Documentation ¶
Index ¶
- Variables
- func AdditionalPublicIPs(svc *v1.Service) ([]netip.Addr, error)
- func AllowedIPRanges(svc *v1.Service) ([]netip.Prefix, []string, error)
- func AllowedServiceTags(svc *v1.Service) ([]string, error)
- func IsInternal(svc *v1.Service) bool
- func SecurityRuleDestinationPortsByProtocol(svc *v1.Service) (map[network.SecurityRuleProtocol][]int32, error)
- func SourceRanges(svc *v1.Service) ([]netip.Prefix, []string, error)
- type AccessControl
- func (ac *AccessControl) AllowedIPv4Ranges() []netip.Prefix
- func (ac *AccessControl) AllowedIPv6Ranges() []netip.Prefix
- func (ac *AccessControl) CleanSecurityGroup(dstIPv4Addresses, dstIPv6Addresses []netip.Addr, ...) error
- func (ac *AccessControl) DenyAllExceptSourceRanges() bool
- func (ac *AccessControl) IsAllowFromInternet() bool
- func (ac *AccessControl) PatchSecurityGroup(dstIPv4Addresses, dstIPv6Addresses []netip.Addr) error
- func (ac *AccessControl) SecurityGroup() (*network.SecurityGroup, bool, error)
- type AccessControlOption
- type ErrAnnotationValue
Constants ¶
This section is empty.
Variables ¶
var (
	ErrSetBothLoadBalancerSourceRangesAndAllowedIPRanges = fmt.Errorf(
		"cannot set both spec.LoadBalancerSourceRanges and service annotation %s",
		consts.ServiceAnnotationAllowedIPRanges,
	)
)
Functions ¶
func AdditionalPublicIPs ¶ added in v1.29.0
func AdditionalPublicIPs(svc *v1.Service) ([]netip.Addr, error)
func AllowedIPRanges ¶
func AllowedIPRanges(svc *v1.Service) ([]netip.Prefix, []string, error)
AllowedIPRanges returns the allowed IP ranges configured by the user through the AKS custom annotations service.beta.kubernetes.io/azure-allowed-ip-ranges and service.beta.kubernetes.io/load-balancer-source-ranges.
func AllowedServiceTags ¶
func AllowedServiceTags(svc *v1.Service) ([]string, error)
AllowedServiceTags returns the allowed service tags configured by the user through the AKS custom annotation.
func IsInternal ¶
func IsInternal(svc *v1.Service) bool
IsInternal returns true if the given service is an internal load balancer.
func SecurityRuleDestinationPortsByProtocol ¶ added in v1.29.8
func SecurityRuleDestinationPortsByProtocol(svc *v1.Service) (map[network.SecurityRuleProtocol][]int32, error)
SecurityRuleDestinationPortsByProtocol returns the service ports grouped by SecurityGroup protocol.
Types ¶
type AccessControl ¶
type AccessControl struct {
	// immutable pre-compute states.
	SourceRanges       []netip.Prefix
	AllowedIPRanges    []netip.Prefix
	InvalidRanges      []string
	AllowedServiceTags []string
	// contains filtered or unexported fields
}
func NewAccessControl ¶
func NewAccessControl(logger logr.Logger, svc *v1.Service, sg *network.SecurityGroup, opts ...AccessControlOption) (*AccessControl, error)
func (*AccessControl) AllowedIPv4Ranges ¶ added in v1.29.0
func (ac *AccessControl) AllowedIPv4Ranges() []netip.Prefix
AllowedIPv4Ranges returns the IPv4 ranges that are allowed to access the LoadBalancer.
func (*AccessControl) AllowedIPv6Ranges ¶ added in v1.29.0
func (ac *AccessControl) AllowedIPv6Ranges() []netip.Prefix
AllowedIPv6Ranges returns the IPv6 ranges that are allowed to access the LoadBalancer.
func (*AccessControl) CleanSecurityGroup ¶ added in v1.29.0
func (ac *AccessControl) CleanSecurityGroup(
	dstIPv4Addresses, dstIPv6Addresses []netip.Addr,
	retainPortRanges map[network.SecurityRuleProtocol][]int32,
) error
CleanSecurityGroup removes the given IP addresses from the SecurityGroup.
func (*AccessControl) DenyAllExceptSourceRanges ¶ added in v1.29.0
func (ac *AccessControl) DenyAllExceptSourceRanges() bool
DenyAllExceptSourceRanges returns true if it needs to block any VNet traffic not on the allow list. By default, the NSG allows traffic from the VNet.
func (*AccessControl) IsAllowFromInternet ¶
func (ac *AccessControl) IsAllowFromInternet() bool
IsAllowFromInternet returns true if the given service is allowed to be accessed from the internet. To be specific:
1. For all types of LB, it returns false if the given service is specified with `service tags` or `not allowed all IP ranges`, including invalid IP ranges.
2. For an internal LB, it returns true iff the given service is explicitly specified with `allowed all IP ranges`.
Refer: https://github.com/kubernetes-sigs/cloud-provider-azure/issues/698
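To make the rules behind AllowedIPRanges and IsAllowFromInternet concrete, the following is an added example that models them in plain Go with net/netip; it is not the project's code. The AccessModel and NewAccessModel names, the parsing of the annotations as comma-separated prefix lists, and the reading of "allowed all IP ranges" as an explicit 0.0.0.0/0 or ::/0 are assumptions made for the example.

```go
package main
import (
	"fmt"
	"net/netip"
	"strings"
)
// Annotation keys quoted on this page.
const annAllowedIPRanges, annSourceRanges = "service.beta.kubernetes.io/azure-allowed-ip-ranges", "service.beta.kubernetes.io/load-balancer-source-ranges"
// AccessModel is a simplified stand-in for the pre-computed state the page lists for AccessControl.
type AccessModel struct {
	AllowedIPv4, AllowedIPv6 []netip.Prefix
	InvalidRanges            []string // malformed entries are kept, never silently dropped
	ServiceTags              []string
	Internal                 bool
	allowAll                 bool // assumption: "allowed all IP ranges" means an explicit 0.0.0.0/0 or ::/0
}
// addRanges splits a comma-separated list into v4, v6 and invalid entries.
func (m *AccessModel) addRanges(raw string) {
	for _, s := range strings.FieldsFunc(raw, func(r rune) bool { return r == ',' || r == ' ' }) {
		p, err := netip.ParsePrefix(s)
		if err != nil {
			m.InvalidRanges = append(m.InvalidRanges, s)
			continue
		}
		m.allowAll = m.allowAll || p.Bits() == 0
		if p.Addr().Is4() {
			m.AllowedIPv4 = append(m.AllowedIPv4, p.Masked())
		} else {
			m.AllowedIPv6 = append(m.AllowedIPv6, p.Masked())
		}
	}
}
// NewAccessModel takes annotations, spec.loadBalancerSourceRanges, service tags and the internal-LB flag.
func NewAccessModel(ann map[string]string, specRanges, tags []string, internal bool) (*AccessModel, error) {
	allowed, hasAllowed := ann[annAllowedIPRanges]
	if hasAllowed && len(specRanges) > 0 { // the conflict ErrSetBothLoadBalancerSourceRangesAndAllowedIPRanges names
		return nil, fmt.Errorf("cannot set both spec.LoadBalancerSourceRanges and service annotation %s", annAllowedIPRanges)
	}
	m := &AccessModel{ServiceTags: tags, Internal: internal}
	m.addRanges(allowed + "," + ann[annSourceRanges] + "," + strings.Join(specRanges, ","))
	return m, nil
}
// IsAllowFromInternet applies rules 1 and 2 quoted above.
func (m *AccessModel) IsAllowFromInternet() bool {
	if len(m.ServiceTags) > 0 || len(m.InvalidRanges) > 0 {
		return false // rule 1: service tags or any invalid range fail closed
	}
	// rule 2: an internal LB needs an explicit allow-all; an external LB is open unless restricted.
	return m.allowAll || (!m.Internal && len(m.AllowedIPv4)+len(m.AllowedIPv6) == 0)
}
```

The point worth noticing is that a single malformed range does not widen access: it lands in InvalidRanges and the decision fails closed, matching rule 1 above.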
func (*AccessControl) PatchSecurityGroup ¶ added in v1.29.0
func (ac *AccessControl) PatchSecurityGroup(dstIPv4Addresses, dstIPv6Addresses []netip.Addr) error
PatchSecurityGroup checks and adds rules for the given destination IP addresses.
func (*AccessControl) SecurityGroup ¶ added in v1.29.0
func (ac *AccessControl) SecurityGroup() (*network.SecurityGroup, bool, error)
SecurityGroup returns the SecurityGroup object with patched rules and indicates whether the rules have been changed. There are mainly two operations that alter the SecurityGroup:
1. `PatchSecurityGroup`: add rules for the given destination IP addresses.
2. `CleanSecurityGroup`: remove the given destination IP addresses from all rules.
It returns the unchanged SecurityGroup and `false` if the operations undo each other.
type AccessControlOption ¶ added in v1.29.0
type AccessControlOption func(*accessControlOptions)
func SkipAnnotationValidation ¶ added in v1.29.0
func SkipAnnotationValidation() AccessControlOption
type ErrAnnotationValue ¶ added in v1.29.0
func NewErrAnnotationValue ¶ added in v1.29.0
func NewErrAnnotationValue(key, value string, inner error) *ErrAnnotationValue
func (*ErrAnnotationValue) Error ¶ added in v1.29.0
func (err *ErrAnnotationValue) Error() string