netpol

package
v1.29.9 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Sep 11, 2024 License: Apache-2.0 Imports: 26 Imported by: 1

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func AddNamespaceLabel added in v1.26.0 

func AddNamespaceLabel(ctx context.Context, k8s *kubeManager, name string, key string, val string)

AddNamespaceLabels adds a new label to a namespace

func AddPodLabels 

func AddPodLabels(ctx context.Context, k8s *kubeManager, namespace string, name string, newPodLabels map[string]string)

AddPodLabels adds new labels to a running pod

func CreatePolicy 

func CreatePolicy(ctx context.Context, k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

CreatePolicy creates a policy in the given namespace

func DeleteNamespaceLabel added in v1.26.0 

func DeleteNamespaceLabel(ctx context.Context, k8s *kubeManager, name string, key string)

DeleteNamespaceLabel deletes a label from a namespace (if present)

func GenNetworkPolicy added in v1.22.0 

func GenNetworkPolicy(fn ...SetFunc) *networkingv1.NetworkPolicy

func GenNetworkPolicyWithNameAndPodMatchLabel added in v1.22.0 

func GenNetworkPolicyWithNameAndPodMatchLabel(name string, targetLabels map[string]string, otherFunc ...SetFunc) *networkingv1.NetworkPolicy

func GenNetworkPolicyWithNameAndPodSelector added in v1.22.0 

func GenNetworkPolicyWithNameAndPodSelector(name string, targetSelector metav1.LabelSelector, otherFunc ...SetFunc) *networkingv1.NetworkPolicy

func ProbePodToPodConnectivity 

func ProbePodToPodConnectivity(prober Prober, allPods []TestPod, dnsDomain string, testCase *TestCase)

ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`

func ResetPodLabels 

func ResetPodLabels(ctx context.Context, k8s *kubeManager, namespace string, name string)

ResetPodLabels resets the labels for a deployment's template

func UpdatePolicy 

func UpdatePolicy(ctx context.Context, k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

UpdatePolicy updates a networkpolicy

func ValidateOrFail 

func ValidateOrFail(k8s *kubeManager, testCase *TestCase)

ValidateOrFail validates connectivity

Types

type Container 

type Container struct {
	Port     int32
	Protocol v1.Protocol
}

Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details

func (*Container) Name 

func (c *Container) Name() string

Name returns the container name

func (*Container) PortName 

func (c *Container) PortName() string

PortName returns the container port name

func (*Container) Spec 

func (c *Container) Spec() v1.Container

Spec returns the kube container spec

type Model 

type Model struct {
	Namespaces []*Namespace
	PodNames   []string
	Ports      []int32
	Protocols  []v1.Protocol
}

Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth

func NewModel 

func NewModel(namespaceBaseNames []string, podNames []string, ports []int32, protocols []v1.Protocol) *Model

NewModel instantiates a model based on: - namespaceBaseNames - pods - ports to listen on - protocols to listen on The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.

func NewWindowsModel added in v1.22.0 

func NewWindowsModel(namespaceBaseNames []string, podNames []string, ports []int32) *Model

NewWindowsModel returns a model specific to windows testing.

type Namespace 

type Namespace struct {
	BaseName string
	Pods     []*Pod
}

Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details

type Peer 

type Peer struct {
	Namespace string
	Pod       string
}

Peer is used for matching pods by either or both of the pod's namespace and name.

func (*Peer) Matches 

func (p *Peer) Matches(pod PodString) bool

Matches checks whether the Peer matches the PodString: - an empty namespace means the namespace will always match - otherwise, the namespace must match the PodString's namespace - same goes for Pod: empty matches everything, otherwise must match exactly

type Pod 

type Pod struct {
	Name       string
	Containers []*Container
}

Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details

func (*Pod) ContainerSpecs 

func (p *Pod) ContainerSpecs() []v1.Container

ContainerSpecs builds kubernetes container specs for the pod

func (*Pod) KubePod 

func (p *Pod) KubePod(namespace string) *v1.Pod

KubePod returns the kube pod (will add label selectors for windows if needed).

func (*Pod) Labels added in v1.26.0 

func (p *Pod) Labels() map[string]string

Labels returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors

func (*Pod) QualifiedServiceAddress 

func (p *Pod) QualifiedServiceAddress(namespace string, dnsDomain string) string

QualifiedServiceAddress returns the address that can be used to access the service

func (*Pod) Service 

func (p *Pod) Service(namespace string) *v1.Service

Service returns a kube service spec

func (*Pod) ServiceName 

func (p *Pod) ServiceName(namespace string) string

ServiceName returns the unqualified service name

type PodString 

type PodString string

PodString represents a namespace 'x' + pod 'a' as "x/a".

func NewPodString 

func NewPodString(namespace string, podName string) PodString

NewPodString instantiates a PodString from the given namespace and name.

