Affected by GO-2024-2656 and 2 other vulnerabilities

GO-2024-2656: Unencrypted traffic between nodes with IPsec in github.com/cilium/cilium

GO-2024-2666: Insecure IPsec transparent encryption in github.com/cilium/cilium

GO-2024-3072: Policy bypass for Host Firewall policy due to race condition in Cilium agent in github.com/cilium/cilium

model

package

v1.13.0-rc5 Latest Latest Go to latest Published: Jan 24, 2023 License: Apache-2.0 Imports: 4 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/cilium/cilium

Documentation ¶

Overview ¶

Package model contains a data model for translations from upstream Kubernetes resources to Cilium Kubernetes resources.

Initially, used for Ingress to CiliumEnvoyConfig translation to enable shared load balancing, but will be used for other things in the future (such as Gateway API support).

Index ¶

func AddressOf[T any](v T) *T
func ComputeHosts(routeHostnames []string, listenerHostname *string) []string
type Backend
type BackendPort
- func (be *BackendPort) GetPort() string
type DirectResponse
type FullyQualifiedResource
- func AddSource(sourceList []FullyQualifiedResource, source FullyQualifiedResource) []FullyQualifiedResource
type HTTPListener
type HTTPRequestHeaderFilter
type HTTPRoute
- func (r *HTTPRoute) GetMatchKey() string
type Header
type KeyValueMatch
- func (kv KeyValueMatch) String() string
type Model
type StringMatch
- func (sm StringMatch) String() string
type TLSSecret

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func AddressOf ¶

func AddressOf[T any](v T) *T

func ComputeHosts ¶

func ComputeHosts(routeHostnames []string, listenerHostname *string) []string

ComputeHosts returns a list of the intersecting hostnames between the route and the listener. The below function is inspired from https://github.com/envoyproxy/gateway/blob/main/internal/gatewayapi/helpers.go. Special thanks to Envoy team.

Types ¶

type Backend ¶

type Backend struct {
	// Name of the Service.
	Name string `json:"name,omitempty"`
	// Namespace of the Service.
	Namespace string `json:"namespace,omitempty"`
	// Port contains the details of the port on the Service to connect to
	// If unset, the same port as the top-level Listener will be used.
	Port *BackendPort `json:"port,omitempty"`

	// Weight specifies the percentage of traffic to send to this backend.
	// This is computed as weight/(sum of all weights in backends) * 100.
	Weight *int32 `json:"weight,omitempty"`
}

Backend holds a Kubernetes Service that points to a backend for traffic.

type BackendPort ¶

type BackendPort struct {
	// Port holds the numeric port to connect to.
	Port uint32 `json:"port,omitempty"`
	// Name holds a string which will be used to connect to the port with a
	// matching spec.ports[].name in the target Service.
	Name string `json:"name,omitempty"`
}

BackendPort holds the details of what port on the Service to connect to. Only one of Port or Name can be set.

func (*BackendPort) GetPort ¶

func (be *BackendPort) GetPort() string

GetPort return the string representation of the port (either the port number or the port name)

type DirectResponse ¶

type DirectResponse struct {
	StatusCode int    `json:"status_code,omitempty"`
	Body       string `json:"payload,omitempty"`
}

DirectResponse holds configuration for a direct response.

type FullyQualifiedResource ¶

type FullyQualifiedResource struct {
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
	Group     string `json:"group,omitempty"`
	Version   string `json:"version,omitempty"`
	Kind      string `json:"kind,omitempty"`
	UID       string `json:"uuid,omitempty"`
}

FullyQualifiedResource stores the full details of a Kubernetes resource, including the Group, Version, and Kind. Namespace must be set to the empty string for cluster-scoped resources.

func AddSource ¶

func AddSource(sourceList []FullyQualifiedResource, source FullyQualifiedResource) []FullyQualifiedResource

type HTTPListener ¶

type HTTPListener struct {
	// Name of the HTTPListener
	Name string `json:"name,omitempty"`
	// Sources is a slice of fully qualified resources this HTTPListener is sourced
	// from.
	Sources []FullyQualifiedResource `json:"sources,omitempty"`
	// IPAddress that the listener should listen on.
	// The string must be parseable as an IP address.
	Address string `json:"address,omitempty"`
	// Port on which the service can be expected to be accessed by clients.
	Port uint32 `json:"port,omitempty"`
	// Hostname that the listener should match.
	// Wildcards are supported in prefix or suffix forms, or the special wildcard `*`.
	// An empty list means that the Listener should match all hostnames.
	Hostname string `json:"hostname,omitempty"`
	// TLS Certificate information. If omitted, then the listener is a cleartext HTTP listener.
	TLS []TLSSecret `json:"tls,omitempty"`
	// Routes associated with HTTP traffic to the service.
	// An empty list means that traffic will not be routed.
	Routes []HTTPRoute `json:"routes,omitempty"`
}

