Documentation ¶
Index ¶
- Constants
- Variables
- func FindResourcesBasedOnKind(cloudResources []*CloudResource) (map[string]struct{}, map[string]struct{})
- func GenerateCloudDescription(namespacedName string) (string, error)
- func GetControllerAddressGroupPrefix() string
- func GetControllerAppliedToPrefix() string
- func IsNepheControllerCreatedSG(cloudSgName string) (string, bool, bool)
- func SetAppliedToGroup(ruleAppliedTo []string, policyAppliedTo []string, r Rule)
- func SetCloudResourcePrefix(CloudResourcePrefix string)
- func SplitCloudRulesByDirection(rules []*CloudRule) ([]*CloudRule, []*CloudRule)
- type CloudResource
- type CloudResourceID
- type CloudResourceType
- type CloudRule
- type CloudRuleDescription
- type CloudSecurityGroupAPI
- type EgressRule
- type IngressRule
- type Rule
- type SynchronizationContent
Constants ¶
// Field labels used when a rule description is serialized into a cloud
// rule's description string (see GenerateCloudDescription).
const (
	Name      = "Name"
	Namespace = "Ns"
)
Variables ¶
// Name prefixes that mark cloud security groups as controller-owned. They are
// empty until assigned (presumably by SetCloudResourcePrefix — TODO confirm);
// ownership checks such as IsNepheControllerCreatedSG key off these prefixes,
// so they must be set before any SG is created or inspected.
var (
	ControllerPrefix             string
	ControllerAddressGroupPrefix string
	ControllerAppliedToPrefix    string
)
// Kinds of cloud resource a security group can be attached to. The values are
// taken from the Go type names of the runtime API objects via reflection, so a
// rename of those types propagates here automatically.
var (
	CloudResourceTypeVM  = CloudResourceType(reflect.TypeOf(runtimev1alpha1.VirtualMachine{}).Name())
	CloudResourceTypeNIC = CloudResourceType(reflect.TypeOf(runtimev1alpha1.NetworkInterface{}).Name())
)
// ProtocolNameNumMap maps a lower-case protocol name to its IANA protocol
// number. Map lookups are case-sensitive, so callers must lower-case a name
// before indexing; an unknown name yields 0 with ok == false.
var ProtocolNameNumMap = map[string]int{
	"icmp":   1,  // Internet Control Message Protocol
	"igmp":   2,  // Internet Group Management Protocol
	"tcp":    6,  // Transmission Control Protocol
	"udp":    17, // User Datagram Protocol
	"icmpv6": 58, // ICMP for IPv6
}
Functions ¶
func FindResourcesBasedOnKind ¶
func FindResourcesBasedOnKind(cloudResources []*CloudResource) (map[string]struct{}, map[string]struct{})
func GenerateCloudDescription ¶
GenerateCloudDescription builds a CloudRuleDescription from namespacedName and returns its serialized string form, or an error if it cannot be produced.
func GetControllerAddressGroupPrefix ¶
func GetControllerAddressGroupPrefix() string
func GetControllerAppliedToPrefix ¶
func GetControllerAppliedToPrefix() string
func IsNepheControllerCreatedSG ¶
IsNepheControllerCreatedSG reports whether the cloud security group named cloudSgName was created by nephe. It returns the SG name together with two booleans that indicate whether the SG is an AppliedToGroup SG and whether it is an AddressGroup SG. Because only the name is inspected, any SG whose name matches the controller's naming scheme is treated as nephe-owned.
func SetAppliedToGroup ¶
SetAppliedToGroup sets the AppliedToGroup of the ingress or egress rule r from either the rule-level list (ruleAppliedTo) or the policy-level list (policyAppliedTo).
func SetCloudResourcePrefix ¶
func SetCloudResourcePrefix(CloudResourcePrefix string)
func SplitCloudRulesByDirection ¶
SplitCloudRulesByDirection splits the given CloudRule slice into two, one for ingress rules and one for egress rules.
Types ¶
type CloudResource ¶
// CloudResource uniquely identifies a cloud resource by its kind, its cloud
// identifier, the owning account and the cloud provider.
type CloudResource struct {
	// Type is the resource kind (see CloudResourceTypeVM / CloudResourceTypeNIC).
	Type CloudResourceType
	CloudResourceID
	// AccountID identifies the owning account. Per the TODO it is really the
	// account's namespaced name — TODO: Rename AccountID to AccountNameSpacedName.
	AccountID string
	// CloudProvider names the provider the resource lives in.
	CloudProvider string
}
CloudResource uniquely identifies a cloud resource.
func (*CloudResource) String ¶
func (c *CloudResource) String() string
type CloudResourceID ¶
func (*CloudResourceID) GetCloudName ¶
func (c *CloudResourceID) GetCloudName(membershipOnly bool) string
func (*CloudResourceID) String ¶
func (c *CloudResourceID) String() string
type CloudResourceType ¶
type CloudResourceType string
CloudResourceType specifies the type of cloud resource.
type CloudRule ¶
type CloudRuleDescription ¶
func ExtractCloudDescription ¶
func ExtractCloudDescription(description *string) (*CloudRuleDescription, bool)
ExtractCloudDescription converts a string to a CloudRuleDescription object.
func (*CloudRuleDescription) String ¶
func (r *CloudRuleDescription) String() string
type CloudSecurityGroupAPI ¶
// CloudSecurityGroupAPI is the contract a cloud plug-in implements so the
// network-policy controller can program cloud security groups. Every mutating
// call is asynchronous: the plug-in returns a channel and the caller waits on
// it for the completion status.
type CloudSecurityGroupAPI interface {
	// CreateSecurityGroup asks the plug-in to create the SecurityGroup name.
	// membershipOnly is true when the group exists only to track membership
	// and never carries ingress/egress rules.
	// The caller is expected to wait on the returned channel for the status.
	CreateSecurityGroup(name *CloudResource, membershipOnly bool) <-chan error

