Package loadbalancer

v1.32.0 (Latest)

This package is not in the latest version of its module.

Published: Jan 8, 2025 License: Apache-2.0 Imports: 13 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

var (
	ErrSetBothLoadBalancerSourceRangesAndAllowedIPRanges = fmt.Errorf(
		"cannot set both spec.LoadBalancerSourceRanges and service annotation %s", consts.ServiceAnnotationAllowedIPRanges,
	)
)

Functions

func AdditionalPublicIPs added in v1.29.0

func AdditionalPublicIPs(svc *v1.Service) ([]netip.Addr, error)

func AllowedIPRanges

func AllowedIPRanges(svc *v1.Service) ([]netip.Prefix, []string, error)

AllowedIPRanges returns the allowed IP ranges configured by the user through the AKS custom annotations service.beta.kubernetes.io/azure-allowed-ip-ranges and service.beta.kubernetes.io/load-balancer-source-ranges. The second return value holds the entries that could not be parsed as IP ranges.

func AllowedServiceTags

func AllowedServiceTags(svc *v1.Service) []string

AllowedServiceTags returns the allowed service tags configured by the user through the AKS custom annotation.

func EventMessageOfConflictLoadBalancerSourceRangesAndAllowedIPRanges added in v1.32.0

func EventMessageOfConflictLoadBalancerSourceRangesAndAllowedIPRanges() string

func EventMessageOfInvalidAllowedIPRanges added in v1.32.0

func EventMessageOfInvalidAllowedIPRanges(allowedIPRanges []string) string

func EventMessageOfInvalidSourceRanges added in v1.32.0

func EventMessageOfInvalidSourceRanges(sourceRanges []string) string

func IsInternal

func IsInternal(svc *v1.Service) bool

IsInternal returns true if the given service is an internal load balancer.

func SecurityRuleDestinationPortsByProtocol added in v1.29.8

func SecurityRuleDestinationPortsByProtocol(svc *v1.Service) (map[armnetwork.SecurityRuleProtocol][]int32, error)

SecurityRuleDestinationPortsByProtocol returns the service ports grouped by SecurityGroup protocol.

func SourceRanges

func SourceRanges(svc *v1.Service) ([]netip.Prefix, []string, error)

SourceRanges returns the allowed IP ranges configured by the user through `spec.LoadBalancerSourceRanges`. The second return value holds the entries that could not be parsed as IP ranges.

Types

type AccessControl

type AccessControl struct {

	// immutable pre-compute states.
	SourceRanges       []netip.Prefix
	AllowedIPRanges    []netip.Prefix
	AllowedServiceTags []string
	// contains filtered or unexported fields
}

func NewAccessControl

func NewAccessControl(logger logr.Logger, svc *v1.Service, sg *armnetwork.SecurityGroup, opts ...AccessControlOption) (*AccessControl, error)

func (*AccessControl) AllowedIPv4Ranges added in v1.29.0

func (ac *AccessControl) AllowedIPv4Ranges() []netip.Prefix

AllowedIPv4Ranges returns the IPv4 ranges that are allowed to access the LoadBalancer.

func (*AccessControl) AllowedIPv6Ranges added in v1.29.0

func (ac *AccessControl) AllowedIPv6Ranges() []netip.Prefix

AllowedIPv6Ranges returns the IPv6 ranges that are allowed to access the LoadBalancer.

func (*AccessControl) CleanSecurityGroup added in v1.29.0

func (ac *AccessControl) CleanSecurityGroup(
	dstIPv4Addresses, dstIPv6Addresses []netip.Addr,
	retainPortRanges map[armnetwork.SecurityRuleProtocol][]int32,
) error

CleanSecurityGroup removes the given destination IP addresses from the SecurityGroup's rules, keeping the port ranges listed in retainPortRanges.

func (*AccessControl) DenyAllExceptSourceRanges added in v1.29.0

func (ac *AccessControl) DenyAllExceptSourceRanges() bool

DenyAllExceptSourceRanges returns true if any VNet traffic not on the allow list needs to be blocked. By default, the NSG allows traffic from the VNet.

func (*AccessControl) IsAllowFromInternet

func (ac *AccessControl) IsAllowFromInternet() bool

IsAllowFromInternet returns true if the given service is allowed to be accessed from the internet. Specifically:

1. For all types of LB, it returns false if the given service is specified with `service tags` or with `not allowed all IP ranges`, including invalid IP ranges.
2. For an internal LB, it returns true iff the given service is explicitly specified with `allowed all IP ranges`.

Refer: https://github.com/kubernetes-sigs/cloud-provider-azure/issues/698
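To show how the AllowedIPRanges contract (annotation and spec.LoadBalancerSourceRanges are mutually exclusive, unparseable entries are reported rather than dropped) and the IsAllowFromInternet decision above fit together, here is an added stand-alone example; it is not the package's own code. It stands in for v1.Service with a plain annotations map and source-range slice, assumes the annotation value is a comma-separated CIDR list, and assumes "allowed all IP ranges" means an explicit 0.0.0.0/0 or ::/0.

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// Annotation key from the page; the comma-separated value format is an assumption.
const annAllowedIPRanges = "service.beta.kubernetes.io/azure-allowed-ip-ranges"
// Constructed sample value (not from any real cluster) with one deliberate typo.
var sampleAnnotations = map[string]string{annAllowedIPRanges: "10.0.0.0/8, 2001:db8::/32, bogus"}

// parsePrefixes keeps well-formed CIDRs and reports bad entries separately so they can fail closed.
func parsePrefixes(raw []string) (valid []netip.Prefix, invalid []string) {
	for _, s := range raw {
		s = strings.TrimSpace(s)
		if p, err := netip.ParsePrefix(s); err == nil {
			valid = append(valid, p.Masked())
		} else if s != "" {
			invalid = append(invalid, s)
		}
	}
	return valid, invalid
}

// allowedIPRanges reads the annotation or spec.LoadBalancerSourceRanges; setting both is an error.
func allowedIPRanges(annotations map[string]string, sourceRanges []string) ([]netip.Prefix, []string, error) {
	ann, hasAnn := annotations[annAllowedIPRanges]
	if hasAnn && len(sourceRanges) > 0 {
		return nil, nil, fmt.Errorf("cannot set both spec.LoadBalancerSourceRanges and service annotation %s", annAllowedIPRanges)
	}
	if hasAnn {
		sourceRanges = strings.Split(ann, ",")
	}
	valid, invalid := parsePrefixes(sourceRanges)
	return valid, invalid, nil
}

// isAllowFromInternet: service tags or invalid ranges fail closed; internal LBs need an explicit 0.0.0.0/0 or ::/0 (assumed).
func isAllowFromInternet(internal bool, serviceTags []string, valid []netip.Prefix, invalid []string) bool {
	if len(serviceTags) > 0 || len(invalid) > 0 {
		return false
	}
	allowAll := false
	for _, p := range valid {
		allowAll = allowAll || p.Bits() == 0
	}
	return allowAll || (!internal && len(valid) == 0)
}
```

With sampleAnnotations the typo "bogus" lands in the invalid slice, so the service is treated as not reachable from the internet rather than silently opened with the two good prefixes.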

func (*AccessControl) PatchSecurityGroup added in v1.29.0

func (ac *AccessControl) PatchSecurityGroup(dstIPv4Addresses, dstIPv6Addresses []netip.Addr) error

PatchSecurityGroup checks and adds rules for the given destination IP addresses.

func (*AccessControl) SecurityGroup added in v1.29.0

func (ac *AccessControl) SecurityGroup() (*armnetwork.SecurityGroup, bool, error)

SecurityGroup returns the SecurityGroup object with the patched rules and indicates whether the rules have been changed. There are two main operations that alter the SecurityGroup:

1. `PatchSecurityGroup`: add rules for the given destination IP addresses.
2. `CleanSecurityGroup`: remove the given destination IP addresses from all rules.

It returns the unchanged SecurityGroup and `false` if the operations undo each other.

type AccessControlOption added in v1.29.0

type AccessControlOption func(*accessControlOptions)

func WithEventEmitter added in v1.32.0

func WithEventEmitter(emitter K8sEventEmitter) AccessControlOption

type ErrAnnotationValue added in v1.29.0

type ErrAnnotationValue struct {
	AnnotationKey   string
	AnnotationValue string
	Inner           error
}

func NewErrAnnotationValue added in v1.29.0

func NewErrAnnotationValue(key, value string, inner error) *ErrAnnotationValue

func (*ErrAnnotationValue) Error added in v1.29.0

func (err *ErrAnnotationValue) Error() string

type K8sEventEmitter added in v1.32.0

type K8sEventEmitter func(obj runtime.Object, eventType, reason, message string)
