endpoint

package
Published: Jul 21, 2017 License: Apache-2.0 Imports: 35 Imported by: 0

Constants

const (
	// Option* are the string keys under which the option specs below are
	// registered: OptionAllowToHost and OptionAllowToWorld in
	// EndpointOptionLibrary, the rest in EndpointMutableOptionLibrary.
	// The key is what callers pass in an opts map (see ApplyOptsLocked).
	OptionAllowToHost         = "AllowToHost"
	OptionAllowToWorld        = "AllowToWorld"
	OptionConntrackAccounting = "ConntrackAccounting"
	OptionConntrackLocal      = "ConntrackLocal"
	OptionConntrack           = "Conntrack"
	OptionDebug               = "Debug"
	OptionDropNotify          = "DropNotification"
	OptionNAT46               = "NAT46"
	OptionPolicy              = "Policy"
	// Policy enforcement modes. NOTE(review): presumably the values returned
	// by Owner.PolicyEnforcement() — confirm against the owner implementation.
	AlwaysEnforce             = "always"
	NeverEnforce              = "never"
	DefaultEnforcement        = "default"
)
const (
	// Endpoint lifecycle states, taken from the API models package and
	// converted to plain strings (Endpoint.State is a string field).

	// StateCreating is used to set the endpoint is being created.
	StateCreating = string(models.EndpointStateCreating)
	// StateDisconnected is used to set the endpoint is disconnected.
	StateDisconnected = string(models.EndpointStateDisconnected)
	// StateWaitingForIdentity is used to set if the endpoint is waiting
	// for an identity from the KVStore.
	StateWaitingForIdentity = string(models.EndpointStateWaitingForIdentity)
	// StateReady specifies if the endpoint is ready to be used.
	StateReady = string(models.EndpointStateReady)
	// StateRegenerating specifies when the endpoint is being regenerated.
	StateRegenerating = string(models.EndpointStateRegenerating)

	// CallsMapName specifies the base prefix for the EP-specific tail call
	// map; the per-endpoint path is produced by CallsMapPath / CallsMapPathLocked.
	CallsMapName = "cilium_calls_"
	// PolicyGlobalMapName specifies the global tail call map for EP handle_policy() lookup.
	PolicyGlobalMapName = "cilium_policy"
)
const (
	// Namespace prefixes that may precede an endpoint identifier. ParseID,
	// ValidateID and SplitID separate the prefix from the id portion.
	// Note that only CiliumLocalIdPrefix is explicitly typed PrefixType;
	// the entries that follow it are untyped string constants (a const block
	// without iota does not propagate the type to later lines).
	CiliumLocalIdPrefix  PrefixType = "cilium-local"
	CiliumGlobalIdPrefix            = "cilium-global"
	ContainerIdPrefix               = "container-id"
	DockerEndpointPrefix            = "docker-endpoint"
	ContainerNamePrefix             = "container-name"
	PodNamePrefix                   = "pod-name"

	// IPv4Prefix is the prefix used in Cilium IDs when the identifier is
	// the IPv4 address of the endpoint
	IPv4Prefix = "ipv4"
)
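const (
	// ExecTimeout is the execution timeout to use in join_ep.sh executions.
	// 30 * time.Second is already a typed time.Duration constant, so no
	// explicit conversion is needed.
	ExecTimeout = 30 * time.Second
)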

Variables

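var (
	// OptionSpecAllowToHost allows all traffic from the endpoint to the
	// local host. It is marked Immutable and is registered in
	// EndpointOptionLibrary, not EndpointMutableOptionLibrary — presumably
	// so it cannot be flipped by a runtime option update.
	OptionSpecAllowToHost = option.Option{
		Define:      "ALLOW_TO_HOST",
		Immutable:   true,
		Description: "Allow all traffic to local host",
	}

	// OptionSpecAllowToWorld allows all traffic from the endpoint to the
	// outside world. Immutable, registered in EndpointOptionLibrary only.
	OptionSpecAllowToWorld = option.Option{
		Define:      "ALLOW_TO_WORLD",
		Immutable:   true,
		Description: "Allow all traffic to outside world",
	}

	// OptionSpecConntrackAccounting enables per-flow statistics; it
	// requires conntrack to be enabled.
	OptionSpecConntrackAccounting = option.Option{
		Define:      "CONNTRACK_ACCOUNTING",
		Description: "Enable per flow (conntrack) statistics",
		Requires:    []string{OptionConntrack},
	}

	// OptionSpecConntrackLocal switches the endpoint to a dedicated
	// tracking table; it requires conntrack to be enabled.
	OptionSpecConntrackLocal = option.Option{
		Define:      "CONNTRACK_LOCAL",
		Description: "Use endpoint dedicated tracking table instead of global one",
		Requires:    []string{OptionConntrack},
	}

	// OptionSpecConntrack enables stateful connection tracking.
	OptionSpecConntrack = option.Option{
		Define:      "CONNTRACK",
		Description: "Enable stateful connection tracking",
	}

	// OptionSpecDebug enables debugging trace statements in the datapath.
	OptionSpecDebug = option.Option{
		Define:      "DEBUG",
		Description: "Enable debugging trace statements",
	}

	// OptionSpecDropNotify enables drop notifications.
	OptionSpecDropNotify = option.Option{
		Define:      "DROP_NOTIFY",
		Description: "Enable drop notifications",
	}

	// OptionSpecNAT46 enables automatic NAT46 translation; it requires
	// conntrack and, via Verify, an IPv4-enabled agent.
	OptionSpecNAT46 = option.Option{
		Define:      "ENABLE_NAT46",
		Description: "Enable automatic NAT46 translation",
		Requires:    []string{OptionConntrack},
		// Verify rejects the option when the package-level IPv4Enabled flag
		// is false. key and val are part of the callback signature but are
		// not consulted: the check fires for any change to this option,
		// including turning it off. NOTE(review): confirm whether
		// option.Option.Verify is only invoked when enabling.
		Verify: func(key string, val bool) error {
			if !IPv4Enabled {
				return fmt.Errorf("NAT46 requires IPv4 to be enabled")
			}
			return nil
		},
	}

	// OptionSpecPolicy enables policy enforcement for the endpoint.
	OptionSpecPolicy = option.Option{
		Define:      "POLICY_ENFORCEMENT",
		Description: "Enable policy enforcement",
	}

	// EndpointMutableOptionLibrary holds the options that may be changed
	// on a running endpoint, keyed by the Option* constants.
	EndpointMutableOptionLibrary = option.OptionLibrary{
		OptionConntrackAccounting: &OptionSpecConntrackAccounting,
		OptionConntrackLocal:      &OptionSpecConntrackLocal,
		OptionConntrack:           &OptionSpecConntrack,
		OptionDebug:               &OptionSpecDebug,
		OptionDropNotify:          &OptionSpecDropNotify,
		OptionNAT46:               &OptionSpecNAT46,
		OptionPolicy:              &OptionSpecPolicy,
	}

	// EndpointOptionLibrary holds the immutable host/world allow options.
	EndpointOptionLibrary = option.OptionLibrary{
		OptionAllowToHost:  &OptionSpecAllowToHost,
		OptionAllowToWorld: &OptionSpecAllowToWorld,
	}
)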
var (
	// IPv4Enabled can be set to false to indicate IPv6-only operation.
	// It is mutable package-level state read by OptionSpecNAT46.Verify;
	// nothing in this file synchronizes writes to it, so it is presumably
	// set once at startup before endpoints are created.
	IPv4Enabled = true
)

Functions

func CallsMapPath added in v0.9.0

func CallsMapPath(id int) string

func Ct4MapPath

func Ct4MapPath(id int) string

func Ct6MapPath

func Ct6MapPath(id int) string

func FilterEPDir

func FilterEPDir(dirFiles []os.FileInfo) []string

FilterEPDir returns a list of directory names that possibly belong to an endpoint.

func NewCiliumID

func NewCiliumID(id int64) string

func NewID

func NewID(prefix PrefixType, id string) string

func OptionChanged

func OptionChanged(key string, value bool, data interface{})

func OrderEndpointAsc

func OrderEndpointAsc(eps []*models.Endpoint)

OrderEndpointAsc orders the slice of Endpoint in ascending ID order.

func ParseCiliumID

func ParseCiliumID(id string) (int64, error)

ParseCiliumID parses id as cilium endpoint id and returns numeric portion.

Types

type Endpoint

type Endpoint struct {
	ID               uint16       // Endpoint ID.
	Mutex            sync.RWMutex // Protects all variables from this structure below this line
	// Methods whose name ends in "Locked" (and PolicyID) expect the caller to
	// already hold Mutex; RLock/RUnlock expose the read side to callers.
	// Because Mutex is a value field, an Endpoint must not be copied by
	// assignment — use DeepCopy.
	ContainerName    string       // Docker container name.
	DockerID         string       // Docker ID.
	DockerNetworkID  string       // Docker network ID.
	DockerEndpointID string       // Docker endpoint ID.
	IfName           string       // Container's interface name.
	LabelsHash       string       // presumably a hash over the endpoint's labels — confirm against UpdateOrch*Labels
	OpLabels         pkgLabels.OpLabels // Orchestration labels (see UpdateOrchIdentityLabels / UpdateOrchInformationLabels).
	LXCMAC           mac.MAC               // Container MAC address.
	IPv6             addressing.CiliumIPv6 // Container IPv6 address.
	IPv4             addressing.CiliumIPv4 // Container IPv4 address.
	IfIndex          int                   // Host's interface index.
	NodeMAC          mac.MAC               // Node MAC address.
	NodeIP           net.IP                // Node IPv6 address.
	SecLabel         *policy.Identity      // Security Label  set to this endpoint.
	PortMap          []PortMap             // Port mapping used for this endpoint.
	Consumable       *policy.Consumable    // Policy consumable for this endpoint (see Owner.GetConsumableCache).
	PolicyMap        *policymap.PolicyMap  // Per-endpoint BPF policy map; its path comes from PolicyMapPathLocked.
	L3Policy         *policy.L3Policy      // Resolved L3 (CIDR) policy.
	L3Maps           L3Maps                // Per-endpoint CIDR BPF maps, indexed by L3MapType.
	Opts             *option.BoolOptions // Endpoint bpf options.
	Status           *EndpointStatus     // Status log and current per-type statuses.
	State            string              // Lifecycle state; presumably one of the State* constants.
	// PolicyCalculated is true as soon as the policy has been calculated
	// for the first time
	PolicyCalculated bool
	PodName          string // K8s pod for this endpoint.
}

Endpoint contains all the details for a particular LXC and the host interface it is connected to.

func NewEndpointFromChangeModel

func NewEndpointFromChangeModel(base *models.EndpointChangeRequest, l pkgLabels.Labels) (*Endpoint, error)

NewEndpointFromChangeModel creates a new endpoint from a request

func ParseEndpoint

func ParseEndpoint(strEp string) (*Endpoint, error)

ParseEndpoint parses the given strEp which is in the form of: common.CiliumCHeaderPrefix + common.Version + ":" + endpointBase64

func (*Endpoint) Allows

func (e *Endpoint) Allows(id policy.NumericIdentity) bool

func (*Endpoint) ApplyOptsLocked added in v0.9.0

func (e *Endpoint) ApplyOptsLocked(opts map[string]string) bool

ApplyOptsLocked applies the given options to the endpoint's options and returns true if there were any options changed.

func (*Endpoint) CallsMapPathLocked added in v0.9.0

func (e *Endpoint) CallsMapPathLocked() string

CallsMapPathLocked returns the path to cilium tail calls map of an endpoint.

func (*Endpoint) CreateDirectory

func (e *Endpoint) CreateDirectory() error

func (*Endpoint) Ct4MapPathLocked added in v0.9.0

func (e *Endpoint) Ct4MapPathLocked() string

Ct4MapPathLocked returns the path to the IPv4 connection tracking map of the endpoint.

func (*Endpoint) Ct6MapPathLocked added in v0.9.0

func (e *Endpoint) Ct6MapPathLocked() string

Ct6MapPathLocked returns the path to the IPv6 connection tracking map of the endpoint.

func (*Endpoint) DeepCopy

func (e *Endpoint) DeepCopy() *Endpoint

func (*Endpoint) GetBPFKeys added in v0.10.0

func (e *Endpoint) GetBPFKeys() []lxcmap.EndpointKey

GetBPFKeys returns all keys which should represent this endpoint in the BPF endpoints map

func (*Endpoint) GetBPFValue added in v0.10.0

func (e *Endpoint) GetBPFValue() (*lxcmap.EndpointInfo, error)

GetBPFValue returns the value which should represent this endpoint in the BPF endpoints map

func (*Endpoint) GetID added in v0.10.0

func (e *Endpoint) GetID() uint64

GetID returns the endpoint's ID

func (*Endpoint) GetIPv4Address added in v0.10.0

func (e *Endpoint) GetIPv4Address() string

GetIPv4Address returns the IPv4 address of the endpoint

func (*Endpoint) GetIPv6Address added in v0.10.0

func (e *Endpoint) GetIPv6Address() string

GetIPv6Address returns the IPv6 address of the endpoint

func (*Endpoint) GetIdentity

func (e *Endpoint) GetIdentity() policy.NumericIdentity

func (*Endpoint) GetLabels added in v0.10.0

func (e *Endpoint) GetLabels() []string

GetLabels returns the labels as slice

func (*Endpoint) GetModel

func (e *Endpoint) GetModel() *models.Endpoint

func (*Endpoint) HasLabels added in v0.10.0

func (e *Endpoint) HasLabels(l pkgLabels.Labels) bool

HasLabels returns whether endpoint e contains all labels l. Will return 'false' if any label in l is not in the endpoint's labels.

func (*Endpoint) IPv4EgressMapPathLocked added in v0.10.0

func (e *Endpoint) IPv4EgressMapPathLocked() string

IPv4EgressMapPathLocked returns the path to policy map of endpoint.

func (*Endpoint) IPv4IngressMapPathLocked added in v0.10.0

func (e *Endpoint) IPv4IngressMapPathLocked() string

IPv4IngressMapPathLocked returns the path to policy map of endpoint.

func (*Endpoint) IPv6EgressMapPathLocked added in v0.10.0

func (e *Endpoint) IPv6EgressMapPathLocked() string

IPv6EgressMapPathLocked returns the path to policy map of endpoint.

func (*Endpoint) IPv6IngressMapPathLocked added in v0.10.0

func (e *Endpoint) IPv6IngressMapPathLocked() string

IPv6IngressMapPathLocked returns the path to policy map of endpoint.

func (*Endpoint) LeaveLocked added in v0.9.0

func (e *Endpoint) LeaveLocked(owner Owner)

LeaveLocked removes the endpoint's directory from the system. Must be called with Endpoint's mutex locked.

func (*Endpoint) LogStatus

func (e *Endpoint) LogStatus(typ StatusType, code StatusCode, msg string)

func (*Endpoint) LogStatusOK

func (e *Endpoint) LogStatusOK(typ StatusType, msg string)

func (*Endpoint) PolicyGlobalMapPathLocked added in v0.9.0

func (e *Endpoint) PolicyGlobalMapPathLocked() string

PolicyGlobalMapPathLocked returns the path to the global policy map.

func (*Endpoint) PolicyID added in v0.9.0

func (e *Endpoint) PolicyID() string

PolicyID returns an identifier for the endpoint's policy. Must be called with the endpoint's lock held.

func (*Endpoint) PolicyMapPathLocked added in v0.9.0

func (e *Endpoint) PolicyMapPathLocked() string

PolicyMapPathLocked returns the path to policy map of endpoint.

func (*Endpoint) ProxyID added in v0.10.0

func (e *Endpoint) ProxyID(l4 *policy.L4Filter) string

ProxyID returns a unique string to identify a proxy mapping

func (*Endpoint) RLock added in v0.10.0

func (e *Endpoint) RLock()

RLock locks the endpoint for reading

func (*Endpoint) RUnlock added in v0.10.0

func (e *Endpoint) RUnlock()

RUnlock unlocks the endpoint after reading

func (*Endpoint) Regenerate

func (e *Endpoint) Regenerate(owner Owner) <-chan bool

Regenerate forces the regeneration of endpoint programs & policy

func (*Endpoint) RegenerateIfReady

func (e *Endpoint) RegenerateIfReady(owner Owner) error

func (*Endpoint) RemoveDirectory

func (e *Endpoint) RemoveDirectory()

func (*Endpoint) RemoveFromGlobalPolicyMap added in v0.9.0

func (e *Endpoint) RemoveFromGlobalPolicyMap() error

func (*Endpoint) SetDefaultOpts

func (e *Endpoint) SetDefaultOpts(opts *option.BoolOptions)

func (*Endpoint) SetIdentity

func (e *Endpoint) SetIdentity(owner Owner, id *policy.Identity)

func (*Endpoint) String

func (e *Endpoint) String() string

String returns the endpoint in JSON format.

func (*Endpoint) StringID

func (e *Endpoint) StringID() string

StringID returns the endpoint's ID as a string.

func (*Endpoint) TriggerPolicyUpdates

func (e *Endpoint) TriggerPolicyUpdates(owner Owner) (bool, error)

TriggerPolicyUpdates indicates that a policy change is likely to affect this endpoint. Will update all required endpoint configuration and state to reflect new policy and regenerate programs if required.

Returns true if the policy was changed and the endpoint needs to be rebuilt.

func (*Endpoint) Update

func (e *Endpoint) Update(owner Owner, opts models.ConfigurationMap) error

Update modifies the endpoint options and regenerates the program.

func (*Endpoint) UpdateOrchIdentityLabels added in v0.10.0

func (e *Endpoint) UpdateOrchIdentityLabels(l pkgLabels.Labels) bool

UpdateOrchIdentityLabels updates orchestration labels for the endpoint which are used in determining the security identity for the endpoint.

func (*Endpoint) UpdateOrchInformationLabels added in v0.10.0

func (e *Endpoint) UpdateOrchInformationLabels(l pkgLabels.Labels)

UpdateOrchInformationLabels updates orchestration labels for the endpoint which are not used in determining the security identity for the endpoint.

type EndpointStatus

type EndpointStatus struct {
	// CurrentStatuses is the last status of a given priority.
	CurrentStatuses componentStatus `json:"current-status,omitempty"`
	// Log contains the last maxLogs messages for this endpoint.
	Log statusLog `json:"log,omitempty"`
	// Index is the index in the statusLog, is used to keep track the next
	// available position to write a new log message.
	Index int `json:"index"`
	// contains filtered or unexported fields
}

EndpointStatus represents the endpoint status.

func NewEndpointStatus

func NewEndpointStatus() *EndpointStatus

func (*EndpointStatus) CurrentStatus

func (e *EndpointStatus) CurrentStatus() StatusCode

func (*EndpointStatus) DeepCopy

func (e *EndpointStatus) DeepCopy() *EndpointStatus

func (*EndpointStatus) GetModel

func (e *EndpointStatus) GetModel() []*models.EndpointStatusChange

func (*EndpointStatus) String

func (e *EndpointStatus) String() string

type L3MapType added in v0.10.0

// L3MapType is an enumeration type for the different kinds of IP CIDR bpf
// maps; its values index the L3Maps array.
type L3MapType int

L3MapType is an enumeration type for different kind of IP CIDR bpf maps.

const (
	// L3 map types. The order is significant: the values are iota-derived
	// and MapCount, which sizes the L3Maps array, must stay last.
	IPv6Ingress L3MapType = iota
	IPv4Ingress
	IPv6Egress
	IPv4Egress
	MapCount
)

L3 Map types.

type L3Maps added in v0.10.0

// L3Maps is an array of pointers to all the supported L3 bpf map types,
// indexed by L3MapType.
type L3Maps [MapCount]*cidrmap.CIDRMap

L3Maps is an array of pointers to all the supported L3 bpf map types.

func (*L3Maps) Close added in v0.10.0

func (l3 *L3Maps) Close()

Close closes all bpf maps, but does not destroy them.

func (*L3Maps) DeepCopy added in v0.10.0

func (l3 *L3Maps) DeepCopy() L3Maps

DeepCopy duplicates the bpf map references, but the duplicates refer to the same bpf maps.

func (*L3Maps) DestroyBpfMap added in v0.10.0

func (l3 *L3Maps) DestroyBpfMap(mt L3MapType, path string)

DestroyBpfMap closes and removes a bpf map type 'mt' from the file system using path 'path'.

func (*L3Maps) ResetBpfMap added in v0.10.0

func (l3 *L3Maps) ResetBpfMap(mt L3MapType, path string) error

ResetBpfMap destroys the old bpf map of type 'mt' and creates a new one using 'path'.

type Owner

type Owner interface {
	// TracingEnabled must return true if tracing of the policy resolution
	// is to be enabled
	TracingEnabled() bool

	// DryModeEnabled must return true if dry mode is enabled
	DryModeEnabled() bool

	// PolicyEnabled returns whether policy enforcement is enabled
	PolicyEnabled() bool

	// EnablePolicyEnforcement returns whether owner should enable policy enforcement.
	EnablePolicyEnforcement() bool

	// UpdateEndpointPolicyEnforcement returns whether policy enforcement
	// should be enabled for the specified endpoint.
	UpdateEndpointPolicyEnforcement(e *Endpoint) bool

	// PolicyEnforcement returns the type of policy enforcement for the Owner.
	PolicyEnforcement() string

	// AlwaysAllowLocalhost returns true if localhost is always allowed to
	// reach local endpoints
	AlwaysAllowLocalhost() bool

	// GetConsumableCache must return an instance of a ConsumableCache
	GetConsumableCache() *policy.ConsumableCache

	// GetCachedLabelList must resolve a label id to an identity
	GetCachedLabelList(ID policy.NumericIdentity) (labels.LabelArray, error)

	// GetPolicyRepository must return the policy repository
	GetPolicyRepository() *policy.Repository

	// GetCachedMaxLabelID returns the next available global identity
	GetCachedMaxLabelID() (policy.NumericIdentity, error)

	// UpdateProxyRedirect must update the redirect configuration of an endpoint in the proxy
	UpdateProxyRedirect(e *Endpoint, l4 *policy.L4Filter) (uint16, error)

	// RemoveProxyRedirect must remove the redirect installed by UpdateProxyRedirect
	RemoveProxyRedirect(e *Endpoint, l4 *policy.L4Filter) error

	// GetStateDir must return path to the state directory
	GetStateDir() string

	// GetBpfDir must return path to BPF template files directory
	GetBpfDir() string

	// QueueEndpointBuild puts the given request in the processing queue
	QueueEndpointBuild(*Request)

	// RemoveFromEndpointQueue removes all requests from the working queue
	RemoveFromEndpointQueue(epID uint64)

	// DebugEnabled returns true if debugging has been enabled
	DebugEnabled() bool
}

Owner is the interface that defines the requirements for anybody owning policies.

type PortMap

type PortMap struct {
	From  uint16 `json:"from"`  // Source port of the mapping.
	To    uint16 `json:"to"`    // Destination port of the mapping.
	Proto uint8  `json:"proto"` // presumably the IP protocol number — confirm against callers
}

PortMap is the port mapping representation for a particular endpoint.

type PrefixType

// PrefixType is the namespace prefix of an endpoint identifier (see the
// *Prefix constants and ParseID, ValidateID and SplitID).
type PrefixType string

func ParseID

func ParseID(id string) (PrefixType, string, error)

ParseID parses specified id and returns normalized id as string.

func SplitID

func SplitID(id string) (PrefixType, string)

SplitID splits ID into prefix and id. No validation is performed on prefix.

func ValidateID

func ValidateID(id string) (PrefixType, string, error)

ValidateID parses specified id and returns normalized id as string.

func (PrefixType) String

func (s PrefixType) String() string

type Request added in v0.9.0

type Request struct {
	// ID is the request ID.
	ID uint64
	// MyTurn is used to know when it is this request's turn.
	MyTurn chan bool
	// Done is used to tell the Processor that the request has finished.
	Done chan bool
	// ExternalDone is used to notify external listeners that this request
	// has finished; true means the build was successful, false otherwise.
	ExternalDone chan bool
}

Request is used to create the endpoint's request and send it to the endpoints processor.

type Status

// Status is a single status entry: a code, a message and the component
// type it belongs to.
type Status struct {
	Code StatusCode `json:"code"`
	Msg  string     `json:"msg"`
	Type StatusType `json:"status-type"`
}

func NewStatusOK

func NewStatusOK(typ StatusType, info string) Status

func (Status) String

func (s Status) String() string

type StatusCode

// StatusCode classifies a Status. OK is 0; every non-OK code is negative.
type StatusCode int
const (
	OK       StatusCode = 0
	Warning  StatusCode = -1
	Failure  StatusCode = -2
	Disabled StatusCode = -3
)

func (StatusCode) ColorString

func (sc StatusCode) ColorString() string

func (StatusCode) String

func (sc StatusCode) String() string

type StatusResponse

// StatusResponse aggregates the status of each component the agent depends on.
type StatusResponse struct {
	KVStore    Status              `json:"kvstore"`
	Docker     Status              `json:"docker"`
	Kubernetes Status              `json:"kubernetes"`
	Logstash   Status              `json:"logstash"`
	Cilium     Status              `json:"cilium"`
	// The tag carries no name, so this field is encoded under its Go name
	// "IPAMStatus" and omitted when empty.
	IPAMStatus map[string][]string `json:",omitempty"`
}

type StatusType

// StatusType represents the type for the given status; the higher the
// value, the higher the priority.
type StatusType int

StatusType represents the type for the given status; the higher the value, the higher the priority.

const (
	// Status types in priority order (higher value, higher priority).
	BPF    StatusType = 200
	Policy StatusType = 100
	Other  StatusType = 0
)

type UpdateCompilationError

// UpdateCompilationError is returned (as an error) when an endpoint update
// fails at the compilation stage; its fields are unexported.
type UpdateCompilationError struct {
	// contains filtered or unexported fields
}

func (UpdateCompilationError) Error

func (e UpdateCompilationError) Error() string

type UpdateValidationError

// UpdateValidationError is returned (as an error) when an endpoint update
// fails validation; its fields are unexported.
type UpdateValidationError struct {
	// contains filtered or unexported fields
}

func (UpdateValidationError) Error

func (e UpdateValidationError) Error() string
