Index ¶
- Constants
- func AddInpodMarkIPRule(cfg *IptablesConfig) error
- func AddLoopbackRoutes(cfg *IptablesConfig) error
- func DelInpodMarkIPRule(cfg *IptablesConfig) error
- func DelLoopbackRoutes(cfg *IptablesConfig) error
- func NewIptablesConfigurator(hostCfg *IptablesConfig, podCfg *IptablesConfig, hostDeps dep.Dependencies, ...) (*IptablesConfigurator, *IptablesConfigurator, error)
- func ReadSysctl(key string) (string, error)
- type IptablesConfig
- type IptablesConfigurator
- func (cfg *IptablesConfigurator) AppendHostRules() *builder.IptablesRuleBuilder
- func (cfg *IptablesConfigurator) AppendInpodRules(podOverrides PodLevelOverrides) *builder.IptablesRuleBuilder
- func (cfg *IptablesConfigurator) CreateHostRulesForHealthChecks() error
- func (cfg *IptablesConfigurator) CreateInpodRules(log *istiolog.Scope, podOverrides PodLevelOverrides) error
- func (cfg *IptablesConfigurator) DeleteHostRules()
- func (cfg *IptablesConfigurator) DeleteInpodRules(log *istiolog.Scope) error
- type NetlinkDependencies
- type PodLevelOverrides
Constants ¶
const (
	// INPOD marks/masks
	//
	// Packet marks and the masks they are compared/applied under. Each mask is
	// the set of bits the corresponding mark is allowed to occupy, so a mark
	// value must fit inside its mask (0x111 and 1337 = 0x539 both fit in 0xfff).
	// NOTE(review): how each mark is consumed by the rules is not visible on
	// this page — confirm against AppendInpodRules / AppendHostRules.
	InpodTProxyMark = 0x111
	InpodTProxyMask = 0xfff
	InpodMark       = 1337 // this needs to match the inpod config mark in ztunnel.
	InpodMask       = 0xfff
	// Full-width mask; presumably used when a saved mark is restored onto the packet — verify.
	InpodRestoreMask = 0xffffffff

	// Names of the custom chains these rules are installed into. Delete*/Create*
	// methods on IptablesConfigurator presumably key on these names — verify.
	ChainInpodOutput     = "ISTIO_OUTPUT"
	ChainInpodPrerouting = "ISTIO_PRERT"
	ChainHostPostrouting = "ISTIO_POSTRT"

	// Policy-routing table number used for inbound traffic (see AddLoopbackRoutes / AddInpodMarkIPRule).
	RouteTableInbound = 100

	// Well-known ports. DNSCapturePort is where DNS is redirected when
	// IptablesConfig.RedirectDNS is set; the Ztunnel* ports are the ztunnel
	// listeners traffic is redirected to (inferred from the names — confirm).
	DNSCapturePort              = 15053
	ZtunnelInboundPort          = 15008
	ZtunnelOutboundPort         = 15001
	ZtunnelInboundPlaintextPort = 15006

