loadbalancer

package
v1.30.5 Latest
This package is not in the latest version of its module.
Published: Aug 8, 2024 License: Apache-2.0 Imports: 12 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	ErrSetBothLoadBalancerSourceRangesAndAllowedIPRanges = fmt.Errorf(
		"cannot set both spec.LoadBalancerSourceRanges and service annotation %s", consts.ServiceAnnotationAllowedIPRanges,
	)
)

Functions

func AdditionalPublicIPs added in v1.29.0

func AdditionalPublicIPs(svc *v1.Service) ([]netip.Addr, error)

func AllowedIPRanges

func AllowedIPRanges(svc *v1.Service) ([]netip.Prefix, []string, error)

AllowedIPRanges returns the allowed IP ranges configured by the user through the AKS custom annotations `service.beta.kubernetes.io/azure-allowed-ip-ranges` and `service.beta.kubernetes.io/load-balancer-source-ranges`.

func AllowedServiceTags

func AllowedServiceTags(svc *v1.Service) ([]string, error)

AllowedServiceTags returns the allowed service tags configured by the user through the AKS custom annotation.

func IsInternal

func IsInternal(svc *v1.Service) bool

IsInternal returns true if the given service is an internal load balancer.

func SecurityRuleDestinationPortsByProtocol added in v1.29.8

func SecurityRuleDestinationPortsByProtocol(svc *v1.Service) (map[network.SecurityRuleProtocol][]int32, error)

SecurityRuleDestinationPortsByProtocol returns the service ports grouped by security-rule protocol.

func SourceRanges

func SourceRanges(svc *v1.Service) ([]netip.Prefix, []string, error)

SourceRanges returns the allowed IP ranges configured by the user through `spec.LoadBalancerSourceRanges`.

Types

type AccessControl

type AccessControl struct {

	// immutable pre-compute states.
	SourceRanges       []netip.Prefix
	AllowedIPRanges    []netip.Prefix
	InvalidRanges      []string
	AllowedServiceTags []string
	// contains filtered or unexported fields
}

func NewAccessControl

func NewAccessControl(logger logr.Logger, svc *v1.Service, sg *network.SecurityGroup, opts ...AccessControlOption) (*AccessControl, error)

func (*AccessControl) AllowedIPv4Ranges added in v1.29.0

func (ac *AccessControl) AllowedIPv4Ranges() []netip.Prefix

AllowedIPv4Ranges returns the IPv4 ranges that are allowed to access the LoadBalancer.

func (*AccessControl) AllowedIPv6Ranges added in v1.29.0

func (ac *AccessControl) AllowedIPv6Ranges() []netip.Prefix

AllowedIPv6Ranges returns the IPv6 ranges that are allowed to access the LoadBalancer.

func (*AccessControl) CleanSecurityGroup added in v1.29.0

func (ac *AccessControl) CleanSecurityGroup(
	dstIPv4Addresses, dstIPv6Addresses []netip.Addr,
	retainPortRanges map[network.SecurityRuleProtocol][]int32,
) error

CleanSecurityGroup removes the given IP addresses from the SecurityGroup.

func (*AccessControl) DenyAllExceptSourceRanges added in v1.29.0

func (ac *AccessControl) DenyAllExceptSourceRanges() bool

DenyAllExceptSourceRanges returns true if any VNet traffic not on the allow list needs to be blocked. By default, the NSG allows traffic from the VNet.

func (*AccessControl) IsAllowFromInternet

func (ac *AccessControl) IsAllowFromInternet() bool

IsAllowFromInternet returns true if the given service is allowed to be accessed from the internet. To be specific:

1. For all types of LB, it returns false if the given service is specified with `service tags` or is `not allowed all IP ranges`, including when it has invalid IP ranges.
2. For an internal LB, it returns true iff the given service is explicitly specified with `allowed all IP ranges`.

Refer: https://github.com/kubernetes-sigs/cloud-provider-azure/issues/698
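The doc comments for `AllowedIPRanges`, `SourceRanges`, `AllowedIPv4Ranges`/`AllowedIPv6Ranges` and `IsAllowFromInternet` describe a small decision pipeline: parse the configured ranges, keep the unparseable entries instead of dropping them, split by address family, and then decide whether the service may be reached from the internet. The following stand-alone Go program, added here as an illustration and not code from the cloud-provider-azure project, walks that pipeline with `net/netip`. It assumes annotation values are comma-separated CIDRs, reads both annotation keys and concatenates them, treats "allowed all IP ranges" as an explicit `0.0.0.0/0` or `::/0` entry, and uses a hypothetical `Service` struct in place of `corev1.Service`; the `ErrSetBoth` error and the `AllowFromInternet` rules mirror the page's `ErrSetBothLoadBalancerSourceRangesAndAllowedIPRanges` and the two numbered rules above.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"strings"
)

// Annotation keys named in the AllowedIPRanges doc comment.
const (
	AnnotationAllowedIPRanges = "service.beta.kubernetes.io/azure-allowed-ip-ranges"
	AnnotationSourceRanges    = "service.beta.kubernetes.io/load-balancer-source-ranges"
)

// ErrSetBoth mirrors the package's exported error: the spec field and the
// azure-allowed-ip-ranges annotation are mutually exclusive.
var ErrSetBoth = errors.New("cannot set both spec.LoadBalancerSourceRanges and service annotation " + AnnotationAllowedIPRanges)

// Service is a hypothetical stand-in for the two corev1.Service fields used here.
type Service struct {
	Annotations              map[string]string
	LoadBalancerSourceRanges []string
}

// parseRanges parses CIDR strings into canonical (masked) prefixes. Entries that do not
// parse are returned separately rather than silently dropped: an unparseable range must
// later deny internet access, never widen it.
func parseRanges(values []string) (valid []netip.Prefix, invalid []string) {
	for _, raw := range values {
		s := strings.TrimSpace(raw)
		if s == "" {
			continue
		}
		p, err := netip.ParsePrefix(s)
		if err != nil {
			invalid = append(invalid, s)
			continue
		}
		valid = append(valid, p.Masked())
	}
	return valid, invalid
}

// ResolveAllowedRanges returns the configured ranges, the invalid entries, and ErrSetBoth
// when both the spec field and an annotation are set. Annotation values are assumed to be
// comma-separated; both annotation keys are read and concatenated (an assumption).
func ResolveAllowedRanges(svc Service) ([]netip.Prefix, []string, error) {
	var annotated []string
	for _, key := range []string{AnnotationAllowedIPRanges, AnnotationSourceRanges} {
		if v, ok := svc.Annotations[key]; ok && strings.TrimSpace(v) != "" {
			annotated = append(annotated, strings.Split(v, ",")...)
		}
	}
	if len(svc.LoadBalancerSourceRanges) > 0 && len(annotated) > 0 {
		return nil, nil, ErrSetBoth
	}
	if len(svc.LoadBalancerSourceRanges) > 0 {
		valid, invalid := parseRanges(svc.LoadBalancerSourceRanges)
		return valid, invalid, nil
	}
	valid, invalid := parseRanges(annotated)
	return valid, invalid, nil
}

// SplitByFamily separates prefixes into IPv4 and IPv6 lists, as the AllowedIPv4Ranges and
// AllowedIPv6Ranges accessors do, so each family can get its own NSG rule.
func SplitByFamily(prefixes []netip.Prefix) (v4, v6 []netip.Prefix) {
	for _, p := range prefixes {
		if p.Addr().Is4() {
			v4 = append(v4, p)
		} else {
			v6 = append(v6, p)
		}
	}
	return v4, v6
}

// AllowFromInternet encodes the two IsAllowFromInternet rules. "Allowed all IP ranges" is
// taken to mean an explicit 0.0.0.0/0 or ::/0 entry (an assumption).
func AllowFromInternet(internal bool, allowed []netip.Prefix, invalid, serviceTags []string) bool {
	if len(serviceTags) > 0 || len(invalid) > 0 {
		return false // rule 1: service tags or any invalid range close the service
	}
	explicitAll := false
	for _, p := range allowed {
		if p.Bits() == 0 {
			explicitAll = true
		}
	}
	if len(allowed) > 0 && !explicitAll {
		return false // rule 1: a restricted allow list is not "all IP ranges"
	}
	if internal {
		return explicitAll // rule 2: internal LB opens only on an explicit catch-all
	}
	return true // public LB with no restriction configured
}

func main() {
	// Constructed sample: one IPv4 range, one IPv6 range and one malformed entry.
	svc := Service{Annotations: map[string]string{AnnotationAllowedIPRanges: "10.0.0.0/8, 2001:db8::/32, bogus"}}
	allowed, invalid, err := ResolveAllowedRanges(svc)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	v4, v6 := SplitByFamily(allowed)
	fmt.Println("ipv4:", v4, "ipv6:", v6, "invalid:", invalid)
	fmt.Println("public LB reachable from internet:", AllowFromInternet(false, allowed, invalid, nil))
}
```

The point worth noticing is the handling of `invalid`: a typo in an annotation does not fall back to "no restriction", it makes `AllowFromInternet` return false, which is the fail-closed behaviour the doc comment for `IsAllowFromInternet` describes.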

func (*AccessControl) PatchSecurityGroup added in v1.29.0

func (ac *AccessControl) PatchSecurityGroup(dstIPv4Addresses, dstIPv6Addresses []netip.Addr) error

PatchSecurityGroup checks and adds rules for the given destination IP addresses.

func (*AccessControl) SecurityGroup added in v1.29.0

func (ac *AccessControl) SecurityGroup() (*network.SecurityGroup, bool, error)

SecurityGroup returns the SecurityGroup object with patched rules and indicates whether the rules have been changed. There are two main operations that alter the SecurityGroup:

1. `PatchSecurityGroup`: add rules for the given destination IP addresses.
2. `CleanSecurityGroup`: remove the given destination IP addresses from all rules.

It returns the unchanged SecurityGroup and `false` if the operations undo each other.

type AccessControlOption added in v1.29.0

type AccessControlOption func(*accessControlOptions)

func SkipAnnotationValidation added in v1.29.0

func SkipAnnotationValidation() AccessControlOption

type ErrAnnotationValue added in v1.29.0

type ErrAnnotationValue struct {
	AnnotationKey   string
	AnnotationValue string
	Inner           error
}

func NewErrAnnotationValue added in v1.29.0

func NewErrAnnotationValue(key, value string, inner error) *ErrAnnotationValue

func (*ErrAnnotationValue) Error added in v1.29.0

func (err *ErrAnnotationValue) Error() string
