netpol


Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddNamespaceLabel added in v1.26.0

func AddNamespaceLabel(ctx context.Context, k8s *kubeManager, name string, key string, val string)

AddNamespaceLabel adds a new label to a namespace.

func AddPodLabels

func AddPodLabels(ctx context.Context, k8s *kubeManager, namespace string, name string, newPodLabels map[string]string)

AddPodLabels adds new labels to a running pod

func CheckSCTPModuleLoadedOnNodes

func CheckSCTPModuleLoadedOnNodes(ctx context.Context, f *framework.Framework, nodes *v1.NodeList) bool

CheckSCTPModuleLoadedOnNodes checks whether any node in the list has the sctp.ko kernel module loaded. For security reasons, and also to allow clusters to use userspace SCTP implementations, we require that merely creating an SCTP Pod, Service or NetworkPolicy must not do anything that would cause the sctp kernel module to be loaded.

func CreatePolicy

func CreatePolicy(ctx context.Context, k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

CreatePolicy creates a policy in the given namespace

func DeleteNamespaceLabel added in v1.26.0

func DeleteNamespaceLabel(ctx context.Context, k8s *kubeManager, name string, key string)

DeleteNamespaceLabel deletes a label from a namespace (if present)

func GenNetworkPolicy added in v1.22.0

func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy

func GenNetworkPolicyWithNameAndPodMatchLabel added in v1.22.0

func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy

func GenNetworkPolicyWithNameAndPodSelector added in v1.22.0

func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy

func ProbePodToPodConnectivity

func ProbePodToPodConnectivity(prober Prober, allPods []TestPod, dnsDomain string, testCase *TestCase)

ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`

func ResetPodLabels

func ResetPodLabels(ctx context.Context, k8s *kubeManager, namespace string, name string)

ResetPodLabels resets the labels for a deployment's template

func UpdatePolicy

func UpdatePolicy(ctx context.Context, k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

UpdatePolicy updates a networkpolicy

func ValidateOrFail

func ValidateOrFail(k8s *kubeManager, testCase *TestCase)

ValidateOrFail validates connectivity

Types

type Container

type Container struct {
	Port     int32
	Protocol v1.Protocol
}

Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details

func (*Container) Name

func (c *Container) Name() string

Name returns the container name

func (*Container) PortName

func (c *Container) PortName() string

PortName returns the container port name

func (*Container) Spec

func (c *Container) Spec() v1.Container

Spec returns the kube container spec

type Model

type Model struct {
	Namespaces []*Namespace
	PodNames   []string
	Ports      []int32
	Protocols  []v1.Protocol
}

Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth

func NewModel

func NewModel(namespaceBaseNames []string, podNames []string, ports []int32, protocols []v1.Protocol) *Model

NewModel instantiates a model based on: namespaceBaseNames, pods, the ports to listen on, and the protocols to listen on. The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.

func NewWindowsModel added in v1.22.0

func NewWindowsModel(namespaceBaseNames []string, podNames []string, ports []int32) *Model

NewWindowsModel returns a model specific to windows testing.

type Namespace

type Namespace struct {
	BaseName string
	Pods     []*Pod
}

Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details

type Peer

type Peer struct {
	Namespace string
	Pod       string
}

Peer is used for matching pods by either or both of the pod's namespace and name.

func (*Peer) Matches

func (p *Peer) Matches(pod PodString) bool

Matches checks whether the Peer matches the PodString: an empty Namespace always matches; otherwise, the Namespace must equal the PodString's namespace. The same goes for Pod: an empty Pod matches everything; otherwise it must match the PodString's pod name exactly.

type Pod

type Pod struct {
	Name       string
	Containers []*Container
}

Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details

func (*Pod) ContainerSpecs

func (p *Pod) ContainerSpecs() []v1.Container

ContainerSpecs builds kubernetes container specs for the pod

func (*Pod) KubePod

func (p *Pod) KubePod(namespace string) *v1.Pod

KubePod returns the kube pod (will add label selectors for windows if needed).

func (*Pod) Labels added in v1.26.0

func (p *Pod) Labels() map[string]string

Labels returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors

func (*Pod) QualifiedServiceAddress

func (p *Pod) QualifiedServiceAddress(namespace string, dnsDomain string) string

QualifiedServiceAddress returns the address that can be used to access the service

func (*Pod) Service

func (p *Pod) Service(namespace string) *v1.Service

Service returns a kube service spec

func (*Pod) ServiceName

func (p *Pod) ServiceName(namespace string) string

ServiceName returns the unqualified service name

type PodString

type PodString string

PodString represents a namespace 'x' + pod 'a' as "x/a".

func NewPodString

func NewPodString(namespace string, podName string) PodString

NewPodString instantiates a PodString from the given namespace and name.

func (PodString) Namespace

func (pod PodString) Namespace() string

Namespace extracts the namespace

func (PodString) PodName

func (pod PodString) PodName() string

PodName extracts the pod name

func (PodString) String

func (pod PodString) String() string

String converts back to a string

type ProbeJob

type ProbeJob struct {
	PodFrom            TestPod
	PodTo              TestPod
	PodToServiceIP     string
	ToPort             int
	ToPodDNSDomain     string
	Protocol           v1.Protocol
	ExpectConnectivity bool
}

ProbeJob packages the data for the input of a pod->pod connectivity probe

type ProbeJobResults

type ProbeJobResults struct {
	Job         *ProbeJob
	IsConnected bool
	Err         error
	Command     string
}

ProbeJobResults packages the data for the results of a pod->pod connectivity probe

type Prober added in v1.22.0

type Prober interface {
	// contains filtered or unexported methods
}

Prober decouples the probe logic from k8smanager.go.

type Reachability

type Reachability struct {
	Expected   *TruthTable
	Observed   *TruthTable
	PodStrings []PodString
}

Reachability packages the data for a cluster-wide connectivity probe

func NewReachability

func NewReachability(podStrings []PodString, defaultExpectation bool) *Reachability

NewReachability instantiates a reachability

func (*Reachability) AllowLoopback

func (r *Reachability) AllowLoopback()

AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules since loopback logic follows no policy.

func (*Reachability) Expect

func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)

Expect sets the expected value for a single observation

func (*Reachability) ExpectAllEgress

func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)

ExpectAllEgress defines that any traffic going out of the pod will be allowed (connected is true) or denied (connected is false).

func (*Reachability) ExpectAllIngress

func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)

ExpectAllIngress defines that any traffic going into the pod will be allowed (connected is true) or denied (connected is false).

func (*Reachability) ExpectPeer

func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)

ExpectPeer sets expected values using Peer matchers

func (*Reachability) Observe

func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)

Observe records a single connectivity observation

func (*Reachability) PrintSummary

func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)

PrintSummary prints the summary

func (*Reachability) Summary

func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)

Summary produces a useful summary of expected and observed data

type SetFunc added in v1.22.0

type SetFunc func(policy *networkingv1.NetworkPolicy)

func SetGenerateName added in v1.22.0

func SetGenerateName(name string) SetFunc

func SetObjectMetaLabel added in v1.22.0

func SetObjectMetaLabel(targetLabels map[string]string) SetFunc

func SetObjectMetaName added in v1.22.0

func SetObjectMetaName(name string) SetFunc

func SetSpecEgressRules added in v1.22.0

func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc

func SetSpecIngressRules added in v1.22.0

func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc

func SetSpecPodSelector added in v1.22.0

func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc

func SetSpecPodSelectorMatchLabels added in v1.22.0

func SetSpecPodSelectorMatchLabels(targetLabels map[string]string) SetFunc

type TestCase

type TestCase struct {
	ToPort       int
	Protocol     v1.Protocol
	Reachability *Reachability
}

TestCase describes the data for a netpol test

type TestPod added in v1.26.0

type TestPod struct {
	Namespace     string
	Name          string
	ContainerName string
	ServiceIP     string
}

TestPod represents an actual running pod. For each Pod defined by the model, there will be a corresponding TestPod. TestPod includes some runtime info (namespace name, service IP) which is not available in the model.

func (TestPod) PodString added in v1.26.0

func (pod TestPod) PodString() PodString

type TruthTable

type TruthTable struct {
	Froms []string
	Tos   []string

	Values map[string]map[string]bool
	// contains filtered or unexported fields
}

TruthTable takes in n items and maintains an n x n table of booleans for each ordered pair

func NewTruthTable

func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable

NewTruthTable creates a new truth table with froms and tos

func NewTruthTableFromItems

func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable

NewTruthTableFromItems creates a new truth table with items

func (*TruthTable) Compare

func (tt *TruthTable) Compare(other *TruthTable) *TruthTable

Compare is used to check two truth tables for equality, returning its result in the form of a third truth table. Both tables are expected to have identical items.

func (*TruthTable) Get

func (tt *TruthTable) Get(from string, to string) bool

Get gets the specified value

func (*TruthTable) IsComplete

func (tt *TruthTable) IsComplete() bool

IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.

func (*TruthTable) PrettyPrint

func (tt *TruthTable) PrettyPrint(indent string) string

PrettyPrint produces a nice visual representation.

func (*TruthTable) Set

func (tt *TruthTable) Set(from string, to string, value bool)

Set sets the value for from->to

func (*TruthTable) SetAllFrom

func (tt *TruthTable) SetAllFrom(from string, value bool)

SetAllFrom sets all values where from = 'from'

func (*TruthTable) SetAllTo

func (tt *TruthTable) SetAllTo(to string, value bool)

SetAllTo sets all values where to = 'to'
