleList is a list of IP rules

func (IPRuleList) Copy added in v1.0.10

func (l IPRuleList) Copy() IPRuleList

Copy creates a clone of the IP rule list

type KeyValueOperator

type KeyValueOperator struct {
	Key      string
	Value    []string
	Operator Operator
}

KeyValueOperator describes an individual matching rule

type ObserveActionType

type ObserveActionType byte

ObserveActionType is the action that can be applied to a flow for an observation rule.

const (
	// ObserveNone specifies if any observation was made or not.
	ObserveNone ObserveActionType = 0x0
	// ObserveContinue is used to not take any action on packet and is deferred to
	// an actual rule with accept or deny action.
	ObserveContinue ObserveActionType = 0x1
	// ObserveApply is used to apply action to packets hitting this rule.
	ObserveApply ObserveActionType = 0x2
)

Observe actions are used in conjunction with action.

func (ObserveActionType) ObserveApply

func (f ObserveActionType) ObserveApply() bool

ObserveApply returns if the action of observation rule is allow.

func (ObserveActionType) ObserveContinue

func (f ObserveActionType) ObserveContinue() bool

ObserveContinue returns if the action of observation rule is continue.

func (ObserveActionType) Observed

func (f ObserveActionType) Observed() bool

Observed returns true if any observed action was found.

func (ObserveActionType) String

func (f ObserveActionType) String() string

type Operator

type Operator string

Operator defines the operation between your key and value.

type OptionsType added in v1.0.63

type OptionsType struct {
	// CgroupName is the name of the cgroup
	CgroupName string

	// CgroupMark is the tag of the cgroup
	CgroupMark string

	// UserID is the user ID if it exists
	UserID string

	// Services is the list of services of interest
	Services []Service

	// ProxyPort is the port on which the proxy listens
	ProxyPort string

	// PolicyExtensions is policy resolution extensions
	PolicyExtensions interface{}
}

OptionsType is a set of options that can be passed with a policy request

type PUAction

type PUAction int

PUAction defines the action types that applies for a specific PU as a whole.

type PUInfo

type PUInfo struct {
	// ContextID is the ID of the container that the policy applies to
	ContextID string
	// Policy is an instantiation of the container policy
	Policy *PUPolicy
	// RunTime captures all data that are captured from the container
	Runtime *PURuntime
}

PUInfo captures all policy information related to a connection

func NewPUInfo

func NewPUInfo(contextID string, puType constants.PUType) *PUInfo

NewPUInfo instantiates a new ContainerPolicy

func PUInfoFromPolicyAndRuntime

func PUInfoFromPolicyAndRuntime(contextID string, policyInfo *PUPolicy, runtimeInfo *PURuntime) *PUInfo

PUInfoFromPolicyAndRuntime generates a ContainerInfo Struct from an existing RuntimeInfo and PolicyInfo

type PUPolicy

type PUPolicy struct {
	sync.Mutex
	// contains filtered or unexported fields
}

PUPolicy captures all policy information related ot the container

func NewPUPolicy

func NewPUPolicy(
	id string,
	action PUAction,
	appACLs IPRuleList,
	netACLs IPRuleList,
	txtags TagSelectorList,
	rxtags TagSelectorList,
	identity *TagStore,
	annotations *TagStore,
	ips ExtendedMap,
	triremeNetworks []string,
	excludedNetworks []string,
	proxiedServices *ProxiedServicesInfo,
) *PUPolicy

NewPUPolicy generates a new ContainerPolicyInfo appACLs are the ACLs for packet coming from the Application/PU to the Network. netACLs are the ACLs for packet coming from the Network to the Application/PU.

func NewPUPolicyWithDefaults

func NewPUPolicyWithDefaults() *PUPolicy

NewPUPolicyWithDefaults sets up a PU policy with defaults

func (*PUPolicy) AddIdentityTag

func (p *PUPolicy) AddIdentityTag(k, v string)

AddIdentityTag adds a policy tag

func (*PUPolicy) AddReceiverRules

func (p *PUPolicy) AddReceiverRules(t TagSelector)

AddReceiverRules adds a receiver rule

func (*PUPolicy) AddTransmitterRules

func (p *PUPolicy) AddTransmitterRules(t TagSelector)

AddTransmitterRules adds a transmitter rule

func (*PUPolicy) Annotations

func (p *PUPolicy) Annotations() *TagStore

Annotations returns a copy of the annotations

func (*PUPolicy) ApplicationACLs

func (p *PUPolicy) ApplicationACLs() IPRuleList

ApplicationACLs returns a copy of IPRuleList

func (*PUPolicy) Clone

func (p *PUPolicy) Clone() *PUPolicy

Clone returns a copy of the policy

func (*PUPolicy) DefaultIPAddress

func (p *PUPolicy) DefaultIPAddress() (string, bool)

