Documentation ¶
Index ¶
- Constants
- Variables
- func APICanModify(e *Endpoint) error
- func FilterEPDir(dirFiles []os.FileInfo) []string
- func ParseExternalRegenerationMetadata(ctx context.Context, c context.CancelFunc, ...) *regenerationContext
- func ReadEPsFromDirNames(owner regeneration.Owner, basePath string, eptsDirNames []string) map[uint16]*Endpoint
- type DeleteConfig
- type Endpoint
- func (e *Endpoint) Allows(id identityPkg.NumericIdentity) bool
- func (e *Endpoint) ApplyPolicyMapChanges(proxyWaitGroup *completion.WaitGroup) error
- func (e *Endpoint) BPFConfigMapPath() string
- func (e *Endpoint) BPFIpvlanMapPath() string
- func (e *Endpoint) BuilderSetStateLocked(toState, reason string) bool
- func (e *Endpoint) CallsMapPathLocked() string
- func (e *Endpoint) CloseBPFProgramChannel()
- func (e *Endpoint) ConntrackLocal() bool
- func (e *Endpoint) ConntrackLocalLocked() bool
- func (e *Endpoint) ConntrackName() string
- func (e *Endpoint) DeleteBPFProgramLocked() error
- func (e *Endpoint) DeleteMapsLocked() []error
- func (e *Endpoint) DirectoryPath() string
- func (e *Endpoint) FailedDirectoryPath() string
- func (e *Endpoint) ForcePolicyCompute()
- func (e *Endpoint) FormatGlobalEndpointID() string
- func (e *Endpoint) GetBPFKeys() []*lxcmap.EndpointKey
- func (e *Endpoint) GetBPFValue() (*lxcmap.EndpointInfo, error)
- func (e *Endpoint) GetCIDRPrefixLengths() (s6, s4 []int)
- func (e *Endpoint) GetCiliumEndpointStatus() *cilium_v2.EndpointStatus
- func (e *Endpoint) GetContainerID() string
- func (e *Endpoint) GetDockerNetworkID() string
- func (e *Endpoint) GetEgressPolicyEnabledLocked() bool
- func (e *Endpoint) GetHealthModel() *models.EndpointHealth
- func (e *Endpoint) GetID() uint64
- func (e *Endpoint) GetID16() uint16
- func (e *Endpoint) GetIPv4Address() string
- func (e *Endpoint) GetIPv6Address() string
- func (e *Endpoint) GetIdentity() identityPkg.NumericIdentity
- func (e *Endpoint) GetIdentityLocked() identityPkg.NumericIdentity
- func (e *Endpoint) GetIngressPolicyEnabledLocked() bool
- func (e *Endpoint) GetK8sNamespace() string
- func (e *Endpoint) GetK8sNamespaceAndPodNameLocked() string
- func (e *Endpoint) GetK8sPodLabels() pkgLabels.Labels
- func (e *Endpoint) GetK8sPodName() string
- func (e *Endpoint) GetLabels() []string
- func (e *Endpoint) GetLabelsSHA() string
- func (e *Endpoint) GetModel() *models.Endpoint
- func (e *Endpoint) GetModelRLocked() *models.Endpoint
- func (e *Endpoint) GetNodeMAC() mac.MAC
- func (e *Endpoint) GetOpLabels() []string
- func (e *Endpoint) GetOptions() *option.IntOptions
- func (e *Endpoint) GetPolicyModel() *models.EndpointPolicyStatus
- func (e *Endpoint) GetSecurityIdentity() *identityPkg.Identity
- func (e *Endpoint) GetShortContainerID() string
- func (e *Endpoint) GetState() string
- func (e *Endpoint) GetStateLocked() string
- func (e *Endpoint) HasBPFProgram() bool
- func (e *Endpoint) HasIpvlanDataPath() bool
- func (e *Endpoint) HasLabels(l pkgLabels.Labels) bool
- func (e *Endpoint) HasSidecarProxy() bool
- func (e *Endpoint) HumanStringLocked() string
- func (e *Endpoint) IPs() []net.IP
- func (e *Endpoint) IPv4Address() addressing.CiliumIPv4
- func (e *Endpoint) IPv6Address() addressing.CiliumIPv6
- func (e *Endpoint) InsertEvent()
- func (e *Endpoint) IsDatapathMapPinnedLocked() bool
- func (e *Endpoint) IsDisconnecting() bool
- func (e *Endpoint) IsInit() bool
- func (e *Endpoint) K8sNamespaceAndPodNameIsSet() bool
- func (e *Endpoint) LeaveLocked(proxyWaitGroup *completion.WaitGroup, conf DeleteConfig) []error
- func (e *Endpoint) LockAlive() error
- func (e *Endpoint) LogDisconnectedMutexAction(err error, context string)
- func (e *Endpoint) LogStatus(typ StatusType, code StatusCode, msg string)
- func (e *Endpoint) LogStatusOK(typ StatusType, msg string)
- func (e *Endpoint) LogStatusOKLocked(typ StatusType, msg string)
- func (e *Endpoint) Logger(subsystem string) *logrus.Entry
- func (e *Endpoint) LookupRedirectPort(l4Filter *policy.L4Filter) uint16
- func (e *Endpoint) ModifyIdentityLabels(addLabels, delLabels pkgLabels.Labels) error
- func (e *Endpoint) NextDirectoryPath() string
- func (e *Endpoint) OnProxyPolicyUpdate(revision uint64)
- func (e *Endpoint) PinDatapathMap() error
- func (e *Endpoint) PolicyMapPathLocked() string
- func (e *Endpoint) PolicyRevisionBumpEvent(rev uint64)
- func (e *Endpoint) ProxyID(l4 *policy.L4Filter) string
- func (e *Endpoint) RLockAlive() error
- func (e *Endpoint) RUnlock()
- func (e *Endpoint) Regenerate(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
- func (e *Endpoint) RegenerateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
- func (e *Endpoint) RegenerateWait(reason string) error
- func (e *Endpoint) RequireARPPassthrough() bool
- func (e *Endpoint) RequireEgressProg() bool
- func (e *Endpoint) RequireEndpointRoute() bool
- func (e *Endpoint) RequireRouting() (required bool)
- func (e *Endpoint) RunMetadataResolver(resolveMetadata MetadataResolverCB)
- func (e *Endpoint) SetContainerID(id string)
- func (e *Endpoint) SetContainerName(name string)
- func (e *Endpoint) SetDatapathMapIDAndPinMapLocked(id int) error
- func (e *Endpoint) SetDefaultOpts(opts *option.IntOptions)
- func (e *Endpoint) SetDesiredEgressPolicyEnabled(egress bool)
- func (e *Endpoint) SetDesiredEgressPolicyEnabledLocked(egress bool)
- func (e *Endpoint) SetDesiredIngressPolicyEnabled(ingress bool)
- func (e *Endpoint) SetDesiredIngressPolicyEnabledLocked(ingress bool)
- func (e *Endpoint) SetDockerEndpointID(id string)
- func (e *Endpoint) SetDockerNetworkID(id string)
- func (e *Endpoint) SetIdentity(identity *identityPkg.Identity, newEndpoint bool)
- func (e *Endpoint) SetK8sNamespace(name string)
- func (e *Endpoint) SetK8sPodName(name string)
- func (e *Endpoint) SetNodeMACLocked(m mac.MAC)
- func (e *Endpoint) SetPolicyRevision(rev uint64)
- func (e *Endpoint) SetState(toState, reason string) bool
- func (e *Endpoint) SetStateLocked(toState, reason string) bool
- func (e *Endpoint) SkipStateClean()
- func (e *Endpoint) StartRegenerationFailureHandler()
- func (e *Endpoint) StateDirectoryPath() string
- func (e *Endpoint) String() string
- func (e *Endpoint) StringID() string
- func (e *Endpoint) SyncEndpointHeaderFile() error
- func (e *Endpoint) UnconditionalLock()
- func (e *Endpoint) UnconditionalRLock()
- func (e *Endpoint) Unlock()
- func (e *Endpoint) Update(cfg *models.EndpointConfigurationSpec) error
- func (e *Endpoint) UpdateController(name string, params controller.ControllerParams) *controller.Controller
- func (e *Endpoint) UpdateLabels(ctx context.Context, identityLabels, infoLabels pkgLabels.Labels, ...)
- func (e *Endpoint) UpdateLogger(fields map[string]interface{})
- func (e *Endpoint) UpdateProxyStatistics(l4Protocol string, port uint16, ingress, request bool, ...)
- func (e *Endpoint) WaitForPolicyRevision(ctx context.Context, rev uint64, done func(ts time.Time)) <-chan struct{}
- func (e *Endpoint) WaitForProxyCompletions(proxyWaitGroup *completion.WaitGroup) error
- type EndpointRegenerationEvent
- type EndpointRegenerationResult
- type EndpointRevisionBumpEvent
- type EndpointStatus
- type MetadataResolverCB
- type Status
- type StatusCode
- type StatusResponse
- type StatusType
- type UpdateCompilationError
- type UpdateStateChangeError
- type UpdateValidationError
Constants ¶
const (
	// StateCreating marks an endpoint that is being created.
	StateCreating = string(models.EndpointStateCreating)

	// StateWaitingForIdentity marks an endpoint that is waiting for an
	// identity from the KVStore.
	StateWaitingForIdentity = string(models.EndpointStateWaitingForIdentity)

	// StateReady marks an endpoint that is ready to be used.
	StateReady = string(models.EndpointStateReady)

	// StateWaitingToRegenerate marks an endpoint that needs to be
	// regenerated but whose regeneration has not started yet.
	StateWaitingToRegenerate = string(models.EndpointStateWaitingToRegenerate)

	// StateRegenerating marks an endpoint that is being regenerated.
	StateRegenerating = string(models.EndpointStateRegenerating)

	// StateDisconnecting marks an endpoint that is being disconnected.
	StateDisconnecting = string(models.EndpointStateDisconnecting)

	// StateDisconnected marks an endpoint that has been disconnected.
	StateDisconnected = string(models.EndpointStateDisconnected)

	// StateRestoring marks an endpoint that is being restored.
	StateRestoring = string(models.EndpointStateRestoring)

	// StateInvalid marks an endpoint whose creation failed because of
	// invalid data.
	StateInvalid = string(models.EndpointStateInvalid)

	// IpvlanMapName specifies the tail call map for an endpoint's egress
	// path when ipvlan is used.
	IpvlanMapName = "cilium_lxc_ipve_"

	// HealthCEPPrefix is the prefix used to name the cilium health
	// endpoints' CEP.
	HealthCEPPrefix = "cilium-health-"
)
// EndpointGenerationTimeout is the timeout applied to the proxy completion
// context during endpoint generation.
const EndpointGenerationTimeout = 330 * time.Second
Variables ¶
// EndpointMutableOptionLibrary is the endpoint option library obtained from
// option.GetEndpointMutableOptionLibrary (presumably the set of options that
// may be changed after an endpoint is created — confirm against the option
// package).
var EndpointMutableOptionLibrary = option.GetEndpointMutableOptionLibrary()
// ErrNotAlive is returned when the endpoint must not be read-locked because
// it is currently in the process of being removed.
var ErrNotAlive = errors.New("rlock failed: endpoint is in the process of being removed")
// Subsystem is the name under which this package identifies itself.
var Subsystem = "endpoint"
Functions ¶
func APICanModify ¶
APICanModify determines whether API requests from a user are allowed to modify this endpoint.
func FilterEPDir ¶
FilterEPDir returns a list of directory names that possibly belong to an endpoint.
func ParseExternalRegenerationMetadata ¶
func ParseExternalRegenerationMetadata(ctx context.Context, c context.CancelFunc, e *regeneration.ExternalRegenerationMetadata) *regenerationContext
func ReadEPsFromDirNames ¶
func ReadEPsFromDirNames(owner regeneration.Owner, basePath string, eptsDirNames []string) map[uint16]*Endpoint
ReadEPsFromDirNames returns a mapping of endpoint ID to endpoint, built from a list of directory names that can possibly contain an endpoint.
Types ¶
type DeleteConfig ¶
DeleteConfig is the endpoint deletion configuration
type Endpoint ¶
// Endpoint represents a container or similar workload that can be
// individually addressed on L3 with its own IP addresses. Instances are
// managed by the endpoint manager in pkg/endpointmanager.
//
// WARNING - STABLE API: this structure is written as JSON to
// StateDir/{ID}/lxc_config.h so that endpoints can be restored when the
// agent restarts. Every exported field without a `json:"-"` tag is part of
// that persisted state. Do NOT modify this structure in ways that are not
// JSON forward compatible.
type Endpoint struct {
	// ID of the endpoint, unique in the scope of the node
	ID uint16

	// ContainerName is the name given to the endpoint by the container runtime
	ContainerName string

	// ContainerID is the container ID that docker has assigned to the endpoint
	// Note: The JSON tag was kept for backward compatibility.
	ContainerID string `json:"dockerID,omitempty"`

	// DockerNetworkID is the network ID of the libnetwork network if the
	// endpoint is a docker managed container which uses libnetwork
	DockerNetworkID string

	// DockerEndpointID is the Docker network endpoint ID if managed by
	// libnetwork
	DockerEndpointID string

	// DatapathMapID is the BPF map identifier of the tail call map of the
	// ipvlan datapath
	DatapathMapID int

	// IfName is the name of the host facing interface (veth pair) which
	// connects into the endpoint
	IfName string

	// IfIndex is the interface index of the host facing interface (veth pair)
	IfIndex int

	// OpLabels is the endpoint's label configuration
	//
	// FIXME: Rename this field to Labels
	OpLabels pkgLabels.OpLabels

	// LXCMAC is the MAC address of the endpoint (the container MAC address).
	//
	// FIXME: Rename this field to MAC
	LXCMAC mac.MAC

	// IPv6 is the IPv6 address of the endpoint
	IPv6 addressing.CiliumIPv6

	// IPv4 is the IPv4 address of the endpoint
	IPv4 addressing.CiliumIPv4

	// NodeMAC is the MAC of the node (agent). The MAC is different for every endpoint.
	NodeMAC mac.MAC

	// SecurityIdentity is the security identity of this endpoint. This is computed from
	// the endpoint's labels. It is persisted under the "SecLabel" JSON key;
	// a restore via ParseEndpoint only partially recovers it and the caller
	// must call SetIdentity() to make it useful again.
	SecurityIdentity *identityPkg.Identity `json:"SecLabel"`

	// PolicyMap is the policy related state of the datapath including
	// reference to all policy related BPF. Not persisted.
	PolicyMap *policymap.PolicyMap `json:"-"`

	// Options determine the datapath configuration of the endpoint.
	Options *option.IntOptions

	// Status are the last n state transitions this endpoint went through.
	// Not persisted.
	Status *EndpointStatus `json:"-"`

	// DNSHistory is the collection of still-valid DNS responses intercepted for
	// this endpoint. It carries no `json:"-"` tag, so it is included in the
	// persisted endpoint state (subject to fqdn.DNSCache's own marshaling).
	DNSHistory *fqdn.DNSCache

	// K8sPodName is the Kubernetes pod name of the endpoint
	K8sPodName string

	// K8sNamespace is the Kubernetes namespace of the endpoint
	K8sNamespace string

	// BuildMutex synchronizes builds of individual endpoints and locks out
	// deletion during builds
	//
	// FIXME: Mark private once endpoint deletion can be moved into
	// `pkg/endpoint`
	BuildMutex lock.Mutex `json:"-"`

	// EventQueue serializes the events applied to this endpoint. Not persisted.
	EventQueue *eventqueue.EventQueue `json:"-"`

	// DatapathConfiguration is the endpoint's datapath configuration as
	// passed in via the plugin that created the endpoint, e.g. the CNI
	// plugin which performed the plumbing will enable certain datapath
	// features according to the mode selected.
	DatapathConfiguration models.EndpointDatapathConfiguration

	// contains filtered or unexported fields
}
Endpoint represents a container or similar which can be individually addressed on L3 with its own IP addresses. This structure is managed by the endpoint manager in pkg/endpointmanager.
WARNING - STABLE API This structure is written as JSON to StateDir/{ID}/lxc_config.h to allow endpoints to be restored when the agent is being restarted. The restore operation will read the file and re-create all endpoints with all fields which are not marked as private to JSON marshal. Do NOT modify this structure in ways which are not JSON forward compatible.
func NewEndpointFromChangeModel ¶
func NewEndpointFromChangeModel(owner regeneration.Owner, base *models.EndpointChangeRequest) (*Endpoint, error)
NewEndpointFromChangeModel creates a new endpoint from a request
func NewEndpointWithState ¶
func NewEndpointWithState(owner regeneration.Owner, ID uint16, state string) *Endpoint
NewEndpointWithState creates a new endpoint useful for testing purposes
func ParseEndpoint ¶
func ParseEndpoint(owner regeneration.Owner, strEp string) (*Endpoint, error)
ParseEndpoint parses the given strEp which is in the form of: common.CiliumCHeaderPrefix + common.Version + ":" + endpointBase64. Note that the parsed endpoint's identity is only partially restored. The caller must call `SetIdentity()` to make the returned endpoint's identity useful.
func (*Endpoint) Allows ¶
func (e *Endpoint) Allows(id identityPkg.NumericIdentity) bool
Allows is only used for unit testing
func (*Endpoint) ApplyPolicyMapChanges ¶
func (e *Endpoint) ApplyPolicyMapChanges(proxyWaitGroup *completion.WaitGroup) error
ApplyPolicyMapChanges updates the Endpoint's PolicyMap with the changes that have accumulated for the PolicyMap via various outside events (e.g., identities added / deleted). 'proxyWaitGroup' may not be nil.
func (*Endpoint) BPFConfigMapPath ¶
BPFConfigMapPath returns the path to the BPF config map of endpoint.
func (*Endpoint) BPFIpvlanMapPath ¶
BPFIpvlanMapPath returns the path to the ipvlan tail call map of an endpoint.
func (*Endpoint) BuilderSetStateLocked ¶
BuilderSetStateLocked modifies the endpoint's state. endpoint.Mutex must be held, and endpoint.BuildMutex must be held!
func (*Endpoint) CallsMapPathLocked ¶
CallsMapPathLocked returns the path to cilium tail calls map of an endpoint.
func (*Endpoint) CloseBPFProgramChannel ¶
func (e *Endpoint) CloseBPFProgramChannel()
CloseBPFProgramChannel closes the channel that signals whether the endpoint has had its BPF program compiled. If the channel is already closed, this is a no-op.
func (*Endpoint) ConntrackLocal ¶
ConntrackLocal determines whether this endpoint is currently using a local table to handle connection tracking (true), or the global table (false).
func (*Endpoint) ConntrackLocalLocked ¶
ConntrackLocalLocked is the same as ConntrackLocal, but assumes that the endpoint is already locked for reading.
func (*Endpoint) ConntrackName ¶
ConntrackName returns the name suffix for the endpoint-specific bpf conntrack map, which is a 5-digit endpoint ID, or "global" when the global map should be used. Must be called with the endpoint locked.
func (*Endpoint) DeleteBPFProgramLocked ¶
DeleteBPFProgramLocked deletes the BPF program associated with the endpoint's veth interface.
func (*Endpoint) DeleteMapsLocked ¶
DeleteMapsLocked releases references to all BPF maps associated with this endpoint.
For each error that occurs while releasing these references, an error is added to the resulting error slice which is returned.
Returns nil on success.
func (*Endpoint) DirectoryPath ¶
DirectoryPath returns the directory name for this endpoint's bpf program.
func (*Endpoint) FailedDirectoryPath ¶
FailedDirectoryPath returns the directory name for this endpoint's failed bpf program builds.
func (*Endpoint) ForcePolicyCompute ¶
func (e *Endpoint) ForcePolicyCompute()
ForcePolicyCompute marks the endpoint for forced bpf regeneration.
func (*Endpoint) FormatGlobalEndpointID ¶
FormatGlobalEndpointID returns the global ID of the endpoint as a string, in the format <global ID Prefix>:<cluster name>:<node name>:<endpoint ID>.
func (*Endpoint) GetBPFKeys ¶
func (e *Endpoint) GetBPFKeys() []*lxcmap.EndpointKey
GetBPFKeys returns all keys which should represent this endpoint in the BPF endpoints map
func (*Endpoint) GetBPFValue ¶
func (e *Endpoint) GetBPFValue() (*lxcmap.EndpointInfo, error)
GetBPFValue returns the value which should represent this endpoint in the BPF endpoints map
func (*Endpoint) GetCIDRPrefixLengths ¶
GetCIDRPrefixLengths returns the sorted list of unique prefix lengths used for CIDR policy or IPcache lookup from this endpoint.
func (*Endpoint) GetCiliumEndpointStatus ¶
func (e *Endpoint) GetCiliumEndpointStatus() *cilium_v2.EndpointStatus
GetCiliumEndpointStatus creates a cilium_v2.EndpointStatus of an endpoint. See cilium_v2.EndpointStatus for a detailed explanation of each field.
func (*Endpoint) GetContainerID ¶
GetContainerID returns the endpoint's container ID
func (*Endpoint) GetDockerNetworkID ¶
GetDockerNetworkID returns the endpoint's Docker network ID
func (*Endpoint) GetEgressPolicyEnabledLocked ¶
GetEgressPolicyEnabledLocked returns whether egress policy enforcement is enabled for endpoint or not. The endpoint's mutex must be held.
func (*Endpoint) GetHealthModel ¶
func (e *Endpoint) GetHealthModel() *models.EndpointHealth
GetHealthModel returns the endpoint's health object.
func (*Endpoint) GetIPv4Address ¶
GetIPv4Address returns the IPv4 address of the endpoint as a string
func (*Endpoint) GetIPv6Address ¶
GetIPv6Address returns the IPv6 address of the endpoint as a string
func (*Endpoint) GetIdentity ¶
func (e *Endpoint) GetIdentity() identityPkg.NumericIdentity
GetIdentity returns the numeric security identity of the endpoint
func (*Endpoint) GetIdentityLocked ¶
func (e *Endpoint) GetIdentityLocked() identityPkg.NumericIdentity
GetIdentityLocked is identical to GetIdentity() but assumes that e.mutex is already held. This function is obsolete and should no longer be used.
func (*Endpoint) GetIngressPolicyEnabledLocked ¶
GetIngressPolicyEnabledLocked returns whether ingress policy enforcement is enabled for endpoint or not. The endpoint's mutex must be held.
func (*Endpoint) GetK8sNamespace ¶
GetK8sNamespace returns the namespace of the pod if the endpoint represents a Kubernetes pod
func (*Endpoint) GetK8sNamespaceAndPodNameLocked ¶
GetK8sNamespaceAndPodNameLocked returns the namespace and pod name. This function requires e.Mutex to be held.
func (*Endpoint) GetK8sPodLabels ¶
GetK8sPodLabels returns all labels that exist in the endpoint and were derived from k8s pod.
func (*Endpoint) GetK8sPodName ¶
GetK8sPodName returns the name of the pod if the endpoint represents a Kubernetes pod
func (*Endpoint) GetLabelsSHA ¶
GetLabelsSHA returns the SHA of labels
func (*Endpoint) GetModelRLocked ¶
GetModelRLocked returns the API model of endpoint e. e.mutex must be RLocked.
func (*Endpoint) GetNodeMAC ¶
GetNodeMAC returns the MAC address of the node from this endpoint's perspective.
func (*Endpoint) GetOpLabels ¶
GetOpLabels returns the labels as slice
func (*Endpoint) GetOptions ¶
func (e *Endpoint) GetOptions() *option.IntOptions
GetOptions returns the datapath configuration options of the endpoint.
func (*Endpoint) GetPolicyModel ¶
func (e *Endpoint) GetPolicyModel() *models.EndpointPolicyStatus
GetPolicyModel returns the endpoint's policy as an API model.
Must be called with e.Mutex locked.
func (*Endpoint) GetSecurityIdentity ¶
func (e *Endpoint) GetSecurityIdentity() *identityPkg.Identity
GetSecurityIdentity returns the security identity of the endpoint. It assumes the endpoint's mutex is held.
func (*Endpoint) GetShortContainerID ¶
GetShortContainerID returns the endpoint's shortened container ID
func (*Endpoint) GetState ¶
GetState returns the endpoint's state. endpoint.Mutex may only be RLockAlive()ed.
func (*Endpoint) GetStateLocked ¶
GetStateLocked returns the endpoint's state. endpoint.Mutex may only be RLockAlive()ed.
func (*Endpoint) HasBPFProgram ¶
HasBPFProgram returns whether a BPF program has been generated for this endpoint.
func (*Endpoint) HasIpvlanDataPath ¶
HasIpvlanDataPath returns whether the daemon is running in ipvlan mode.
func (*Endpoint) HasLabels ¶
HasLabels returns whether endpoint e contains all labels l. Will return 'false' if any label in l is not in the endpoint's labels.
func (*Endpoint) HasSidecarProxy ¶
func (*Endpoint) HumanStringLocked ¶
HumanStringLocked returns the endpoint's most human readable identifier as string
func (*Endpoint) IPv4Address ¶
func (e *Endpoint) IPv4Address() addressing.CiliumIPv4
IPv4Address returns the IPv4 address of the endpoint
func (*Endpoint) IPv6Address ¶
func (e *Endpoint) IPv6Address() addressing.CiliumIPv6
IPv6Address returns the IPv6 address of the endpoint
func (*Endpoint) InsertEvent ¶
func (e *Endpoint) InsertEvent()
InsertEvent is called when the endpoint is inserted into the endpoint manager.
func (*Endpoint) IsDatapathMapPinnedLocked ¶
IsDatapathMapPinnedLocked returns whether the endpoint's datapath map has been pinned
func (*Endpoint) IsDisconnecting ¶
IsDisconnecting returns true if the endpoint is being disconnected or already disconnected
This function must be called after re-acquiring the endpoint mutex to verify that the endpoint has not been removed in the meantime.
endpoint.mutex must be held in read mode at least
func (*Endpoint) IsInit ¶
IsInit returns true if the endpoint still hasn't received identity labels, i.e. has the special identity with label reserved:init.
func (*Endpoint) K8sNamespaceAndPodNameIsSet ¶
K8sNamespaceAndPodNameIsSet returns true if the pod name is set
func (*Endpoint) LeaveLocked ¶
func (e *Endpoint) LeaveLocked(proxyWaitGroup *completion.WaitGroup, conf DeleteConfig) []error
LeaveLocked removes the endpoint's directory from the system. Must be called with Endpoint's mutex AND BuildMutex locked.
Note: LeaveLocked() is called indirectly from endpoint restore logic for endpoints which failed to be restored. Any cleanup routine of LeaveLocked() which depends on kvstore connectivity must be protected by a flag in DeleteConfig and the restore logic must opt-out of it.
func (*Endpoint) LockAlive ¶
LockAlive returns error if endpoint was removed, locks underlying mutex otherwise
func (*Endpoint) LogDisconnectedMutexAction ¶
LogDisconnectedMutexAction gets the logger and logs given error with context
func (*Endpoint) LogStatus ¶
func (e *Endpoint) LogStatus(typ StatusType, code StatusCode, msg string)
func (*Endpoint) LogStatusOK ¶
func (e *Endpoint) LogStatusOK(typ StatusType, msg string)
func (*Endpoint) LogStatusOKLocked ¶
func (e *Endpoint) LogStatusOKLocked(typ StatusType, msg string)
LogStatusOKLocked will log an OK message of the given status type with the given msg string. Must be called with endpoint.Mutex held.
func (*Endpoint) Logger ¶
Logger returns a logrus object with EndpointID, ContainerID and the Endpoint revision fields. The caller must specify their subsystem.
func (*Endpoint) LookupRedirectPort ¶
LookupRedirectPort returns the redirect L4 proxy port for the given L4 policy map key, in host byte order. Returns 0 if not found or the filter doesn't require a redirect. Must be called with Endpoint.Mutex held.
func (*Endpoint) ModifyIdentityLabels ¶
ModifyIdentityLabels changes the custom and orchestration identity labels of an endpoint. Labels can be added or deleted. If a label change is performed, the endpoint will receive a new identity and will be regenerated. Both of these operations will happen in the background.
func (*Endpoint) NextDirectoryPath ¶
NextDirectoryPath returns the directory name for this endpoint's next bpf program build.
func (*Endpoint) OnProxyPolicyUpdate ¶
OnProxyPolicyUpdate is a callback used to update the Endpoint's proxyPolicyRevision when the specified revision has been applied in the proxy.
func (*Endpoint) PinDatapathMap ¶
PinDatapathMap retrieves a file descriptor from the map ID from the API call and pins the corresponding map into the BPF file system.
func (*Endpoint) PolicyMapPathLocked ¶
PolicyMapPathLocked returns the path to the policy map of endpoint.
func (*Endpoint) PolicyRevisionBumpEvent ¶
PolicyRevisionBumpEvent queues an event for the given endpoint to set its realized policy revision to rev. This may block depending on if events have been queued up for the given endpoint. It blocks until the event has succeeded, or if the event has been cancelled.
func (*Endpoint) RLockAlive ¶
RLockAlive returns error if endpoint was removed, read locks underlying mutex otherwise
func (*Endpoint) Regenerate ¶
func (e *Endpoint) Regenerate(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
Regenerate forces the regeneration of endpoint programs & policy. Should only be called with e.state == StateWaitingToRegenerate or with e.state == StateWaitingForIdentity.
func (*Endpoint) RegenerateIfAlive ¶
func (e *Endpoint) RegenerateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
RegenerateIfAlive queues a regeneration of this endpoint into the build queue of the endpoint and returns a channel that is closed when the regeneration of the endpoint is complete. The channel returns:
- false if the regeneration failed
- true if the regeneration succeeded
- nothing and the channel is closed if the regeneration did not happen
func (*Endpoint) RegenerateWait ¶
RegenerateWait should only be called when endpoint's state has successfully been changed to "waiting-to-regenerate"
func (*Endpoint) RequireARPPassthrough ¶
RequireARPPassthrough returns true if the datapath must implement ARP passthrough for this endpoint
func (*Endpoint) RequireEgressProg ¶
RequireEgressProg returns true if the endpoint requires bpf_lxc with section "to-container" to be attached at egress on the host facing veth pair
func (*Endpoint) RequireEndpointRoute ¶
RequireEndpointRoute returns if the endpoint wants a per endpoint route
func (*Endpoint) RequireRouting ¶
RequireRouting returns true if the endpoint requires BPF routing to be enabled, when disabled, routing is delegated to Linux routing
func (*Endpoint) RunMetadataResolver ¶
func (e *Endpoint) RunMetadataResolver(resolveMetadata MetadataResolverCB)
RunMetadataResolver starts a controller associated with the received endpoint which will periodically attempt to resolve the metadata for the endpoint and update the endpoint with the related metadata. It stops resolving after either the first successful metadata resolution or when the endpoint is removed.
This assumes that after the initial successful resolution, other mechanisms will handle updates (such as pkg/k8s/watchers informers).
func (*Endpoint) SetContainerID ¶
SetContainerID modifies the endpoint's container ID
func (*Endpoint) SetContainerName ¶
SetContainerName modifies the endpoint's container name
func (*Endpoint) SetDatapathMapIDAndPinMapLocked ¶
SetDatapathMapIDAndPinMapLocked modifies the endpoint's datapath map ID
func (*Endpoint) SetDefaultOpts ¶
func (e *Endpoint) SetDefaultOpts(opts *option.IntOptions)
SetDefaultOpts initializes the endpoint Options and configures the specified options.
func (*Endpoint) SetDesiredEgressPolicyEnabled ¶
SetDesiredEgressPolicyEnabled sets Endpoint's egress policy enforcement configuration to the specified value. The endpoint's mutex must not be held.
func (*Endpoint) SetDesiredEgressPolicyEnabledLocked ¶
SetDesiredEgressPolicyEnabledLocked sets Endpoint's egress policy enforcement configuration to the specified value. The endpoint's mutex must be held.
func (*Endpoint) SetDesiredIngressPolicyEnabled ¶
SetDesiredIngressPolicyEnabled sets Endpoint's ingress policy enforcement configuration to the specified value. The endpoint's mutex must not be held.
func (*Endpoint) SetDesiredIngressPolicyEnabledLocked ¶
SetDesiredIngressPolicyEnabledLocked sets Endpoint's ingress policy enforcement configuration to the specified value. The endpoint's mutex must be held.
func (*Endpoint) SetDockerEndpointID ¶
SetDockerEndpointID modifies the endpoint's Docker Endpoint ID
func (*Endpoint) SetDockerNetworkID ¶
SetDockerNetworkID modifies the endpoint's Docker network ID
func (*Endpoint) SetIdentity ¶
func (e *Endpoint) SetIdentity(identity *identityPkg.Identity, newEndpoint bool)
SetIdentity resets the endpoint's policy identity to 'identity'. The caller triggers policy regeneration if needed. Must be called with e.Mutex locked.
func (*Endpoint) SetK8sNamespace ¶
SetK8sNamespace modifies the endpoint's Kubernetes namespace
func (*Endpoint) SetK8sPodName ¶
SetK8sPodName modifies the endpoint's pod name
func (*Endpoint) SetNodeMACLocked ¶
SetNodeMACLocked updates the node MAC inside the endpoint.
func (*Endpoint) SetPolicyRevision ¶
SetPolicyRevision sets the endpoint's policy revision with the given revision.
func (*Endpoint) SetState ¶
SetState modifies the endpoint's state. Returns true only if the endpoint's state was changed as requested.
func (*Endpoint) SetStateLocked ¶
SetStateLocked modifies the endpoint's state. endpoint.Mutex must be held. Returns true only if the endpoint's state was changed as requested.
func (*Endpoint) SkipStateClean ¶
func (e *Endpoint) SkipStateClean()
SkipStateClean can be called on an endpoint before its first build to skip the cleaning of state such as the conntrack table. This is useful when an endpoint is being restored from state and the datapath state should not be cleaned.
The endpoint lock must NOT be held.
func (*Endpoint) StartRegenerationFailureHandler ¶
func (e *Endpoint) StartRegenerationFailureHandler()
StartRegenerationFailureHandler is a wrapper of startRegenerationFailureHandler, this function was created for the backports of an upstream commit.
func (*Endpoint) StateDirectoryPath ¶
StateDirectoryPath returns the directory name for this endpoint's bpf program.
func (*Endpoint) SyncEndpointHeaderFile ¶
SyncEndpointHeaderFile updates the current DNS History information for the endpoint in the lxc_config.h file.
func (*Endpoint) UnconditionalLock ¶
func (e *Endpoint) UnconditionalLock()
UnconditionalLock should be used only for locking the endpoint for: setting its state to StateDisconnected or StateInvalid; handling regular Lock errors; reporting endpoint status (like in the LogStatus method). Use Lock in all other cases.
func (*Endpoint) UnconditionalRLock ¶
func (e *Endpoint) UnconditionalRLock()
UnconditionalRLock should be used only for reporting endpoint state
func (*Endpoint) Update ¶
func (e *Endpoint) Update(cfg *models.EndpointConfigurationSpec) error
Update modifies the endpoint options and *always* tries to regenerate the endpoint's program. Returns an error if the provided options are not valid, if there was an issue triggering policy updates for the given endpoint, or if endpoint regeneration was unable to be triggered. Note that the LabelConfiguration in the EndpointConfigurationSpec is *not* consumed here.
func (*Endpoint) UpdateController ¶
func (e *Endpoint) UpdateController(name string, params controller.ControllerParams) *controller.Controller
UpdateController updates the controller with the specified name with the provided list of parameters in endpoint's list of controllers.
func (*Endpoint) UpdateLabels ¶
func (e *Endpoint) UpdateLabels(ctx context.Context, identityLabels, infoLabels pkgLabels.Labels, blocking bool)
UpdateLabels is called to update the labels of an endpoint. Calls to this function do not necessarily mean that the labels actually changed. The container runtime layer will periodically synchronize labels.
If a net label change was performed, the endpoint will receive a new identity and will be regenerated. Both of these operations happen in the background.
func (*Endpoint) UpdateLogger ¶
UpdateLogger creates a logger instance specific to this endpoint. It creates a custom Debug logger for this endpoint when the option on it is set. If fields is not nil, only those specific fields are updated in the endpoint's logger; otherwise a full update of the fields is executed. Note: you must hold Endpoint.Mutex for reading if fields is nil.
func (*Endpoint) UpdateProxyStatistics ¶
func (e *Endpoint) UpdateProxyStatistics(l4Protocol string, port uint16, ingress, request bool, verdict accesslog.FlowVerdict)
UpdateProxyStatistics updates the Endpoint's proxy statistics to account for a new observed flow with the given characteristics.
func (*Endpoint) WaitForPolicyRevision ¶
func (e *Endpoint) WaitForPolicyRevision(ctx context.Context, rev uint64, done func(ts time.Time)) <-chan struct{}
WaitForPolicyRevision returns a channel that is closed when one or more of the following conditions has been met:
- the endpoint is in the disconnected state
- the endpoint's policy revision reaches the wanted revision
When the done callback is non-nil, it is called just before the channel is closed.
func (*Endpoint) WaitForProxyCompletions ¶
func (e *Endpoint) WaitForProxyCompletions(proxyWaitGroup *completion.WaitGroup) error
WaitForProxyCompletions blocks until all proxy changes have been completed. Called with BuildMutex held.
type EndpointRegenerationEvent ¶
type EndpointRegenerationEvent struct {
// contains filtered or unexported fields
}
EndpointRegenerationEvent contains all fields necessary to regenerate an endpoint.
func (*EndpointRegenerationEvent) Handle ¶
func (ev *EndpointRegenerationEvent) Handle(res chan interface{})
Handle handles the regeneration event for the endpoint.
type EndpointRegenerationResult ¶
type EndpointRegenerationResult struct {
// contains filtered or unexported fields
}
EndpointRegenerationResult contains the results of an endpoint regeneration.
type EndpointRevisionBumpEvent ¶
// EndpointRevisionBumpEvent contains all fields necessary to bump the policy
// revision of a given endpoint.
type EndpointRevisionBumpEvent struct {
	// Rev is the policy revision value carried by the event.
	Rev uint64
	// contains filtered or unexported fields
}
EndpointRevisionBumpEvent contains all fields necessary to bump the policy revision of a given endpoint.
func (*EndpointRevisionBumpEvent) Handle ¶
func (ev *EndpointRevisionBumpEvent) Handle(res chan interface{})
Handle handles the revision bump event for the Endpoint.
type EndpointStatus ¶
// EndpointStatus represents the endpoint status.
type EndpointStatus struct {
	// CurrentStatuses is the last status of a given priority.
	CurrentStatuses componentStatus `json:"current-status,omitempty"`
	// Log contains the last maxLogs messages for this endpoint.
	Log statusLog `json:"log,omitempty"`
	// Index is the index into the statusLog; it tracks the next available
	// position at which to write a new log message.
	Index int `json:"index"`
	// contains filtered or unexported fields
}
EndpointStatus represents the endpoint status.
func NewEndpointStatus ¶
func NewEndpointStatus() *EndpointStatus
func (*EndpointStatus) CurrentStatus ¶
func (e *EndpointStatus) CurrentStatus() StatusCode
func (*EndpointStatus) GetModel ¶
func (e *EndpointStatus) GetModel() []*models.EndpointStatusChange
func (*EndpointStatus) String ¶
func (e *EndpointStatus) String() string
type MetadataResolverCB ¶
type MetadataResolverCB func(*Endpoint) (identityLabels labels.Labels, infoLabels labels.Labels, err error)
MetadataResolverCB provides an implementation for resolving the endpoint metadata for an endpoint such as the associated labels and annotations.
type Status ¶
// Status holds a status code, message, type and state; the JSON tags below
// give the field names used when it is serialised.
type Status struct {
	Code  StatusCode `json:"code"`
	Msg   string     `json:"msg"`
	Type  StatusType `json:"status-type"`
	State string     `json:"state"`
}
type StatusCode ¶
type StatusCode int
// StatusCode values. OK is the zero value; the remaining codes are negative.
const (
	OK       StatusCode = 0
	Warning  StatusCode = -1
	Failure  StatusCode = -2
	Disabled StatusCode = -3
)
func (StatusCode) ColorString ¶
func (sc StatusCode) ColorString() string
func (StatusCode) String ¶
func (sc StatusCode) String() string
type StatusResponse ¶
type StatusType ¶
type StatusType int
StatusType represents the type of a given status; the higher the value, the higher the priority.
// StatusType values. Per the StatusType documentation, a higher value means a
// higher priority, so BPF outranks Policy, which outranks Other.
const (
	BPF    StatusType = 200
	Policy StatusType = 100
	Other  StatusType = 0
)
type UpdateCompilationError ¶
type UpdateCompilationError struct {
// contains filtered or unexported fields
}
func (UpdateCompilationError) Error ¶
func (e UpdateCompilationError) Error() string
type UpdateStateChangeError ¶
type UpdateStateChangeError struct {
// contains filtered or unexported fields
}
UpdateStateChangeError is an error that indicates that updating the state of an endpoint was unsuccessful. It implements the error interface.
func (UpdateStateChangeError) Error ¶
func (e UpdateStateChangeError) Error() string
type UpdateValidationError ¶
type UpdateValidationError struct {
// contains filtered or unexported fields
}
func (UpdateValidationError) Error ¶
func (e UpdateValidationError) Error() string
Directories ¶
| Path | Synopsis |
|---|---|
| connector | Package connector is responsible for the datapath-specific plumbing to connect an endpoint to the network. |