netpol

package
v1.21.0-rc.0 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Mar 26, 2021 License: Apache-2.0 Imports: 28 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddPodLabels

func AddPodLabels(k8s *kubeManager, pod *Pod, newPodLabels map[string]string)

AddPodLabels adds new labels to a deployment's template

func CheckSCTPModuleLoadedOnNodes

func CheckSCTPModuleLoadedOnNodes(f *framework.Framework, nodes *v1.NodeList) bool

CheckSCTPModuleLoadedOnNodes checks whether any node on the list has the sctp.ko module loaded For security reasons, and also to allow clusters to use userspace SCTP implementations, we require that just creating an SCTP Pod/Service/NetworkPolicy must not do anything that would cause the sctp kernel module to be loaded.

func CreatePolicy

func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

CreatePolicy creates a policy in the given namespace

func GetAllowEgress

func GetAllowEgress() *networkingv1.NetworkPolicy

GetAllowEgress allows all egress

func GetAllowEgressByCIDR

func GetAllowEgressByCIDR(podname string, podserverCIDR string) *networkingv1.NetworkPolicy

GetAllowEgressByCIDR creates an egress netpol with an ipblock

func GetAllowEgressByCIDRExcept

func GetAllowEgressByCIDRExcept(podname string, podserverCIDR string, except []string) *networkingv1.NetworkPolicy

GetAllowEgressByCIDRExcept creates an egress netpol with an ipblock and except

func GetAllowEgressByNamespaceAndPod

func GetAllowEgressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowEgressByNamespaceAndPod allows egress for pods with matching namespace AND pod labels

func GetAllowEgressByPort

func GetAllowEgressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy

GetAllowEgressByPort allows egress by port

func GetAllowEgressForTarget

func GetAllowEgressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowEgressForTarget allows all egress for a target

func GetAllowIngress

func GetAllowIngress(name string) *networkingv1.NetworkPolicy

GetAllowIngress allows all ingress

func GetAllowIngressByAnyPod

func GetAllowIngressByAnyPod(name string, targetLabels map[string]string, peersLabel []map[string]string) *networkingv1.NetworkPolicy

GetAllowIngressByAnyPod allows ingress for pods with matching multiple pod labels

func GetAllowIngressByNamespace

func GetAllowIngressByNamespace(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByNamespace allows ingress for namespace

func GetAllowIngressByNamespaceAndPod

func GetAllowIngressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByNamespaceAndPod allows ingress for pods with matching namespace AND pod labels

func GetAllowIngressByNamespaceAndPort

func GetAllowIngressByNamespaceAndPort(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, port *intstr.IntOrString, protocol *v1.Protocol) *networkingv1.NetworkPolicy

GetAllowIngressByNamespaceAndPort allows ingress for namespace AND port AND protocol

func GetAllowIngressByNamespaceOrPod

func GetAllowIngressByNamespaceOrPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByNamespaceOrPod allows ingress for pods with matching namespace OR pod labels

func GetAllowIngressByPod

func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByPod allows ingress by pod labels

func GetAllowIngressByPort

func GetAllowIngressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy

GetAllowIngressByPort allows ingress by port

func GetAllowIngressByProtocol

func GetAllowIngressByProtocol(name string, targetLabels map[string]string, protocol *v1.Protocol) *networkingv1.NetworkPolicy

GetAllowIngressByProtocol allows ingress for any ports on a specific protocol.

func GetAllowIngressForTarget

func GetAllowIngressForTarget(name string, targetLabels map[string]string) *networkingv1.NetworkPolicy

GetAllowIngressForTarget allows ingress for target

func GetAllowIngressOnProtocolByPort

func GetAllowIngressOnProtocolByPort(name string, protocol v1.Protocol, targetLabels map[string]string, portNum *intstr.IntOrString) *networkingv1.NetworkPolicy

GetAllowIngressOnProtocolByPort is a base network policy template which distinguishes between the types of v1.Protocol available in v1 core

func GetDenyAll

func GetDenyAll(name string) *networkingv1.NetworkPolicy

GetDenyAll denies ingress traffic, AS WELL as egress traffic. - BOTH policy types must be specified - The Egress rule must (like the ingress default rule) be a array with 0 values.

func GetDenyAllWithEgressDNS

func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy

GetDenyAllWithEgressDNS deny all egress traffic, besides DNS/UDP port

func GetDenyEgress

func GetDenyEgress(name string) *networkingv1.NetworkPolicy

GetDenyEgress returns a default deny egress policy.

