Documentation ¶
Overview ¶
Copyright 2016 Authors of Cilium
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Copyright 2016 Authors of Cilium ¶
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index ¶
- Constants
- Variables
- func FilterEPDir(dirFiles []os.FileInfo) []string
- func OptionChanged(key string, value bool, data interface{})
- func OrderEndpointAsc(eps []Endpoint)
- func ParseBase64ToEndpoint(str string, ep *Endpoint) error
- func ParseOption(arg string, lib *OptionLibrary) (string, bool, error)
- func SplitPolicyNodePath(fullPath string) (string, string)
- type AllowRule
- type BoolOptions
- func (o *BoolOptions) Apply(n OptionMap, changed ChangedFunc, data interface{}) int
- func (bo *BoolOptions) DeepCopy() *BoolOptions
- func (o *BoolOptions) Delete(key string)
- func (o *BoolOptions) Dump()
- func (o *BoolOptions) GetFmtList() string
- func (o *BoolOptions) GetFmtOpt(name string) string
- func (o *BoolOptions) InheritDefault(parent *BoolOptions, key string)
- func (o *BoolOptions) IsEnabled(key string) bool
- func (o *BoolOptions) Set(key string, value bool)
- func (o *BoolOptions) SetIfUnset(key string, value bool)
- func (o *BoolOptions) Validate(n OptionMap) error
- type ChangedFunc
- type Consumable
- func (c *Consumable) AddMap(m *policymap.PolicyMap)
- func (c *Consumable) AllowConsumer(id uint32) *Consumer
- func (c *Consumable) AllowConsumerAndReverse(id uint32)
- func (c *Consumable) Allows(id uint32) bool
- func (c *Consumable) BanConsumer(id uint32)
- func (c *Consumable) Consumer(id uint32) *Consumer
- func (c *Consumable) DeepCopy() *Consumable
- func (c *Consumable) Delete()
- func (c *Consumable) RemoveMap(m *policymap.PolicyMap)
- type ConsumableDecision
- type Consumer
- type Container
- type EPPortMap
- type Endpoint
- func (e *Endpoint) Allows(id uint32) bool
- func (e *Endpoint) ApplyOpts(opts OptionMap) bool
- func (ep Endpoint) Base64() (string, error)
- func (e *Endpoint) DeepCopy() *Endpoint
- func (e *Endpoint) InvalidatePolicy()
- func (e *Endpoint) IsCNI() bool
- func (e *Endpoint) IsLibnetwork() bool
- func (e *Endpoint) PolicyMapPath() string
- func (ep *Endpoint) SetDefaultOpts(opts *BoolOptions)
- func (e *Endpoint) SetID()
- func (e *Endpoint) SetSecLabel(labels *SecCtxLabel)
- func (e Endpoint) String() string
- type IPv4
- type IPv6
- type IngressIsolationPolicy
- type Label
- func (l *Label) AbsoluteKey() string
- func (l *Label) Covers(path string) bool
- func (l *Label) Equals(b *Label) bool
- func (l *Label) IsAllLabel() bool
- func (l *Label) IsValid() bool
- func (l *Label) Matches(target *Label) bool
- func (l *Label) Resolve(policyNode *PolicyNode)
- func (l Label) String() string
- func (l *Label) UnmarshalJSON(data []byte) error
- type LabelOp
- type LabelOpType
- type LabelPrefix
- type LabelPrefixCfg
- type Labels
- type LearningLabel
- type MAC
- type NamespaceIngressPolicy
- type NamespaceNetworkPolicy
- type NamespaceSpec
- type OpLabels
- type Option
- type OptionLibrary
- type OptionMap
- type PingResponse
- type PolicyNode
- func (pn *PolicyNode) AddChild(name string, child *PolicyNode) error
- func (p *PolicyNode) Allows(ctx *SearchContext) ConsumableDecision
- func (pn *PolicyNode) BuildPath() (string, error)
- func (p *PolicyNode) Covers(ctx *SearchContext) bool
- func (pn *PolicyNode) DebugString(level int) string
- func (pn *PolicyNode) Merge(obj *PolicyNode) error
- func (p *PolicyNode) Path() string
- func (pn *PolicyNode) ResolveTree() error
- func (pn *PolicyNode) UnmarshalJSON(data []byte) error
- type PolicyRule
- type PolicyRuleConsumers
- type PolicyRuleDropPrivileges
- type PolicyRulePorts
- type PolicyRuleRequires
- type PolicyTree
- type Port
- type Privilege
- type ReservedID
- type SearchContext
- type SearchContextReply
- type SecCtxLabel
- type ServerError
- type Tracing
- type U8proto
- type UIAnimateEdge
- type UIEdge
- type UINode
- type UITopo
- func (t *UITopo) AddOrUpdateEdge(from, to int, pe *policymap.PolicyEntry)
- func (t *UITopo) AddOrUpdateNode(id32 uint32, lbls []Label, refCount int)
- func (t *UITopo) DeleteEdge(from, to int)
- func (t *UITopo) DeleteNode(id32 uint32)
- func (t *UITopo) GetEdges() []UIEdge
- func (t *UITopo) GetNodes() []UINode
- func (t *UITopo) RefreshEdges()
- type UIUpdateMsg
- func (u UIUpdateMsg) Add() UIUpdateMsg
- func (u UIUpdateMsg) Ani() UIUpdateMsg
- func (u UIUpdateMsg) AnimatedEdge(edge UIEdge) UIUpdateMsg
- func (u UIUpdateMsg) Build() UIUpdateMsg
- func (u UIUpdateMsg) Del() UIUpdateMsg
- func (u UIUpdateMsg) Edge(edge UIEdge) UIUpdateMsg
- func (u UIUpdateMsg) Mod() UIUpdateMsg
- func (u UIUpdateMsg) Node(node UINode) UIUpdateMsg
Constants ¶
const ( OptionNAT46 = "NAT46" OptionPolicy = "Policy" OptionDropNotify = "DropNotification" OptionConntrack = "Conntrack" OptionConntrackAccounting = "ConntrackAccounting" OptionDebug = "Debug" OptionAllowToHost = "AllowToHost" OptionAllowToWorld = "AllowToWorld" OptionLearnTraffic = "LearnTraffic" )
const ( ID_NAME_ALL = "all" ID_NAME_HOST = "host" ID_NAME_WORLD = "world" )
const (
// LPCfgFileVersion represents the version of a Label Prefix Configuration File
LPCfgFileVersion = 1
)
Variables ¶
var ( OptionSpecNAT46 = Option{ Define: "ENABLE_NAT46", Description: "Enable automatic NAT46 translation", } OptionSpecPolicy = Option{ Define: "POLICY_ENFORCEMENT", Description: "Enable policy enforcement", } OptionSpecDropNotify = Option{ Define: "DROP_NOTIFY", Description: "Enable drop notifications", } OptionSpecConntrack = Option{ Define: "CONNTRACK", Description: "Enable stateful connection tracking", } OptionSpecConntrackAccounting = Option{ Define: "CONNTRACK_ACCOUNTING", Description: "Enable per flow (conntrack) statistics", } OptionSpecDebug = Option{ Define: "DEBUG", Description: "Enable debugging trace statements", } OptionSpecAllowToHost = Option{ Define: "ALLOW_TO_HOST", Immutable: true, Description: "Allow all traffic to local host", } OptionSpecAllowToWorld = Option{ Define: "ALLOW_TO_WORLD", Immutable: true, Description: "Allow all traffic to outside world", } OptionSpecLearnTraffic = Option{ Define: "LEARN_TRAFFIC", Description: "Learn and add labels to the list of allowed labels", } EndpointOptionLibrary = OptionLibrary{ OptionNAT46: &OptionSpecNAT46, OptionPolicy: &OptionSpecPolicy, OptionDropNotify: &OptionSpecDropNotify, OptionConntrack: &OptionSpecConntrack, OptionConntrackAccounting: &OptionSpecConntrackAccounting, OptionDebug: &OptionSpecDebug, OptionAllowToHost: &OptionSpecAllowToHost, OptionAllowToWorld: &OptionSpecAllowToWorld, OptionLearnTraffic: &OptionSpecLearnTraffic, } )
var ( ResDec = map[string]ReservedID{ ID_NAME_HOST: ID_HOST, ID_NAME_WORLD: ID_WORLD, } ResEnc = map[ReservedID]string{ ID_HOST: ID_NAME_HOST, ID_WORLD: ID_NAME_WORLD, } )
Functions ¶
func FilterEPDir ¶
FilterEPDir returns a list of directories' names that possible belong to an endpoint.
func OptionChanged ¶
func OrderEndpointAsc ¶
func OrderEndpointAsc(eps []Endpoint)
OrderEndpointAsc orders the slice of Endpoint in ascending ID order.
func ParseBase64ToEndpoint ¶
ParseBase64ToEndpoint parses the endpoint stored in the given base64 string.
func ParseOption ¶
func ParseOption(arg string, lib *OptionLibrary) (string, bool, error)
func SplitPolicyNodePath ¶
Types ¶
type AllowRule ¶
type AllowRule struct { Action ConsumableDecision `json:"action,omitempty"` Label Label `json:"label"` }
func (*AllowRule) Allows ¶
func (a *AllowRule) Allows(ctx *SearchContext) ConsumableDecision
func (*AllowRule) UnmarshalJSON ¶
type BoolOptions ¶
type BoolOptions struct { Opts OptionMap `json:"map"` Library *OptionLibrary `json:"-"` }
func NewBoolOptions ¶
func NewBoolOptions(lib *OptionLibrary) *BoolOptions
func (*BoolOptions) Apply ¶
func (o *BoolOptions) Apply(n OptionMap, changed ChangedFunc, data interface{}) int
func (*BoolOptions) DeepCopy ¶
func (bo *BoolOptions) DeepCopy() *BoolOptions
func (*BoolOptions) Delete ¶
func (o *BoolOptions) Delete(key string)
func (*BoolOptions) Dump ¶
func (o *BoolOptions) Dump()
func (*BoolOptions) GetFmtList ¶
func (o *BoolOptions) GetFmtList() string
func (*BoolOptions) GetFmtOpt ¶
func (o *BoolOptions) GetFmtOpt(name string) string
GetFmtOpt returns #define name if option exists and is set to true in endpoint's Opts map or #undef name if option does not exist or exists but is set to false
func (*BoolOptions) InheritDefault ¶
func (o *BoolOptions) InheritDefault(parent *BoolOptions, key string)
func (*BoolOptions) IsEnabled ¶
func (o *BoolOptions) IsEnabled(key string) bool
func (*BoolOptions) Set ¶
func (o *BoolOptions) Set(key string, value bool)
func (*BoolOptions) SetIfUnset ¶
func (o *BoolOptions) SetIfUnset(key string, value bool)
func (*BoolOptions) Validate ¶
func (o *BoolOptions) Validate(n OptionMap) error
type ChangedFunc ¶
type Consumable ¶
type Consumable struct { ID uint32 `json:"id"` Iteration int `json:"-"` Labels *SecCtxLabel `json:"labels"` LabelList []Label `json:"-"` Maps map[int]*policymap.PolicyMap `json:"-"` Consumers map[string]*Consumer `json:"consumers"` ReverseRules map[uint32]*Consumer `json:"-"` }
func GetConsumable ¶
func GetConsumable(id uint32, labels *SecCtxLabel) *Consumable
func LookupConsumable ¶
func LookupConsumable(id uint32) *Consumable
func (*Consumable) AddMap ¶
func (c *Consumable) AddMap(m *policymap.PolicyMap)
func (*Consumable) AllowConsumer ¶
func (c *Consumable) AllowConsumer(id uint32) *Consumer
func (*Consumable) AllowConsumerAndReverse ¶
func (c *Consumable) AllowConsumerAndReverse(id uint32)
func (*Consumable) Allows ¶
func (c *Consumable) Allows(id uint32) bool
func (*Consumable) BanConsumer ¶
func (c *Consumable) BanConsumer(id uint32)
func (*Consumable) Consumer ¶
func (c *Consumable) Consumer(id uint32) *Consumer
func (*Consumable) DeepCopy ¶
func (c *Consumable) DeepCopy() *Consumable
func (*Consumable) Delete ¶
func (c *Consumable) Delete()
func (*Consumable) RemoveMap ¶
func (c *Consumable) RemoveMap(m *policymap.PolicyMap)
type ConsumableDecision ¶
type ConsumableDecision byte
const ( UNDECIDED ConsumableDecision = iota ACCEPT ALWAYS_ACCEPT DENY )
func (ConsumableDecision) MarshalJSON ¶
func (d ConsumableDecision) MarshalJSON() ([]byte, error)
func (ConsumableDecision) String ¶
func (d ConsumableDecision) String() string
func (*ConsumableDecision) UnmarshalJSON ¶
func (d *ConsumableDecision) UnmarshalJSON(b []byte) error
type Consumer ¶
type Consumer struct { ID uint32 Reverse *Consumer DeletionMark bool Decision ConsumableDecision }
func NewConsumer ¶
type Container ¶
type Container struct { dTypes.ContainerJSON OpLabels OpLabels NRetries uint }
func (*Container) IsDockerOrInfracontainer ¶
type EPPortMap ¶
type EPPortMap struct { From uint16 `json:"from"` To uint16 `json:"to"` Proto uint8 `json:"proto"` }
EPPortMap is the port mapping representation for a particular endpoint.
type Endpoint ¶
type Endpoint struct { ID uint16 `json:"id"` // Endpoint ID. DockerID string `json:"docker-id"` // Docker ID. DockerNetworkID string `json:"docker-network-id"` // Docker network ID. DockerEndpointID string `json:"docker-endpoint-id"` // Docker endpoint ID. IfName string `json:"interface-name"` // Container's interface name. LXCMAC MAC `json:"lxc-mac"` // Container MAC address. IPv6 addressing.CiliumIPv6 `json:"ipv6"` // Container IPv6 address. IPv4 addressing.CiliumIPv4 `json:"ipv4"` // Container IPv4 address. IfIndex int `json:"interface-index"` // Host's interface index. NodeMAC MAC `json:"node-mac"` // Node MAC address. NodeIP net.IP `json:"node-ip"` // Node IPv6 address. SecLabel *SecCtxLabel `json:"security-label"` // Security Label set to this endpoint. PortMap []EPPortMap `json:"port-mapping"` // Port mapping used for this endpoint. Consumable *Consumable `json:"consumable"` PolicyMap *policymap.PolicyMap `json:"-"` Opts *BoolOptions `json:"options"` // Endpoint bpf options. }
Endpoint contains all the details for a particular LXC and the host interface to where is connected to.
func ParseEndpoint ¶
ParseEndpoint parses the given strEp which is in the form of: common.CiliumCHeaderPrefix + common.Version + ":" + endpointBase64
func (*Endpoint) InvalidatePolicy ¶
func (e *Endpoint) InvalidatePolicy()
func (*Endpoint) IsLibnetwork ¶
IsLibnetwork returns true if the endpoint was created by Libnetwork, false otherwise.
func (*Endpoint) PolicyMapPath ¶
func (*Endpoint) SetDefaultOpts ¶
func (ep *Endpoint) SetDefaultOpts(opts *BoolOptions)
func (*Endpoint) SetSecLabel ¶
func (e *Endpoint) SetSecLabel(labels *SecCtxLabel)
type IngressIsolationPolicy ¶
type IngressIsolationPolicy string
const ( // Deny all ingress traffic to pods in this namespace. Ingress means // any incoming traffic to pods, whether that be from other pods within this namespace // or any source outside of this namespace. DefaultDeny IngressIsolationPolicy = "DefaultDeny" )
type Label ¶
type Label struct { Key string `json:"key"` Value string `json:"value,omitempty"` // Source can be on of the values present in const.go (e.g.: CiliumLabelSource) Source string `json:"source"` // contains filtered or unexported fields }
Label is the cilium's representation of a container label.
func NewLabel ¶
NewLabel returns a new label from the given key, value and source. If source is empty, the default value will be common.CiliumLabelSource. If key starts with '$', the source will be overwritten with common.ReservedLabelSource. If key contains ':', the value before ':' will be used as source if given source is empty, otherwise the value before ':' will be deleted and unused.
func ParseLabel ¶
ParseLabel returns the label representation of the given string. The str should be in the form of Source:Key=Value or Source:Key if Value is empty. It also parses short forms, for example: $host will be Label{Key: "host", Source: "reserved", Value: ""}.
func (*Label) AbsoluteKey ¶
AbsoluteKey if set returns the absolute key path, otherwise returns the label's Key.
func (*Label) Equals ¶
Equals returns true if source, AbsoluteKey() and Value are equal and false otherwise.
func (*Label) IsAllLabel ¶
func (*Label) Resolve ¶
func (l *Label) Resolve(policyNode *PolicyNode)
Resolve resolves the absolute key path for this Label from policyNode.
func (Label) String ¶
String returns the string representation of Label in the for of Source:Key=Value or Source:Key if Value is empty.
func (*Label) UnmarshalJSON ¶
UnmarshalJSON TODO create better explanation about unmarshall with examples
type LabelOp ¶
type LabelOp map[LabelOpType]Labels
type LabelOpType ¶
type LabelOpType string
const ( AddLabelsOp LabelOpType = "AddLabelsOp" DelLabelsOp LabelOpType = "DelLabelsOp" EnableLabelsOp LabelOpType = "EnableLabelsOp" DisableLabelsOp LabelOpType = "DisableLabelsOp" )
type LabelPrefix ¶
Label is the cilium's representation of a container label.
type LabelPrefixCfg ¶
type LabelPrefixCfg struct { Version int `json:"version"` LabelPrefixes []*LabelPrefix `json:"valid-prefixes"` }
LabelPrefixCfg is the label prefix configuration to filter labels of started containers.
func DefaultLabelPrefixCfg ¶
func DefaultLabelPrefixCfg() *LabelPrefixCfg
DefaultLabelPrefixCfg returns a default LabelPrefixCfg using the latest LPCfgFileVersion and the following label prefixes: Key: common.GlobalLabelPrefix, Source: common.CiliumLabelSource and Key: common.GlobalLabelPrefix, Source: common.K8sLabelSource.
func ReadLabelPrefixCfgFrom ¶
func ReadLabelPrefixCfgFrom(fileName string) (*LabelPrefixCfg, error)
ReadLabelPrefixCfgFrom reads a label prefix configuration file from fileName. If the version is not supported by us it returns an error.
func (*LabelPrefixCfg) FilterLabels ¶
func (lpc *LabelPrefixCfg) FilterLabels(labels Labels) Labels
FilterLabels returns Labels from the given labels that have the same source and the same prefix as one of lpc valid prefixes.
type Labels ¶
Labels is a map of labels where the map's key is the same as the label's key.
func LabelSlice2LabelsMap ¶
/ LabelSlice2LabelsMap returns a Labels' map with all labels from the given slice of label.
func Map2Labels ¶
Map2Labels transforms in the form: map[key(string)]value(string) into Labels. The source argument will overwrite the source written in the key of the given map. Example: l := Map2Labels(map[string]string{"k8s:foo": "bar"}, "cilium") fmt.Printf("%+v\n", l)
map[string]Label{"foo":Label{Key:"foo", Value:"bar", Source:"cilium"}}
func ParseStringLabels ¶
func (Labels) MergeLabels ¶
MergeLabels merges labels from into to. It overwrites all labels with the same Key as from writen into to. Example: to := Labels{Label{key1, value1, source1}, Label{key2, value3, source4}} from := Labels{Label{key1, value3, source4}} to.MergeLabels(from) fmt.Printf("%+v\n", to)
Labels{Label{key1, value3, source4}, Label{key2, value3, source4}}
type LearningLabel ¶
func NewLearningLabel ¶
func NewLearningLabel(endpointID uint16, learn bool) *LearningLabel
type MAC ¶
type MAC net.HardwareAddr
MAC address is an net.HardwareAddr encapsulation to force cilium to only use MAC-48.
func (MAC) MarshalIndentJSON ¶
func (MAC) MarshalJSON ¶
func (MAC) Uint64 ¶
Uint64 returns the MAC in uint64 format. The MAC is represented as little-endian in the returned value. Example:
m := MAC([]{0x11, 0x12, 0x23, 0x34, 0x45, 0x56}) v, err := m.Uint64() fmt.Printf("0x%X", v) // 0x564534231211
func (*MAC) UnmarshalJSON ¶
type NamespaceIngressPolicy ¶
type NamespaceIngressPolicy struct { // The isolation policy to apply to pods in this namespace. // Currently this field only supports "DefaultDeny", but could // be extended to support other policies in the future. When set to DefaultDeny, // pods in this namespace are denied ingress traffic by default. When not defined, // the cluster default ingress isolation policy is applied (currently allow all). Isolation *IngressIsolationPolicy `json:"isolation,omitempty"` }
Configuration for ingress to pods within this namespace. For now, this only supports specifying an isolation policy.
type NamespaceNetworkPolicy ¶
type NamespaceNetworkPolicy struct { // Ingress configuration for this namespace. This config is // applied to all pods within this namespace. For now, only // ingress is supported. This field is optional - if not // defined, then the cluster default for ingress is applied. Ingress *NamespaceIngressPolicy `json:"ingress,omitempty"` }
type NamespaceSpec ¶
type NamespaceSpec struct { // This is a pointer so that it can be left undefined. NetworkPolicy *NamespaceNetworkPolicy `json:"networkPolicy,omitempty"` }
Standard NamespaceSpec object, modified to include a new NamespaceNetworkPolicy field.
type OpLabels ¶
type OpLabels struct { // All labels AllLabels Labels // Active labels that are enabled and disabled but not deleted UserLabels Labels // Labels that are enabled EndpointLabels Labels // Labels from probes ProbeLabels Labels }
func (*OpLabels) GetDeletedLabels ¶
type OptionLibrary ¶
func (OptionLibrary) Define ¶
func (l OptionLibrary) Define(name string) string
func (OptionLibrary) Validate ¶
func (l OptionLibrary) Validate(name string) error
type PingResponse ¶
type PingResponse struct { NodeAddress string `json:"node-address"` Opts *BoolOptions `json:"options"` }
type PolicyNode ¶
type PolicyNode struct { Name string `json:"name"` Parent *PolicyNode `json:"-"` Rules []PolicyRule `json:"rules,omitempty"` Children map[string]*PolicyNode `json:"children,omitempty"` // contains filtered or unexported fields }
Node to define hierarchy of rules
func K8sNP2CP ¶
func K8sNP2CP(np v1beta1.NetworkPolicy) (string, *PolicyNode, error)
func NewPolicyNode ¶
func NewPolicyNode(name string, parent *PolicyNode) *PolicyNode
func (*PolicyNode) AddChild ¶
func (pn *PolicyNode) AddChild(name string, child *PolicyNode) error
func (*PolicyNode) Allows ¶
func (p *PolicyNode) Allows(ctx *SearchContext) ConsumableDecision
func (*PolicyNode) BuildPath ¶
func (pn *PolicyNode) BuildPath() (string, error)
func (*PolicyNode) Covers ¶
func (p *PolicyNode) Covers(ctx *SearchContext) bool
func (*PolicyNode) DebugString ¶
func (pn *PolicyNode) DebugString(level int) string
func (*PolicyNode) Merge ¶
func (pn *PolicyNode) Merge(obj *PolicyNode) error
func (*PolicyNode) Path ¶
func (p *PolicyNode) Path() string
func (*PolicyNode) ResolveTree ¶
func (pn *PolicyNode) ResolveTree() error
func (*PolicyNode) UnmarshalJSON ¶
func (pn *PolicyNode) UnmarshalJSON(data []byte) error
type PolicyRule ¶
type PolicyRule interface { Allows(ctx *SearchContext) ConsumableDecision Resolve(node *PolicyNode) error }
type PolicyRuleConsumers ¶
type PolicyRuleConsumers struct { Coverage []Label `json:"coverage,omitempty"` Allow []AllowRule `json:"allow"` }
Allow the following consumers
func (*PolicyRuleConsumers) Allows ¶
func (c *PolicyRuleConsumers) Allows(ctx *SearchContext) ConsumableDecision
func (*PolicyRuleConsumers) Resolve ¶
func (c *PolicyRuleConsumers) Resolve(node *PolicyNode) error
type PolicyRuleDropPrivileges ¶
type PolicyRuleDropPrivileges struct { Coverage []Label `json:"coverage,omitempty"` DropPrivileges []Privilege `json:"drop-privileges"` }
Do not allow further rules of specified type
type PolicyRulePorts ¶
type PolicyRuleRequires ¶
type PolicyRuleRequires struct { Coverage []Label `json:"coverage,omitempty"` Requires []Label `json:"requires"` }
Any further consumer requires the specified list of labels in order to consume
func (*PolicyRuleRequires) Allows ¶
func (r *PolicyRuleRequires) Allows(ctx *SearchContext) ConsumableDecision
A require rule imposes additional label requirements but does not imply access immediately. Hence if the label context is not sufficient access can be denied but fullfillment of the requirement only leads to the decision being UNDECIDED waiting on an explicit allow rule further down the tree
func (*PolicyRuleRequires) Resolve ¶
func (c *PolicyRuleRequires) Resolve(node *PolicyNode) error
type PolicyTree ¶
type PolicyTree struct {
Root *PolicyNode
}
Overall policy tree
func (*PolicyTree) Allows ¶
func (t *PolicyTree) Allows(ctx *SearchContext) ConsumableDecision
type Privilege ¶
type Privilege byte
Available privileges for policy nodes to define
func (Privilege) MarshalJSON ¶
func (*Privilege) UnmarshalJSON ¶
type ReservedID ¶
type ReservedID uint32
const ( ID_UNKNOWN ReservedID = iota ID_HOST ID_WORLD )
func GetID ¶
func GetID(name string) ReservedID
func (ReservedID) String ¶
func (id ReservedID) String() string
type SearchContext ¶
type SearchContext struct { Trace Tracing Logging *logging.LogBackend // TODO: Put this as []*Label? From []Label To []Label }
func (*SearchContext) TargetCoveredBy ¶
func (s *SearchContext) TargetCoveredBy(coverage []Label) bool
type SearchContextReply ¶
type SearchContextReply struct { Logging []byte Decision ConsumableDecision }
type SecCtxLabel ¶
type SecCtxLabel struct { // SecCtxLabel's ID. ID uint32 `json:"id"` // Containers that have this SecCtxLabel where their value is the last time they were seen. Labels Labels `json:"labels"` // Set of labels that belong to this SecCtxLabel. Containers map[string]time.Time `json:"containers"` }
SecCtxLabel is the representation of the security context for a particular set of labels.
func NewSecCtxLabel ¶
func NewSecCtxLabel() *SecCtxLabel
func (*SecCtxLabel) AddOrUpdateContainer ¶
func (s *SecCtxLabel) AddOrUpdateContainer(contID string)
func (*SecCtxLabel) DeepCopy ¶
func (s *SecCtxLabel) DeepCopy() *SecCtxLabel
func (*SecCtxLabel) DelContainer ¶
func (s *SecCtxLabel) DelContainer(contID string)
func (*SecCtxLabel) RefCount ¶
func (s *SecCtxLabel) RefCount() int
type ServerError ¶
ServerError is the type of message used when the daemon returns any error messages in case of failure.
func (ServerError) String ¶
func (se ServerError) String() string
String returns string format of the given ServerError.
type UIAnimateEdge ¶
type UIEdge ¶
type UIEdge struct { ID string `json:"id"` From int `json:"from"` To int `json:"to"` Value int64 `json:"value"` Removed bool `json:"dashes"` Color string `json:"color"` Title string `json:"title"` Length int `json:"length,omitempty"` UIAnimateEdge `json:"-"` // contains filtered or unexported fields }
type UINode ¶
type UITopo ¶
type UITopo struct { UIChan chan UIUpdateMsg // contains filtered or unexported fields }
func (*UITopo) AddOrUpdateEdge ¶
func (t *UITopo) AddOrUpdateEdge(from, to int, pe *policymap.PolicyEntry)
func (*UITopo) AddOrUpdateNode ¶
func (*UITopo) DeleteEdge ¶
func (*UITopo) DeleteNode ¶
func (*UITopo) RefreshEdges ¶
func (t *UITopo) RefreshEdges()
type UIUpdateMsg ¶
type UIUpdateMsg struct { RemoveID string `json:"id,omitempty"` UINode *UINode `json:"node,omitempty"` UIEdge *UIEdge `json:"edge,omitempty"` UIEdges []UIAnimateEdge `json:"edges,omitempty"` Type string `json:"type"` // contains filtered or unexported fields }
func NewUIUpdateMsg ¶
func NewUIUpdateMsg() UIUpdateMsg
func (UIUpdateMsg) Add ¶
func (u UIUpdateMsg) Add() UIUpdateMsg
func (UIUpdateMsg) Ani ¶
func (u UIUpdateMsg) Ani() UIUpdateMsg
func (UIUpdateMsg) AnimatedEdge ¶
func (u UIUpdateMsg) AnimatedEdge(edge UIEdge) UIUpdateMsg
func (UIUpdateMsg) Build ¶
func (u UIUpdateMsg) Build() UIUpdateMsg
func (UIUpdateMsg) Del ¶
func (u UIUpdateMsg) Del() UIUpdateMsg
func (UIUpdateMsg) Edge ¶
func (u UIUpdateMsg) Edge(edge UIEdge) UIUpdateMsg
func (UIUpdateMsg) Mod ¶
func (u UIUpdateMsg) Mod() UIUpdateMsg
func (UIUpdateMsg) Node ¶
func (u UIUpdateMsg) Node(node UINode) UIUpdateMsg