securitygroup

package
v1.31.1
Warning

This package is not in the latest version of its module.

Published: Sep 18, 2024 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation


Constants

const (
	// SecurityRuleNamePrefix and SecurityRuleNameSep are the fixed prefix
	// and the separator from which generated security rule names are
	// composed; presumably consumed by GenerateAllowSecurityRuleName and
	// GenerateDenyAllSecurityRuleName — verify against their implementations.
	SecurityRuleNamePrefix = "k8s-azure-lb"
	SecurityRuleNameSep    = "_"
)
const (
	// Per-network-security-group limits taken from the Azure service-limits
	// page referenced below: the maximum number of rules, and the maximum
	// number of distinct source and destination IPs across all rules in
	// one group. NOTE(review): whether the helper enforces these before
	// submitting an update is not visible here — confirm.
	MaxSecurityRulesPerGroup              = 1_000
	MaxSecurityRuleSourceIPsPerGroup      = 4_000
	MaxSecurityRuleDestinationIPsPerGroup = 4_000
)

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#azure-resource-manager-virtual-networking-limits

const (
	// ServiceTagInternet is the Azure service tag denoting the public
	// Internet, usable as a rule source in place of explicit prefixes
	// (see AddRuleForAllowedServiceTag).
	ServiceTagInternet = "Internet"
)

Variables

var (
	// Sentinel errors reported by this package. Callers should match them
	// with errors.Is rather than string comparison. None of the messages
	// carries a format verb, so errors.New would be the more idiomatic
	// constructor here.

	// ErrInvalidSecurityGroup reports a SecurityGroup object that cannot
	// be worked with (presumably raised by NewSecurityGroupHelper — confirm).
	ErrInvalidSecurityGroup                                = fmt.Errorf("invalid SecurityGroup object")
	// ErrSecurityRulePriorityExhausted reports that no free rule priority
	// is left when a new rule has to be added.
	ErrSecurityRulePriorityExhausted                       = fmt.Errorf("security rule priority exhausted")
	// ErrSecurityRuleSourceAddressesNotFromSameIPFamily reports a rule whose
	// source addresses mix IPv4 and IPv6.
	ErrSecurityRuleSourceAddressesNotFromSameIPFamily      = fmt.Errorf("security rule source addresses must be from the same IP family")
	// ErrSecurityRuleDestinationAddressesNotFromSameIPFamily reports a rule
	// whose destination addresses mix IPv4 and IPv6.
	ErrSecurityRuleDestinationAddressesNotFromSameIPFamily = fmt.Errorf("security rule destination addresses must be from the same IP family")
	// ErrSecurityRuleSourceAndDestinationNotFromSameIPFamily reports a rule
	// whose source and destination addresses are of different IP families.
	ErrSecurityRuleSourceAndDestinationNotFromSameIPFamily = fmt.Errorf("security rule source addresses and destination addresses must be from the same IP family")
)

Functions

func GenerateAllowSecurityRuleName

func GenerateAllowSecurityRuleName(
	protocol network.SecurityRuleProtocol,
	ipFamily iputil.Family,
	srcPrefixes []string,
	dstPorts []int32,
) string

GenerateAllowSecurityRuleName returns the AllowInbound rule name based on the given rule properties.

func GenerateDenyAllSecurityRuleName

func GenerateDenyAllSecurityRuleName(ipFamily iputil.Family) string

GenerateDenyAllSecurityRuleName returns the DenyInbound rule name based on the given rule properties.

func ListDestinationPortRanges added in v1.29.5

func ListDestinationPortRanges(r *network.SecurityRule) ([]int32, error)

func ListDestinationPrefixes added in v1.29.5

func ListDestinationPrefixes(r *network.SecurityRule) []string

func ListSourcePrefixes added in v1.29.5

func ListSourcePrefixes(r *network.SecurityRule) []string

func NormalizeDestinationPortRanges

func NormalizeDestinationPortRanges(dstPorts []int32) []string

NormalizeDestinationPortRanges normalizes the given destination port ranges.

func NormalizeSecurityRuleAddressPrefixes

func NormalizeSecurityRuleAddressPrefixes(vs []string) []string

NormalizeSecurityRuleAddressPrefixes normalizes the given rule address prefixes.

func ProtocolFromKubernetes added in v1.29.8

func ProtocolFromKubernetes(p v1.Protocol) (network.SecurityRuleProtocol, error)

func SetDestinationPrefixes added in v1.29.7

func SetDestinationPrefixes(r *network.SecurityRule, prefixes []string)

Types

type RuleHelper

type RuleHelper struct {
	// contains filtered or unexported fields
}

RuleHelper manages security rules within a security group.

func NewSecurityGroupHelper

func NewSecurityGroupHelper(logger logr.Logger, sg *network.SecurityGroup) (*RuleHelper, error)

func (*RuleHelper) AddRuleForAllowedIPRanges

func (helper *RuleHelper) AddRuleForAllowedIPRanges(
	ipRanges []netip.Prefix,
	protocol network.SecurityRuleProtocol,
	dstAddresses []netip.Addr,
	dstPorts []int32,
) error

AddRuleForAllowedIPRanges adds an allow rule for traffic from the given IP ranges to the given destination addresses and ports.

func (*RuleHelper) AddRuleForAllowedServiceTag

func (helper *RuleHelper) AddRuleForAllowedServiceTag(
	serviceTag string,
	protocol network.SecurityRuleProtocol,
	dstAddresses []netip.Addr,
	dstPorts []int32,
) error

AddRuleForAllowedServiceTag adds an allow rule for traffic from the given service tag to the given destination addresses and ports.

func (*RuleHelper) AddRuleForDenyAll

func (helper *RuleHelper) AddRuleForDenyAll(dstAddresses []netip.Addr) error

AddRuleForDenyAll adds a rule that denies all traffic to the given destination addresses. NOTE: This rule limits traffic originating inside the VNet; traffic from outside the VNet is already restricted by the `DenyAllInBound` rule.

func (*RuleHelper) RemoveDestinationFromRules added in v1.29.5

func (helper *RuleHelper) RemoveDestinationFromRules(
	protocol network.SecurityRuleProtocol,
	dstPrefixes []string,
	retainDstPorts []int32,
) error

RemoveDestinationFromRules removes the given destination addresses from rules that match the given protocol and whose destination ports are in the retainDstPorts list. It may add a new rule if the original rule needs to be split.

func (*RuleHelper) SecurityGroup

func (helper *RuleHelper) SecurityGroup() (*network.SecurityGroup, bool, error)

SecurityGroup returns the underlying SecurityGroup object, a bool indicating whether any changes were made through the RuleHelper, and an error.