	// UpdateSecurityGroupRules applies addRules to and removes rmRules from
	// SecurityGroup name. The group, and every SecurityGroup referenced by
	// addRules and rmRules, must already have been created. (The original
	// comment describes this as updating the rules "in entirety"; whether the
	// plug-in treats the pair as a full replacement or an incremental delta is
	// not visible here — confirm against the implementations.)
	UpdateSecurityGroupRules(name *CloudResource, addRules, rmRules []*CloudRule) <-chan error

	// UpdateSecurityGroupMembers updates the membership of SecurityGroup name
	// to members. The group must already have been created. For an applied-to
	// group this is called only once the group has rules configured.
	UpdateSecurityGroupMembers(name *CloudResource, members []*CloudResource, membershipOnly bool) <-chan error

	// DeleteSecurityGroup deletes SecurityGroup name, which must already have
	// been created and must be empty.
	DeleteSecurityGroup(name *CloudResource, membershipOnly bool) <-chan error

	// GetSecurityGroupSyncChan returns the channel on which the plug-in
	// publishes the complete set of SGs it has configured in the cloud.
	// Usage pattern:
	//  1. The controller obtains the channel once, at initialization.
	//  2. The controller waits on it; each wake-up delivers the entire SG set.
	//  3. The plug-in publishes once after its initial sync with the cloud and
	//     then periodically.
	//  4. On each delivery the controller reconciles the Kubernetes
	//     configuration against the cloud configuration.
	// This keeps the plug-in stateless. The periodic publish is also what lets
	// the controller revert SGs changed out-of-band (e.g. by an operator
	// editing them directly through the cloud API or console), so drift
	// correction depends on the plug-in publishing periodically, not only at
	// startup.
	GetSecurityGroupSyncChan() <-chan SynchronizationContent
}
CloudSecurityGroupAPI declares the interface used to program cloud security groups.
// CloudSecurityGroup is the process-wide entry point used to configure
// cloud-specific security groups. It is nil until an implementation is
// assigned (presumably by the active cloud plug-in — TODO confirm), so callers
// must not use it before that assignment.
var (
	CloudSecurityGroup CloudSecurityGroupAPI
)
type EgressRule ¶
// EgressRule specifies one egress rule of a cloud SecurityGroup.
type EgressRule struct {
	// ToPort is the destination port; nil presumably means "any port" —
	// confirm against the plug-ins.
	ToPort *int
	// ToDstIP lists the destination CIDRs the rule matches.
	ToDstIP []*net.IPNet
	// ToSecurityGroups lists destination security groups by cloud identifier.
	ToSecurityGroups []*CloudResourceID
	// Protocol is the IP protocol number (see ProtocolNameNumMap); nil
	// presumably means "any protocol" — confirm.
	Protocol *int
	// AppliedToGroup is the set of applied-to group names this rule belongs to.
	AppliedToGroup map[string]struct{}
}
EgressRule specifies one egress rule of cloud SecurityGroup.
type IngressRule ¶
// IngressRule specifies one ingress rule of a cloud SecurityGroup.
type IngressRule struct {
	// FromPort is the port the rule matches; nil presumably means "any port"
	// — confirm against the plug-ins.
	FromPort *int
	// FromSrcIP lists the source CIDRs the rule matches.
	FromSrcIP []*net.IPNet
	// FromSecurityGroups lists source security groups by cloud identifier.
	FromSecurityGroups []*CloudResourceID
	// Protocol is the IP protocol number (see ProtocolNameNumMap); nil
	// presumably means "any protocol" — confirm.
	Protocol *int
	// AppliedToGroup is the set of applied-to group names this rule belongs to.
	AppliedToGroup map[string]struct{}
}
IngressRule specifies one ingress rule of cloud SecurityGroup.
type SynchronizationContent ¶
// SynchronizationContent describes one SecurityGroup as currently configured
// in the cloud. It is what a plug-in publishes on the channel returned by
// GetSecurityGroupSyncChan, and it is the controller's only view of
// out-of-band changes, so every field must reflect cloud state rather than
// the controller's intent.
type SynchronizationContent struct {
	// Resource identifies the security group itself.
	Resource CloudResource
	// MembershipOnly is true when the group only tracks membership.
	MembershipOnly bool
	// Members are the resources attached to the group.
	Members []CloudResource
	// MembersWithOtherSGAttached are members that also carry other SGs.
	MembersWithOtherSGAttached []CloudResource
	// IngressRules and EgressRules are the group's rules as found in the cloud.
	IngressRules []CloudRule
	EgressRules  []CloudRule
}
SynchronizationContent describes the content of one SecurityGroup as configured in the cloud.