func (PodString) Namespace 

func (pod PodString) Namespace() string

Namespace extracts the namespace

func (PodString) PodName 

func (pod PodString) PodName() string

PodName extracts the pod name

func (PodString) String 

func (pod PodString) String() string

String converts back to a string

type ProbeJob 

type ProbeJob struct {
	PodFrom            TestPod
	PodTo              TestPod
	PodToServiceIP     string
	ToPort             int
	ToPodDNSDomain     string
	Protocol           v1.Protocol
	ExpectConnectivity bool
}

ProbeJob packages the data for the input of a pod->pod connectivity probe

type ProbeJobResults 

type ProbeJobResults struct {
	Job         *ProbeJob
	IsConnected bool
	Err         error
	Command     string
}

ProbeJobResults packages the data for the results of a pod->pod connectivity probe

type Prober added in v1.22.0 

type Prober interface {
	// contains filtered or unexported methods
}

decouple us from k8smanager.go

type Reachability 

type Reachability struct {
	Expected   *TruthTable
	Observed   *TruthTable
	PodStrings []PodString
}

Reachability packages the data for a cluster-wide connectivity probe

func NewReachability 

func NewReachability(podStrings []PodString, defaultExpectation bool) *Reachability

NewReachability instantiates a reachability

func (*Reachability) AllowLoopback 

func (r *Reachability) AllowLoopback()

AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules since loopback logic follows no policy.

func (*Reachability) Expect 

func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)

Expect sets the expected value for a single observation

func (*Reachability) ExpectAllEgress 

func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)

ExpectAllEgress defines that any traffic going out of the pod will be allowed/denied (true/false)

func (*Reachability) ExpectAllIngress 

func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)

ExpectAllIngress defines that any traffic going into the pod will be allowed/denied (true/false)

func (*Reachability) ExpectPeer 

func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)

ExpectPeer sets expected values using Peer matchers

func (*Reachability) Observe 

func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)

Observe records a single connectivity observation

func (*Reachability) PrintSummary 

func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)

PrintSummary prints the summary

func (*Reachability) Summary 

func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)

Summary produces a useful summary of expected and observed data

type SetFunc added in v1.22.0 

type SetFunc func(policy *networkingv1.NetworkPolicy)

func SetGenerateName added in v1.22.0 

func SetGenerateName(name string) SetFunc

func SetObjectMetaLabel added in v1.22.0 

func SetObjectMetaLabel(targetLabels map[string]string) SetFunc

func SetObjectMetaName added in v1.22.0 

func SetObjectMetaName(name string) SetFunc

func SetSpecEgressRules added in v1.22.0 

func SetSpecEgressRules(rules ...networkingv1.NetworkPolicyEgressRule) SetFunc

func SetSpecIngressRules added in v1.22.0 

func SetSpecIngressRules(rules ...networkingv1.NetworkPolicyIngressRule) SetFunc

func SetSpecPodSelector added in v1.22.0 

func SetSpecPodSelector(targetSelector metav1.LabelSelector) SetFunc

func SetSpecPodSelectorMatchLabels added in v1.22.0 

func SetSpecPodSelectorMatchLabels(targetLabels map[string]string) SetFunc

type TestCase 

type TestCase struct {
	ToPort       int
	Protocol     v1.Protocol
	Reachability *Reachability
}

TestCase describes the data for a netpol test

type TestPod added in v1.26.0 

type TestPod struct {
	Namespace     string
	Name          string
	ContainerName string
	ServiceIP     string
}

TestPod represents an actual running pod. For each Pod defined by the model, there will be a corresponding TestPod. TestPod includes some runtime info (namespace name, service IP) which is not available in the model.

func (TestPod) PodString added in v1.26.0 

func (pod TestPod) PodString() PodString

type TruthTable 

type TruthTable struct {
	Froms []string
	Tos   []string

	Values map[string]map[string]bool
	// contains filtered or unexported fields
}

TruthTable takes in n items and maintains an n x n table of booleans for each ordered pair

func NewTruthTable 

func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable

NewTruthTable creates a new truth table with froms and tos

func NewTruthTableFromItems 

func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable

NewTruthTableFromItems creates a new truth table with items

func (*TruthTable) Compare 

func (tt *TruthTable) Compare(other *TruthTable) *TruthTable

Compare is used to check two truth tables for equality, returning its result in the form of a third truth table. Both tables are expected to have identical items.

func (*TruthTable) Get 

func (tt *TruthTable) Get(from string, to string) bool

Get gets the specified value

func (*TruthTable) IsComplete 

func (tt *TruthTable) IsComplete() bool

IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.

func (*TruthTable) PrettyPrint 

func (tt *TruthTable) PrettyPrint(indent string) string

PrettyPrint produces a nice visual representation.

func (*TruthTable) Set 

func (tt *TruthTable) Set(from string, to string, value bool)

Set sets the value for from->to

func (*TruthTable) SetAllFrom 

func (tt *TruthTable) SetAllFrom(from string, value bool)

SetAllFrom sets all values where from = 'from'

func (*TruthTable) SetAllTo 

func (tt *TruthTable) SetAllTo(to string, value bool)

SetAllTo sets all values where to = 'to'

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.