policytypes

package
Published: Mar 11, 2024 License: Apache-2.0 Imports: 3 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ConnectionRequest

type ConnectionRequest struct {
	SrcWorkloadAttrs WorkloadAttrs
	DstSvcName       string
	DstSvcNamespace  string

	Direction Direction
}

ConnectionRequest encapsulates all the information needed to decide on a given incoming/outgoing connection.

type ConnectionResponse

type ConnectionResponse struct {
	Action  PolicyAction
	DstPeer string
}

ConnectionResponse encapsulates the returned decision on a given incoming/outgoing connection.

type ConnectivityPolicy

type ConnectivityPolicy struct {
	Name       string                    `json:"name"`
	Privileged bool                      `json:"privileged"`
	Action     PolicyAction              `json:"action"`
	From       WorkloadSetOrSelectorList `json:"from"`
	To         WorkloadSetOrSelectorList `json:"to"`
}

ConnectivityPolicy defines whether a group of potential connections should be allowed or denied. If multiple ConnectivityPolicies match a given connection, privileged policies take precedence over non-privileged, and within each tier deny policies take precedence over allow policies.

func (*ConnectivityPolicy) Decide

func (cps *ConnectivityPolicy) Decide(src, dest WorkloadAttrs) (PolicyDecision, error)

Decide returns the receiver policy's decision on a given connection. If the policy matches the connection, a decision based on its Action is returned. Otherwise, it returns an "undecided" value.

func (*ConnectivityPolicy) Matches

func (cps *ConnectivityPolicy) Matches(src, dest WorkloadAttrs) (bool, error)

Matches checks whether a connection from a source with the given labels to a destination with the given labels matches the ConnectivityPolicy.

func (*ConnectivityPolicy) Validate

func (cps *ConnectivityPolicy) Validate() error

Validate returns an error if the given ConnectivityPolicy is invalid. Otherwise, returns nil.
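The precedence rule stated above, worked through as an added example that is not part of the policytypes package: a reduced policy type stands in for ConnectivityPolicy, exact-label matching replaces workload sets and metav1.LabelSelector (an assumption), and a hypothetical resolve function picks the winning policy across the privileged and non-privileged tiers.

```go
package main

// Added example, not the package's own code: the ConnectivityPolicy precedence
// rule (privileged before non-privileged, deny before allow within a tier).
// Label matching is reduced to "every From/To label is set on the workload"
// (assumption); the real package uses workload sets and a metav1.LabelSelector.
type PolicyDecision int
const (
	DecisionUndecided PolicyDecision = iota
	DecisionAllow
	DecisionDeny
)
type WorkloadAttrs map[string]string
type policy struct { // reduced ConnectivityPolicy; Action is "allow" or "deny"
	Name       string
	Privileged bool
	Action     string
	From, To   WorkloadAttrs
}

func subset(want, have WorkloadAttrs) bool {
	for k, v := range want {
		if have[k] != v {
			return false
		}
	}
	return true
}

// resolve ranks each matching policy (privileged deny > privileged allow >
// deny > allow) and returns the winner with its name for audit logging.
// Undecided means nothing matched; callers should treat that as deny.
func resolve(policies []*policy, src, dst WorkloadAttrs) (PolicyDecision, string) {
	best, verdict, by := 0, DecisionUndecided, ""
	for _, p := range policies {
		if !subset(p.From, src) || !subset(p.To, dst) {
			continue // this policy is "undecided" for the connection
		}
		rank, d := 1, DecisionAllow
		if p.Action == "deny" {
			rank, d = 2, DecisionDeny
		}
		if p.Privileged {
			rank += 2 // any privileged policy outranks any non-privileged one
		}
		if rank > best {
			best, verdict, by = rank, d, p.Name
		}
	}
	return verdict, by
}
```

Returning the deciding policy's name alongside the decision lets an enforcement point log which rule produced each verdict, which is what an analyst needs when a denied connection is investigated.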

type Direction

type Direction int

Direction indicates whether a given request is for an incoming or an outgoing connection.

const (
	Incoming Direction = iota
	Outgoing
)

type PolicyAction

type PolicyAction string

PolicyAction specifies whether a ConnectivityPolicy allows or denies the connection specified by its 'From' and 'To' fields.

const (
	ActionAllow PolicyAction = "allow"
	ActionDeny  PolicyAction = "deny"
)

type PolicyDecision

type PolicyDecision int

PolicyDecision represents a ConnectivityPolicy decision on a given connection.

const (
	DecisionUndecided PolicyDecision = iota
	DecisionAllow
	DecisionDeny
)

type WorkloadAttrs

type WorkloadAttrs map[string]string

WorkloadAttrs are the actual key-value attributes attached to any given workload.

type WorkloadSetOrSelector

type WorkloadSetOrSelector struct {
	WorkloadSets     []string              `json:"workloadSets,omitempty"`
	WorkloadSelector *metav1.LabelSelector `json:"workloadSelector,omitempty"`
}

WorkloadSetOrSelector describes a set of workloads, based on their attributes (labels). Exactly one of the two fields should be non-empty.

type WorkloadSetOrSelectorList

type WorkloadSetOrSelectorList []WorkloadSetOrSelector

WorkloadSetOrSelectorList is a collection of WorkloadSetOrSelector objects.
