securitygroup

package
v1.32.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Jan 8, 2025 License: Apache-2.0 Imports: 27 Imported by: 0

Documentation

Overview

Package securitygroup is a generated GoMock package.

Index

Constants

View Source 
const (
	SecurityRuleNamePrefix = "k8s-azure-lb"
	SecurityRuleNameSep    = "_"
)
View Source 
const (
	MaxSecurityRulesPerGroup              = 1_000
	MaxSecurityRuleSourceIPsPerGroup      = 4_000
	MaxSecurityRuleDestinationIPsPerGroup = 4_000
)

Refer: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/azure-subscription-service-limits?toc=%2Fazure%2Fvirtual-network%2Ftoc.json#azure-resource-manager-virtual-networking-limits

View Source 
const (
	ServiceTagInternet = "Internet"
)

Variables

View Source 
var (
	ErrInvalidSecurityGroup                                = fmt.Errorf("invalid SecurityGroup object")
	ErrSecurityRulePriorityExhausted                       = fmt.Errorf("security rule priority exhausted")
	ErrSecurityRuleSourceAddressesNotFromSameIPFamily      = fmt.Errorf("security rule source addresses must be from the same IP family")
	ErrSecurityRuleDestinationAddressesNotFromSameIPFamily = fmt.Errorf("security rule destination addresses must be from the same IP family")
	ErrSecurityRuleSourceAndDestinationNotFromSameIPFamily = fmt.Errorf("security rule source addresses and destination addresses must be from the same IP family")
)

Functions

func GenerateAllowSecurityRuleName 

func GenerateAllowSecurityRuleName(
	protocol armnetwork.SecurityRuleProtocol,
	ipFamily iputil.Family,
	srcPrefixes []string,
	dstPorts []int32,
) string

GenerateAllowSecurityRuleName returns the AllowInbound rule name based on the given rule properties.

func GenerateDenyAllSecurityRuleName 

func GenerateDenyAllSecurityRuleName(ipFamily iputil.Family) string

GenerateDenyAllSecurityRuleName returns the DenyInbound rule name based on the given rule properties.

func ListDestinationPortRanges 

func ListDestinationPortRanges(r *armnetwork.SecurityRule) ([]int32, error)

func ListDestinationPrefixes 

func ListDestinationPrefixes(r *armnetwork.SecurityRule) []string

func ListSourcePrefixes 

func ListSourcePrefixes(r *armnetwork.SecurityRule) []string

func NormalizeDestinationPortRanges 

func NormalizeDestinationPortRanges(dstPorts []int32) []string

NormalizeDestinationPortRanges normalizes the given destination port ranges.

func NormalizeSecurityRuleAddressPrefixes 

func NormalizeSecurityRuleAddressPrefixes(vs []string) []string

NormalizeSecurityRuleAddressPrefixes normalizes the given rule address prefixes.

func ProtocolFromKubernetes 

func ProtocolFromKubernetes(p v1.Protocol) (armnetwork.SecurityRuleProtocol, error)

func SetDestinationPrefixes 

func SetDestinationPrefixes(r *armnetwork.SecurityRule, prefixes []string)

Types

type MockRepository 

type MockRepository struct {
	// contains filtered or unexported fields
}

MockRepository is a mock of Repository interface.

func NewMockRepository 

func NewMockRepository(ctrl *gomock.Controller) *MockRepository

NewMockRepository creates a new mock instance.

func (*MockRepository) CreateOrUpdateSecurityGroup 

func (m *MockRepository) CreateOrUpdateSecurityGroup(ctx context.Context, sg *armnetwork.SecurityGroup) error

CreateOrUpdateSecurityGroup mocks base method.

func (*MockRepository) EXPECT 

func (m *MockRepository) EXPECT() *MockRepositoryMockRecorder

EXPECT returns an object that allows the caller to indicate expected use.

func (*MockRepository) GetSecurityGroup 

func (m *MockRepository) GetSecurityGroup(ctx context.Context) (*armnetwork.SecurityGroup, error)

GetSecurityGroup mocks base method.

type MockRepositoryMockRecorder 

type MockRepositoryMockRecorder struct {
	// contains filtered or unexported fields
}

MockRepositoryMockRecorder is the mock recorder for MockRepository.

func (*MockRepositoryMockRecorder) CreateOrUpdateSecurityGroup 

func (mr *MockRepositoryMockRecorder) CreateOrUpdateSecurityGroup(ctx, sg any) *gomock.Call

CreateOrUpdateSecurityGroup indicates an expected call of CreateOrUpdateSecurityGroup.

func (*MockRepositoryMockRecorder) GetSecurityGroup 

func (mr *MockRepositoryMockRecorder) GetSecurityGroup(ctx any) *gomock.Call

GetSecurityGroup indicates an expected call of GetSecurityGroup.

type Repository 

type Repository interface {
	GetSecurityGroup(ctx context.Context) (*armnetwork.SecurityGroup, error)
	CreateOrUpdateSecurityGroup(ctx context.Context, sg *armnetwork.SecurityGroup) error
}

func NewSecurityGroupRepo 

func NewSecurityGroupRepo(securityGroupResourceGroup string, securityGroupName string, nsgCacheTTLInSeconds int, disableAPICallCache bool, securityGroupClient securitygroupclient.Interface) (Repository, error)

type RuleHelper 

type RuleHelper struct {
	// contains filtered or unexported fields
}

RuleHelper manages security rules within a security group.

func NewSecurityGroupHelper 

func NewSecurityGroupHelper(logger logr.Logger, sg *armnetwork.SecurityGroup) (*RuleHelper, error)

func (*RuleHelper) AddRuleForAllowedIPRanges 

func (helper *RuleHelper) AddRuleForAllowedIPRanges(
	ipRanges []netip.Prefix,
	protocol armnetwork.SecurityRuleProtocol,
	dstAddresses []netip.Addr,
	dstPorts []int32,
) error

AddRuleForAllowedIPRanges adds a rule for traffic from certain IP ranges.

func (*RuleHelper) AddRuleForAllowedServiceTag 

func (helper *RuleHelper) AddRuleForAllowedServiceTag(
	serviceTag string,
	protocol armnetwork.SecurityRuleProtocol,
	dstAddresses []netip.Addr,
	dstPorts []int32,
) error

AddRuleForAllowedServiceTag adds a rule for traffic from a certain service tag.

func (*RuleHelper) AddRuleForDenyAll 

func (helper *RuleHelper) AddRuleForDenyAll(dstAddresses []netip.Addr) error

AddRuleForDenyAll adds a rule to deny all traffic from the given destination addresses. NOTE: This rule is to limit the traffic inside the VNet. The traffic out of the VNet is already limited by rule `DenyAllInBound`.

func (*RuleHelper) RemoveDestinationFromRules 

func (helper *RuleHelper) RemoveDestinationFromRules(
	protocol armnetwork.SecurityRuleProtocol,
	dstPrefixes []string,
	retainDstPorts []int32,
) error

RemoveDestinationFromRules removes the given destination addresses from rules that match the given protocol and ports is in the retainDstPorts list. It may add a new rule if the original rule needs to be split.

func (*RuleHelper) SecurityGroup 

func (helper *RuleHelper) SecurityGroup() (*armnetwork.SecurityGroup, bool, error)

SecurityGroup returns the underlying SecurityGroup object and a bool indicating whether any changes were made to the RuleHelper.

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.