netpol

package
v1.25.14 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Sep 13, 2023 License: Apache-2.0 Imports: 28 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddPodLabels

func AddPodLabels(k8s *kubeManager, pod *Pod, newPodLabels map[string]string)

AddPodLabels adds new labels to a deployment's template

func CheckSCTPModuleLoadedOnNodes

func CheckSCTPModuleLoadedOnNodes(f *framework.Framework, nodes *v1.NodeList) bool

CheckSCTPModuleLoadedOnNodes checks whether any node on the list has the sctp.ko module loaded For security reasons, and also to allow clusters to use userspace SCTP implementations, we require that just creating an SCTP Pod/Service/NetworkPolicy must not do anything that would cause the sctp kernel module to be loaded.

func CreatePolicy

func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

CreatePolicy creates a policy in the given namespace

func GenNetworkPolicy added in v1.22.0

func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy

func GenNetworkPolicyWithNameAndPodMatchLabel added in v1.22.0

func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy

func GenNetworkPolicyWithNameAndPodSelector added in v1.22.0

func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy

func ProbePodToPodConnectivity

func ProbePodToPodConnectivity(prober Prober, model *Model, testCase *TestCase)

ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`

func ResetNamespaceLabels

func ResetNamespaceLabels(k8s *kubeManager, ns string)

ResetNamespaceLabels resets the labels for a namespace

func ResetPodLabels

func ResetPodLabels(k8s *kubeManager, pod *Pod)

ResetPodLabels resets the labels for a deployment's template

func UpdateNamespaceLabels

func UpdateNamespaceLabels(k8s *kubeManager, ns string, newNsLabel map[string]string)

UpdateNamespaceLabels sets the labels for a namespace

func UpdatePolicy

func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

UpdatePolicy updates a networkpolicy

func ValidateOrFail

func ValidateOrFail(k8s *kubeManager, model *Model, testCase *TestCase)

ValidateOrFail validates connectivity

Types

type Container

type Container struct {
	Port     int32
	Protocol v1.Protocol
}

Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details

func (*Container) Name

func (c *Container) Name() string

Name returns the container name

func (*Container) PortName

func (c *Container) PortName() string

PortName returns the container port name

func (*Container) Spec

func (c *Container) Spec() v1.Container

Spec returns the kube container spec

type Model

type Model struct {
	Namespaces []*Namespace

	// the raw data
	NamespaceNames []string
	PodNames       []string
	Ports          []int32
	Protocols      []v1.Protocol
	DNSDomain      string
	// contains filtered or unexported fields
}

Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth

func NewModel

func NewModel(namespaces []string, podNames []string, ports []int32, protocols []v1.Protocol, dnsDomain string) *Model

NewModel instantiates a model based on: - namespaces - pods - ports to listen on - protocols to listen on The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.

func NewWindowsModel added in v1.22.0

func NewWindowsModel(namespaces []string, podNames []string, ports []int32, dnsDomain string) *Model

NewWindowsModel returns a model specific to windows testing.

func (*Model) AllPodStrings

func (m *Model) AllPodStrings() []PodString

AllPodStrings returns a slice of all pod strings

func (*Model) AllPods

func (m *Model) AllPods() []*Pod

AllPods returns a slice of all pods

func (*Model) FindPod

func (m *Model) FindPod(ns string, name string) (*Pod, error)

FindPod returns the pod of matching namespace and name, or an error

func (*Model) GetProbeTimeoutSeconds added in v1.22.0

func (m *Model) GetProbeTimeoutSeconds() int

GetProbeTimeoutSeconds returns a timeout for how long the probe should work before failing a check, and takes windows heuristics into account, where requests can take longer sometimes.

func (*Model) GetWorkers added in v1.22.0

func (m *Model) GetWorkers() int

GetWorkers returns the number of workers suggested to run when testing.

func (*Model) NewReachability

func (m *Model) NewReachability() *Reachability

NewReachability instantiates a default-true reachability from the model's pods

type Namespace

type Namespace struct {
	Name string
	Pods []*Pod
}

Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details

func (*Namespace) LabelSelector

func (ns *Namespace) LabelSelector() map[string]string

LabelSelector returns the default labels that should be placed on a namespace in order for it to be uniquely selectable by label selectors

func (*Namespace) Spec

func (ns *Namespace) Spec() *v1.Namespace

Spec builds a kubernetes namespace spec

type Peer

type Peer struct {
	Namespace string
	Pod       string
}

Peer is used for matching pods by either or both of the pod's namespace and name.

func (*Peer) Matches

func (p *Peer) Matches(pod PodString) bool

Matches checks whether the Peer matches the PodString: - an empty namespace means the namespace will always match - otherwise, the namespace must match the PodString's namespace - same goes for Pod: empty matches everything, otherwise must match exactly

type Pod

type Pod struct {
	Namespace  string
	Name       string
	Containers []*Container
	ServiceIP  string
}

Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details

func (*Pod) ContainerSpecs

func (p *Pod) ContainerSpecs() []v1.Container

ContainerSpecs builds kubernetes container specs for the pod

func (*Pod) KubePod

func (p *Pod) KubePod() *v1.Pod

KubePod returns the kube pod (will add label selectors for windows if needed).

func (*Pod) LabelSelector

func (p *Pod) LabelSelector() map[string]string

LabelSelector returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors

func (*Pod) PodString

func (p *Pod) PodString() PodString

PodString returns a corresponding pod string

func (*Pod) QualifiedServiceAddress

func (p *Pod) QualifiedServiceAddress(dnsDomain string) string

QualifiedServiceAddress returns the address that can be used to hit a service from any namespace in the cluster

func (*Pod) Service

func (p *Pod) Service() *v1.Service

Service returns a kube service spec

func (*Pod) ServiceName

func (p *Pod) ServiceName() string

ServiceName returns the unqualified service name

type PodString

type PodString string

PodString represents a namespace 'x' + pod 'a' as "x/a".

func NewPodString

func NewPodString(namespace string, podName string) PodString

NewPodString instantiates a PodString from the given namespace and name.

func (PodString) Namespace

func (pod PodString) Namespace() string

Namespace extracts the namespace

func (PodString) PodName

func (pod PodString) PodName() string

PodName extracts the pod name

func (PodString) String

func (pod PodString) String() string

String converts back to a string

type ProbeJob

type ProbeJob struct {
	PodFrom        *Pod
	PodTo          *Pod
	ToPort         int
	ToPodDNSDomain string
	Protocol       v1.Protocol
}

ProbeJob packages the data for the input of a pod->pod connectivity probe

type ProbeJobResults

type ProbeJobResults struct {
	Job         *ProbeJob
	IsConnected bool
	Err         error
	Command     string
}

ProbeJobResults packages the data for the results of a pod->pod connectivity probe

type Prober added in v1.22.0

type Prober interface {
	// contains filtered or unexported methods
}

decouple us from k8smanager.go

type Reachability

type Reachability struct {
	Expected *TruthTable
	Observed *TruthTable
	Pods     []*Pod
}

Reachability packages the data for a cluster-wide connectivity probe

func NewReachability

func NewReachability(pods []*Pod, defaultExpectation bool) *Reachability

NewReachability instantiates a reachability

func (*Reachability) AllowLoopback

func (r *Reachability) AllowLoopback()

AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules since loopback logic follows no policy.

func (*Reachability) Expect

func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)

Expect sets the expected value for a single observation

func (*Reachability) ExpectAllEgress

func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)

ExpectAllEgress defines that any traffic going out of the pod will be allowed/denied (true/false)

func (*Reachability) ExpectAllIngress

func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)

ExpectAllIngress defines that any traffic going into the pod will be allowed/denied (true/false)

func (*Reachability) ExpectPeer

func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)

ExpectPeer sets expected values using Peer matchers

func (*Reachability) Observe

func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)

Observe records a single connectivity observation

func (*Reachability) PrintSummary

func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)

PrintSummary prints the summary

func (*Reachability) Summary

func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)

Summary produces a useful summary of expected and observed data

type SetFunc added in v1.22.0

type SetFunc func(policy *networkingv1.NetworkPolicy)

func SetGenerateName added in v1.22.0

func SetGenerateName(name string) SetFunc

func SetObjectMetaLabel added in v1.22.0

func SetObjectMetaLabel(targetLabels map[string]string) SetFunc

func SetObjectMetaName added in v1.22.0

func SetObjectMetaName(name string) SetFunc

func SetSpecEgressRules added in v1.22.0

func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc

func SetSpecIngressRules added in v1.22.0

func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc

func SetSpecPodSelector added in v1.22.0

func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc

func SetSpecPodSelectorMatchLabels added in v1.22.0

func SetSpecPodSelectorMatchLabels(targetLabels map[string]string) SetFunc

type TestCase

type TestCase struct {
	ToPort       int
	Protocol     v1.Protocol
	Reachability *Reachability
}

TestCase describes the data for a netpol test

type TruthTable

type TruthTable struct {
	Froms []string
	Tos   []string

	Values map[string]map[string]bool
	// contains filtered or unexported fields
}

TruthTable takes in n items and maintains an n x n table of booleans for each ordered pair

func NewTruthTable

func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable

NewTruthTable creates a new truth table with froms and tos

func NewTruthTableFromItems

func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable

NewTruthTableFromItems creates a new truth table with items

func (*TruthTable) Compare

func (tt *TruthTable) Compare(other *TruthTable) *TruthTable

Compare is used to check two truth tables for equality, returning its result in the form of a third truth table. Both tables are expected to have identical items.

func (*TruthTable) Get

func (tt *TruthTable) Get(from string, to string) bool

Get gets the specified value

func (*TruthTable) IsComplete

func (tt *TruthTable) IsComplete() bool

IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.

func (*TruthTable) PrettyPrint

func (tt *TruthTable) PrettyPrint(indent string) string

PrettyPrint produces a nice visual representation.

func (*TruthTable) Set

func (tt *TruthTable) Set(from string, to string, value bool)

Set sets the value for from->to

func (*TruthTable) SetAllFrom

func (tt *TruthTable) SetAllFrom(from string, value bool)

SetAllFrom sets all values where from = 'from'

func (*TruthTable) SetAllTo

func (tt *TruthTable) SetAllTo(to string, value bool)

SetAllTo sets all values where to = 'to'

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL