types

package
v0.0.0-...-8216aeb Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Aug 28, 2016 License: Apache-2.0 Imports: 22 Imported by: 0

Documentation

Overview

Copyright 2016 Authors of Cilium

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at 

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Index

Constants

View Source 
const (
	OptionNAT46               = "NAT46"
	OptionPolicy              = "Policy"
	OptionDropNotify          = "DropNotification"
	OptionConntrack           = "Conntrack"
	OptionConntrackAccounting = "ConntrackAccounting"
	OptionDebug               = "Debug"
	OptionAllowToHost         = "AllowToHost"
	OptionAllowToWorld        = "AllowToWorld"
	OptionLearnTraffic        = "LearnTraffic"
)
View Source 
const (
	ID_NAME_ALL   = "all"
	ID_NAME_HOST  = "host"
	ID_NAME_WORLD = "world"
)
View Source 
const (
	// LPCfgFileVersion represents the version of a Label Prefix Configuration File
	LPCfgFileVersion = 1
)

Variables

View Source 
var (
	OptionSpecNAT46 = Option{
		Define:      "ENABLE_NAT46",
		Description: "Enable automatic NAT46 translation",
	}

	OptionSpecPolicy = Option{
		Define:      "POLICY_ENFORCEMENT",
		Description: "Enable policy enforcement",
	}

	OptionSpecDropNotify = Option{
		Define:      "DROP_NOTIFY",
		Description: "Enable drop notifications",
	}

	OptionSpecConntrack = Option{
		Define:      "CONNTRACK",
		Description: "Enable stateful connection tracking",
	}

	OptionSpecConntrackAccounting = Option{
		Define:      "CONNTRACK_ACCOUNTING",
		Description: "Enable per flow (conntrack) statistics",
	}

	OptionSpecDebug = Option{
		Define:      "DEBUG",
		Description: "Enable debugging trace statements",
	}

	OptionSpecAllowToHost = Option{
		Define:      "ALLOW_TO_HOST",
		Immutable:   true,
		Description: "Allow all traffic to local host",
	}

	OptionSpecAllowToWorld = Option{
		Define:      "ALLOW_TO_WORLD",
		Immutable:   true,
		Description: "Allow all traffic to outside world",
	}

	OptionSpecLearnTraffic = Option{
		Define:      "LEARN_TRAFFIC",
		Description: "Learn and add labels to the list of allowed labels",
	}

	EndpointOptionLibrary = OptionLibrary{
		OptionNAT46:               &OptionSpecNAT46,
		OptionPolicy:              &OptionSpecPolicy,
		OptionDropNotify:          &OptionSpecDropNotify,
		OptionConntrack:           &OptionSpecConntrack,
		OptionConntrackAccounting: &OptionSpecConntrackAccounting,
		OptionDebug:               &OptionSpecDebug,
		OptionAllowToHost:         &OptionSpecAllowToHost,
		OptionAllowToWorld:        &OptionSpecAllowToWorld,
		OptionLearnTraffic:        &OptionSpecLearnTraffic,
	}
)
View Source 
var (
	ResDec = map[string]ReservedID{
		ID_NAME_HOST:  ID_HOST,
		ID_NAME_WORLD: ID_WORLD,
	}
	ResEnc = map[ReservedID]string{
		ID_HOST:  ID_NAME_HOST,
		ID_WORLD: ID_NAME_WORLD,
	}
)

Functions

func FilterEPDir 

func FilterEPDir(dirFiles []os.FileInfo) []string

FilterEPDir returns a list of directories' names that possible belong to an endpoint.

func OptionChanged 

func OptionChanged(key string, value bool, data interface{})

func OrderEndpointAsc 

func OrderEndpointAsc(eps []Endpoint)

OrderEndpointAsc orders the slice of Endpoint in ascending ID order.

func ParseBase64ToEndpoint 

func ParseBase64ToEndpoint(str string, ep *Endpoint) error

ParseBase64ToEndpoint parses the endpoint stored in the given base64 string.

func ParseOption 

func ParseOption(arg string, lib *OptionLibrary) (string, bool, error)

func SplitPolicyNodePath 

func SplitPolicyNodePath(fullPath string) (string, string)

Types

type AllowRule 

type AllowRule struct {
	Action ConsumableDecision `json:"action,omitempty"`
	Label  Label              `json:"label"`
}

func (*AllowRule) Allows 

func (a *AllowRule) Allows(ctx *SearchContext) ConsumableDecision

func (*AllowRule) UnmarshalJSON 

func (a *AllowRule) UnmarshalJSON(data []byte) error

type BoolOptions 

type BoolOptions struct {
	Opts    OptionMap      `json:"map"`
	Library *OptionLibrary `json:"-"`
}

func NewBoolOptions 

func NewBoolOptions(lib *OptionLibrary) *BoolOptions

func (*BoolOptions) Apply 

func (o *BoolOptions) Apply(n OptionMap, changed ChangedFunc, data interface{}) int

func (*BoolOptions) DeepCopy 

func (bo *BoolOptions) DeepCopy() *BoolOptions

func (*BoolOptions) Delete 

func (o *BoolOptions) Delete(key string)

func (*BoolOptions) Dump 

func (o *BoolOptions) Dump()

func (*BoolOptions) GetFmtList 

func (o *BoolOptions) GetFmtList() string

func (*BoolOptions) GetFmtOpt 

func (o *BoolOptions) GetFmtOpt(name string) string

GetFmtOpt returns #define name if option exists and is set to true in endpoint's Opts map or #undef name if option does not exist or exists but is set to false

func (*BoolOptions) InheritDefault 

func (o *BoolOptions) InheritDefault(parent *BoolOptions, key string)

func (*BoolOptions) IsEnabled 

func (o *BoolOptions) IsEnabled(key string) bool

func (*BoolOptions) Set 

func (o *BoolOptions) Set(key string, value bool)

func (*BoolOptions) SetIfUnset 

func (o *BoolOptions) SetIfUnset(key string, value bool)

func (*BoolOptions) Validate 

func (o *BoolOptions) Validate(n OptionMap) error

type ChangedFunc 

type ChangedFunc func(key string, value bool, data interface{})

type Consumable 

type Consumable struct {
	ID           uint32                       `json:"id"`
	Iteration    int                          `json:"-"`
	Labels       *SecCtxLabel                 `json:"labels"`
	LabelList    []Label                      `json:"-"`
	Maps         map[int]*policymap.PolicyMap `json:"-"`
	Consumers    map[string]*Consumer         `json:"consumers"`
	ReverseRules map[uint32]*Consumer         `json:"-"`
}

func GetConsumable 

func GetConsumable(id uint32, labels *SecCtxLabel) *Consumable

func LookupConsumable 

func LookupConsumable(id uint32) *Consumable

func (*Consumable) AddMap 

func (c *Consumable) AddMap(m *policymap.PolicyMap)

func (*Consumable) AllowConsumer 

func (c *Consumable) AllowConsumer(id uint32) *Consumer

func (*Consumable) AllowConsumerAndReverse 

func (c *Consumable) AllowConsumerAndReverse(id uint32)

func (*Consumable) Allows 

func (c *Consumable) Allows(id uint32) bool

func (*Consumable) BanConsumer 

func (c *Consumable) BanConsumer(id uint32)

func (*Consumable) Consumer 

func (c *Consumable) Consumer(id uint32) *Consumer

func (*Consumable) DeepCopy 

func (c *Consumable) DeepCopy() *Consumable

func (*Consumable) Delete 

func (c *Consumable) Delete()

func (*Consumable) RemoveMap 

func (c *Consumable) RemoveMap(m *policymap.PolicyMap)

type ConsumableDecision 

type ConsumableDecision byte
const (
	UNDECIDED ConsumableDecision = iota
	ACCEPT
	ALWAYS_ACCEPT
	DENY
)

