package resolver
v0.0.0-...-d3eceb9
Published: Aug 31, 2017 License: Apache-2.0 Imports: 15 Imported by: 0

Documentation

Overview

Package resolver resolves each Container to a specific Trireme policy based on Kubernetes Policy definitions.

Constants

const KubernetesContainerName = "@usr:io.kubernetes.container.name"

KubernetesContainerName is the label used by Docker for the K8S container name.

const KubernetesInfraContainerName = "POD"

KubernetesInfraContainerName is the name of the infra POD.

const KubernetesNetworkPolicyAnnotationID = "net.beta.kubernetes.io/network-policy"

KubernetesNetworkPolicyAnnotationID is the string used as an annotation key to define if a namespace should have the networkpolicy framework enabled.

const KubernetesPodName = "@usr:io.kubernetes.pod.name"

KubernetesPodName is the label used by Docker for the K8S pod name.

const KubernetesPodNamespace = "@usr:io.kubernetes.pod.namespace"

KubernetesPodNamespace is the label used by Docker for the K8S namespace.

Variables

This section is empty.

Functions

This section is empty.

Types

type IngressIsolationPolicy

type IngressIsolationPolicy string

IngressIsolationPolicy names the ingress isolation mode applied to a namespace.

const (
	// DefaultDeny Deny all ingress traffic to pods in this namespace. Ingress means
	// any incoming traffic to pods, whether that be from other pods within this namespace
	// or any source outside of this namespace.
	DefaultDeny IngressIsolationPolicy = "DefaultDeny"
)

type KubernetesPolicy

type KubernetesPolicy struct {
	KubernetesClient *kubernetes.Client
	// contains filtered or unexported fields
}

KubernetesPolicy represents a Trireme Policer for Kubernetes. It implements the Trireme Resolver interface and implements the policies defined by Kubernetes NetworkPolicy API.

func NewKubernetesPolicy

func NewKubernetesPolicy(kubeconfig string, nodename string, triremeNetworks []string) (*KubernetesPolicy, error)

NewKubernetesPolicy creates a new policy engine for the Trireme package.

func (*KubernetesPolicy) HandlePUEvent

func (k *KubernetesPolicy) HandlePUEvent(contextID string, eventType monitor.Event)

HandlePUEvent is called by Trireme for notification that a specific PU got an event.

func (*KubernetesPolicy) ResolvePolicy

func (k *KubernetesPolicy) ResolvePolicy(contextID string, runtimeGetter policy.RuntimeReader) (*policy.PUPolicy, error)

ResolvePolicy generates the Policy for the target PU. The policy for the PU will be based on the defined Kubernetes NetworkPolicies on the Pod to which the PU belongs.

func (*KubernetesPolicy) Run

func (k *KubernetesPolicy) Run()

Run starts the KubernetesPolicer by watching for Namespace changes. Run is blocking; start it with the go statement.

func (*KubernetesPolicy) SetPolicyUpdater

func (k *KubernetesPolicy) SetPolicyUpdater(policyUpdater trireme.PolicyUpdater) error

SetPolicyUpdater registers the interface used for updating Policies explicitly.

func (*KubernetesPolicy) Stop

func (k *KubernetesPolicy) Stop()

Stop stops all the channels.

type NamespaceIngressPolicy

type NamespaceIngressPolicy struct {
	// The isolation policy to apply to pods in this namespace.
	// Currently this field only supports "DefaultDeny", but could
	// be extended to support other policies in the future.  When set to DefaultDeny,
	// pods in this namespace are denied ingress traffic by default.  When not defined,
	// the cluster default ingress isolation policy is applied (currently allow all).
	Isolation *IngressIsolationPolicy `json:"isolation,omitempty"`
}

NamespaceIngressPolicy is the configuration for ingress to pods within this namespace. For now, it only supports specifying an isolation policy.

type NamespaceNetworkPolicy

type NamespaceNetworkPolicy struct {
	// Ingress configuration for this namespace.  This config is
	// applied to all pods within this namespace. For now, only
	// ingress is supported.  This field is optional - if not
	// defined, then the cluster default for ingress is applied.
	Ingress *NamespaceIngressPolicy `json:"ingress,omitempty"`
}

NamespaceNetworkPolicy is the network policy configuration carried by a namespace. For now, only ingress is supported.

type NamespaceSpec

type NamespaceSpec struct {
	// This is a pointer so that it can be left undefined.
	NetworkPolicy *NamespaceNetworkPolicy `json:"networkPolicy,omitempty"`
}

NamespaceSpec is the standard NamespaceSpec object, modified to include a new NamespaceNetworkPolicy field.
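The constants above and the NamespaceNetworkPolicy / NamespaceIngressPolicy types together describe the two inputs this resolver works from: the Docker labels that tie a container to a Kubernetes pod, and the net.beta.kubernetes.io/network-policy namespace annotation that switches a namespace to DefaultDeny ingress. The following stand-alone Go program is an added example and is not code from this package (the package's own resolver logic lives in unexported fields of KubernetesPolicy): it uses the documented constant values and JSON-tagged types to recover a container's pod identity, flag the infra POD container, and decide whether a namespace's ingress is isolated. The helper names PodIdentity, PodIdentityFromLabels and NamespaceIsDefaultDeny, and the sample labels and annotation values, are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constant values as documented for the resolver package.
const (
	KubernetesContainerName             = "@usr:io.kubernetes.container.name"
	KubernetesInfraContainerName        = "POD"
	KubernetesNetworkPolicyAnnotationID = "net.beta.kubernetes.io/network-policy"
	KubernetesPodName                   = "@usr:io.kubernetes.pod.name"
	KubernetesPodNamespace              = "@usr:io.kubernetes.pod.namespace"
)

// IngressIsolationPolicy and the annotation types mirror the documented ones,
// so that the annotation JSON decodes directly into them.
type IngressIsolationPolicy string

const DefaultDeny IngressIsolationPolicy = "DefaultDeny"

type NamespaceIngressPolicy struct {
	Isolation *IngressIsolationPolicy `json:"isolation,omitempty"`
}

type NamespaceNetworkPolicy struct {
	Ingress *NamespaceIngressPolicy `json:"ingress,omitempty"`
}

// PodIdentity is a hypothetical helper type: the pod a container belongs to,
// and whether the container is the infra (pause) container of that pod.
type PodIdentity struct {
	Namespace string
	Name      string
	Infra     bool
}

// PodIdentityFromLabels (hypothetical) maps a container's Docker labels to its
// pod. A container without both pod labels is not managed by Kubernetes and
// must not be resolved against namespace policy.
func PodIdentityFromLabels(labels map[string]string) (PodIdentity, error) {
	ns, okNS := labels[KubernetesPodNamespace]
	name, okName := labels[KubernetesPodName]
	if !okNS || !okName || ns == "" || name == "" {
		return PodIdentity{}, fmt.Errorf("container is not a Kubernetes pod member: missing pod labels")
	}
	return PodIdentity{
		Namespace: ns,
		Name:      name,
		Infra:     labels[KubernetesContainerName] == KubernetesInfraContainerName,
	}, nil
}

// NamespaceIsDefaultDeny (hypothetical) decodes the network-policy annotation
// of a namespace. A missing annotation or a missing isolation field means the
// cluster default applies (allow all); malformed JSON or an unknown isolation
// value is reported as an error rather than silently treated as allow-all.
func NamespaceIsDefaultDeny(annotations map[string]string) (bool, error) {
	raw, ok := annotations[KubernetesNetworkPolicyAnnotationID]
	if !ok {
		return false, nil
	}
	var np NamespaceNetworkPolicy
	if err := json.Unmarshal([]byte(raw), &np); err != nil {
		return false, fmt.Errorf("invalid %s annotation: %w", KubernetesNetworkPolicyAnnotationID, err)
	}
	if np.Ingress == nil || np.Ingress.Isolation == nil {
		return false, nil
	}
	if *np.Ingress.Isolation == DefaultDeny {
		return true, nil
	}
	return false, fmt.Errorf("unsupported ingress isolation %q", *np.Ingress.Isolation)
}

func main() {
	// Constructed sample input: labels of an infra container and annotations of
	// a namespace that opted into DefaultDeny ingress.
	labels := map[string]string{
		KubernetesPodNamespace:  "payments",
		KubernetesPodName:       "api-7d9f",
		KubernetesContainerName: "POD",
	}
	annotations := map[string]string{
		KubernetesNetworkPolicyAnnotationID: `{"ingress": {"isolation": "DefaultDeny"}}`,
	}
	id, err := PodIdentityFromLabels(labels)
	fmt.Println(id, err)
	deny, err := NamespaceIsDefaultDeny(annotations)
	fmt.Println("default deny:", deny, err)
}
```

Treating an unparseable annotation or an unknown isolation value as an error, instead of falling back to allow-all, is the safe direction for a policy engine: a typo in the annotation should surface loudly rather than quietly leave a namespace open.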

type NamespaceWatcher

type NamespaceWatcher struct {
	// contains filtered or unexported fields
}

NamespaceWatcher implements the policy for a specific Namespace

func NewNamespaceWatcher

func NewNamespaceWatcher(namespace string, podStore kubecache.Store, podController kubecache.Controller, podControllerStop chan struct{},
	policyStore kubecache.Store, policyController kubecache.Controller, policyControllerStop chan struct{}) *NamespaceWatcher

NewNamespaceWatcher initializes a new NamespaceWatcher that watches Pod and NetworkPolicy events in the namespace passed as a parameter.