HTTPListener holds configuration for any listener that terminates and proxies HTTP including HTTP and HTTPS. Each holds the configuration info for one distinct HTTP listener, by

Hostname
TLS
Address
Port

type HTTPRequestHeaderFilter ¶ added in v1.13.0

type HTTPRequestHeaderFilter struct {
	// HeadersToAdd is a list of headers to add to the request.
	// Existing headers with the same name will be appended to.
	HeadersToAdd []Header `json:"headers_to_add,omitempty"`
	// HeadersToSet is a list of headers to set in the request.
	// Existing headers will be overwritten.
	HeadersToSet []Header `json:"headers_to_set,omitempty"`
	// HeadersToRemove is a list of headers to remove from the request.
	HeadersToRemove []string `json:"headers_to_remove,omitempty"`
}

HTTPRequestHeaderFilter holds configuration for a request header filter.

type HTTPRoute ¶

type HTTPRoute struct {
	Name string `json:"name,omitempty"`
	// Hostnames that the route should match
	Hostnames []string `json:"hostnames,omitempty"`
	// PathMatch specifies that the HTTPRoute should match a path.
	PathMatch StringMatch `json:"path_match,omitempty"`
	// HeadersMatch specifies that the HTTPRoute should match a set of headers.
	HeadersMatch []KeyValueMatch `json:"headers_match,omitempty"`
	// QueryParamsMatch specifies that the HTTPRoute should match a set of query parameters.
	QueryParamsMatch []KeyValueMatch `json:"query_params_match,omitempty"`
	Method           *string         `json:"method,omitempty"`
	// Backend is the backend handling the requests
	Backends []Backend `json:"backends,omitempty"`
	// DirectResponse instructs the proxy to respond directly to the client.
	DirectResponse *DirectResponse `json:"direct_response,omitempty"`

	// RequestHeaderFilter can be used to add or remove an HTTP
	//header from an HTTP request before it is sent to the upstream target.
	RequestHeaderFilter *HTTPRequestHeaderFilter `json:"filter,omitempty"`
}

HTTPRoute holds all the details needed to route HTTP traffic to a backend.

func (*HTTPRoute) GetMatchKey ¶

func (r *HTTPRoute) GetMatchKey() string

GetMatchKey returns the key to be used for matching the backend.

type Header ¶

type Header struct {
	Name  string
	Value string
}

Header is a key-value pair.

type KeyValueMatch ¶

type KeyValueMatch struct {
	Key   string      `json:"key,omitempty"`
	Match StringMatch `json:"match,omitempty"`
}

func (KeyValueMatch) String ¶

func (kv KeyValueMatch) String() string

type Model ¶

type Model struct {
	HTTP []HTTPListener `json:"http,omitempty"`
}

Model holds an abstracted data model representing the translation of various types of Kubernetes config to Cilium config.

type StringMatch ¶

type StringMatch struct {
	Prefix string `json:"prefix,omitempty"`
	Exact  string `json:"exact,omitempty"`
	Regex  string `json:"regex,omitempty"`
}

StringMatch describes various types of string matching. Only one field may be set. If no fields are set, all paths should match (no path match criteria should be generated for Envoy.)

func (StringMatch) String ¶

func (sm StringMatch) String() string

type TLSSecret ¶

type TLSSecret struct {
	Name      string `json:"name,omitempty"`
	Namespace string `json:"namespace,omitempty"`
}

TLSSecret holds a reference to a secret containing a TLS keypair.

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
ingestion Package ingestion holds functions that translate from Kubernetes resources into Listener types for storage in the model.	Package ingestion holds functions that translate from Kubernetes resources into Listener types for storage in the model.
translation Package translation building block for translation from model to CiliumEnvoyConfig, Service, etc.	Package translation building block for translation from model to CiliumEnvoyConfig, Service, etc.
gateway-api
ingress Package ingress contains the translation logic from Ingress to CiliumEnvoyConfig and related resources.	Package ingress contains the translation logic from Ingress to CiliumEnvoyConfig and related resources.

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL