Documentation ¶
Overview ¶
Package v1alpha1 contains API Schema definitions for the internal v1alpha1 API group +kubebuilder:object:generate=true +groupName=security.everoute.io
Index ¶
- Variables
- func Kind(kind string) schema.GroupKind
- func Resource(resource string) schema.GroupResource
- type ApplyToPeer
- type DefaultRuleType
- type Endpoint
- type EndpointList
- type EndpointReference
- type EndpointSpec
- type EndpointStatus
- type EndpointType
- type GlobalDefaultAction
- type GlobalPolicy
- type GlobalPolicyList
- type GlobalPolicySpec
- type NamedPort
- type NamespacedName
- type PolicyMode
- type PortType
- type Protocol
- type Rule
- type SecurityPolicy
- type SecurityPolicyList
- type SecurityPolicyPeer
- type SecurityPolicyPort
- type SecurityPolicySpec
Constants ¶
This section is empty.
Variables ¶
var (
	// GroupVersion is group version used to register these objects
	SchemeGroupVersion = schema.GroupVersion{Group: "security.everoute.io", Version: "v1alpha1"}

	// SchemeBuilder is used to add go types to the GroupVersionKind scheme
	SchemeBuilder = &scheme.Builder{GroupVersion: SchemeGroupVersion}

	// AddToScheme adds the types in this group-version to the given scheme.
	AddToScheme = SchemeBuilder.AddToScheme
)
Functions ¶
func Kind ¶
func Kind(kind string) schema.GroupKind
Kind takes an unqualified kind and returns back a Group qualified GroupKind
func Resource ¶
func Resource(resource string) schema.GroupResource
Resource takes an unqualified resource and returns a Group qualified GroupResource
Types ¶
type ApplyToPeer ¶
type ApplyToPeer struct {
	// Endpoint defines policy on a specific Endpoint.
	//
	// If Endpoint is set, then the SecurityPolicy would apply to the endpoint
	// in the SecurityPolicy Namespace. If Endpoint does not exist OR has empty
	// IPAddr, the ApplyToPeer would be ignored.
	// If this field is set then neither of the other fields can be.
	// +optional
	Endpoint *string `json:"endpoint,omitempty"`

	// EndpointSelector selects endpoints. This field follows extend label
	// selector semantics; if present but empty, it selects all endpoints.
	//
	// If EndpointSelector is set, then the SecurityPolicy would apply to the
	// endpoints matching EndpointSelector in the SecurityPolicy Namespace.
	// If this field is set then neither of the other fields can be.
	// +optional
	EndpointSelector *labels.Selector `json:"endpointSelector,omitempty"`
}
ApplyToPeer describes the set of endpoints to which this SecurityPolicy object applies. At least one field (Endpoint or EndpointSelector) should be set.
func (*ApplyToPeer) DeepCopy ¶
func (in *ApplyToPeer) DeepCopy() *ApplyToPeer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ApplyToPeer.
func (*ApplyToPeer) DeepCopyInto ¶
func (in *ApplyToPeer) DeepCopyInto(out *ApplyToPeer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type DefaultRuleType ¶
type DefaultRuleType string
DefaultRuleType defines the default rule type in SecurityPolicy. +kubebuilder:validation:Enum=drop;allow;none
const (
	// DefaultRuleDrop will generate default drop for SecurityPolicy.
	DefaultRuleDrop DefaultRuleType = "drop"
	// DefaultRuleAllow will generate default allow for SecurityPolicy.
	DefaultRuleAllow DefaultRuleType = "allow"
	// DefaultRuleNone will not generate default rule for SecurityPolicy.
	DefaultRuleNone DefaultRuleType = "none"
)
type Endpoint ¶
type Endpoint struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Spec contains description of the endpoint
	Spec EndpointSpec `json:"spec"`
	// Status is the current state of the Endpoint
	Status EndpointStatus `json:"status,omitempty"`
}
Endpoint is a network communication entity. It's provided by the endpoint provider, it could be a virtual network interface, a pod, an ovs port or other entities.
func (*Endpoint) DeepCopy ¶
func (in *Endpoint) DeepCopy() *Endpoint
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Endpoint.
func (*Endpoint) DeepCopyInto ¶
func (in *Endpoint) DeepCopyInto(out *Endpoint)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Endpoint) DeepCopyObject ¶
func (in *Endpoint) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type EndpointList ¶
type EndpointList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []Endpoint `json:"items"`
}
EndpointList contains a list of Endpoint
func (*EndpointList) DeepCopy ¶
func (in *EndpointList) DeepCopy() *EndpointList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointList.
func (*EndpointList) DeepCopyInto ¶
func (in *EndpointList) DeepCopyInto(out *EndpointList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*EndpointList) DeepCopyObject ¶
func (in *EndpointList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type EndpointReference ¶
type EndpointReference struct {
	// ExternalIDName of an endpoint.
	ExternalIDName string `json:"externalIDName"`
	// ExternalIDValue of an endpoint.
	ExternalIDValue string `json:"externalIDValue"`
}
EndpointReference uniquely identifies an endpoint
func (*EndpointReference) DeepCopy ¶
func (in *EndpointReference) DeepCopy() *EndpointReference
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointReference.
func (*EndpointReference) DeepCopyInto ¶
func (in *EndpointReference) DeepCopyInto(out *EndpointReference)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EndpointSpec ¶
type EndpointSpec struct {
	// VID is the VLAN ID the endpoint is in
	VID uint32 `json:"vid"`

	// ExtendLabels contains extend labels of endpoint. Each key in the labels
	// could have multiple values, but at least one should be specified.
	// The ExtendLabels could be selected by selector in SecurityPolicy or EndpointGroup.
	// +optional
	ExtendLabels map[string][]string `json:"extendLabels,omitempty"`

	// Reference of an endpoint, also the external_id of an ovs interface.
	// We map between endpoint and ovs interface using the Reference.
	Reference EndpointReference `json:"reference"`

	// Type of this Endpoint
	// +kubebuilder:default="dynamic"
	Type EndpointType `json:"type,omitempty"`

	// StrictMac is an IP filter switch
	// true: filter IP packets whose src mac does not equal the interface mac
	// false: no action
	StrictMac bool `json:"strictMac,omitempty"`

	Ports []NamedPort `json:"ports,omitempty"`
}
EndpointSpec provides the specification of an Endpoint
func (*EndpointSpec) DeepCopy ¶
func (in *EndpointSpec) DeepCopy() *EndpointSpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointSpec.
func (*EndpointSpec) DeepCopyInto ¶
func (in *EndpointSpec) DeepCopyInto(out *EndpointSpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EndpointStatus ¶
type EndpointStatus struct {
	// IPs of an endpoint, can be IPV4 or IPV6.
	IPs []types.IPAddress `json:"ips,omitempty"`
	// MacAddress of an endpoint.
	MacAddress string `json:"macAddress,omitempty"`
	// Agents where this endpoint is currently located
	Agents []string `json:"agents,omitempty"`
}
EndpointStatus describes the current state of the Endpoint
func (*EndpointStatus) DeepCopy ¶
func (in *EndpointStatus) DeepCopy() *EndpointStatus
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointStatus.
func (*EndpointStatus) DeepCopyInto ¶
func (in *EndpointStatus) DeepCopyInto(out *EndpointStatus)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type EndpointType ¶
type EndpointType string
EndpointType defines the supported Endpoint types, which control whether the endpoint status is updated from agentInfo. +kubebuilder:validation:Enum=dynamic;static;static-ip
const (
	// EndpointDynamic update endpoint status with agentInfo.
	EndpointDynamic EndpointType = "dynamic"
	// EndpointStatic will not update endpoint status from agentInfo.
	EndpointStatic EndpointType = "static"
	// EndpointStaticIP will update endpoint status from agentInfo except ip.
	EndpointStaticIP EndpointType = "static-ip"
)
type GlobalDefaultAction ¶
type GlobalDefaultAction string
GlobalDefaultAction defines actions supported for GlobalPolicy. +kubebuilder:validation:Enum=Allow;Drop
const (
	// GlobalDefaultActionAllow allows all traffic between Endpoints by default.
	GlobalDefaultActionAllow GlobalDefaultAction = "Allow"
	// GlobalDefaultActionDrop drops all traffic between Endpoints by default.
	GlobalDefaultActionDrop GlobalDefaultAction = "Drop"
)
type GlobalPolicy ¶
type GlobalPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Specification of the desired behavior for this GlobalPolicy.
	// +optional
	Spec GlobalPolicySpec `json:"spec,omitempty"`
}
GlobalPolicy defines the default action for traffic and a global IP whitelist. Only one GlobalPolicy can exist in a Kubernetes cluster.
func (*GlobalPolicy) DeepCopy ¶
func (in *GlobalPolicy) DeepCopy() *GlobalPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalPolicy.
func (*GlobalPolicy) DeepCopyInto ¶
func (in *GlobalPolicy) DeepCopyInto(out *GlobalPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*GlobalPolicy) DeepCopyObject ¶
func (in *GlobalPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GlobalPolicyList ¶
type GlobalPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []GlobalPolicy `json:"items"`
}
func (*GlobalPolicyList) DeepCopy ¶
func (in *GlobalPolicyList) DeepCopy() *GlobalPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalPolicyList.
func (*GlobalPolicyList) DeepCopyInto ¶
func (in *GlobalPolicyList) DeepCopyInto(out *GlobalPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*GlobalPolicyList) DeepCopyObject ¶
func (in *GlobalPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type GlobalPolicySpec ¶
type GlobalPolicySpec struct {
	// DefaultAction defines global traffic action
	// +optional
	// +kubebuilder:default="Allow"
	DefaultAction GlobalDefaultAction `json:"defaultAction,omitempty"`

	// GlobalPolicy enforcement mode
	// +kubebuilder:default=work
	GlobalPolicyEnforcementMode PolicyMode `json:"globalPolicyEnforcementMode,omitempty"`
}
GlobalPolicySpec provides the specification of a GlobalPolicy
func (*GlobalPolicySpec) DeepCopy ¶
func (in *GlobalPolicySpec) DeepCopy() *GlobalPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new GlobalPolicySpec.
func (*GlobalPolicySpec) DeepCopyInto ¶
func (in *GlobalPolicySpec) DeepCopyInto(out *GlobalPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NamedPort ¶
type NamedPort struct {
	// Port represents the Port number.
	Port int32 `json:"port,omitempty" protobuf:"varint,1,opt,name=port"`
	// Name represents the associated name with this Port number.
	Name string `json:"name,omitempty" protobuf:"bytes,2,opt,name=name"`
	// Protocol for port. Must be UDP or TCP. TODO: reject icmp in the webhook
	Protocol Protocol `json:"protocol,omitempty" protobuf:"bytes,3,opt,name=protocol"`
}
NamedPort represents a Port with a name on a Pod.
func (*NamedPort) DeepCopy ¶
func (in *NamedPort) DeepCopy() *NamedPort
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamedPort.
func (*NamedPort) DeepCopyInto ¶
func (in *NamedPort) DeepCopyInto(out *NamedPort)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type NamespacedName ¶
type NamespacedName struct {
	// Name is unique within a namespace to reference a resource.
	Name string `json:"name"`
	// Namespace defines the space within which the resource name must be unique.
	Namespace string `json:"namespace"`
}
NamespacedName contains information to specify an object.
func (*NamespacedName) DeepCopy ¶
func (in *NamespacedName) DeepCopy() *NamespacedName
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new NamespacedName.
func (*NamespacedName) DeepCopyInto ¶
func (in *NamespacedName) DeepCopyInto(out *NamespacedName)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (NamespacedName) String ¶
func (n NamespacedName) String() string
String returns the general purpose string representation
type PolicyMode ¶
type PolicyMode string
const (
	WorkMode    PolicyMode = "work"
	MonitorMode PolicyMode = "monitor"
)
func (PolicyMode) String ¶
func (p PolicyMode) String() string
type PortType ¶
type PortType string
PortType defines whether PortRange holds real port numbers or port names that need resolving. If it is empty, it is equal to "number". +kubebuilder:validation:Enum=number;name
type Protocol ¶
type Protocol string
Protocol defines network protocols supported for SecurityPolicy. +kubebuilder:validation:Enum=TCP;UDP;ICMP;IPIP;VRRP
const (
	// ProtocolTCP is the TCP protocol.
	ProtocolTCP Protocol = "TCP"
	// ProtocolUDP is the UDP protocol.
	ProtocolUDP Protocol = "UDP"
	// ProtocolICMP is the ICMP protocol.
	ProtocolICMP Protocol = "ICMP"
	// ProtocolIPIP is the IPIP protocol.
	ProtocolIPIP Protocol = "IPIP"
	// ProtocolVRRP is the VRRP protocol.
	ProtocolVRRP Protocol = "VRRP"
)
type Rule ¶
type Rule struct {
	// Name must be unique within the policy and conform to RFC 1123.
	Name string `json:"name"`

	// List of ports which should be made accessible on the endpoints selected for this
	// rule. Each item in this list is combined using a logical OR. If this field is
	// empty or missing, this rule matches all ports (traffic not restricted by port).
	// If this field is present and contains at least one item, then this rule allows
	// traffic only if the traffic matches at least one port in the list.
	// +optional
	Ports []SecurityPolicyPort `json:"ports,omitempty"`

	// List of sources which should be able to access the endpoints selected for this rule.
	// Items in this list are combined using a logical OR operation. If this field is
	// empty or missing, this rule matches all sources (traffic not restricted by
	// source). If this field is present and contains at least one item, this rule
	// allows traffic only if the traffic matches at least one item in the from list.
	// This field only works when rule is ingress.
	// +optional
	From []SecurityPolicyPeer `json:"from,omitempty"`

	// List of destinations for outgoing traffic of endpoints selected for this rule.
	// Items in this list are combined using a logical OR operation. If this field is
	// empty or missing, this rule matches all destinations (traffic not restricted by
	// destination). If this field is present and contains at least one item, this rule
	// allows traffic only if the traffic matches at least one item in the to list.
	// This field only works when rule is egress.
	// +optional
	To []SecurityPolicyPeer `json:"to,omitempty"`
}
Rule describes a particular set of traffic that is allowed from/to the endpoints matched by a SecurityPolicySpec's AppliedTo.
func (*Rule) DeepCopy ¶
func (in *Rule) DeepCopy() *Rule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶
func (in *Rule) DeepCopyInto(out *Rule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecurityPolicy ¶
type SecurityPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty"`

	// Specification of the desired behavior for this SecurityPolicy.
	Spec SecurityPolicySpec `json:"spec"`
}
SecurityPolicy describes what network traffic is allowed for a set of Endpoints. It follows NetworkPolicy https://github.com/kubernetes/api/blob/v0.22.1/networking/v1/types.go#L29.
func (*SecurityPolicy) DeepCopy ¶
func (in *SecurityPolicy) DeepCopy() *SecurityPolicy
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityPolicy.
func (*SecurityPolicy) DeepCopyInto ¶
func (in *SecurityPolicy) DeepCopyInto(out *SecurityPolicy)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityPolicy) DeepCopyObject ¶
func (in *SecurityPolicy) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
func (*SecurityPolicy) IsEnable ¶
func (p *SecurityPolicy) IsEnable() (ingressEnabled bool, egressEnabled bool)
IsEnable returns whether the SecurityPolicy's ingress and egress directions should be enabled
type SecurityPolicyList ¶
type SecurityPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty"`
	Items           []SecurityPolicy `json:"items"`
}
SecurityPolicyList contains a list of SecurityPolicy
func (*SecurityPolicyList) DeepCopy ¶
func (in *SecurityPolicyList) DeepCopy() *SecurityPolicyList
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityPolicyList.
func (*SecurityPolicyList) DeepCopyInto ¶
func (in *SecurityPolicyList) DeepCopyInto(out *SecurityPolicyList)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*SecurityPolicyList) DeepCopyObject ¶
func (in *SecurityPolicyList) DeepCopyObject() runtime.Object
DeepCopyObject is an autogenerated deepcopy function, copying the receiver, creating a new runtime.Object.
type SecurityPolicyPeer ¶
type SecurityPolicyPeer struct {
	// DisableSymmetric, if set to true, won't generate symmetric rules for the peer
	// even if the policy's SymmetricMode is true. The default value is false.
	// +optional
	DisableSymmetric bool `json:"disableSymmetric,omitempty"`

	// IPBlock defines policy on a particular IPBlock. If this field is set then
	// neither of the other fields can be.
	// +optional
	IPBlock *networkingv1.IPBlock `json:"ipBlock,omitempty"`

	// Endpoint defines policy on a specific Endpoint. If this field is set then
	// neither of the other fields can be.
	// +optional
	Endpoint *NamespacedName `json:"endpoint,omitempty"`

	// EndpointSelector selects endpoints. This field follows extend label
	// selector semantics; if present but empty, it selects all endpoints.
	//
	// If NamespaceSelector is also set, then the Rule would select the endpoints
	// matching EndpointSelector in the Namespaces selected by NamespaceSelector.
	// Otherwise, it selects the Endpoints matching EndpointSelector in the policy's own Namespace.
	// +optional
	EndpointSelector *labels.Selector `json:"endpointSelector,omitempty"`

	// NamespaceSelector selects namespaces. This field follows standard label
	// selector semantics; if present but empty, it selects all namespaces.
	//
	// If EndpointSelector is also set, then the Rule would select the endpoints
	// matching EndpointSelector in the Namespaces selected by NamespaceSelector.
	// Otherwise, it selects all Endpoints in the Namespaces selected by NamespaceSelector.
	// +optional
	NamespaceSelector *metav1.LabelSelector `json:"namespaceSelector,omitempty"`
}
SecurityPolicyPeer describes a peer to allow traffic to/from. Only certain combinations of fields are allowed.
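The field comments on ApplyToPeer and SecurityPolicyPeer above state exclusivity rules (IPBlock and Endpoint each exclude every other field; EndpointSelector and NamespaceSelector may be combined; an ApplyToPeer needs exactly one of its two fields) but the page shows no validation code. The following is an added example, not Everoute's own webhook or validation logic, that encodes those rules so a misconfigured peer is rejected before it reaches the datapath. It uses cut-down stand-in types (a CIDR string for IPBlock, a simple match map for both selectors) so it compiles without the Everoute or Kubernetes modules; the real fields are *networkingv1.IPBlock, *labels.Selector and *metav1.LabelSelector.

```go
package main

import (
	"errors"
	"fmt"
)

// selector is a stand-in for the extend-label / label selectors the real
// types carry; only presence matters for the exclusivity rules.
type selector struct {
	MatchLabels map[string]string
}

// namespacedName mirrors the page's NamespacedName.
type namespacedName struct {
	Name, Namespace string
}

// applyToPeer mirrors ApplyToPeer: exactly one of the two fields must be set.
type applyToPeer struct {
	Endpoint         *string
	EndpointSelector *selector
}

// securityPolicyPeer mirrors SecurityPolicyPeer with IPBlock reduced to a
// CIDR string (stand-in for *networkingv1.IPBlock).
type securityPolicyPeer struct {
	IPBlock           *string
	Endpoint          *namespacedName
	EndpointSelector  *selector
	NamespaceSelector *selector
}

// ValidateApplyToPeer enforces the ApplyToPeer comment: at least one of
// Endpoint / EndpointSelector must be set, and never both.
func ValidateApplyToPeer(a applyToPeer) error {
	switch {
	case a.Endpoint != nil && a.EndpointSelector != nil:
		return errors.New("appliedTo: endpoint and endpointSelector are mutually exclusive")
	case a.Endpoint == nil && a.EndpointSelector == nil:
		return errors.New("appliedTo: one of endpoint or endpointSelector must be set")
	}
	return nil
}

// ValidateSecurityPolicyPeer enforces the SecurityPolicyPeer comments:
// IPBlock and Endpoint each exclude every other field, while the two
// selectors may be combined. Rejecting a peer with nothing set is this
// example's own choice; the page does not say how the project treats it.
func ValidateSecurityPolicyPeer(p securityPolicyPeer) error {
	hasSelector := p.EndpointSelector != nil || p.NamespaceSelector != nil
	groups := 0
	for _, set := range []bool{p.IPBlock != nil, p.Endpoint != nil, hasSelector} {
		if set {
			groups++
		}
	}
	switch {
	case groups == 0:
		return errors.New("peer: no field set")
	case groups > 1:
		return errors.New("peer: ipBlock, endpoint and the selector fields are mutually exclusive")
	}
	return nil
}

func main() {
	cidr := "10.0.0.0/8" // constructed sample value
	peers := []securityPolicyPeer{
		{IPBlock: &cidr},
		{EndpointSelector: &selector{MatchLabels: map[string]string{"app": "db"}},
			NamespaceSelector: &selector{MatchLabels: map[string]string{"team": "data"}}},
		{IPBlock: &cidr, Endpoint: &namespacedName{Name: "web", Namespace: "default"}},
	}
	for i, p := range peers {
		fmt.Printf("peer %d: err=%v\n", i, ValidateSecurityPolicyPeer(p))
	}
	ep := "web"
	fmt.Println("appliedTo:", ValidateApplyToPeer(applyToPeer{Endpoint: &ep}))
}
```

Grouping the two selectors as one "selector" slot is what makes the check match the comments: a peer with both EndpointSelector and NamespaceSelector is legal (endpoints matching the selector inside the selected namespaces), whereas any selector next to IPBlock or Endpoint is not.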
func (*SecurityPolicyPeer) DeepCopy ¶
func (in *SecurityPolicyPeer) DeepCopy() *SecurityPolicyPeer
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityPolicyPeer.
func (*SecurityPolicyPeer) DeepCopyInto ¶
func (in *SecurityPolicyPeer) DeepCopyInto(out *SecurityPolicyPeer)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecurityPolicyPort ¶
type SecurityPolicyPort struct {
	// The ip protocol which traffic must match.
	Protocol Protocol `json:"protocol"`

	// PortRange is a range of ports. To match all ports, leave it empty. To
	// match a single port, write it like 22. To match a range of ports, write
	// it like 20-80; ports between 20 and 80 (including 20 and 80) will match.
	// To match multiple ports, write it like 20,22-24,90.
	// Only valid when Protocol is not ICMP.
	PortRange string `json:"portRange,omitempty"`

	// Type defines whether PortRange holds real port numbers or port names that need
	// resolving. If it is empty, the effect is equal to "number" for compatibility.
	// +kubebuilder:default:=number
	Type PortType `json:"type,omitempty"`
}
SecurityPolicyPort describes the port and protocol to match in a rule.
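The PortRange comment above gives the grammar ("" for all ports, 22, 20-80, 20,22-24,90) in prose only. The following is an added example, not the project's parser, that turns a PortRange string of PortType "number" into inclusive spans and rejects malformed input (reversed spans, values outside 1-65535, stray characters). Rejecting port 0 is this example's choice; the page does not say whether the project accepts it.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// PortSpan is one inclusive [Lo, Hi] range produced from a PortRange string.
type PortSpan struct {
	Lo, Hi uint16
}

// ParsePortRange interprets a PortRange as the SecurityPolicyPort comment
// describes it: "" matches every port, "22" a single port, "20-80" an
// inclusive span and "20,22-24,90" a comma-separated mix of both.
func ParsePortRange(s string) ([]PortSpan, error) {
	s = strings.TrimSpace(s)
	if s == "" {
		return []PortSpan{{Lo: 1, Hi: 65535}}, nil
	}
	var spans []PortSpan
	for _, item := range strings.Split(s, ",") {
		item = strings.TrimSpace(item)
		if item == "" {
			return nil, fmt.Errorf("empty element in port range %q", s)
		}
		lo, hi := item, item
		if i := strings.Index(item, "-"); i >= 0 {
			lo, hi = item[:i], item[i+1:]
		}
		l, err := parsePort(lo)
		if err != nil {
			return nil, err
		}
		h, err := parsePort(hi)
		if err != nil {
			return nil, err
		}
		if l > h {
			return nil, fmt.Errorf("reversed port span %q", item)
		}
		spans = append(spans, PortSpan{Lo: l, Hi: h})
	}
	return spans, nil
}

// parsePort accepts 1-65535 only; ParseUint with bitSize 16 rejects anything
// above 65535 and any non-digit text.
func parsePort(p string) (uint16, error) {
	n, err := strconv.ParseUint(p, 10, 16)
	if err != nil || n == 0 {
		return 0, fmt.Errorf("invalid port %q: must be 1-65535", p)
	}
	return uint16(n), nil
}

// Matches reports whether port falls inside any of the parsed spans.
func Matches(spans []PortSpan, port uint16) bool {
	for _, sp := range spans {
		if port >= sp.Lo && port <= sp.Hi {
			return true
		}
	}
	return false
}

func main() {
	// constructed sample inputs: the four documented forms plus two invalid ones
	for _, in := range []string{"", "22", "20-80", "20,22-24,90", "80-20", "abc"} {
		spans, err := ParsePortRange(in)
		fmt.Printf("%-14q -> %v err=%v\n", in, spans, err)
	}
}
```

Doing this strictly at admission time matters because a PortRange that silently parses to nothing, or to a wider span than intended, changes what the rule allows without any visible error in the policy object.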
func (*SecurityPolicyPort) DeepCopy ¶
func (in *SecurityPolicyPort) DeepCopy() *SecurityPolicyPort
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityPolicyPort.
func (*SecurityPolicyPort) DeepCopyInto ¶
func (in *SecurityPolicyPort) DeepCopyInto(out *SecurityPolicyPort)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type SecurityPolicySpec ¶
type SecurityPolicySpec struct {
	// Tier specifies the tier to which this SecurityPolicy belongs.
	// In v1alpha1, Tier only supports tier0, tier1, tier2, tier-ecp.
	Tier string `json:"tier"`

	// Work mode specifies the policy enforcement state: monitor or work
	// +kubebuilder:default=work
	SecurityPolicyEnforcementMode PolicyMode `json:"securityPolicyEnforcementMode,omitempty"`

	// SymmetricMode will generate symmetric rules for the policy.
	// Defaults to false.
	SymmetricMode bool `json:"symmetricMode,omitempty"`

	// Selects the endpoints to which this SecurityPolicy object applies.
	// Empty or nil means select all endpoints.
	// Notice: if AppliedTo is empty, IngressRule's Ports can't be namedPorts.
	AppliedTo []ApplyToPeer `json:"appliedTo,omitempty"`

	// List of ingress rules to be applied to the selected endpoints. If this field
	// is empty then this SecurityPolicy does not allow any traffic.
	// +optional
	IngressRules []Rule `json:"ingressRules,omitempty"`

	// List of egress rules to be applied to the selected endpoints. If this field
	// is empty then this SecurityPolicy limits all outgoing traffic.
	// +optional
	EgressRules []Rule `json:"egressRules,omitempty"`

	// DefaultRule will generate the default rule for the policy
	// +kubebuilder:default=drop
	DefaultRule DefaultRuleType `json:"defaultRule,omitempty"`

	// List of rule types that the SecurityPolicy relates to.
	// Valid options are "Ingress", "Egress", or "Ingress,Egress".
	// If this field is not specified, it will default based on the existence of Ingress or Egress rules;
	// policies that contain an Egress section are assumed to affect Egress, and all policies
	// (whether or not they contain an Ingress section) are assumed to affect Ingress.
	// If you want to write an egress-only policy, you must explicitly specify policyTypes [ "Egress" ].
	// Likewise, if you want to write a policy that specifies that no egress is allowed,
	// you must specify a policyTypes value that includes "Egress" (since such a policy would not include
	// an Egress section and would otherwise default to just [ "Ingress" ]).
	// +optional
	PolicyTypes []networkingv1.PolicyType `json:"policyTypes,omitempty"`
}
SecurityPolicySpec provides the specification of a SecurityPolicy
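The PolicyTypes comment above describes the defaulting rule that decides which directions a policy affects, and IsEnable (documented earlier on this page) returns exactly such an ingress/egress pair. The following is an added example, not the project's IsEnable implementation, that applies the documented rule to a cut-down stand-in for SecurityPolicySpec and shows the failure mode the comment warns about: a policy meant to deny all egress, written with no egress section and no policyTypes, defaults to [ "Ingress" ] and leaves egress unrestricted.

```go
package main

import "fmt"

// PolicyType mirrors networkingv1.PolicyType ("Ingress" / "Egress").
type PolicyType string

const (
	PolicyTypeIngress PolicyType = "Ingress"
	PolicyTypeEgress  PolicyType = "Egress"
)

// specShape is a stand-in for SecurityPolicySpec carrying only what the
// defaulting rule reads: whether each rule list is non-empty and the
// explicit PolicyTypes (constructed for this example).
type specShape struct {
	IngressRules int
	EgressRules  int
	PolicyTypes  []PolicyType
}

// EnabledDirections applies the rule quoted in the PolicyTypes comment:
// an explicit PolicyTypes list wins; otherwise every policy affects Ingress
// and only a policy with an Egress section affects Egress. A direction that
// is enabled but has no rules is the "allow nothing" case from the
// IngressRules/EgressRules comments.
func EnabledDirections(s specShape) (ingress, egress bool) {
	if len(s.PolicyTypes) > 0 {
		for _, t := range s.PolicyTypes {
			switch t {
			case PolicyTypeIngress:
				ingress = true
			case PolicyTypeEgress:
				egress = true
			}
		}
		return ingress, egress
	}
	return true, s.EgressRules > 0
}

func main() {
	cases := []struct {
		name string
		spec specShape
	}{
		{"ingress rules only, no policyTypes", specShape{IngressRules: 1}},
		{"egress section present, no policyTypes", specShape{EgressRules: 1}},
		{"deny-all-egress attempt without policyTypes", specShape{IngressRules: 1}},
		{"deny-all-egress done right", specShape{IngressRules: 1,
			PolicyTypes: []PolicyType{PolicyTypeIngress, PolicyTypeEgress}}},
		{"egress-only policy", specShape{EgressRules: 1,
			PolicyTypes: []PolicyType{PolicyTypeEgress}}},
	}
	for _, c := range cases {
		in, eg := EnabledDirections(c.spec)
		fmt.Printf("%-45s ingress=%v egress=%v\n", c.name, in, eg)
	}
}
```

The third and fourth cases are the ones to check in review: both have the same rule lists, and only the explicit policyTypes entry makes the second one actually restrict outgoing traffic.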
func (*SecurityPolicySpec) DeepCopy ¶
func (in *SecurityPolicySpec) DeepCopy() *SecurityPolicySpec
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new SecurityPolicySpec.
func (*SecurityPolicySpec) DeepCopyInto ¶
func (in *SecurityPolicySpec) DeepCopyInto(out *SecurityPolicySpec)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.