DefaultIPAddress returns the default IP address for the processing unit

func (*PUPolicy) ExcludedNetworks

func (p *PUPolicy) ExcludedNetworks() []string

ExcludedNetworks returns the list of excluded networks.

func (*PUPolicy) IPAddresses

func (p *PUPolicy) IPAddresses() ExtendedMap

IPAddresses returns all the IP addresses for the processing unit

func (*PUPolicy) Identity

func (p *PUPolicy) Identity() *TagStore

Identity returns a copy of the Identity

func (*PUPolicy) ManagementID

func (p *PUPolicy) ManagementID() string

ManagementID returns the management ID

func (*PUPolicy) NetworkACLs

func (p *PUPolicy) NetworkACLs() IPRuleList

NetworkACLs returns a copy of IPRuleList

func (*PUPolicy) ProxiedServices

func (p *PUPolicy) ProxiedServices() *ProxiedServicesInfo

ProxiedServices returns the list of networks that Trireme must be applied

func (*PUPolicy) ReceiverRules

func (p *PUPolicy) ReceiverRules() TagSelectorList

ReceiverRules returns a copy of TagSelectorList

func (*PUPolicy) SetIPAddresses

func (p *PUPolicy) SetIPAddresses(l ExtendedMap)

SetIPAddresses sets the IP addresses for the processing unit

func (*PUPolicy) SetTriremeAction added in v1.0.10

func (p *PUPolicy) SetTriremeAction(action PUAction)

SetTriremeAction returns the TriremeAction

func (*PUPolicy) TransmitterRules

func (p *PUPolicy) TransmitterRules() TagSelectorList

TransmitterRules returns a copy of TagSelectorList

func (*PUPolicy) TriremeAction

func (p *PUPolicy) TriremeAction() PUAction

TriremeAction returns the TriremeAction

func (*PUPolicy) TriremeNetworks

func (p *PUPolicy) TriremeNetworks() []string

TriremeNetworks returns the list of networks that Trireme must be applied

func (*PUPolicy) UpdateExcludedNetworks

func (p *PUPolicy) UpdateExcludedNetworks(networks []string)

UpdateExcludedNetworks updates the list of excluded networks.

func (*PUPolicy) UpdateTriremeNetworks

func (p *PUPolicy) UpdateTriremeNetworks(networks []string)

UpdateTriremeNetworks updates the set of networks for trireme

type PURuntime

type PURuntime struct {

	// GlobalLock is used by Trireme to make sure that two operations do not
	// get interleaved for the same container.
	GlobalLock *sync.Mutex

	sync.Mutex
	// contains filtered or unexported fields
}

PURuntime holds all data related to the status of the container run time

func NewPURuntime

func NewPURuntime(name string, pid int, nsPath string, tags *TagStore, ips ExtendedMap, puType constants.PUType, options *OptionsType) *PURuntime

NewPURuntime Generate a new RuntimeInfo

func NewPURuntimeWithDefaults

func NewPURuntimeWithDefaults() *PURuntime

NewPURuntimeWithDefaults sets up PURuntime with defaults

func (*PURuntime) Clone

func (r *PURuntime) Clone() *PURuntime

Clone returns a copy of the policy

func (*PURuntime) DefaultIPAddress

func (r *PURuntime) DefaultIPAddress() (string, bool)

DefaultIPAddress returns the default IP address for the processing unit

func (*PURuntime) IPAddresses

func (r *PURuntime) IPAddresses() ExtendedMap

IPAddresses returns all the IP addresses for the processing unit

func (*PURuntime) MarshalJSON

func (r *PURuntime) MarshalJSON() ([]byte, error)

MarshalJSON Marshals this struct.

func (*PURuntime) NSPath added in v1.0.46

func (r *PURuntime) NSPath() string

NSPath returns the NSPath

func (*PURuntime) Name

func (r *PURuntime) Name() string

Name returns the PID

func (*PURuntime) Options

func (r *PURuntime) Options() OptionsType

Options returns tags for the processing unit

func (*PURuntime) PUType

func (r *PURuntime) PUType() constants.PUType

PUType returns the PU type

func (*PURuntime) Pid

func (r *PURuntime) Pid() int

Pid returns the PID

func (*PURuntime) SetIPAddresses

func (r *PURuntime) SetIPAddresses(ipa ExtendedMap)

SetIPAddresses sets up all the IP addresses for the processing unit

func (*PURuntime) SetNSPath added in v1.0.46

func (r *PURuntime) SetNSPath(nsPath string)

SetNSPath sets the NSPath

func (*PURuntime) SetOptions

func (r *PURuntime) SetOptions(options OptionsType)

SetOptions sets the Options

func (*PURuntime) SetPUType added in v1.0.3

func (r *PURuntime) SetPUType(puType constants.PUType)

SetPUType sets the PU Type

func (*PURuntime) SetPid

func (r *PURuntime) SetPid(pid int)

SetPid sets the PID

func (*PURuntime) SetTags

func (r *PURuntime) SetTags(t *TagStore)

SetTags returns tags for the processing unit

func (*PURuntime) Tag

func (r *PURuntime) Tag(key string) (string, bool)

Tag returns a specific tag for the processing unit

func (*PURuntime) Tags

func (r *PURuntime) Tags() *TagStore

Tags returns tags for the processing unit

func (*PURuntime) UnmarshalJSON

func (r *PURuntime) UnmarshalJSON(param []byte) error

UnmarshalJSON Unmarshals this struct.

type PURuntimeJSON

type PURuntimeJSON struct {
	// PUType is the type of the PU
	PUType constants.PUType
	// Pid holds the value of the first process of the container
	Pid int
	// NSPath is the path to the networking namespace for this PURuntime if applicable.
	NSPath string
	// Name is the name of the container
	Name string
	// IPAddress is the IP Address of the container
	IPAddresses ExtendedMap
	// Tags is a map of the metadata of the container
	Tags *TagStore
	// Options is a map of the options of the container
	Options *OptionsType
}

PURuntimeJSON is a Json representation of PURuntime

type ProxiedServicesInfo

type ProxiedServicesInfo struct {
	// PublicIPPortPair  is an array public ip,port  of load balancer or passthrough object per pu
	PublicIPPortPair []string
	// PrivateIPPortPair is an array of private ip,port of load balancer or passthrough object per pu
	PrivateIPPortPair []string
}

ProxiedServicesInfo holds the info for a proxied service.

func (*ProxiedServicesInfo) AddPrivateIPPortPair

func (p *ProxiedServicesInfo) AddPrivateIPPortPair(ipportpair string)

AddPrivateIPPortPair adds a private ip port pair

func (*ProxiedServicesInfo) AddPublicIPPortPair

func (p *ProxiedServicesInfo) AddPublicIPPortPair(ipportpair string)

AddPublicIPPortPair add a ip port pair to proxied services

type RuntimeReader

type RuntimeReader interface {

	// Pid returns the Pid of the Runtime.
	Pid() int

	// Name returns the process name of the Runtime.
	Name() string

	// Tag returns  the value of the given tag.
	Tag(string) (string, bool)

	// Tags returns a copy of the list of the tags.
	Tags() *TagStore

	// Options returns a copy of the list of options.
	Options() OptionsType

	// DefaultIPAddress retutns the default IP address.
	DefaultIPAddress() (string, bool)

	// IPAddresses returns a copy of all the IP addresses.
	IPAddresses() ExtendedMap

	// Returns the PUType for the PU
	PUType() constants.PUType
}

A RuntimeReader allows to get the specific parameters stored in the Runtime

type Service added in v1.0.63

type Service struct {
	// Protocol is the protocol number
	Protocol uint8

	// Port is the target port
	Port uint16
}

Service is a protocol/port service of interest - used to pass user requests

type TagSelector

type TagSelector struct {
	Clause []KeyValueOperator
	Policy *FlowPolicy
}

TagSelector info describes a tag selector key Operator value

type TagSelectorList

type TagSelectorList []TagSelector

TagSelectorList defines a list of TagSelectors

func (TagSelectorList) Copy added in v1.0.10

Copy returns a copy of the TagSelectorList

type TagStore added in v1.0.10

type TagStore struct {
	Tags []string
}

TagStore stores the tags - it allows duplicate key values

func NewTagStore added in v1.0.10

func NewTagStore() *TagStore

NewTagStore creates a new TagStore

func NewTagStoreFromMap added in v1.0.10

func NewTagStoreFromMap(tags map[string]string) *TagStore

NewTagStoreFromMap creates a tag store from an input map

func (*TagStore) AppendKeyValue added in v1.0.10

func (t *TagStore) AppendKeyValue(key, value string)

AppendKeyValue appends a key and value to the tag store

func (*TagStore) Copy added in v1.0.10

func (t *TagStore) Copy() *TagStore

Copy copies a TagStore

func (*TagStore) Get added in v1.0.10

func (t *TagStore) Get(key string) (string, bool)

Get does a lookup in the list of tags

func (*TagStore) GetSlice added in v1.0.10

func (t *TagStore) GetSlice() []string

GetSlice returns the tagstore as a slice

func (*TagStore) Merge

func (t *TagStore) Merge(m *TagStore) (merged int)

Merge merges tags from m into native tag store. if the key exists, the provided tag from m is ignored.

func (*TagStore) String

func (t *TagStore) String() string

String provides a string representation of tag store.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL