Version: v0.0.0-...-36f1a77 Latest

Published: Nov 1, 2016 License: GPL-2.0 Imports: 0 Imported by: 0



Package policy describes a generic interface for retrieving policies. Different implementations are possible for environments such as Kubernetes, Mesos or other custom environments. An implementation has to provide a method for retrieving policy based on the metadata associated with the container and deleting the policy when the container dies. It is up to the implementation to decide how to generate the policy. The package also defines the basic data structure for communicating policy information. The implementations are responsible for providing all the necessary data.



const (
	// Equal is the equal operator
	Equal = "="
	// NotEqual is the not equal operator
	NotEqual = "=!"
	// KeyExists is the key=* operator
	KeyExists = "*"
	// KeyNotExists means that the key does not exist in the incoming tags
	KeyNotExists = "!*"
)

const (
	// Accept is the accept action
	Accept = 0x1
	// Log instructs that the flow be logged
	Log = 0x2
	// Encrypt instructs data to be encrypted
	Encrypt = 0x4
)

const (
	// AllowAll allows everything for the specific PU.
	AllowAll = 0x1
	// Police filters on the PU based on the PolicyRules.
	Police = 0x2
)




type FlowAction

type FlowAction int

FlowAction is the action applied to a flow. The Accept, Log and Encrypt constants are bit flags (0x1, 0x2, 0x4) and can be combined with |.

type IPRule

type IPRule struct {
	Address  string
	Port     string
	Protocol string
}

IPRule holds one IP table rule (used in both IngressACLs and EgressACLs) towards an external service: the remote Address, Port and Protocol.
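Address, Port and Protocol are free-form strings that an implementation will eventually turn into firewall rules, so they deserve validation when the policy is loaded rather than when the rule is installed. The validator below is an added example, not part of the policy package or of Trireme; the accepted syntax (a CIDR or bare IP, an empty port, a single port or a "lo-hi" range, and the protocols tcp, udp and icmp) and the names ValidateIPRule and validatePort are this example's assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// IPRule is copied from the policy package so this file runs stand-alone.
type IPRule struct {
	Address  string
	Port     string
	Protocol string
}

// ValidateIPRule checks an IPRule before it is turned into a firewall rule.
// The accepted syntax is this example's assumption, not the package's:
// Address is a CIDR or a bare IP (taken as /32 or /128), Port is empty (any),
// one port, or "lo-hi" within 1-65535, and Protocol is tcp, udp or icmp.
// Anything else is rejected at policy-load time rather than becoming a
// silently broken or over-broad rule in the data path.
func ValidateIPRule(r IPRule) error {
	addr := r.Address
	if !strings.Contains(addr, "/") {
		if net.ParseIP(addr) == nil {
			return fmt.Errorf("address %q is neither an IP nor a CIDR", addr)
		}
		// Widen a bare IP to a host prefix; ':' distinguishes IPv6 the same
		// way net.ParseCIDR does.
		if strings.Contains(addr, ":") {
			addr += "/128"
		} else {
			addr += "/32"
		}
	}
	if _, _, err := net.ParseCIDR(addr); err != nil {
		return fmt.Errorf("address %q: %v", r.Address, err)
	}
	switch strings.ToLower(r.Protocol) {
	case "tcp", "udp":
		return validatePort(r.Port)
	case "icmp":
		if r.Port != "" {
			return fmt.Errorf("protocol icmp does not take a port, got %q", r.Port)
		}
		return nil
	}
	return fmt.Errorf("unsupported protocol %q", r.Protocol)
}

// validatePort accepts "" (any port), "443" or "8000-8080".
func validatePort(p string) error {
	if p == "" {
		return nil
	}
	lo, hi := p, p
	if i := strings.Index(p, "-"); i >= 0 {
		lo, hi = p[:i], p[i+1:]
	}
	// ParseUint with bitSize 16 rejects signs, junk and anything above 65535.
	l, errLo := strconv.ParseUint(lo, 10, 16)
	h, errHi := strconv.ParseUint(hi, 10, 16)
	if errLo != nil || errHi != nil || l < 1 || l > h {
		return fmt.Errorf("port %q is not a port or lo-hi range within 1-65535", p)
	}
	return nil
}

func main() {
	for _, r := range []IPRule{
		{Address: "10.0.0.0/8", Port: "443", Protocol: "tcp"},
		{Address: "10.0.0.1", Port: "8080-8000", Protocol: "tcp"},
	} {
		fmt.Printf("%+v -> %v\n", r, ValidateIPRule(r))
	}
}
```

Run the check over every entry of IngressACLs and EgressACLs before handing the policy to the enforcer, and fail the whole policy on the first error: a partially installed ACL set is harder to reason about than a rejected one.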

type KeyValueOperator

type KeyValueOperator struct {
	Key      string
	Value    []string
	Operator Operator
}

KeyValueOperator describes one matching term: a tag Key, the Operator, and the Value(s) the key is compared against.

type Operator

type Operator string

Operator defines the comparison applied between a key and its value(s); see the Equal, NotEqual, KeyExists and KeyNotExists constants.

type PUAction

type PUAction int

PUAction defines the action that applies to a specific PU as a whole: AllowAll or Police.

type PUInfo

type PUInfo struct {
	// ContextID is the ID of the container that the policy applies to
	ContextID string
	// Policy is an instantiation of the container policy
	Policy *PUPolicy
	// Runtime captures all data obtained from the container at run time
	Runtime *PURuntime
}

PUInfo captures all policy and runtime information related to a processing unit (PU)

func NewPUInfo

func NewPUInfo(contextID string) *PUInfo

NewPUInfo instantiates a new PUInfo for the given contextID

func PUInfoFromPolicyAndRuntime

func PUInfoFromPolicyAndRuntime(contextID string, policyInfo *PUPolicy, runtimeInfo *PURuntime) *PUInfo

PUInfoFromPolicyAndRuntime generates a PUInfo from an existing PUPolicy and PURuntime

type PUPolicy

type PUPolicy struct {
	// ManagementID is provided for the policy implementations as a means of
	// holding a policy identifier related to the implementation
	ManagementID string
	// TriremeAction defines what level of policy should be applied to that container.
	TriremeAction PUAction
	// IngressACLs is the list of ACLs to be applied when the container talks
	// to IP Addresses outside the data center
	IngressACLs []IPRule
	// EgressACLs is the list of ACLs to be applied from IP Addresses outside
	// the data center
	EgressACLs []IPRule
	// PolicyTags are the tags that will be sent on the wire and used for policing.
	PolicyTags TagsMap
	// Rules is the set of rules that implement the label matching.
	Rules []TagSelector
	// Extensions is an interface to a data structure that allows the policy supervisor
	// to pass additional instructions to a plugin. Plugin and policy must be
	// coordinated to implement the interface
	Extensions interface{}
}

PUPolicy captures all policy information related to the container

func NewPUPolicy

func NewPUPolicy() *PUPolicy

NewPUPolicy generates a new, empty PUPolicy

type PURuntime

type PURuntime struct {
	// contains filtered or unexported fields
}

PURuntime holds all data related to the status of the container run time

func NewPURuntime

func NewPURuntime() *PURuntime

NewPURuntime generates a new, empty PURuntime

func (*PURuntime) DefaultIPAddress

func (r *PURuntime) DefaultIPAddress() (string, bool)

DefaultIPAddress returns the default IP address for the processing unit

func (*PURuntime) IPAddresses

func (r *PURuntime) IPAddresses() map[string]string

IPAddresses returns all the IP addresses for the processing unit

func (*PURuntime) Name

func (r *PURuntime) Name() string

Name returns the name of the processing unit

func (*PURuntime) Pid

func (r *PURuntime) Pid() int

Pid returns the PID

func (*PURuntime) SetIPAddresses

func (r *PURuntime) SetIPAddresses(ipa map[string]string)

SetIPAddresses sets up all the IP addresses for the processing unit

func (*PURuntime) SetName

func (r *PURuntime) SetName(name string)

SetName sets the name of the processing unit

func (*PURuntime) SetPid

func (r *PURuntime) SetPid(pid int)

SetPid sets the PID

func (*PURuntime) SetTags

func (r *PURuntime) SetTags(tags TagsMap)

SetTags sets tags for the processing unit

func (*PURuntime) Tag

func (r *PURuntime) Tag(key string) (string, bool)

Tag returns a specific tag for the processing unit

func (*PURuntime) Tags

func (r *PURuntime) Tags() TagsMap

Tags returns tags for the processing unit

type RuntimeReader

type RuntimeReader interface {

	// Pid returns the Pid of the Runtime.
	Pid() int

	// Name returns the process name of the Runtime.
	Name() string

	// Tag returns the value of the given tag.
	Tag(string) (string, bool)

	// Tags returns the list of the tags.
	Tags() TagsMap

	// DefaultIPAddress returns the default IP address.
	DefaultIPAddress() (string, bool)

	// IPAddresses returns all the IP addresses.
	IPAddresses() map[string]string
}

A RuntimeReader gives read-only access to the parameters stored in the Runtime; *PURuntime satisfies it.

type TagSelector

type TagSelector struct {
	Clause []KeyValueOperator
	Action FlowAction
}

TagSelector describes a tag selector: a Clause made of key/operator/value terms and the FlowAction to apply to flows that match it

type TagsMap

type TagsMap map[string]string

A TagsMap is a map of Key:Values used as tags.
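The package defines the rule data structures (TagSelector, KeyValueOperator, Operator, FlowAction, TagsMap) but leaves the matching itself to the implementation. The following is an added example, not code from the policy package or from Trireme, of how an enforcer might evaluate a PU's Rules against the tags carried by an incoming flow. The types and constants are copied inline so the file runs stand-alone. The matching semantics are this example's assumptions: the terms of a Clause are ANDed, the first matching selector wins, Value is treated as a set, Equal and NotEqual require the key to be present (absence is expressed with KeyNotExists), an unknown operator never matches, and no match at all means the flow is denied. ExampleRules and the sample tags are constructed for the example.

```go
package main

import "fmt"

// Copied from the policy package so this file runs stand-alone; import it in real code.
type Operator string
type FlowAction int
type TagsMap map[string]string

const (
	Equal        = "="
	NotEqual     = "=!"
	KeyExists    = "*"
	KeyNotExists = "!*"
)

const (
	Accept  = 0x1
	Log     = 0x2
	Encrypt = 0x4
)

type KeyValueOperator struct {
	Key      string
	Value    []string
	Operator Operator
}

type TagSelector struct {
	Clause []KeyValueOperator
	Action FlowAction
}

// matchOne evaluates one term. Semantics are this example's assumption, not
// the package's: Value is a set, Equal/NotEqual require the key to be present
// (absence is expressed with KeyNotExists), unknown operators fail closed.
func matchOne(kv KeyValueOperator, tags TagsMap) bool {
	v, present := tags[kv.Key]
	switch kv.Operator {
	case KeyExists:
		return present
	case KeyNotExists:
		return !present
	case Equal, NotEqual:
		if !present {
			return false
		}
		inSet := false
		for _, want := range kv.Value {
			inSet = inSet || v == want
		}
		return inSet == (kv.Operator == Equal)
	}
	return false
}

// Evaluate returns the Action of the first TagSelector whose Clause is fully
// satisfied (terms are ANDed) and ok=false when none is: default deny. An
// empty Clause is skipped because it would otherwise match every flow.
func Evaluate(rules []TagSelector, tags TagsMap) (FlowAction, bool) {
	for _, sel := range rules {
		if len(sel.Clause) == 0 {
			continue
		}
		matched := true
		for _, kv := range sel.Clause {
			matched = matched && matchOne(kv, tags)
		}
		if matched {
			return sel.Action, true
		}
	}
	return 0, false
}

// ExampleRules is a constructed rule set that exercises all four operators.
func ExampleRules() []TagSelector {
	return []TagSelector{
		// web tier in prod or staging: accept and log the flow
		{Clause: []KeyValueOperator{
			{Key: "app", Value: []string{"web"}, Operator: Equal},
			{Key: "env", Value: []string{"prod", "staging"}, Operator: Equal},
		}, Action: Accept | Log},
		// any PU that carries a role tag, as long as env is set and not prod
		{Clause: []KeyValueOperator{
			{Key: "role", Operator: KeyExists},
			{Key: "env", Value: []string{"prod"}, Operator: NotEqual},
		}, Action: Accept},
		// db tier only when no debug tag is present, and then encrypted
		{Clause: []KeyValueOperator{
			{Key: "app", Value: []string{"db"}, Operator: Equal},
			{Key: "debug", Operator: KeyNotExists},
		}, Action: Accept | Encrypt},
	}
}

func main() {
	fmt.Println(Evaluate(ExampleRules(), TagsMap{"app": "db", "env": "dev"})) // 5 true
}
```

Two points worth keeping when writing the real matcher: a selector with an empty Clause must never be treated as "match everything", and the ok=false result must be wired to a drop, not to a fall-through into an allow. Since Accept, Log and Encrypt are bit flags, a caller checks for a bit with action&Accept != 0 rather than comparing for equality.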