func (ConsumableDecision) MarshalJSON 

func (d ConsumableDecision) MarshalJSON() ([]byte, error)

func (ConsumableDecision) String 

func (d ConsumableDecision) String() string

func (*ConsumableDecision) UnmarshalJSON 

func (d *ConsumableDecision) UnmarshalJSON(b []byte) error

type Consumer 

type Consumer struct {
	ID           uint32
	Reverse      *Consumer
	DeletionMark bool
	Decision     ConsumableDecision
}

func NewConsumer 

func NewConsumer(id uint32) *Consumer

func (*Consumer) DeepCopy 

func (c *Consumer) DeepCopy() *Consumer

type Container 

type Container struct {
	dTypes.ContainerJSON
	OpLabels OpLabels
	NRetries uint
}

func (*Container) IsDockerOrInfracontainer 

func (c *Container) IsDockerOrInfracontainer() bool

type EPPortMap 

type EPPortMap struct {
	From  uint16 `json:"from"`
	To    uint16 `json:"to"`
	Proto uint8  `json:"proto"`
}

EPPortMap is the port mapping representation for a particular endpoint.

type Endpoint 

type Endpoint struct {
	ID               uint16                `json:"id"`                 // Endpoint ID.
	DockerID         string                `json:"docker-id"`          // Docker ID.
	DockerNetworkID  string                `json:"docker-network-id"`  // Docker network ID.
	DockerEndpointID string                `json:"docker-endpoint-id"` // Docker endpoint ID.
	IfName           string                `json:"interface-name"`     // Container's interface name.
	LXCMAC           MAC                   `json:"lxc-mac"`            // Container MAC address.
	IPv6             addressing.CiliumIPv6 `json:"ipv6"`               // Container IPv6 address.
	IPv4             addressing.CiliumIPv4 `json:"ipv4"`               // Container IPv4 address.
	IfIndex          int                   `json:"interface-index"`    // Host's interface index.
	NodeMAC          MAC                   `json:"node-mac"`           // Node MAC address.
	NodeIP           net.IP                `json:"node-ip"`            // Node IPv6 address.
	SecLabel         *SecCtxLabel          `json:"security-label"`     // Security Label  set to this endpoint.
	PortMap          []EPPortMap           `json:"port-mapping"`       // Port mapping used for this endpoint.
	Consumable       *Consumable           `json:"consumable"`
	PolicyMap        *policymap.PolicyMap  `json:"-"`
	Opts             *BoolOptions          `json:"options"` // Endpoint bpf options.
}

Endpoint contains all the details for a particular LXC and the host interface to where is connected to.

func ParseEndpoint 

func ParseEndpoint(strEp string) (*Endpoint, error)

ParseEndpoint parses the given strEp which is in the form of: common.CiliumCHeaderPrefix + common.Version + ":" + endpointBase64

func (*Endpoint) Allows 

func (e *Endpoint) Allows(id uint32) bool

func (*Endpoint) ApplyOpts 

func (e *Endpoint) ApplyOpts(opts OptionMap) bool

func (Endpoint) Base64 

func (ep Endpoint) Base64() (string, error)

Base64 returns the endpoint in a base64 format.

func (*Endpoint) DeepCopy 

func (e *Endpoint) DeepCopy() *Endpoint

func (*Endpoint) InvalidatePolicy 

func (e *Endpoint) InvalidatePolicy()

func (*Endpoint) IsCNI 

func (e *Endpoint) IsCNI() bool

IsCNI returns true if the endpoint was created by CNI, false otherwise.

func (*Endpoint) IsLibnetwork 

func (e *Endpoint) IsLibnetwork() bool

IsLibnetwork returns true if the endpoint was created by Libnetwork, false otherwise.

func (*Endpoint) PolicyMapPath 

func (e *Endpoint) PolicyMapPath() string

func (*Endpoint) SetDefaultOpts 

func (ep *Endpoint) SetDefaultOpts(opts *BoolOptions)

func (*Endpoint) SetID 

func (e *Endpoint) SetID()

SetID sets the endpoint's host local unique ID.

func (*Endpoint) SetSecLabel 

func (e *Endpoint) SetSecLabel(labels *SecCtxLabel)

func (Endpoint) String 

func (e Endpoint) String() string

String returns endpoint on a JSON format.

type IPv4 

type IPv4 [4]byte

binary representation for encoding in binary structs

func (IPv4) IP 

func (v4 IPv4) IP() net.IP

func (IPv4) String 

func (v4 IPv4) String() string

type IPv6 

type IPv6 [16]byte

binary representation for encoding in binary structs

func (IPv6) IP 

func (v6 IPv6) IP() net.IP

func (IPv6) String 

func (v6 IPv6) String() string

type IngressIsolationPolicy 

type IngressIsolationPolicy string
const (
	// Deny all ingress traffic to pods in this namespace. Ingress means
	// any incoming traffic to pods, whether that be from other pods within this namespace
	// or any source outside of this namespace.
	DefaultDeny IngressIsolationPolicy = "DefaultDeny"
)

type Label 

type Label struct {
	Key   string `json:"key"`
	Value string `json:"value,omitempty"`
	// Source can be on of the values present in const.go (e.g.: CiliumLabelSource)
	Source string `json:"source"`
	// contains filtered or unexported fields
}

Label is the cilium's representation of a container label.

func NewLabel 

func NewLabel(key string, value string, source string) *Label

NewLabel returns a new label from the given key, value and source. If source is empty, the default value will be common.CiliumLabelSource. If key starts with '$', the source will be overwritten with common.ReservedLabelSource. If key contains ':', the value before ':' will be used as source if given source is empty, otherwise the value before ':' will be deleted and unused.

func ParseLabel 

func ParseLabel(str string) *Label

ParseLabel returns the label representation of the given string. The str should be in the form of Source:Key=Value or Source:Key if Value is empty. It also parses short forms, for example: $host will be Label{Key: "host", Source: "reserved", Value: ""}.

func (*Label) AbsoluteKey 

func (l *Label) AbsoluteKey() string

AbsoluteKey if set returns the absolute key path, otherwise returns the label's Key.

func (*Label) Covers 

func (l *Label) Covers(path string) bool

func (*Label) Equals 

func (l *Label) Equals(b *Label) bool

Equals returns true if source, AbsoluteKey() and Value are equal and false otherwise.

func (*Label) IsAllLabel 

func (l *Label) IsAllLabel() bool

func (*Label) IsValid 

func (l *Label) IsValid() bool

IsValid returns true if Key != "".

func (*Label) Matches 

func (l *Label) Matches(target *Label) bool

func (*Label) Resolve 

func (l *Label) Resolve(policyNode *PolicyNode)

Resolve resolves the absolute key path for this Label from policyNode.

func (Label) String 

func (l Label) String() string

String returns the string representation of Label in the for of Source:Key=Value or Source:Key if Value is empty.

func (*Label) UnmarshalJSON 

func (l *Label) UnmarshalJSON(data []byte) error

UnmarshalJSON TODO create better explanation about unmarshall with examples

type LabelOp 

type LabelOp map[LabelOpType]Labels

type LabelOpType 

type LabelOpType string
const (
	AddLabelsOp     LabelOpType = "AddLabelsOp"
	DelLabelsOp     LabelOpType = "DelLabelsOp"
	EnableLabelsOp  LabelOpType = "EnableLabelsOp"
	DisableLabelsOp LabelOpType = "DisableLabelsOp"
)

type LabelPrefix 

type LabelPrefix struct {
	Prefix string `json:"prefix"`
	Source string `json:"source"`
}

Label is the cilium's representation of a container label.

type LabelPrefixCfg 

type LabelPrefixCfg struct {
	Version       int            `json:"version"`
	LabelPrefixes []*LabelPrefix `json:"valid-prefixes"`
}

LabelPrefixCfg is the label prefix configuration to filter labels of started containers.

func DefaultLabelPrefixCfg 

func DefaultLabelPrefixCfg() *LabelPrefixCfg

DefaultLabelPrefixCfg returns a default LabelPrefixCfg using the latest LPCfgFileVersion and the following label prefixes: Key: common.GlobalLabelPrefix, Source: common.CiliumLabelSource and Key: common.GlobalLabelPrefix, Source: common.K8sLabelSource.

func ReadLabelPrefixCfgFrom 

func ReadLabelPrefixCfgFrom(fileName string) (*LabelPrefixCfg, error)

ReadLabelPrefixCfgFrom reads a label prefix configuration file from fileName. If the version is not supported by us it returns an error.

func (*LabelPrefixCfg) FilterLabels 

func (lpc *LabelPrefixCfg) FilterLabels(labels Labels) Labels

FilterLabels returns Labels from the given labels that have the same source and the same prefix as one of lpc valid prefixes.

type Labels 

type Labels map[string]*Label

Labels is a map of labels where the map's key is the same as the label's key.

func LabelSlice2LabelsMap 

func LabelSlice2LabelsMap(lbls []Label) Labels

/ LabelSlice2LabelsMap returns a Labels' map with all labels from the given slice of label.

func Map2Labels 

func Map2Labels(m map[string]string, source string) Labels

Map2Labels transforms in the form: map[key(string)]value(string) into Labels. The source argument will overwrite the source written in the key of the given map. Example: l := Map2Labels(map[string]string{"k8s:foo": "bar"}, "cilium") fmt.Printf("%+v\n", l) 

map[string]Label{"foo":Label{Key:"foo", Value:"bar", Source:"cilium"}}

func ParseStringLabels 

func ParseStringLabels(strLbls []string) Labels

func (Labels) DeepCopy 

func (lbls Labels) DeepCopy() Labels

func (Labels) MergeLabels 

func (lbls Labels) MergeLabels(from Labels)

MergeLabels merges labels from into to. It overwrites all labels with the same Key as from writen into to. Example: to := Labels{Label{key1, value1, source1}, Label{key2, value3, source4}} from := Labels{Label{key1, value3, source4}} to.MergeLabels(from) fmt.Printf("%+v\n", to) 

Labels{Label{key1, value3, source4}, Label{key2, value3, source4}}

func (Labels) SHA256Sum 

func (lbls Labels) SHA256Sum() (string, error)

SHA256Sum calculates lbls' internal SHA256Sum. For a particular set of labels is guarantee that it will always have the same SHA256Sum.

func (Labels) ToSlice 

func (lbls Labels) ToSlice() []Label

/ ToSlice returns a slice of label with the values of the given Labels' map.

type LearningLabel 

type LearningLabel struct {
	EndpointID uint16
	Learn      bool
}

func NewLearningLabel 

func NewLearningLabel(endpointID uint16, learn bool) *LearningLabel

type MAC 

type MAC net.HardwareAddr

MAC address is an net.HardwareAddr encapsulation to force cilium to only use MAC-48.

func (MAC) MarshalIndentJSON 

func (m MAC) MarshalIndentJSON(prefix, indent string) ([]byte, error)

func (MAC) MarshalJSON 

func (m MAC) MarshalJSON() ([]byte, error)

func (MAC) String 

func (m MAC) String() string

String returns the string representation of m.

func (MAC) Uint64 

func (m MAC) Uint64() (uint64, error)

Uint64 returns the MAC in uint64 format. The MAC is represented as little-endian in the returned value. Example: 

m := MAC([]{0x11, 0x12, 0x23, 0x34, 0x45, 0x56})
v, err := m.Uint64()
fmt.Printf("0x%X", v) // 0x564534231211

func (*MAC) UnmarshalJSON 

func (m *MAC) UnmarshalJSON(data []byte) error

type NamespaceIngressPolicy 

type NamespaceIngressPolicy struct {
	// The isolation policy to apply to pods in this namespace.
	// Currently this field only supports "DefaultDeny", but could
	// be extended to support other policies in the future.  When set to DefaultDeny,
	// pods in this namespace are denied ingress traffic by default.  When not defined,
	// the cluster default ingress isolation policy is applied (currently allow all).
	Isolation *IngressIsolationPolicy `json:"isolation,omitempty"`
}

