networkpolicy

package
v1.15.1
Warning: This package is not in the latest version of its module.
Published: Mar 25, 2024 License: Apache-2.0 Imports: 62 Imported by: 0

Documentation

Overview

Package networkpolicy provides the NetworkPolicyController implementation, which manages and synchronizes the Pods, GroupMembers and Namespaces affected by Network Policies and enforces their rules.

Index

Constants

const (

	// TierIndex is used to index ClusterNetworkPolicies by Tier names.
	TierIndex = "tier"
	// PriorityIndex is used to index Tiers by their priorities.
	PriorityIndex = "priority"
	// ClusterGroupIndex is used to index ClusterNetworkPolicies by ClusterGroup names.
	ClusterGroupIndex = "clustergroup"
	// GroupIndex is used to index Antrea NetworkPolicies by Group names.
	GroupIndex = "group"

	// EnableNPLoggingAnnotationKey can be added to Namespace to enable logging K8s NP.
	EnableNPLoggingAnnotationKey = "networkpolicy.antrea.io/enable-logging"

	// HasPerNamespaceRule is the index value used to look up ClusterNetworkPolicies that contain per-Namespace rules.
	HasPerNamespaceRule = "true"
)

Variables

var (

	// DefaultTierPriority maintains the priority for the system generated default Tier.
	// This is the lowest priority for tiers that will be enforced before K8s NetworkPolicies.
	DefaultTierPriority = int32(250)
	// BaselineTierPriority maintains the priority for the system generated baseline Tier.
	// This is the tier that will be enforced after K8s NetworkPolicies.
	BaselineTierPriority = int32(253)
)
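The two priorities above fix where Kubernetes NetworkPolicies sit in the evaluation order: Tiers up to DefaultTierPriority (250) are evaluated before them, the baseline Tier (253) after them. The following is an added example, not code from the Antrea project, that models that ordering with the standard library only. The Tier names in the sample input are constructed, the K8sNPStage sentinel and the handling of priorities 251 and 252 are this example's own choices, and Antrea's Pass action (which defers a decision to a later stage) is not modeled.

```go
package main

import (
	"fmt"
	"sort"
)

// Mirrors of the two priorities exported by the networkpolicy package
// (DefaultTierPriority = 250, BaselineTierPriority = 253), redeclared so the
// example builds without importing Antrea.
const (
	defaultTierPriority  int32 = 250
	baselineTierPriority int32 = 253
)

// K8sNPStage is a sentinel chosen for this example to mark where K8s
// NetworkPolicies are evaluated relative to the Antrea Tiers.
const K8sNPStage = "<K8s NetworkPolicies>"

// Tier is a minimal stand-in for an Antrea Tier: lower Priority is
// evaluated first.
type Tier struct {
	Name     string
	Priority int32
}

// EnforcementOrder returns the Tier names in evaluation order with the K8s
// NetworkPolicy stage inserted after every Tier whose priority is at most
// DefaultTierPriority and before every Tier whose priority is at least
// BaselineTierPriority. The page does not say what happens to a Tier with
// priority 251 or 252; this example places such a Tier after the K8s stage
// (an assumption). Ties are broken by name for a stable result.
func EnforcementOrder(tiers []Tier) []string {
	sorted := append([]Tier(nil), tiers...)
	sort.SliceStable(sorted, func(i, j int) bool {
		if sorted[i].Priority != sorted[j].Priority {
			return sorted[i].Priority < sorted[j].Priority
		}
		return sorted[i].Name < sorted[j].Name
	})
	out := make([]string, 0, len(sorted)+1)
	inserted := false
	for _, t := range sorted {
		if !inserted && t.Priority > defaultTierPriority {
			out = append(out, K8sNPStage)
			inserted = true
		}
		out = append(out, t.Name)
	}
	if !inserted {
		out = append(out, K8sNPStage)
	}
	return out
}

// FirstMatch reports which stage decides a packet when several stages carry
// a matching rule: the earliest stage in EnforcementOrder wins. This is why
// a baseline-Tier Drop cannot override a K8s NetworkPolicy Allow, while an
// early-Tier Drop overrides everything evaluated after it. Antrea's Pass
// action, which explicitly defers to a later stage, is not modeled here.
func FirstMatch(order []string, matching map[string]bool) string {
	for _, stage := range order {
		if matching[stage] {
			return stage
		}
	}
	return ""
}

func main() {
	// Constructed sample Tiers; only the two priorities above come from the
	// page, the names are illustrative.
	tiers := []Tier{
		{"baseline", baselineTierPriority},
		{"application", defaultTierPriority},
		{"securityops", 100},
		{"emergency", 50},
	}
	order := EnforcementOrder(tiers)
	fmt.Println(order)
	fmt.Println(FirstMatch(order, map[string]bool{K8sNPStage: true, "baseline": true}))
}
```

The practical consequence for anyone writing a cluster-wide default-deny: put it in the baseline Tier only if every Namespace-level K8s NetworkPolicy Allow is meant to win over it; put it in an earlier Tier if it must not be overridable by Namespace owners.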

Functions

func ConvertClusterGroupCRD

func ConvertClusterGroupCRD(Object *unstructured.Unstructured, toVersion string) (*unstructured.Unstructured, metav1.Status)

func GenerateNetworkPolicyCondition added in v1.8.0

func GenerateNetworkPolicyCondition(err error) []crdv1beta1.NetworkPolicyCondition

GenerateNetworkPolicyCondition generates conditions based on the given error type. Error of nil type means the NetworkPolicyCondition status is True. Supports ErrNetworkPolicyAppliedToUnsupportedGroup error.

func GetAdmissionResponseForErr

func GetAdmissionResponseForErr(err error) *admv1.AdmissionResponse

GetAdmissionResponseForErr returns an object of type AdmissionResponse with the submitted error message.

func NetworkPolicyStatusEqual added in v1.8.0

func NetworkPolicyStatusEqual(oldStatus, newStatus crdv1beta1.NetworkPolicyStatus) bool

NetworkPolicyStatusEqual compares two NetworkPolicyStatus objects. It disregards the LastTransitionTime field in the status Conditions.
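GenerateNetworkPolicyCondition and NetworkPolicyStatusEqual work together: the controller turns a sync error into a status condition, then compares the new status with the stored one to decide whether an update is needed. The following is an added example, not Antrea's code, that shows both contracts with the standard library only. The status types are simplified local mirrors (field names follow the Antrea API but are assumptions here), the condition type "Realizable" and the reason strings are this example's choices, and the handling of wrapped or unrelated errors goes beyond what the page documents.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Simplified mirrors of the crdv1beta1 status types. Field names follow the
// Antrea API but are redeclared here (string-typed) so the example builds
// without importing Antrea; treat them as assumptions.
type NetworkPolicyCondition struct {
	Type               string
	Status             string // "True" or "False"
	LastTransitionTime time.Time
	Reason             string
	Message            string
}

type NetworkPolicyStatus struct {
	Phase                string
	ObservedGeneration   int64
	CurrentNodesRealized int32
	DesiredNodesRealized int32
	Conditions           []NetworkPolicyCondition
}

// ErrAppliedToUnsupportedGroup stands in for the package's
// ErrNetworkPolicyAppliedToUnsupportedGroup: a Group selecting Pods in other
// Namespaces was used as AppliedTo. The message wording is this example's.
type ErrAppliedToUnsupportedGroup struct{ Group string }

func (e *ErrAppliedToUnsupportedGroup) Error() string {
	return "Group " + e.Group + " with Pods in other Namespaces cannot be used as AppliedTo"
}

// GenerateCondition follows the documented contract of
// GenerateNetworkPolicyCondition: a nil error yields a condition with Status
// True; the supported error type yields Status False with a reason. Wrapped
// errors are matched with errors.As, and any other error is reported as not
// realizable with a generic reason (both are choices of this example).
func GenerateCondition(err error, now time.Time) []NetworkPolicyCondition {
	c := NetworkPolicyCondition{Type: "Realizable", Status: "True", LastTransitionTime: now}
	var unsupported *ErrAppliedToUnsupportedGroup
	switch {
	case err == nil:
	case errors.As(err, &unsupported):
		c.Status, c.Reason, c.Message = "False", "NetworkPolicyAppliedToUnsupportedGroup", err.Error()
	default:
		c.Status, c.Reason, c.Message = "False", "Unknown", err.Error()
	}
	return []NetworkPolicyCondition{c}
}

// StatusEqual compares two statuses field by field but, like
// NetworkPolicyStatusEqual, ignores LastTransitionTime: the controller
// stamps a fresh time on every evaluation, so comparing it would make every
// sync look like a change and trigger a needless status update.
func StatusEqual(a, b NetworkPolicyStatus) bool {
	if a.Phase != b.Phase || a.ObservedGeneration != b.ObservedGeneration ||
		a.CurrentNodesRealized != b.CurrentNodesRealized ||
		a.DesiredNodesRealized != b.DesiredNodesRealized ||
		len(a.Conditions) != len(b.Conditions) {
		return false
	}
	for i := range a.Conditions {
		x, y := a.Conditions[i], b.Conditions[i]
		if x.Type != y.Type || x.Status != y.Status || x.Reason != y.Reason || x.Message != y.Message {
			return false
		}
	}
	return true
}

func main() {
	// Constructed input: the same realized status evaluated twice, an hour apart.
	t0 := time.Date(2024, 3, 25, 0, 0, 0, 0, time.UTC)
	old := NetworkPolicyStatus{Phase: "Realized", DesiredNodesRealized: 3, CurrentNodesRealized: 3,
		Conditions: GenerateCondition(nil, t0)}
	renewed := old
	renewed.Conditions = GenerateCondition(nil, t0.Add(time.Hour))
	fmt.Println("unchanged, no update needed:", StatusEqual(old, renewed))

	failed := old
	failed.Conditions = GenerateCondition(&ErrAppliedToUnsupportedGroup{Group: "default/cross-ns"}, t0)
	fmt.Println("changed, update needed:", !StatusEqual(old, failed), failed.Conditions[0].Reason)
}
```

A policy whose Realizable condition is False is not enforced on any Node, so a status watcher (or an antctl check in CI) that fails on Status "False" catches a silently unenforced policy; a comparison that included the timestamp would instead flood the API server with no-op status writes on every sync.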

func NewEndpointQuerier

func NewEndpointQuerier(networkPolicyController *NetworkPolicyController) *endpointQuerier

NewEndpointQuerier returns a new *endpointQuerier.

Types

type Endpoint

type Endpoint struct {
	Namespace string   `json:"namespace,omitempty"`
	Name      string   `json:"name,omitempty"`
	Policies  []Policy `json:"policies,omitempty"`
	Rules     []Rule   `json:"rules,omitempty"`
}

type EndpointQuerier

type EndpointQuerier interface {
	// QueryNetworkPolicies returns the list of NetworkPolicies which apply to the provided Pod,
	// along with the list NetworkPolicies which select the provided Pod in one of their policy
	// rules (ingress or egress).
	QueryNetworkPolicies(namespace string, podName string) (*EndpointQueryResponse, error)
}

EndpointQuerier handles requests for antctl endpoint queries.

type EndpointQueryResponse

type EndpointQueryResponse struct {
	Endpoints []Endpoint `json:"endpoints,omitempty"`
}

EndpointQueryResponse is the reply struct for antctl endpoint queries.

type ErrNetworkPolicyAppliedToUnsupportedGroup added in v1.7.3

type ErrNetworkPolicyAppliedToUnsupportedGroup struct {
	// contains filtered or unexported fields
}

ErrNetworkPolicyAppliedToUnsupportedGroup is an error response when a Group with Pods in other Namespaces is used as AppliedTo.

func (*ErrNetworkPolicyAppliedToUnsupportedGroup) Error added in v1.7.3

func (e *ErrNetworkPolicyAppliedToUnsupportedGroup) Error() string

type NetworkPolicyController

type NetworkPolicyController struct {
	// contains filtered or unexported fields
}

NetworkPolicyController is responsible for synchronizing the Namespaces and Pods affected by a Network Policy.

func NewNetworkPolicyController

func NewNetworkPolicyController(kubeClient clientset.Interface,
	crdClient versioned.Interface,
	groupingInterface grouping.Interface,
	labelIdentityInterface labelidentity.Interface,
	namespaceInformer coreinformers.NamespaceInformer,
	serviceInformer coreinformers.ServiceInformer,
	networkPolicyInformer networkinginformers.NetworkPolicyInformer,
	nodeInformer coreinformers.NodeInformer,
	acnpInformer crdv1b1informers.ClusterNetworkPolicyInformer,
	annpInformer crdv1b1informers.NetworkPolicyInformer,
	adminNPInformer policyinformers.AdminNetworkPolicyInformer,
	banpInformer policyinformers.BaselineAdminNetworkPolicyInformer,
	tierInformer crdv1b1informers.TierInformer,
	cgInformer crdv1b1informers.ClusterGroupInformer,
	grpInformer crdv1b1informers.GroupInformer,
	addressGroupStore storage.Interface,
	appliedToGroupStore storage.Interface,
	internalNetworkPolicyStore storage.Interface,
	internalGroupStore storage.Interface,
	stretchedNPEnabled bool) *NetworkPolicyController

NewNetworkPolicyController returns a new *NetworkPolicyController.

func (*NetworkPolicyController) GetAddressGroupNum

func (n *NetworkPolicyController) GetAddressGroupNum() int

func (*NetworkPolicyController) GetAppliedToGroupNum

func (n *NetworkPolicyController) GetAppliedToGroupNum() int

func (*NetworkPolicyController) GetAssociatedGroups

func (c *NetworkPolicyController) GetAssociatedGroups(name, namespace string) []antreatypes.Group

GetAssociatedGroups retrieves the internal Groups associated with the entity being queried (Pod or ExternalEntity identified by name and namespace).

func (*NetworkPolicyController) GetAssociatedIPBlockGroups added in v1.12.0

func (c *NetworkPolicyController) GetAssociatedIPBlockGroups(ip net.IP) []antreatypes.Group

func (*NetworkPolicyController) GetConnectedAgentNum

func (n *NetworkPolicyController) GetConnectedAgentNum() int

GetConnectedAgentNum gets the number of Agents which are connected to this Controller. Since an Agent watches all three stores (internalNetworkPolicyStore, appliedToGroupStore, addressGroupStore), the number of watchers of any one of them equals the number of connected Agents. The number of watchers of appliedToGroupStore is used here because internalNetworkPolicyStore is also watched by the StatusController of the same process, which would inflate the count by one.

func (*NetworkPolicyController) GetGroupMembers

GetGroupMembers returns the current members of a ClusterGroup/Group. If the ClusterGroup/Group is defined with IPBlocks, the returned members will be []controlplane.IPBlock. Otherwise, the returned members will be of type controlplane.GroupMemberSet.

func (*NetworkPolicyController) GetNetworkPolicyNum

func (n *NetworkPolicyController) GetNetworkPolicyNum() int

func (*NetworkPolicyController) InitializeTiers

func (n *NetworkPolicyController) InitializeTiers()

InitializeTiers initializes the default Tiers created by Antrea on init. It first attempts to retrieve each Tier by its name from K8s and, if it is missing, creates the CR. InitializeTiers is called as part of a post-start hook of the antrea-controller APIServer.

func (*NetworkPolicyController) Run

func (n *NetworkPolicyController) Run(stopCh <-chan struct{})

Run begins watching and syncing of a NetworkPolicyController.

type NetworkPolicyMutator

type NetworkPolicyMutator struct {
	// contains filtered or unexported fields
}

func NewNetworkPolicyMutator

func NewNetworkPolicyMutator(networkPolicyController *NetworkPolicyController) *NetworkPolicyMutator

NewNetworkPolicyMutator returns a new *NetworkPolicyMutator.

func (*NetworkPolicyMutator) Mutate

Mutate mutates an Antrea-native policy object.

type NetworkPolicyValidator

type NetworkPolicyValidator struct {
	// contains filtered or unexported fields
}

NetworkPolicyValidator maintains the list of validator objects which validate the Antrea-native policy related resources.

func NewNetworkPolicyValidator

func NewNetworkPolicyValidator(networkPolicyController *NetworkPolicyController) *NetworkPolicyValidator

NewNetworkPolicyValidator returns a new *NetworkPolicyValidator.

func (*NetworkPolicyValidator) RegisterAdminNetworkPolicyValidator added in v1.13.0

func (v *NetworkPolicyValidator) RegisterAdminNetworkPolicyValidator(a validator)

func (*NetworkPolicyValidator) RegisterAntreaPolicyValidator

func (v *NetworkPolicyValidator) RegisterAntreaPolicyValidator(a validator)

RegisterAntreaPolicyValidator registers an Antrea-native policy validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.

func (*NetworkPolicyValidator) RegisterGroupValidator

func (v *NetworkPolicyValidator) RegisterGroupValidator(g validator)

RegisterGroupValidator registers a Group validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.

func (*NetworkPolicyValidator) RegisterTierValidator

func (v *NetworkPolicyValidator) RegisterTierValidator(t validator)

RegisterTierValidator registers a Tier validator to the resource registry. A new validator must be registered by calling this function before the Run phase of the APIServer.

func (*NetworkPolicyValidator) Validate

Validate validates a Group, ClusterGroup, Tier or Antrea policy object.

type Policy

type Policy struct {
	PolicyRef
}

type PolicyRef

type PolicyRef struct {
	Namespace string    `json:"namespace,omitempty"`
	Name      string    `json:"name,omitempty"`
	UID       types.UID `json:"uid,omitempty"`
}

type Rule

type Rule struct {
	PolicyRef
	Direction cpv1beta.Direction `json:"direction,omitempty"`
	RuleIndex int                `json:"ruleindex,omitempty"`
}

type StatusController

type StatusController struct {
	// contains filtered or unexported fields
}

StatusController is responsible for synchronizing the status of Antrea ClusterNetworkPolicy and Antrea NetworkPolicy.

func NewStatusController

func NewStatusController(antreaClient antreaclientset.Interface, internalNetworkPolicyStore storage.Interface, acnpInformer crdinformers.ClusterNetworkPolicyInformer, annpInformer crdinformers.NetworkPolicyInformer) *StatusController

func (*StatusController) Run

func (c *StatusController) Run(stopCh <-chan struct{})

Run begins watching and syncing of a StatusController.

func (*StatusController) UpdateStatus

func (c *StatusController) UpdateStatus(status *controlplane.NetworkPolicyStatus) error