func GetDenyEgressForTarget

func GetDenyEgressForTarget(name string, targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy

GetDenyEgressForTarget returns a default deny egress policy.

func GetDenyIngress

func GetDenyIngress(name string) *networkingv1.NetworkPolicy

GetDenyIngress returns a default deny ingress policy.

func GetDenyIngressEmptyPeerSelector

func GetDenyIngressEmptyPeerSelector(name string) *networkingv1.NetworkPolicy

GetDenyIngressEmptyPeerSelector returns a default ingress deny policy using empty Peer selector.

func GetDenyIngressForTarget

func GetDenyIngressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy

GetDenyIngressForTarget denies all ingress for target

func GetRandomIngressPolicies

func GetRandomIngressPolicies(num int) []*networkingv1.NetworkPolicy

GetRandomIngressPolicies returns "num" random policies that allow a unique:n label, i.e. unique:1, unique:2, and so on. Used for creating a 'background' set of policies.

func ProbePodToPodConnectivity

func ProbePodToPodConnectivity(k8s *kubeManager, model *Model, testCase *TestCase)

ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`

func ResetNamespaceLabels

func ResetNamespaceLabels(k8s *kubeManager, ns string)

ResetNamespaceLabels resets the labels for a namespace

func ResetPodLabels

func ResetPodLabels(k8s *kubeManager, pod *Pod)

ResetPodLabels resets the labels for a deployment's template

func UpdateNamespaceLabels

func UpdateNamespaceLabels(k8s *kubeManager, ns string, newNsLabel map[string]string)

UpdateNamespaceLabels sets the labels for a namespace

func UpdatePolicy

func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

UpdatePolicy updates a networkpolicy

func ValidateOrFail

func ValidateOrFail(k8s *kubeManager, model *Model, testCase *TestCase)

ValidateOrFail validates connectivity

Types

type Container

type Container struct {
	Port     int32
	Protocol v1.Protocol
}

Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details

func (*Container) Name

func (c *Container) Name() string

Name returns the container name

func (*Container) PortName

func (c *Container) PortName() string

PortName returns the container port name

func (*Container) Spec

func (c *Container) Spec() v1.Container

Spec returns the kube container spec

type Model

type Model struct {
	Namespaces []*Namespace

	// the raw data
	NamespaceNames []string
	PodNames       []string
	Ports          []int32
	Protocols      []v1.Protocol
	DNSDomain      string
	// contains filtered or unexported fields
}

Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth

func NewModel

func NewModel(namespaces []string, podNames []string, ports []int32, protocols []v1.Protocol, dnsDomain string) *Model

NewModel instantiates a model based on: - namespaces - pods - ports to listen on - protocols to listen on The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.

func (*Model) AllPodStrings

func (m *Model) AllPodStrings() []PodString

AllPodStrings returns a slice of all pod strings

func (*Model) AllPods

func (m *Model) AllPods() []*Pod

AllPods returns a slice of all pods

func (*Model) FindPod

func (m *Model) FindPod(ns string, name string) (*Pod, error)

FindPod returns the pod of matching namespace and name, or an error

func (*Model) NewReachability

func (m *Model) NewReachability() *Reachability

NewReachability instantiates a default-true reachability from the model's pods

type Namespace

type Namespace struct {
	Name string
	Pods []*Pod
}

Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details

func (*Namespace) LabelSelector

func (ns *Namespace) LabelSelector() map[string]string

LabelSelector returns the default labels that should be placed on a namespace in order for it to be uniquely selectable by label selectors

func (*Namespace) Spec

func (ns *Namespace) Spec() *v1.Namespace

Spec builds a kubernetes namespace spec

type Peer

type Peer struct {
	Namespace string
	Pod       string
}

Peer is used for matching pods by either or both of the pod's namespace and name.

func (*Peer) Matches

func (p *Peer) Matches(pod PodString) bool

Matches checks whether the Peer matches the PodString: - an empty namespace means the namespace will always match - otherwise, the namespace must match the PodString's namespace - same goes for Pod: empty matches everything, otherwise must match exactly

type Pod

type Pod struct {
	Namespace  string
	Name       string
	Containers []*Container
}

Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details

func (*Pod) ContainerSpecs

func (p *Pod) ContainerSpecs() []v1.Container

ContainerSpecs builds kubernetes container specs for the pod

func (*Pod) KubePod

func (p *Pod) KubePod() *v1.Pod

KubePod returns the kube pod

func (*Pod) LabelSelector

func (p *Pod) LabelSelector() map[string]string

LabelSelector returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors

func (*Pod) PodString

func (p *Pod) PodString() PodString

PodString returns a corresponding pod string

func (*Pod) QualifiedServiceAddress

func (p *Pod) QualifiedServiceAddress(dnsDomain string) string

QualifiedServiceAddress returns the address that can be used to hit a service from any namespace in the cluster

func (*Pod) Service

func (p *Pod) Service() *v1.Service

Service returns a kube service spec

func (*Pod) ServiceName

func (p *Pod) ServiceName() string

ServiceName returns the unqualified service name

type PodString

type PodString string

PodString represents a namespace 'x' + pod 'a' as "x/a".

func NewPodString

func NewPodString(namespace string, podName string) PodString

NewPodString instantiates a PodString from the given namespace and name.

func (PodString) Namespace

func (pod PodString) Namespace() string

Namespace extracts the namespace

func (PodString) PodName

func (pod PodString) PodName() string

PodName extracts the pod name

func (PodString) String

func (pod PodString) String() string

String converts back to a string

type ProbeJob

type ProbeJob struct {
	PodFrom        *Pod
	PodTo          *Pod
	ToPort         int
	ToPodDNSDomain string
	Protocol       v1.Protocol
}

ProbeJob packages the data for the input of a pod->pod connectivity probe

type ProbeJobResults

type ProbeJobResults struct {
	Job         *ProbeJob
	IsConnected bool
	Err         error
	Command     string
}

ProbeJobResults packages the data for the results of a pod->pod connectivity probe

type Reachability

type Reachability struct {
	Expected *TruthTable
	Observed *TruthTable
	Pods     []*Pod
}

Reachability packages the data for a cluster-wide connectivity probe

func NewReachability

func NewReachability(pods []*Pod, defaultExpectation bool) *Reachability

NewReachability instantiates a reachability

func (*Reachability) AllowLoopback

func (r *Reachability) AllowLoopback()

AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules since loopback logic follows no policy.

func (*Reachability) Expect

func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)

Expect sets the expected value for a single observation

func (*Reachability) ExpectAllEgress

func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)

ExpectAllEgress defines that any traffic going out of the pod will be allowed/denied (true/false)

func (*Reachability) ExpectAllIngress

func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)

ExpectAllIngress defines that any traffic going into the pod will be allowed/denied (true/false)

func (*Reachability) ExpectPeer

func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)

ExpectPeer sets expected values using Peer matchers

func (*Reachability) Observe

func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)

Observe records a single connectivity observation

func (*Reachability) PrintSummary

func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)

PrintSummary prints the summary

func (*Reachability) Summary

func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)

Summary produces a useful summary of expected and observed data

type TestCase

type TestCase struct {
	ToPort       int
	Protocol     v1.Protocol
	Reachability *Reachability
}

TestCase describes the data for a netpol test

type TruthTable

type TruthTable struct {
	Froms []string
	Tos   []string

	Values map[string]map[string]bool
	// contains filtered or unexported fields
}

TruthTable takes in n items and maintains an n x n table of booleans for each ordered pair

func NewTruthTable

func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable

NewTruthTable creates a new truth table with froms and tos

func NewTruthTableFromItems

func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable

NewTruthTableFromItems creates a new truth table with items

func (*TruthTable) Compare

func (tt *TruthTable) Compare(other *TruthTable) *TruthTable

Compare is used to check two truth tables for equality, returning its result in the form of a third truth table. Both tables are expected to have identical items.

func (*TruthTable) Get

func (tt *TruthTable) Get(from string, to string) bool

Get gets the specified value

func (*TruthTable) IsComplete

func (tt *TruthTable) IsComplete() bool

IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.

func (*TruthTable) PrettyPrint

func (tt *TruthTable) PrettyPrint(indent string) string

PrettyPrint produces a nice visual representation.

func (*TruthTable) Set

func (tt *TruthTable) Set(from string, to string, value bool)

Set sets the value for from->to

func (*TruthTable) SetAllFrom

func (tt *TruthTable) SetAllFrom(from string, value bool)

SetAllFrom sets all values where from = 'from'

func (*TruthTable) SetAllTo

func (tt *TruthTable) SetAllTo(to string, value bool)

SetAllTo sets all values where to = 'to'

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL