Documentation ¶
Index ¶
- func AddPodLabels(k8s *kubeManager, pod *Pod, newPodLabels map[string]string)
- func CheckSCTPModuleLoadedOnNodes(f *framework.Framework, nodes *v1.NodeList) bool
- func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
- func GetAllowEgress() *networkingv1.NetworkPolicy
- func GetAllowEgressByCIDR(podname string, podserverCIDR string) *networkingv1.NetworkPolicy
- func GetAllowEgressByCIDRExcept(podname string, podserverCIDR string, except []string) *networkingv1.NetworkPolicy
- func GetAllowEgressByNamespaceAndPod(name string, targetLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func GetAllowEgressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy
- func GetAllowEgressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy
- func GetAllowIngress(name string) *networkingv1.NetworkPolicy
- func GetAllowIngressByAnyPod(name string, targetLabels map[string]string, peersLabel []map[string]string) *networkingv1.NetworkPolicy
- func GetAllowIngressByNamespace(name string, targetLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func GetAllowIngressByNamespaceAndPod(name string, targetLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func GetAllowIngressByNamespaceAndPort(name string, targetLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func GetAllowIngressByNamespaceOrPod(name string, targetLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func GetAllowIngressByPod(name string, targetLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func GetAllowIngressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy
- func GetAllowIngressByProtocol(name string, targetLabels map[string]string, protocol *v1.Protocol) *networkingv1.NetworkPolicy
- func GetAllowIngressForTarget(name string, targetLabels map[string]string) *networkingv1.NetworkPolicy
- func GetAllowIngressOnProtocolByPort(name string, protocol v1.Protocol, targetLabels map[string]string, ...) *networkingv1.NetworkPolicy
- func GetDenyAll(name string) *networkingv1.NetworkPolicy
- func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy
- func GetDenyEgress(name string) *networkingv1.NetworkPolicy
- func GetDenyEgressForTarget(name string, targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy
- func GetDenyIngress(name string) *networkingv1.NetworkPolicy
- func GetDenyIngressEmptyPeerSelector(name string) *networkingv1.NetworkPolicy
- func GetDenyIngressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy
- func GetRandomIngressPolicies(num int) []*networkingv1.NetworkPolicy
- func ProbePodToPodConnectivity(k8s *kubeManager, model *Model, testCase *TestCase)
- func ResetNamespaceLabels(k8s *kubeManager, ns string)
- func ResetPodLabels(k8s *kubeManager, pod *Pod)
- func UpdateNamespaceLabels(k8s *kubeManager, ns string, newNsLabel map[string]string)
- func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
- func ValidateOrFail(k8s *kubeManager, model *Model, testCase *TestCase)
- type Container
- type Model
- type Namespace
- type Peer
- type Pod
- type PodString
- type ProbeJob
- type ProbeJobResults
- type Reachability
- func (r *Reachability) AllowLoopback()
- func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)
- func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)
- func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)
- func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)
- func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)
- func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)
- func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)
- type TestCase
- type TruthTable
- func (tt *TruthTable) Compare(other *TruthTable) *TruthTable
- func (tt *TruthTable) Get(from string, to string) bool
- func (tt *TruthTable) IsComplete() bool
- func (tt *TruthTable) PrettyPrint(indent string) string
- func (tt *TruthTable) Set(from string, to string, value bool)
- func (tt *TruthTable) SetAllFrom(from string, value bool)
- func (tt *TruthTable) SetAllTo(to string, value bool)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddPodLabels ¶
AddPodLabels adds new labels to a deployment's template
func CheckSCTPModuleLoadedOnNodes ¶
CheckSCTPModuleLoadedOnNodes checks whether any node in the list has the sctp.ko module loaded. For security reasons, and also to allow clusters to use userspace SCTP implementations, we require that merely creating an SCTP Pod, Service or NetworkPolicy must not do anything that would cause the sctp kernel module to be loaded.
func CreatePolicy ¶
func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
CreatePolicy creates a policy in the given namespace
func GetAllowEgress ¶
func GetAllowEgress() *networkingv1.NetworkPolicy
GetAllowEgress allows all egress
func GetAllowEgressByCIDR ¶
func GetAllowEgressByCIDR(podname string, podserverCIDR string) *networkingv1.NetworkPolicy
GetAllowEgressByCIDR creates an egress netpol with an ipblock
func GetAllowEgressByCIDRExcept ¶
func GetAllowEgressByCIDRExcept(podname string, podserverCIDR string, except []string) *networkingv1.NetworkPolicy
GetAllowEgressByCIDRExcept creates an egress netpol with an ipblock and except
func GetAllowEgressByNamespaceAndPod ¶
func GetAllowEgressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy
GetAllowEgressByNamespaceAndPod allows egress for pods with matching namespace AND pod labels
func GetAllowEgressByPort ¶
func GetAllowEgressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy
GetAllowEgressByPort allows egress by port
func GetAllowEgressForTarget ¶
func GetAllowEgressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy
GetAllowEgressForTarget allows all egress for a target
func GetAllowIngress ¶
func GetAllowIngress(name string) *networkingv1.NetworkPolicy
GetAllowIngress allows all ingress
func GetAllowIngressByAnyPod ¶
func GetAllowIngressByAnyPod(name string, targetLabels map[string]string, peersLabel []map[string]string) *networkingv1.NetworkPolicy
GetAllowIngressByAnyPod allows ingress from peers matching any of the given pod label sets
func GetAllowIngressByNamespace ¶
func GetAllowIngressByNamespace(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy
GetAllowIngressByNamespace allows ingress for namespace
func GetAllowIngressByNamespaceAndPod ¶
func GetAllowIngressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy
GetAllowIngressByNamespaceAndPod allows ingress for pods with matching namespace AND pod labels
func GetAllowIngressByNamespaceAndPort ¶
func GetAllowIngressByNamespaceAndPort(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, port *intstr.IntOrString, protocol *v1.Protocol) *networkingv1.NetworkPolicy
GetAllowIngressByNamespaceAndPort allows ingress for namespace AND port AND protocol
func GetAllowIngressByNamespaceOrPod ¶
func GetAllowIngressByNamespaceOrPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy
GetAllowIngressByNamespaceOrPod allows ingress for pods with matching namespace OR pod labels
func GetAllowIngressByPod ¶
func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy
GetAllowIngressByPod allows ingress by pod labels
func GetAllowIngressByPort ¶
func GetAllowIngressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy
GetAllowIngressByPort allows ingress by port
func GetAllowIngressByProtocol ¶
func GetAllowIngressByProtocol(name string, targetLabels map[string]string, protocol *v1.Protocol) *networkingv1.NetworkPolicy
GetAllowIngressByProtocol allows ingress for any ports on a specific protocol.
func GetAllowIngressForTarget ¶
func GetAllowIngressForTarget(name string, targetLabels map[string]string) *networkingv1.NetworkPolicy
GetAllowIngressForTarget allows ingress for target
func GetAllowIngressOnProtocolByPort ¶
func GetAllowIngressOnProtocolByPort(name string, protocol v1.Protocol, targetLabels map[string]string, portNum *intstr.IntOrString) *networkingv1.NetworkPolicy
GetAllowIngressOnProtocolByPort is a base network policy template that distinguishes between the v1.Protocol types available in v1 core
func GetDenyAll ¶
func GetDenyAll(name string) *networkingv1.NetworkPolicy
GetDenyAll denies ingress traffic AS WELL AS egress traffic. BOTH policy types must be specified, and the Egress rule must (like the ingress default rule) be an array with 0 values.
func GetDenyAllWithEgressDNS ¶
func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy
GetDenyAllWithEgressDNS denies all egress traffic except the DNS/UDP port
func GetDenyEgress ¶
func GetDenyEgress(name string) *networkingv1.NetworkPolicy
GetDenyEgress returns a default deny egress policy.
func GetDenyEgressForTarget ¶
func GetDenyEgressForTarget(name string, targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy
GetDenyEgressForTarget returns a default deny egress policy for the pods selected by targetSelector.
func GetDenyIngress ¶
func GetDenyIngress(name string) *networkingv1.NetworkPolicy
GetDenyIngress returns a default deny ingress policy.
func GetDenyIngressEmptyPeerSelector ¶
func GetDenyIngressEmptyPeerSelector(name string) *networkingv1.NetworkPolicy
GetDenyIngressEmptyPeerSelector returns a default deny ingress policy using an empty peer selector.
func GetDenyIngressForTarget ¶
func GetDenyIngressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy
GetDenyIngressForTarget denies all ingress for target
func GetRandomIngressPolicies ¶
func GetRandomIngressPolicies(num int) []*networkingv1.NetworkPolicy
GetRandomIngressPolicies returns "num" random policies that each allow a unique:n label, i.e. unique:1, unique:2, and so on. Used for creating a 'background' set of policies.
func ProbePodToPodConnectivity ¶
ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`
func ResetNamespaceLabels ¶
func ResetNamespaceLabels(k8s *kubeManager, ns string)
ResetNamespaceLabels resets the labels for a namespace
func ResetPodLabels ¶
func ResetPodLabels(k8s *kubeManager, pod *Pod)
ResetPodLabels resets the labels for a deployment's template
func UpdateNamespaceLabels ¶
UpdateNamespaceLabels sets the labels for a namespace
func UpdatePolicy ¶
func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
UpdatePolicy updates a networkpolicy
func ValidateOrFail ¶
ValidateOrFail validates connectivity
Types ¶
type Container ¶
Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details
type Model ¶
type Model struct { Namespaces []*Namespace // the raw data NamespaceNames []string PodNames []string Ports []int32 Protocols []v1.Protocol DNSDomain string // contains filtered or unexported fields }
Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth
func NewModel ¶
func NewModel(namespaces []string, podNames []string, ports []int32, protocols []v1.Protocol, dnsDomain string) *Model
NewModel instantiates a model based on: namespaces, pods, ports to listen on, and protocols to listen on. The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.
