policies



Constants

// Direction values: which way a packet is travelling relative to a container.
const (
	// Ingress applies to packets entering a container.
	Ingress Direction = "IN"
	// Egress applies to packets leaving a container.
	Egress Direction = "OUT"
	// Both applies to ingress and egress traffic alike.
	Both Direction = "BOTH"
)

// Verdict values: what happens to a flow that matches an ACL.
const (
	// Allowed accepts the flow (accept on linux).
	Allowed Verdict = "ALLOW"
	// Dropped denies the flow.
	Dropped Verdict = "DROP"
)

// Protocol values accepted in an ACL's Protocol field.
const (
	// TCP selects TCP traffic.
	TCP Protocol = "tcp"
	// UDP selects UDP traffic.
	UDP Protocol = "udp"
	// SCTP selects SCTP traffic.
	SCTP Protocol = "sctp"
	// ICMP selects ICMP traffic.
	ICMP Protocol = "icmp"
	// AnyProtocol stands for all protocols (the value is "all"), so it is the
	// one to use for protocols not listed above.
	AnyProtocol Protocol = "all"
)

Variables

var (
	// TestNetworkPolicies is a fixture of NPMNetworkPolicy values for tests.
	// It references ipsets test metadata and the package-level testACLs slice
	// (declared elsewhere in the package), so the indices used below must stay
	// within the length of testACLs.
	TestNetworkPolicies = []*NPMNetworkPolicy{
		{
			// test1: one pod-selector set and the whole testACLs list.
			Name: "test1",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKVNSList.Metadata},
			},
			ACLs: testACLs,
		},
		{
			// test2: two pod-selector sets and only the first test ACL.
			Name: "test2",
			PodSelectorIPSets: []*ipsets.TranslatedIPSet{
				{Metadata: ipsets.TestKVNSList.Metadata},
				{Metadata: ipsets.TestKeyPodSet.Metadata},
			},
			ACLs: []*ACLPolicy{
				testACLs[0],
			},
		},
		{
			// test3: no pod-selector sets, only the fourth test ACL.
			Name: "test3",
			ACLs: []*ACLPolicy{
				testACLs[3],
			},
		},
	}
)

Functions

func GetAddPolicyTestCalls

func GetAddPolicyTestCalls(_ *NPMNetworkPolicy) []testutils.TestCmd

func GetInitializeTestCalls added in v1.4.15

func GetInitializeTestCalls() []testutils.TestCmd

func GetRemovePolicyTestCalls

func GetRemovePolicyTestCalls(policy *NPMNetworkPolicy) []testutils.TestCmd

func GetResetTestCalls added in v1.4.15

func GetResetTestCalls() []testutils.TestCmd

Types

type ACLPolicy

// ACLPolicy is equivalent to a single iptables rule on linux or a single HNS
// rule on windows. Each field below describes one aspect of that rule.
type ACLPolicy struct {
	// PolicyID is the rule's name within a given network policy.
	// PolicyID will be the same for all ACLs in a Network Policy;
	// it will be "azure-acl-NetPolNS-netPolName".
	PolicyID string
	// Comment is the string attached to the rule to identify its representation.
	Comment string
	// SrcList holds the source IPSet conditions (set, negation flag and
	// match type, see SetInfo) for this rule.
	SrcList []SetInfo
	// DstList holds the destination IPSet conditions in the same form.
	DstList []SetInfo
	// Target is the verdict for a matching flow: an iptables target on linux
	// (i.e. Mark, Accept, Drop); on windows either ALLOW or DENY. Verdict is a
	// string type, so an unset Target is "" rather than Allowed or Dropped;
	// how the dataplane treats that is not visible in this listing.
	Target Verdict
	// Direction defines the flow of traffic (Ingress, Egress or Both).
	Direction Direction
	// DstPorts holds the destination port information. Ports is a value type,
	// so a zero Ports cannot be told apart from one explicitly set to 0/0.
	// TODO(jungukcho): It may be better to use pointer to differentiate default value.
	DstPorts Ports
	// Protocol is the value of the traffic protocol (see the Protocol constants).
	Protocol Protocol
}

ACLPolicy is equivalent to a single iptables rule in Linux or a single HNS rule in Windows.

func NewACLPolicy

func NewACLPolicy(policyNS, policyName string, target Verdict, direction Direction) *ACLPolicy

type Direction

// Direction tells which way a flow is moving relative to a container;
// the valid values are the Ingress, Egress and Both constants.
type Direction string

type MatchType

// MatchType says which part of a packet a SetInfo is matched against.
// Possible values are the constants below; a name with two locations
// (e.g. DstDst) refers to the ip and the port respectively.
type MatchType int8
const (
	// SrcMatch matches on the packet's source.
	SrcMatch    MatchType = 0
	// DstMatch matches on the packet's destination.
	DstMatch    MatchType = 1
	// DstDstMatch matches on the destination ip and the destination port.
	// The value 2 is not assigned in this listing.
	DstDstMatch MatchType = 3
)

Possible MatchTypes. MatchTypes with 2 locations (e.g. DstDst) are for ip and port respectively.

type NPMNetworkPolicy

// NPMNetworkPolicy is the policy-manager representation of one network
// policy: the IPSets it needs and the ACLs (rules) derived from it.
type NPMNetworkPolicy struct {
	// Name of the network policy.
	Name      string
	// NameSpace the network policy belongs to.
	NameSpace string
	// TODO(jungukcho)
	// ipsets.IPSetMetadata is common data in both PodSelectorIPSets and PodSelectorList.
	// So, they can be one datastructure holding all information without redundancy.
	// PodSelectorIPSets holds all the IPSets generated from the Pod Selector.
	PodSelectorIPSets []*ipsets.TranslatedIPSet
	// PodSelectorList holds target pod information to avoid duplication in
	// the SrcList and DstList fields of the ACLs.
	PodSelectorList []SetInfo
	// RuleIPSets holds all IPSets generated from the policy's rules
	// and not from the pod selector IPSets.
	RuleIPSets []*ipsets.TranslatedIPSet
	// ACLs are the rules derived from this policy, one ACLPolicy each.
	ACLs       []*ACLPolicy
	// PodEndpoints maps pod IP (key) to endpoint ID (value).
	// It is populated by the dataplane and the policy manager, not by the
	// translator; it is nil until then, so readers must not write to it.
	PodEndpoints map[string]string
}

type PolicyManager

// PolicyManager adds, removes and looks up NPMNetworkPolicy objects and
// maintains the related chains, talking to the host through the ioShim given
// to NewPolicyManager. Its fields are unexported; use NewPolicyManager rather
// than the zero value.
type PolicyManager struct {
	// contains filtered or unexported fields
}

func NewPolicyManager

func NewPolicyManager(ioShim *common.IOShim) *PolicyManager

func (*PolicyManager) AddPolicy added in v1.4.13

func (pMgr *PolicyManager) AddPolicy(policy *NPMNetworkPolicy, endpointList map[string]string) error

func (*PolicyManager) GetPolicy

func (pMgr *PolicyManager) GetPolicy(name string) (*NPMNetworkPolicy, bool)

func (*PolicyManager) Initialize added in v1.4.15

func (pMgr *PolicyManager) Initialize() error

func (*PolicyManager) PolicyExists

func (pMgr *PolicyManager) PolicyExists(name string) bool

func (*PolicyManager) ReconcileChains added in v1.4.15

func (pMgr *PolicyManager) ReconcileChains(stopChannel <-chan struct{})

ReconcileChains periodically creates the jump rule from the FORWARD chain to the AZURE-NPM chain (if it does not exist) and makes sure it is placed after the jumps to the KUBE-FORWARD and KUBE-SERVICES chains (if they exist).

func (*PolicyManager) RemovePolicy

func (pMgr *PolicyManager) RemovePolicy(name string, endpointList map[string]string) error

func (*PolicyManager) Reset added in v1.4.15

func (pMgr *PolicyManager) Reset() error

type PolicyMap

// PolicyMap is an internal container used by PolicyManager; its fields are
// unexported and its contents are not visible in this listing.
type PolicyMap struct {
	// contains filtered or unexported fields
}

type Ports

// Ports represents a range of ports; to specify one port set Port and EndPort
// to the same value. The fields are int32 here although the package text
// describes uint16 sizing — NOTE(review): confirm which range callers rely on
// and whether out-of-range values are rejected before reaching the dataplane.
type Ports struct {
	Port    int32
	EndPort int32
}

type Protocol

// Protocol names the transport protocol a rule applies to; the valid values
// are the TCP, UDP, SCTP, ICMP and AnyProtocol constants.
type Protocol string

type SetInfo

// SetInfo is one match-set condition of an ACL: which IPSet, whether the
// match is positive or negated, and which packet fields it applies to.
type SetInfo struct {
	// IPSet identifies the set being matched.
	IPSet     *ipsets.IPSetMetadata
	// Included is true for a positive match and false for a negated one
	// (the "!" in a linux match set).
	Included  bool
	// MatchType selects the packet location(s) compared against the set.
	MatchType MatchType
}

SetInfo helps capture additional details in a matchSet. The Included flag captures a negative or positive match: Included is true when the match set does not have "!", and false when the match set has "!". MatchType captures the match direction flags. For example, a match set in linux:

! azure-npm-123 src

Here "!" indicates a negative match (Included is false) of the set azure-npm-123, and the MatchType is "src".

func NewSetInfo

func NewSetInfo(name string, setType ipsets.SetType, included bool, matchType MatchType) SetInfo

Ports represents a range of ports. To specify one port, set Port and EndPort to the same value. uint16 is used since there are 2^16 - 1 TCP/UDP ports (0 is invalid) and 2^16 SCTP ports. ICMP is connectionless and does not use ports. NewSetInfo creates a SetInfo.

type Verdict

// Verdict is the action taken on a flow that matches an ACL; the valid
// values are the Allowed and Dropped constants.
type Verdict string
