Documentation

Constants
const (
	// ACLNamePrefix is used to tag ACLs created for the implementation of K8s policies.
	ACLNamePrefix = "contiv-policy-"

	// ReflectiveACLName is the name of the *reflective* ACL (full name prefixed with
	// ACLNamePrefix). Reflective ACL is used to allow responses of accepted sessions
	// regardless of installed policies on the way back.
	ReflectiveACLName = "REFLECTION"
)
Variables
This section is empty.
Functions
This section is empty.
Types

type ContivConf

type ContivConf interface {
	// GetMainInterfaceName returns the logical name of the VPP physical interface
	// to use for connecting the node with the cluster.
	// If empty, a loopback interface should be configured instead.
	GetMainInterfaceName() string

	// GetOtherVPPInterfaces returns configuration to apply for non-main physical
	// VPP interfaces.
	GetOtherVPPInterfaces() contivconf.OtherInterfaces
}
ContivConf lists the methods of the ContivConf plugin that are needed by the ACL Renderer.
type Deps

type Deps struct {
	Log              logging.Logger
	LogFactory       logging.LoggerFactory /* optional */
	IPNet            ipnet.API             /* for GetIfName() */
	ContivConf       ContivConf
	UpdateTxnFactory func() (txn controller.UpdateOperations)
	ResyncTxnFactory func() (txn controller.ResyncOperations)
}
Deps lists the dependencies of Renderer.
type PodInterfaces

PodInterfaces is a map used to remember the interface of each (configured) pod.
type Renderer

type Renderer struct {
	Deps
	// contains filtered or unexported fields
}
Renderer renders Contiv Rules into VPP ACLs. ACLs are installed into VPP by the aclplugin from vpp-agent. The configuration changes are transported into aclplugin via localclient.
func (*Renderer) NewTxn

NewTxn starts a new transaction. The rendering executes only after Commit() is called; rollback is not yet supported. If <resync> is enabled, the supplied configuration completely replaces the existing one. Otherwise the change is applied incrementally, i.e. interfaces not mentioned in the transaction are left unaffected.
type RendererTxn
RendererTxn represents a single transaction of Renderer.
func (*RendererTxn) Commit
func (art *RendererTxn) Commit() error
Commit proceeds with the rendering. A minimalistic set of changes is calculated using RendererCache and applied as one transaction via the localclient.
func (*RendererTxn) Render
func (art *RendererTxn) Render(pod podmodel.ID, podIP *net.IPNet, ingress []*renderer.ContivRule, egress []*renderer.ContivRule, removed bool) renderer.Txn
Render applies the set of ingress and egress rules for a given pod. The existing rules for that pod are replaced. The actual change is performed only after Commit.
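The NewTxn / Render / Commit cycle described above is easier to reason about with a small model in hand. The following is an added example, not code from the Contiv VPP project: it models a renderer cache keyed by pod, a transaction that collects Render calls, and a Commit that emits only the minimal set of ACL changes, honouring the resync-vs-incremental distinction from NewTxn. The Rule and Op types, the string pod IDs, the pod names and the CIDR/port values are constructed stand-ins for the real podmodel.ID, renderer.ContivRule and aclplugin types; only the two constants come from the page.

```go
package main

import (
	"fmt"
	"sort"
)

// Constants as documented on the page.
const (
	ACLNamePrefix     = "contiv-policy-"
	ReflectiveACLName = "REFLECTION"
)

// ReflectiveACLFullName returns the reflective ACL name with the prefix applied,
// as the page describes ("full name prefixed with ACLNamePrefix").
func ReflectiveACLFullName() string { return ACLNamePrefix + ReflectiveACLName }

// Rule is a constructed, simplified stand-in for renderer.ContivRule.
type Rule struct {
	Action string // "PERMIT" or "DENY"
	Src    string // source CIDR
	Port   int
}

// podRules is what the cache remembers per pod (hypothetical shape).
type podRules struct {
	Ingress []Rule
	Egress  []Rule
}

// Op is one change Commit would hand to the ACL plugin (constructed type).
type Op struct {
	Kind string // "put" or "delete"
	ACL  string // ACL name, always tagged with ACLNamePrefix
}

// Renderer plays the RendererCache role: last committed rules per pod.
type Renderer struct{ cache map[string]podRules }

func NewRenderer() *Renderer { return &Renderer{cache: map[string]podRules{}} }

// Txn accumulates Render calls; nothing reaches the cache until Commit.
type Txn struct {
	r       *Renderer
	resync  bool
	pending map[string]*podRules // nil value marks a pod flagged as removed
}

func (r *Renderer) NewTxn(resync bool) *Txn {
	return &Txn{r: r, resync: resync, pending: map[string]*podRules{}}
}

// Render replaces the pending rules for one pod (or marks it removed).
func (t *Txn) Render(pod string, ingress, egress []Rule, removed bool) *Txn {
	if removed {
		t.pending[pod] = nil
		return t
	}
	t.pending[pod] = &podRules{Ingress: ingress, Egress: egress}
	return t
}

// rulesEqual compares rule sets structurally; nil and empty slices print alike.
func rulesEqual(a, b podRules) bool { return fmt.Sprint(a) == fmt.Sprint(b) }

// Commit diffs pending state against the cache and returns the minimal op set.
func (t *Txn) Commit() []Op {
	if t.resync {
		// Resync: every cached pod the transaction did not mention is dropped.
		for pod := range t.r.cache {
			if _, mentioned := t.pending[pod]; !mentioned {
				t.pending[pod] = nil
			}
		}
	}
	pods := make([]string, 0, len(t.pending))
	for pod := range t.pending {
		pods = append(pods, pod)
	}
	sort.Strings(pods) // deterministic op order
	var ops []Op
	for _, pod := range pods {
		want := t.pending[pod]
		have, cached := t.r.cache[pod]
		switch {
		case want == nil && cached:
			delete(t.r.cache, pod)
			ops = append(ops, Op{Kind: "delete", ACL: ACLNamePrefix + pod})
		case want == nil:
			// removing a pod that was never configured: nothing to do
		case cached && rulesEqual(have, *want):
			// unchanged rules are skipped, keeping the change set minimal
		default:
			t.r.cache[pod] = *want
			ops = append(ops, Op{Kind: "put", ACL: ACLNamePrefix + pod})
		}
	}
	return ops
}

func main() {
	r := NewRenderer()
	permitWeb := []Rule{{Action: "PERMIT", Src: "10.0.0.0/8", Port: 80}} // constructed
	fmt.Println(r.NewTxn(false).
		Render("ns1/web", permitWeb, nil, false).
		Render("ns1/db", nil, permitWeb, false).Commit())
	// Incremental: only ns1/db is touched, ns1/web is left alone.
	fmt.Println(r.NewTxn(false).Render("ns1/db", nil, nil, false).Commit())
	// Resync: ns1/db is not mentioned, so it is deleted; ns1/web is unchanged.
	fmt.Println(r.NewTxn(true).Render("ns1/web", permitWeb, nil, false).Commit())
}
```

The point of the model is the Commit branch table: a resync transaction turns silence about a pod into a delete, while an incremental one treats silence as "leave it", and identical rules never produce an operation in either mode.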