Configuration for ingress to pods within this namespace. For now, this only supports specifying an isolation policy.

type NamespaceNetworkPolicy 

type NamespaceNetworkPolicy struct {
	// Ingress configuration for this namespace.  This config is
	// applied to all pods within this namespace. For now, only
	// ingress is supported.  This field is optional - if not
	// defined, then the cluster default for ingress is applied.
	Ingress *NamespaceIngressPolicy `json:"ingress,omitempty"`
}

type NamespaceSpec 

type NamespaceSpec struct {
	// This is a pointer so that it can be left undefined.
	NetworkPolicy *NamespaceNetworkPolicy `json:"networkPolicy,omitempty"`
}

Standard NamespaceSpec object, modified to include a new NamespaceNetworkPolicy field.

type OpLabels 

type OpLabels struct {
	// All labels
	AllLabels Labels
	// Active labels that are enabled and disabled but not deleted
	UserLabels Labels
	// Labels that are enabled
	EndpointLabels Labels
	// Labels from probes
	ProbeLabels Labels
}

func (*OpLabels) DeepCopy 

func (o *OpLabels) DeepCopy() *OpLabels

func (*OpLabels) GetDeletedLabels 

func (opl *OpLabels) GetDeletedLabels() Labels

type Option 

type Option struct {
	Define      string
	Description string
	Immutable   bool
}

type OptionLibrary 

type OptionLibrary map[string]*Option

func (OptionLibrary) Define 

func (l OptionLibrary) Define(name string) string

func (OptionLibrary) Lookup 

func (l OptionLibrary) Lookup(name string) (string, *Option)

func (OptionLibrary) Validate 

func (l OptionLibrary) Validate(name string) error

type OptionMap 

type OptionMap map[string]bool

func (OptionMap) DeepCopy 

func (om OptionMap) DeepCopy() OptionMap

type PingResponse 

type PingResponse struct {
	NodeAddress string       `json:"node-address"`
	Opts        *BoolOptions `json:"options"`
}

type PolicyNode 

type PolicyNode struct {
	Name     string                 `json:"name"`
	Parent   *PolicyNode            `json:"-"`
	Rules    []PolicyRule           `json:"rules,omitempty"`
	Children map[string]*PolicyNode `json:"children,omitempty"`
	// contains filtered or unexported fields
}

Node to define hierarchy of rules

func K8sNP2CP 

func K8sNP2CP(np v1beta1.NetworkPolicy) (string, *PolicyNode, error)

func NewPolicyNode 

func NewPolicyNode(name string, parent *PolicyNode) *PolicyNode

func (*PolicyNode) AddChild 

func (pn *PolicyNode) AddChild(name string, child *PolicyNode) error

func (*PolicyNode) Allows 

func (p *PolicyNode) Allows(ctx *SearchContext) ConsumableDecision

func (*PolicyNode) BuildPath 

func (pn *PolicyNode) BuildPath() (string, error)

func (*PolicyNode) Covers 

func (p *PolicyNode) Covers(ctx *SearchContext) bool

func (*PolicyNode) DebugString 

func (pn *PolicyNode) DebugString(level int) string

func (*PolicyNode) Merge 

func (pn *PolicyNode) Merge(obj *PolicyNode) error

func (*PolicyNode) Path 

func (p *PolicyNode) Path() string

func (*PolicyNode) ResolveTree 

func (pn *PolicyNode) ResolveTree() error

func (*PolicyNode) UnmarshalJSON 

func (pn *PolicyNode) UnmarshalJSON(data []byte) error

type PolicyRule 

type PolicyRule interface {
	Allows(ctx *SearchContext) ConsumableDecision
	Resolve(node *PolicyNode) error
}

type PolicyRuleConsumers 

type PolicyRuleConsumers struct {
	Coverage []Label     `json:"coverage,omitempty"`
	Allow    []AllowRule `json:"allow"`
}

Allow the following consumers

func (*PolicyRuleConsumers) Allows 

func (c *PolicyRuleConsumers) Allows(ctx *SearchContext) ConsumableDecision

func (*PolicyRuleConsumers) Resolve 

func (c *PolicyRuleConsumers) Resolve(node *PolicyNode) error

type PolicyRuleDropPrivileges 

type PolicyRuleDropPrivileges struct {
	Coverage       []Label     `json:"coverage,omitempty"`
	DropPrivileges []Privilege `json:"drop-privileges"`
}

Do not allow further rules of specified type

type PolicyRulePorts 

type PolicyRulePorts struct {
	Coverage []Label `json:"coverage,omitempty"`
	Ports    []Port  `json:"ports"`
}

type PolicyRuleRequires 

type PolicyRuleRequires struct {
	Coverage []Label `json:"coverage,omitempty"`
	Requires []Label `json:"requires"`
}

Any further consumer requires the specified list of labels in order to consume

func (*PolicyRuleRequires) Allows 

func (r *PolicyRuleRequires) Allows(ctx *SearchContext) ConsumableDecision

A require rule imposes additional label requirements but does not imply access immediately. Hence if the label context is not sufficient access can be denied but fullfillment of the requirement only leads to the decision being UNDECIDED waiting on an explicit allow rule further down the tree

func (*PolicyRuleRequires) Resolve 

func (c *PolicyRuleRequires) Resolve(node *PolicyNode) error

type PolicyTree 

type PolicyTree struct {
	Root *PolicyNode
}

Overall policy tree

func (*PolicyTree) Allows 

func (t *PolicyTree) Allows(ctx *SearchContext) ConsumableDecision

type Port 

type Port struct {
	Proto  string `json:"protocol"`
	Number int    `json:"number"`
}

type Privilege 

type Privilege byte

Available privileges for policy nodes to define 

const (
	ALLOW Privilege = iota
	ALWAYS_ALLOW
	REQUIRES
	DROP_PRIVILEGES
)

func (Privilege) MarshalJSON 

func (d Privilege) MarshalJSON() ([]byte, error)

func (Privilege) String 

func (p Privilege) String() string

func (*Privilege) UnmarshalJSON 

func (p *Privilege) UnmarshalJSON(b []byte) error

type ReservedID 

type ReservedID uint32
const (
	ID_UNKNOWN ReservedID = iota
	ID_HOST
	ID_WORLD
)

func GetID 

func GetID(name string) ReservedID

func (ReservedID) String 

func (id ReservedID) String() string

type SearchContext 

type SearchContext struct {
	Trace   Tracing
	Logging *logging.LogBackend
	// TODO: Put this as []*Label?
	From []Label
	To   []Label
}

func (*SearchContext) TargetCoveredBy 

func (s *SearchContext) TargetCoveredBy(coverage []Label) bool

type SearchContextReply 

type SearchContextReply struct {
	Logging  []byte
	Decision ConsumableDecision
}

type SecCtxLabel 

type SecCtxLabel struct {
	// SecCtxLabel's ID.
	ID uint32 `json:"id"`
	// Containers that have this SecCtxLabel where their value is the last time they were seen.
	Labels Labels `json:"labels"`
	// Set of labels that belong to this SecCtxLabel.
	Containers map[string]time.Time `json:"containers"`
}

SecCtxLabel is the representation of the security context for a particular set of labels.

func NewSecCtxLabel 

func NewSecCtxLabel() *SecCtxLabel

func (*SecCtxLabel) AddOrUpdateContainer 

func (s *SecCtxLabel) AddOrUpdateContainer(contID string)

func (*SecCtxLabel) DeepCopy 

func (s *SecCtxLabel) DeepCopy() *SecCtxLabel

func (*SecCtxLabel) DelContainer 

func (s *SecCtxLabel) DelContainer(contID string)

func (*SecCtxLabel) RefCount 

func (s *SecCtxLabel) RefCount() int

type ServerError 

type ServerError struct {
	Code int    `json:"code"`
	Text string `json:"text"`
}

ServerError is the type of message used when the daemon returns any error messages in case of failure.

func (ServerError) String 

func (se ServerError) String() string

String returns string format of the given ServerError.

type Tracing 

type Tracing int
const (
	TRACE_DISABLED Tracing = iota
	TRACE_ENABLED
	TRACE_VERBOSE
)

type U8proto 

type U8proto uint8

func (*U8proto) String 

func (p *U8proto) String() string

type UIAnimateEdge 

type UIAnimateEdge struct {
	Edge        string `json:"edge"`
	TrafficSize uint64 `json:"trafficSize"`
}

type UIEdge 

type UIEdge struct {
	ID      string `json:"id"`
	From    int    `json:"from"`
	To      int    `json:"to"`
	Value   int64  `json:"value"`
	Removed bool   `json:"dashes"`
	Color   string `json:"color"`
	Title   string `json:"title"`
	Length  int    `json:"length,omitempty"`

	UIAnimateEdge `json:"-"`
	// contains filtered or unexported fields
}

func (*UIEdge) Build 

func (e *UIEdge) Build()

type UINode 

type UINode struct {
	ID     int     `json:"id"`
	Size   int     `json:"size"`
	Label  string  `json:"label"`
	Labels []Label `json:"-"`
	Title  string  `json:"title"`
	// contains filtered or unexported fields
}

func (*UINode) Build 

func (n *UINode) Build()

type UITopo 

type UITopo struct {
	UIChan chan UIUpdateMsg
	// contains filtered or unexported fields
}

func NewUITopo 

func NewUITopo() UITopo

func (*UITopo) AddOrUpdateEdge 

func (t *UITopo) AddOrUpdateEdge(from, to int, pe *policymap.PolicyEntry)

func (*UITopo) AddOrUpdateNode 

func (t *UITopo) AddOrUpdateNode(id32 uint32, lbls []Label, refCount int)

func (*UITopo) DeleteEdge 

func (t *UITopo) DeleteEdge(from, to int)

func (*UITopo) DeleteNode 

func (t *UITopo) DeleteNode(id32 uint32)

func (*UITopo) GetEdges 

func (t *UITopo) GetEdges() []UIEdge

func (*UITopo) GetNodes 

func (t *UITopo) GetNodes() []UINode

func (*UITopo) RefreshEdges 

func (t *UITopo) RefreshEdges()

type UIUpdateMsg 

type UIUpdateMsg struct {
	RemoveID string          `json:"id,omitempty"`
	UINode   *UINode         `json:"node,omitempty"`
	UIEdge   *UIEdge         `json:"edge,omitempty"`
	UIEdges  []UIAnimateEdge `json:"edges,omitempty"`
	Type     string          `json:"type"`
	// contains filtered or unexported fields
}

func NewUIUpdateMsg 

func NewUIUpdateMsg() UIUpdateMsg

func (UIUpdateMsg) Add 

func (u UIUpdateMsg) Add() UIUpdateMsg

func (UIUpdateMsg) Ani 

func (u UIUpdateMsg) Ani() UIUpdateMsg

func (UIUpdateMsg) AnimatedEdge 

func (u UIUpdateMsg) AnimatedEdge(edge UIEdge) UIUpdateMsg

func (UIUpdateMsg) Build 

func (u UIUpdateMsg) Build() UIUpdateMsg

func (UIUpdateMsg) Del 

func (u UIUpdateMsg) Del() UIUpdateMsg

func (UIUpdateMsg) Edge 

func (u UIUpdateMsg) Edge(edge UIEdge) UIUpdateMsg

func (UIUpdateMsg) Mod 

func (u UIUpdateMsg) Mod() UIUpdateMsg

func (UIUpdateMsg) Node 

func (u UIUpdateMsg) Node(node UINode) UIUpdateMsg

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.