func (*Model) AllPodStrings ¶
AllPodStrings returns a slice of all pod strings
func (*Model) NewReachability ¶
func (m *Model) NewReachability() *Reachability
NewReachability instantiates a default-true reachability from the model's pods
type Namespace ¶
Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details
func (*Namespace) LabelSelector ¶
LabelSelector returns the default labels that should be placed on a namespace in order for it to be uniquely selectable by label selectors
type Peer ¶
Peer is used for matching pods by either or both of the pod's namespace and name.
type Pod ¶
Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details
func (*Pod) ContainerSpecs ¶
ContainerSpecs builds kubernetes container specs for the pod
func (*Pod) LabelSelector ¶
LabelSelector returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors
func (*Pod) QualifiedServiceAddress ¶
QualifiedServiceAddress returns the address that can be used to hit a service from any namespace in the cluster
func (*Pod) ServiceName ¶
ServiceName returns the unqualified service name
type PodString ¶
type PodString string
PodString represents a namespace 'x' + pod 'a' as "x/a".
func NewPodString ¶
NewPodString instantiates a PodString from the given namespace and name.
type ProbeJob ¶
type ProbeJob struct { PodFrom *Pod PodTo *Pod ToPort int ToPodDNSDomain string Protocol v1.Protocol }
ProbeJob packages the data for the input of a pod->pod connectivity probe
type ProbeJobResults ¶
ProbeJobResults packages the data for the results of a pod->pod connectivity probe
type Reachability ¶
type Reachability struct { Expected *TruthTable Observed *TruthTable Pods []*Pod }
Reachability packages the data for a cluster-wide connectivity probe
func NewReachability ¶
func NewReachability(pods []*Pod, defaultExpectation bool) *Reachability
NewReachability instantiates a reachability
func (*Reachability) AllowLoopback ¶
func (r *Reachability) AllowLoopback()
AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules since loopback logic follows no policy.
func (*Reachability) Expect ¶
func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)
Expect sets the expected value for a single observation
func (*Reachability) ExpectAllEgress ¶
func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)
ExpectAllEgress defines that any traffic going out of the pod will be allowed/denied (true/false)
func (*Reachability) ExpectAllIngress ¶
func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)
ExpectAllIngress defines that any traffic going into the pod will be allowed/denied (true/false)
func (*Reachability) ExpectPeer ¶
func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)
ExpectPeer sets expected values using Peer matchers
func (*Reachability) Observe ¶
func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)
Observe records a single connectivity observation
func (*Reachability) PrintSummary ¶
func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)
PrintSummary prints the summary
func (*Reachability) Summary ¶
func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)
Summary produces a useful summary of expected and observed data
type TestCase ¶
type TestCase struct { ToPort int Protocol v1.Protocol Reachability *Reachability }
TestCase describes the data for a netpol test
type TruthTable ¶
type TruthTable struct { Froms []string Tos []string Values map[string]map[string]bool // contains filtered or unexported fields }
TruthTable takes in n items and maintains an n x n table of booleans for each ordered pair
func NewTruthTable ¶
func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable
NewTruthTable creates a new truth table with froms and tos
func NewTruthTableFromItems ¶
func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable
NewTruthTableFromItems creates a new truth table with items
func (*TruthTable) Compare ¶
func (tt *TruthTable) Compare(other *TruthTable) *TruthTable
Compare is used to check two truth tables for equality, returning its result in the form of a third truth table. Both tables are expected to have identical items.
func (*TruthTable) Get ¶
func (tt *TruthTable) Get(from string, to string) bool
Get gets the specified value
func (*TruthTable) IsComplete ¶
func (tt *TruthTable) IsComplete() bool
IsComplete returns true if a value is set for every pair of items, and false otherwise.
func (*TruthTable) PrettyPrint ¶
func (tt *TruthTable) PrettyPrint(indent string) string
PrettyPrint produces a nice visual representation.
func (*TruthTable) Set ¶
func (tt *TruthTable) Set(from string, to string, value bool)
Set sets the value for from->to
func (*TruthTable) SetAllFrom ¶
func (tt *TruthTable) SetAllFrom(from string, value bool)
SetAllFrom sets all values where from = 'from'
func (*TruthTable) SetAllTo ¶
func (tt *TruthTable) SetAllTo(to string, value bool)
SetAllTo sets all values where to = 'to'