networkpolicy

package
v1.15.2
Published: Jun 21, 2024 License: Apache-2.0 Imports: 68 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type AuditLogger added in v1.14.0

type AuditLogger struct {
	// contains filtered or unexported fields
}

AuditLogger is used for network policy audit logging. It includes a lumberjack logger and a map used for log deduplication.

func (*AuditLogger) LogDedupPacket added in v1.14.0

func (l *AuditLogger) LogDedupPacket(ob *logInfo)

LogDedupPacket logs information in ob based on disposition and duplication conditions.

type AuditLoggerOptions added in v1.14.0

type AuditLoggerOptions struct {
	MaxSize    int
	MaxBackups int
	MaxAge     int
	Compress   bool
}

type CompletedRule

type CompletedRule struct {

	// Source GroupMembers of this rule; cannot coexist with ToAddresses.
	FromAddresses v1beta.GroupMemberSet
	// Destination GroupMembers of this rule; cannot coexist with FromAddresses.
	ToAddresses v1beta.GroupMemberSet
	// Target GroupMembers of this rule.
	TargetMembers v1beta.GroupMemberSet
	// VLAN ID allocated for this rule if this rule is for an L7 NetworkPolicy.
	L7RuleVlanID *uint32
	// contains filtered or unexported fields
}

CompletedRule contains the IP addresses and Pods flattened from AddressGroups and AppliedToGroups. It is the struct consumed by the reconciler.

func (CompletedRule) Less added in v1.7.0

func (r CompletedRule) Less(r2 *rule) bool

func (*CompletedRule) String

func (r *CompletedRule) String() string

String returns the string representation of the CompletedRule.

type Controller

type Controller struct {
	// contains filtered or unexported fields
}

Controller is responsible for watching Antrea AddressGroups, AppliedToGroups, and NetworkPolicies, feeding them to ruleCache, getting dirty rules from ruleCache, and invoking reconcilers to reconcile them.

        a.Feed AddressGroups,AppliedToGroups
             and NetworkPolicies
|-----------|    <--------    |----------- |  c. Reconcile dirty rules |----------- |
| ruleCache |                 | Controller |     ------------>         | reconciler |
| ----------|    -------->    |----------- |                           |----------- |
            b. Notify dirty rules

func NewNetworkPolicyController

func NewNetworkPolicyController(antreaClientGetter agent.AntreaClientProvider,
	ofClient openflow.Client,
	routeClient route.Interface,
	ifaceStore interfacestore.InterfaceStore,
	fs afero.Fs,
	nodeName string,
	podUpdateSubscriber channel.Subscriber,
	externalEntityUpdateSubscriber channel.Subscriber,
	groupCounters []proxytypes.GroupCounter,
	groupIDUpdates <-chan string,
	antreaPolicyEnabled bool,
	l7NetworkPolicyEnabled bool,
	nodeNetworkPolicyEnabled bool,
	antreaProxyEnabled bool,
	statusManagerEnabled bool,
	multicastEnabled bool,
	loggerOptions *AuditLoggerOptions,
	asyncRuleDeleteInterval time.Duration,
	dnsServerOverride string,
	nodeType config.NodeType,
	v4Enabled bool,
	v6Enabled bool,
	gwPort, tunPort uint32,
	nodeConfig *config.NodeConfig,
	podNetworkWait *utilwait.Group,
	l7Reconciler *l7engine.Reconciler) (*Controller, error)

NewNetworkPolicyController returns a new *Controller.

func (*Controller) GetAddressGroupNum

func (c *Controller) GetAddressGroupNum() int

func (*Controller) GetAddressGroups

func (c *Controller) GetAddressGroups() []v1beta2.AddressGroup

func (*Controller) GetAppliedNetworkPolicies

func (c *Controller) GetAppliedNetworkPolicies(pod, namespace string, npFilter *querier.NetworkPolicyQueryFilter) []v1beta2.NetworkPolicy

GetAppliedNetworkPolicies returns the NetworkPolicies that are applied to the Pod and match the filter.

func (*Controller) GetAppliedToGroupNum

func (c *Controller) GetAppliedToGroupNum() int

func (*Controller) GetAppliedToGroups

func (c *Controller) GetAppliedToGroups() []v1beta2.AppliedToGroup

func (*Controller) GetControllerConnectionStatus

func (c *Controller) GetControllerConnectionStatus() bool

func (*Controller) GetIGMPNPRuleInfo added in v1.8.0

func (c *Controller) GetIGMPNPRuleInfo(podName, podNamespace string, groupAddress net.IP, igmpType uint8) (*types.IGMPNPRuleInfo, error)

GetIGMPNPRuleInfo looks up the IGMP NetworkPolicy rule that matches the given Pod and groupAddress, and returns the rule information if found.

func (*Controller) GetNetworkPolicies

func (c *Controller) GetNetworkPolicies(npFilter *querier.NetworkPolicyQueryFilter) []v1beta2.NetworkPolicy

GetNetworkPolicies returns the requested NetworkPolicies. It returns every NetworkPolicy that matches all of the attributes provided in NetworkPolicyQueryFilter; an attribute that is not provided in NetworkPolicyQueryFilter matches everything.

func (*Controller) GetNetworkPolicyByRuleFlowID

func (c *Controller) GetNetworkPolicyByRuleFlowID(ruleFlowID uint32) *v1beta2.NetworkPolicyReference

func (*Controller) GetNetworkPolicyNum

func (c *Controller) GetNetworkPolicyNum() int

func (*Controller) GetRuleByFlowID

func (c *Controller) GetRuleByFlowID(ruleFlowID uint32) *types.PolicyRule

func (*Controller) HandlePacketIn

func (c *Controller) HandlePacketIn(pktIn *ofctrl.PacketIn) error

HandlePacketIn is the packetIn handler registered to openflow by Antrea network policy agent controller. It performs the appropriate operations based on which bits are set in the "custom reasons" field of the packet received from OVS.

func (*Controller) Run

func (c *Controller) Run(stopCh <-chan struct{})

Run begins watching and processing Antrea AddressGroups, AppliedToGroups and NetworkPolicies, and spawns workers that reconcile NetworkPolicy rules. Run will not return until stopCh is closed.

func (*Controller) SetDenyConnStore added in v1.5.0

func (c *Controller) SetDenyConnStore(denyConnStore *connections.DenyConnectionStore)

type L7RuleReconciler added in v1.10.0

type L7RuleReconciler interface {
	AddRule(ruleID, policyName string, vlanID uint32, l7Protocols []v1beta2.L7Protocol, enableLogging bool) error
	DeleteRule(ruleID string, vlanID uint32) error
}

type Reconciler

type Reconciler interface {
	// Reconcile reconciles the desired state of the provided CompletedRule
	// with the actual state of Openflow entries.
	Reconcile(rule *CompletedRule) error

	// BatchReconcile reconciles the desired state of the provided CompletedRules
	// with the actual state of Openflow entries in batch. It should only be invoked
	// if all rules are newly added without last realized status.
	BatchReconcile(rules []*CompletedRule) error

	// Forget cleans up the actual state of the Openflow entries of the specified ruleID.
	Forget(ruleID string) error

	// GetRuleByFlowID returns the rule from the async rule cache in idAllocator cache.
	GetRuleByFlowID(ruleID uint32) (*types.PolicyRule, bool, error)

	// RunIDAllocatorWorker runs the worker that deletes the rules from the cache
	// in idAllocator.
	RunIDAllocatorWorker(stopCh <-chan struct{})
}

Reconciler is an interface that knows how to reconcile the desired state of CompletedRule with the actual state of Openflow entries.

type StatusController

type StatusController struct {
	// contains filtered or unexported fields
}

StatusController implements StatusManager.

func (*StatusController) DeleteRuleRealization

func (c *StatusController) DeleteRuleRealization(ruleID string)

func (*StatusController) Resync

func (c *StatusController) Resync(policyID types.UID)

func (*StatusController) Run

func (c *StatusController) Run(stopCh <-chan struct{})

func (*StatusController) SetRuleRealization

func (c *StatusController) SetRuleRealization(ruleID string, policyID types.UID)

type StatusManager

type StatusManager interface {
	// SetRuleRealization updates the actual status for the given NetworkPolicy rule.
	SetRuleRealization(ruleID string, policyID types.UID)
	// DeleteRuleRealization deletes the actual status for the given NetworkPolicy rule.
	DeleteRuleRealization(ruleID string)
	// Resync triggers syncing status with the antrea-controller for the given NetworkPolicy.
	Resync(policyID types.UID)
	// Run starts the status sync loop.
	Run(stopCh <-chan struct{})
}

StatusManager keeps track of the realized NetworkPolicy rules. It syncs the status of a NetworkPolicy to the antrea-controller once it is realized. A policy is considered realized when all of its desired rules have been realized and all of its undesired rules have been removed. For each new policy, SetRuleRealization is expected to be called for each of its desired rules, and DeleteRuleRealization for each rule that has been removed.
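As an added illustration of this realization condition (example code written for this page, not Antrea's StatusController; the UID type and the RealizationTracker with its SetDesiredRules helper are assumptions standing in for types.UID and the real implementation), the following tracker reports a policy as realized only when every desired rule is installed and no stale rule of that policy remains:

```go
package main

type UID string // stands in for k8s.io/apimachinery/pkg/types.UID (assumed here)

// RealizationTracker is a hypothetical model of the StatusManager contract above, not Antrea's StatusController.
type RealizationTracker struct {
	desired  map[UID]map[string]struct{} // policy -> rule IDs it currently wants
	realized map[string]UID              // rule ID -> policy whose flows are installed
}

func NewRealizationTracker() *RealizationTracker {
	return &RealizationTracker{desired: map[UID]map[string]struct{}{}, realized: map[string]UID{}}
}

// SetDesiredRules records the rule set a new or updated policy should have (assumed helper).
func (t *RealizationTracker) SetDesiredRules(policyID UID, ruleIDs ...string) {
	set := make(map[string]struct{}, len(ruleIDs))
	for _, id := range ruleIDs {
		set[id] = struct{}{}
	}
	t.desired[policyID] = set
}

// SetRuleRealization: the reconciler has installed the rule's Openflow entries.
func (t *RealizationTracker) SetRuleRealization(ruleID string, policyID UID) {
	t.realized[ruleID] = policyID
}

// DeleteRuleRealization: the rule's Openflow entries have been removed.
func (t *RealizationTracker) DeleteRuleRealization(ruleID string) {
	delete(t.realized, ruleID)
}

// Realized is true when every desired rule is installed and no stale rule of the policy remains.
func (t *RealizationTracker) Realized(policyID UID) bool {
	want := t.desired[policyID]
	for id := range want {
		if t.realized[id] != policyID {
			return false // a desired rule is still pending
		}
	}
	for id, p := range t.realized {
		if _, ok := want[id]; p == policyID && !ok {
			return false // an undesired rule has not been removed yet
		}
	}
	return true
}
```

A policy update that drops a rule therefore stays unrealized until DeleteRuleRealization is called for that rule, which is why the reconciler's Forget path must report removals as well as installs.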
