Documentation ¶
Index ¶
- func AddNamespaceLabel(k8s *kubeManager, name string, key string, val string)
- func AddPodLabels(k8s *kubeManager, namespace string, name string, ...)
- func CheckSCTPModuleLoadedOnNodes(f *framework.Framework, nodes *v1.NodeList) bool
- func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
- func DeleteNamespaceLabel(k8s *kubeManager, name string, key string)
- func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy
- func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
- func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
- func ProbePodToPodConnectivity(prober Prober, allPods []TestPod, dnsDomain string, testCase *TestCase)
- func ResetPodLabels(k8s *kubeManager, namespace string, name string)
- func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
- func ValidateOrFail(k8s *kubeManager, testCase *TestCase)
- type Container
- type Model
- type Namespace
- type Peer
- type Pod
- func (p *Pod) ContainerSpecs() []v1.Container
- func (p *Pod) KubePod(namespace string) *v1.Pod
- func (p *Pod) Labels() map[string]string
- func (p *Pod) QualifiedServiceAddress(namespace string, dnsDomain string) string
- func (p *Pod) Service(namespace string) *v1.Service
- func (p *Pod) ServiceName(namespace string) string
- type PodString
- type ProbeJob
- type ProbeJobResults
- type Prober
- type Reachability
- func (r *Reachability) AllowLoopback()
- func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)
- func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)
- func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)
- func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)
- func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)
- func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)
- func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)
- type SetFunc
- func SetGenerateName(name string) SetFunc
- func SetObjectMetaLabel(targetLabels map[string]string) SetFunc
- func SetObjectMetaName(name string) SetFunc
- func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc
- func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc
- func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc
- func SetSpecPodSelectorMatchLabels(targetLabels map[string]string) SetFunc
- type TestCase
- type TestPod
- type TruthTable
- func (tt *TruthTable) Compare(other *TruthTable) *TruthTable
- func (tt *TruthTable) Get(from string, to string) bool
- func (tt *TruthTable) IsComplete() bool
- func (tt *TruthTable) PrettyPrint(indent string) string
- func (tt *TruthTable) Set(from string, to string, value bool)
- func (tt *TruthTable) SetAllFrom(from string, value bool)
- func (tt *TruthTable) SetAllTo(to string, value bool)
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func AddNamespaceLabel ¶ added in v1.26.0
AddNamespaceLabel adds a new label to a namespace.
func AddPodLabels ¶
AddPodLabels adds new labels to a running pod
func CheckSCTPModuleLoadedOnNodes ¶
CheckSCTPModuleLoadedOnNodes checks whether any node in the list has the sctp.ko kernel module loaded. For security reasons, and also to allow clusters to use userspace SCTP implementations, we require that merely creating an SCTP Pod/Service/NetworkPolicy must not do anything that would cause the sctp kernel module to be loaded.
func CreatePolicy ¶
func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
CreatePolicy creates a policy in the given namespace
func DeleteNamespaceLabel ¶ added in v1.26.0
DeleteNamespaceLabel deletes a label from a namespace (if present)
func GenNetworkPolicy ¶ added in v1.22.0
func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy
func GenNetworkPolicyWithNameAndPodMatchLabel ¶ added in v1.22.0
func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
func GenNetworkPolicyWithNameAndPodSelector ¶ added in v1.22.0
func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy
func ProbePodToPodConnectivity ¶
func ProbePodToPodConnectivity(prober Prober, allPods []TestPod, dnsDomain string, testCase *TestCase)
ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`
func ResetPodLabels ¶
ResetPodLabels resets the labels for a deployment's template
func UpdatePolicy ¶
func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)
UpdatePolicy updates a networkpolicy
func ValidateOrFail ¶
func ValidateOrFail(k8s *kubeManager, testCase *TestCase)
ValidateOrFail validates connectivity
Types ¶
type Container ¶
Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details
type Model ¶
type Model struct { Namespaces []*Namespace PodNames []string Ports []int32 Protocols []v1.Protocol }
Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth
func NewModel ¶
func NewModel(namespaceBaseNames []string, podNames []string, ports []int32, protocols []v1.Protocol) *Model
NewModel instantiates a model based on:
- namespaceBaseNames
- pods
- ports to listen on
- protocols to listen on
The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.
type Namespace ¶
Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details
type Peer ¶
Peer is used for matching pods by either or both of the pod's namespace and name.
type Pod ¶
Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details
func (*Pod) ContainerSpecs ¶
ContainerSpecs builds kubernetes container specs for the pod
func (*Pod) KubePod ¶
KubePod returns the kube pod (will add label selectors for windows if needed).
func (*Pod) Labels ¶ added in v1.26.0
Labels returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors
func (*Pod) QualifiedServiceAddress ¶
QualifiedServiceAddress returns the address that can be used to access the service
func (*Pod) ServiceName ¶
ServiceName returns the unqualified service name
type PodString ¶
type PodString string
PodString represents a namespace 'x' + pod 'a' as "x/a".
func NewPodString ¶
NewPodString instantiates a PodString from the given namespace and name.
type ProbeJob ¶
type ProbeJob struct { PodFrom TestPod PodTo TestPod PodToServiceIP string ToPort int ToPodDNSDomain string Protocol v1.Protocol }
ProbeJob packages the data for the input of a pod->pod connectivity probe
type ProbeJobResults ¶
ProbeJobResults packages the data for the results of a pod->pod connectivity probe
type Prober ¶ added in v1.22.0
type Prober interface {
// contains filtered or unexported methods
}
Prober is the interface through which connectivity probes are run; it decouples this package from k8smanager.go.
type Reachability ¶
type Reachability struct { Expected *TruthTable Observed *TruthTable PodStrings []PodString }
Reachability packages the data for a cluster-wide connectivity probe
func NewReachability ¶
func NewReachability(podStrings []PodString, defaultExpectation bool) *Reachability
NewReachability instantiates a reachability
func (*Reachability) AllowLoopback ¶
func (r *Reachability) AllowLoopback()
AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules, since loopback traffic follows no policy and would otherwise be overwritten by them.
func (*Reachability) Expect ¶
func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)
Expect sets the expected value for a single observation
func (*Reachability) ExpectAllEgress ¶
func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)
ExpectAllEgress sets the expectation that all traffic leaving the pod is allowed (connected=true) or denied (connected=false).
func (*Reachability) ExpectAllIngress ¶
func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)
ExpectAllIngress sets the expectation that all traffic entering the pod is allowed (connected=true) or denied (connected=false).
func (*Reachability) ExpectPeer ¶
func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)
ExpectPeer sets expected values using Peer matchers
func (*Reachability) Observe ¶
func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)
Observe records a single connectivity observation
func (*Reachability) PrintSummary ¶
func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)
PrintSummary prints the expected table, the observed table and/or their comparison, according to the printExpected, printObserved and printComparison flags.
func (*Reachability) Summary ¶
func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)
Summary produces a useful summary of expected and observed data
type SetFunc ¶ added in v1.22.0
type SetFunc func(policy *networkingv1.NetworkPolicy)
func SetGenerateName ¶ added in v1.22.0
func SetObjectMetaLabel ¶ added in v1.22.0
func SetObjectMetaName ¶ added in v1.22.0
func SetSpecEgressRules ¶ added in v1.22.0
func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc
func SetSpecIngressRules ¶ added in v1.22.0
func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc
func SetSpecPodSelector ¶ added in v1.22.0
func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc
func SetSpecPodSelectorMatchLabels ¶ added in v1.22.0
type TestCase ¶
type TestCase struct { ToPort int Protocol v1.Protocol Reachability *Reachability }
TestCase describes the data for a netpol test
type TestPod ¶ added in v1.26.0
TestPod represents an actual running pod. For each Pod defined by the model, there will be a corresponding TestPod. TestPod includes some runtime info (namespace name, service IP) which is not available in the model.
type TruthTable ¶
type TruthTable struct { Froms []string Tos []string Values map[string]map[string]bool // contains filtered or unexported fields }
TruthTable takes in n items and maintains an n x n table of booleans, one for each ordered pair of items.
func NewTruthTable ¶
func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable
NewTruthTable creates a new truth table with froms and tos
func NewTruthTableFromItems ¶
func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable
NewTruthTableFromItems creates a new truth table with items
func (*TruthTable) Compare ¶
func (tt *TruthTable) Compare(other *TruthTable) *TruthTable
Compare is used to check two truth tables for equality, returning its result in the form of a third truth table. Both tables are expected to have identical items.
func (*TruthTable) Get ¶
func (tt *TruthTable) Get(from string, to string) bool
Get returns the value recorded for the from->to pair.
func (*TruthTable) IsComplete ¶
func (tt *TruthTable) IsComplete() bool
IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.
func (*TruthTable) PrettyPrint ¶
func (tt *TruthTable) PrettyPrint(indent string) string
PrettyPrint produces a nice visual representation.
func (*TruthTable) Set ¶
func (tt *TruthTable) Set(from string, to string, value bool)
Set sets the value for from->to
func (*TruthTable) SetAllFrom ¶
func (tt *TruthTable) SetAllFrom(from string, value bool)
SetAllFrom sets every value whose source is 'from', i.e. the entire row for that item.
func (*TruthTable) SetAllTo ¶
func (tt *TruthTable) SetAllTo(to string, value bool)
SetAllTo sets every value whose destination is 'to', i.e. the entire column for that item.