	// Name of the ipset referenced by the in-pod probe rules; presumably holds
	// the node-level health-check source addresses — verify against
	// CreateHostRulesForHealthChecks.
	ProbeIPSet = "istio-inpod-probes"
)
Variables ¶
This section is empty.
Functions ¶
func AddInpodMarkIPRule ¶
func AddInpodMarkIPRule(cfg *IptablesConfig) error
func AddLoopbackRoutes ¶
func AddLoopbackRoutes(cfg *IptablesConfig) error
func DelInpodMarkIPRule ¶
func DelInpodMarkIPRule(cfg *IptablesConfig) error
func DelLoopbackRoutes ¶
func DelLoopbackRoutes(cfg *IptablesConfig) error
func NewIptablesConfigurator ¶
func NewIptablesConfigurator( hostCfg *IptablesConfig, podCfg *IptablesConfig, hostDeps dep.Dependencies, podDeps dep.Dependencies, nlDeps NetlinkDependencies, ) (*IptablesConfigurator, *IptablesConfigurator, error)
func ReadSysctl ¶
Types ¶
type IptablesConfig ¶
// IptablesConfig is the "global"/per-instance configuration consumed by
// NewIptablesConfigurator and the Netlink helpers (AddInpodMarkIPRule etc.).
// The json tags give the key each field is read under; the source of that
// JSON (env, file, CNI args) is not visible on this page — confirm in the caller.
type IptablesConfig struct {
	// Emit trace-level logging of the generated rules.
	TraceLogging bool `json:"IPTABLES_TRACE_LOGGING"`
	// Also generate the IPv6 (ip6tables) rule set.
	EnableIPv6 bool `json:"ENABLE_INBOUND_IPV6"`
	// Redirect DNS traffic (presumably to DNSCapturePort — verify).
	RedirectDNS bool `json:"REDIRECT_DNS"`
	// Source address that host-originated probes are SNATed to so they can be
	// told apart from other node traffic (IPv4 / IPv6). A zero netip.Addr is
	// not obviously rejected here — NOTE(review): confirm the constructor validates it.
	HostProbeSNATAddress   netip.Addr `json:"HOST_PROBE_SNAT_ADDRESS"`
	HostProbeV6SNATAddress netip.Addr `json:"HOST_PROBE_V6_SNAT_ADDRESS"`
	// Reconcile existing rules rather than assuming a clean namespace.
	Reconcile bool `json:"RECONCILE"`
	// Only remove rules; do not install any.
	CleanupOnly bool `json:"CLEANUP_ONLY"`
	// Apply rules even if they appear to be present already (inferred from the name — confirm).
	ForceApply bool `json:"FORCE_APPLY"`
}
IptablesConfig holds the "global"/per-instance iptables configuration.
type IptablesConfigurator ¶
// IptablesConfigurator installs and removes the host-side and in-pod rule
// sets (AppendHostRules/CreateHostRulesForHealthChecks/DeleteHostRules and
// AppendInpodRules/CreateInpodRules/DeleteInpodRules). Instances are created
// in pairs by NewIptablesConfigurator, one per network namespace; the
// Create* methods document which namespace they must run in.
type IptablesConfigurator struct {
// contains filtered or unexported fields
}
func (*IptablesConfigurator) AppendHostRules ¶
func (cfg *IptablesConfigurator) AppendHostRules() *builder.IptablesRuleBuilder
func (*IptablesConfigurator) AppendInpodRules ¶
func (cfg *IptablesConfigurator) AppendInpodRules(podOverrides PodLevelOverrides) *builder.IptablesRuleBuilder
func (*IptablesConfigurator) CreateHostRulesForHealthChecks ¶
func (cfg *IptablesConfigurator) CreateHostRulesForHealthChecks() error
Sets up iptables rules for the HOST network namespace. Ideally this should be an idempotent function. NOTE that this expects to be run from within the HOST network namespace!
We need to do this specifically to be able to distinguish between traffic coming from different node-level processes via the nodeIP: kubelet (node-local healthchecks, which we do not capture) versus kube-proxy (forwarded/proxied traffic from LoadBalancer-backed services, potentially with public IPs, which we must capture).
func (*IptablesConfigurator) CreateInpodRules ¶
func (cfg *IptablesConfigurator) CreateInpodRules(log *istiolog.Scope, podOverrides PodLevelOverrides) error
Sets up iptables rules for in-pod mode. Ideally this should be an idempotent function. NOTE that this expects to be run from within the pod network namespace!
func (*IptablesConfigurator) DeleteHostRules ¶
func (cfg *IptablesConfigurator) DeleteHostRules()
func (*IptablesConfigurator) DeleteInpodRules ¶
func (cfg *IptablesConfigurator) DeleteInpodRules(log *istiolog.Scope) error
type NetlinkDependencies ¶
// NetlinkDependencies abstracts the netlink (ip rule / ip route) operations
// that accompany the iptables rules, so they can be swapped out: RealNlDeps
// returns the implementation backed by the package-level AddInpodMarkIPRule,
// DelInpodMarkIPRule, AddLoopbackRoutes and DelLoopbackRoutes (presumably —
// confirm), and EmptyNlDeps returns a no-op variant for tests/dry runs.
// Each Add* has a matching Del* so that cleanup can undo exactly what setup did.
type NetlinkDependencies interface {
	AddInpodMarkIPRule(cfg *IptablesConfig) error
	DelInpodMarkIPRule(cfg *IptablesConfig) error
	AddLoopbackRoutes(cfg *IptablesConfig) error
	DelLoopbackRoutes(cfg *IptablesConfig) error
}
func EmptyNlDeps ¶
func EmptyNlDeps() NetlinkDependencies
func RealNlDeps ¶
func RealNlDeps() NetlinkDependencies
type PodLevelOverrides ¶
PodLevelOverrides holds, for inpod rules, any runtime/dynamic pod-level config overrides that may need to be taken into account when injecting pod rules.