Index ¶
- Constants
- Variables
- func GenerateAllowSecurityRuleName(protocol network.SecurityRuleProtocol, ipFamily iputil.Family, ...) string
- func GenerateDenyAllSecurityRuleName(ipFamily iputil.Family) string
- func NormalizeDestinationPortRanges(dstPorts []int32) []string
- func NormalizeSecurityRuleAddressPrefixes(vs []string) []string
- type RuleHelper
- func (helper *RuleHelper) AddRuleForAllowedIPRanges(ipRanges []netip.Prefix, protocol network.SecurityRuleProtocol, ...) error
- func (helper *RuleHelper) AddRuleForAllowedServiceTag(serviceTag string, protocol network.SecurityRuleProtocol, ...) error
- func (helper *RuleHelper) AddRuleForDenyAll(dstAddresses []netip.Addr) error
- func (helper *RuleHelper) RemoveDestinationPrefixesFromRules(prefixes []string)
- func (helper *RuleHelper) SecurityGroup() (*network.SecurityGroup, bool, error)
Constants ¶
const (
	// SecurityRuleNamePrefix marks security rules as generated by this package.
	// Presumably used by GenerateAllowSecurityRuleName and
	// GenerateDenyAllSecurityRuleName — confirm against their implementations.
	SecurityRuleNamePrefix = "k8s-azure-lb"
	// SecurityRuleNameSep separates the components of a generated rule name.
	SecurityRuleNameSep = "_"
)
const (
	// MaxSecurityRulesPerGroup is the upper bound on rules in a single security group.
	// NOTE(review): these values look like platform quota limits for a network security
	// group; confirm they still match the current limits, and confirm that the
	// AddRule* methods check them (ErrSecurityRulePriorityExhausted suggests a related check).
	MaxSecurityRulesPerGroup = 1_000
	// MaxSecurityRuleSourceIPsPerGroup is the upper bound on distinct source IPs
	// across all rules of a security group.
	MaxSecurityRuleSourceIPsPerGroup = 4_000
	// MaxSecurityRuleDestinationIPsPerGroup is the upper bound on distinct destination
	// IPs across all rules of a security group.
	MaxSecurityRuleDestinationIPsPerGroup = 4_000
)
const (
	// ServiceTagInternet is the service tag accepted by AddRuleForAllowedServiceTag.
	// Presumably the platform's "Internet" tag, i.e. all public address space; an allow
	// rule built from it admits traffic from any public source — confirm before use.
	ServiceTagInternet = "Internet"
)
Variables ¶
var (
	// ErrInvalidSecurityGroup reports a SecurityGroup object the helper cannot work with
	// (presumably returned by NewSecurityGroupHelper — confirm).
	ErrInvalidSecurityGroup = fmt.Errorf("invalid SecurityGroup object")
	// ErrSecurityRulePriorityExhausted reports that no free rule priority remains,
	// so a new rule cannot be added.
	ErrSecurityRulePriorityExhausted = fmt.Errorf("security rule priority exhausted")
	// ErrSecurityRuleSourceAddressesNotFromSameIPFamily reports mixed IPv4/IPv6
	// source addresses in one rule.
	ErrSecurityRuleSourceAddressesNotFromSameIPFamily = fmt.Errorf("security rule source addresses must be from the same IP family")
	// ErrSecurityRuleDestinationAddressesNotFromSameIPFamily reports mixed IPv4/IPv6
	// destination addresses in one rule.
	ErrSecurityRuleDestinationAddressesNotFromSameIPFamily = fmt.Errorf("security rule destination addresses must be from the same IP family")
	// ErrSecurityRuleSourceAndDestinationNotFromSameIPFamily reports that a rule's
	// source and destination addresses belong to different IP families.
	ErrSecurityRuleSourceAndDestinationNotFromSameIPFamily = fmt.Errorf("security rule source addresses and destination addresses must be from the same IP family")
	// NOTE(review): none of these messages format any verbs, so errors.New would be the
	// idiomatic constructor; callers should compare with errors.Is.
)
Functions ¶
func GenerateAllowSecurityRuleName ¶
func GenerateAllowSecurityRuleName( protocol network.SecurityRuleProtocol, ipFamily iputil.Family, srcPrefixes []string, dstPorts []int32, ) string
GenerateAllowSecurityRuleName returns the AllowInbound rule name based on the given rule properties.
func GenerateDenyAllSecurityRuleName ¶
GenerateDenyAllSecurityRuleName returns the DenyInbound rule name based on the given rule properties.
func NormalizeDestinationPortRanges ¶
NormalizeDestinationPortRanges normalizes the given destination port ranges.
func NormalizeSecurityRuleAddressPrefixes ¶
NormalizeSecurityRuleAddressPrefixes normalizes the given rule address prefixes.
Types ¶
type RuleHelper ¶
// RuleHelper manages security rules within a security group.
// Obtain one with NewSecurityGroupHelper and read the result back with SecurityGroup.
type RuleHelper struct {
	// contains filtered or unexported fields
}
RuleHelper manages security rules within a security group.
func NewSecurityGroupHelper ¶
func NewSecurityGroupHelper(sg *network.SecurityGroup) (*RuleHelper, error)
func (*RuleHelper) AddRuleForAllowedIPRanges ¶
func (helper *RuleHelper) AddRuleForAllowedIPRanges( ipRanges []netip.Prefix, protocol network.SecurityRuleProtocol, dstAddresses []netip.Addr, dstPorts []int32, ) error
AddRuleForAllowedIPRanges adds an allow rule for inbound traffic from the given source IP ranges to the given destination addresses and ports.
func (*RuleHelper) AddRuleForAllowedServiceTag ¶
func (helper *RuleHelper) AddRuleForAllowedServiceTag( serviceTag string, protocol network.SecurityRuleProtocol, dstAddresses []netip.Addr, dstPorts []int32, ) error
AddRuleForAllowedServiceTag adds an allow rule for inbound traffic from the given service tag to the given destination addresses and ports.
func (*RuleHelper) AddRuleForDenyAll ¶
func (helper *RuleHelper) AddRuleForDenyAll(dstAddresses []netip.Addr) error
AddRuleForDenyAll adds a rule that denies all inbound traffic to the given destination addresses. NOTE: This rule restricts traffic originating inside the VNet. Traffic coming from outside the VNet is already blocked by the default rule `DenyAllInBound`.
func (*RuleHelper) RemoveDestinationPrefixesFromRules ¶
func (helper *RuleHelper) RemoveDestinationPrefixesFromRules(prefixes []string)
RemoveDestinationPrefixesFromRules removes the given destination address prefixes from every rule in the security group.
func (*RuleHelper) SecurityGroup ¶
func (helper *RuleHelper) SecurityGroup() (*network.SecurityGroup, bool, error)
SecurityGroup returns the underlying SecurityGroup object and a bool reporting whether any changes were made through the RuleHelper.