securitygroup

package

v1.30.1 Latest Latest Go to latest Published: May 1, 2024 License: Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/kubernetes-sigs/cloud-provider-azure

Links

Open Source Insights

Documentation ¶

Index ¶

Constants
Variables
func GenerateAllowSecurityRuleName(protocol network.SecurityRuleProtocol, ipFamily iputil.Family, ...) string
func GenerateDenyAllSecurityRuleName(ipFamily iputil.Family) string
func ListDestinationPortRanges(r *network.SecurityRule) ([]int32, error)
func ListDestinationPrefixes(r *network.SecurityRule) []string
func ListSourcePrefixes(r *network.SecurityRule) []string
func NormalizeDestinationPortRanges(dstPorts []int32) []string
func NormalizeSecurityRuleAddressPrefixes(vs []string) []string
type RuleHelper
- func NewSecurityGroupHelper(sg *network.SecurityGroup) (*RuleHelper, error)

Constants ¶

View Source

const (
	SecurityRuleNamePrefix = "k8s-azure-lb"
	SecurityRuleNameSep    = "_"
)

View Source

const (
	MaxSecurityRulesPerGroup              = 1_000
	MaxSecurityRuleSourceIPsPerGroup      = 4_000
	MaxSecurityRuleDestinationIPsPerGroup = 4_000
)

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#azure-resource-manager-virtual-networking-limits

View Source

const (
	ServiceTagInternet = "Internet"
)

Variables ¶

View Source

var (
	ErrInvalidSecurityGroup                                = fmt.Errorf("invalid SecurityGroup object")
	ErrSecurityRulePriorityExhausted                       = fmt.Errorf("security rule priority exhausted")
	ErrSecurityRuleSourceAddressesNotFromSameIPFamily      = fmt.Errorf("security rule source addresses must be from the same IP family")
	ErrSecurityRuleDestinationAddressesNotFromSameIPFamily = fmt.Errorf("security rule destination addresses must be from the same IP family")
	ErrSecurityRuleSourceAndDestinationNotFromSameIPFamily = fmt.Errorf("security rule source addresses and destination addresses must be from the same IP family")
)

Functions ¶

func GenerateAllowSecurityRuleName ¶

func GenerateAllowSecurityRuleName(
	protocol network.SecurityRuleProtocol,
	ipFamily iputil.Family,
	srcPrefixes []string,
	dstPorts []int32,
) string

GenerateAllowSecurityRuleName returns the AllowInbound rule name based on the given rule properties.

func GenerateDenyAllSecurityRuleName ¶

func GenerateDenyAllSecurityRuleName(ipFamily iputil.Family) string

GenerateDenyAllSecurityRuleName returns the DenyInbound rule name based on the given rule properties.

func ListDestinationPortRanges ¶ added in v1.30.1

func ListDestinationPortRanges(r *network.SecurityRule) ([]int32, error)

func ListDestinationPrefixes ¶ added in v1.30.1

func ListDestinationPrefixes(r *network.SecurityRule) []string

func ListSourcePrefixes ¶ added in v1.30.1

func ListSourcePrefixes(r *network.SecurityRule) []string

func NormalizeDestinationPortRanges ¶

func NormalizeDestinationPortRanges(dstPorts []int32) []string

NormalizeDestinationPortRanges normalizes the given destination port ranges.

func NormalizeSecurityRuleAddressPrefixes ¶

func NormalizeSecurityRuleAddressPrefixes(vs []string) []string

NormalizeSecurityRuleAddressPrefixes normalizes the given rule address prefixes.

Types ¶

type RuleHelper ¶

type RuleHelper struct {
	// contains filtered or unexported fields
}

RuleHelper manages security rules within a security group.

func NewSecurityGroupHelper ¶

func NewSecurityGroupHelper(sg *network.SecurityGroup) (*RuleHelper, error)

func (*RuleHelper) AddRuleForAllowedIPRanges ¶

func (helper *RuleHelper) AddRuleForAllowedIPRanges(
	ipRanges []netip.Prefix,
	protocol network.SecurityRuleProtocol,
	dstAddresses []netip.Addr,
	dstPorts []int32,
) error

AddRuleForAllowedIPRanges adds a rule for traffic from certain IP ranges.

func (*RuleHelper) AddRuleForAllowedServiceTag ¶

func (helper *RuleHelper) AddRuleForAllowedServiceTag(
	serviceTag string,
	protocol network.SecurityRuleProtocol,
	dstAddresses []netip.Addr,
	dstPorts []int32,
) error

AddRuleForAllowedServiceTag adds a rule for traffic from a certain service tag.

func (*RuleHelper) AddRuleForDenyAll ¶

func (helper *RuleHelper) AddRuleForDenyAll(dstAddresses []netip.Addr) error

AddRuleForDenyAll adds a rule to deny all traffic from the given destination addresses. NOTE: This rule is to limit the traffic inside the VNet. The traffic out of the VNet is already limited by rule `DenyAllInBound`.

func (*RuleHelper) RemoveDestinationFromRules ¶ added in v1.30.1

func (helper *RuleHelper) RemoveDestinationFromRules(
	protocol network.SecurityRuleProtocol,
	dstPrefixes []string,
	retainDstPorts []int32,
) error

RemoveDestinationFromRules removes the given destination addresses from rules that match the given protocol and ports is in the retainDstPorts list. It may add a new rule if the original rule needs to be split.

func (*RuleHelper) RemoveDestinationPrefixesFromRules ¶

func (helper *RuleHelper) RemoveDestinationPrefixesFromRules(prefixes []string)

RemoveDestinationPrefixesFromRules removes the given destination addresses from all rules.

func (*RuleHelper) SecurityGroup ¶

func (helper *RuleHelper) SecurityGroup() (*network.SecurityGroup, bool, error)

SecurityGroup returns the underlying SecurityGroup object and a bool indicating whether any changes were made to the RuleHelper.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL