
Overview

    Package configurator provides some helper functions to help you create default Trireme and Monitor configurations.

    Index

    Constants

    const (
    	// DefaultProcMountPoint is the default proc mount point.
    	DefaultProcMountPoint = "/proc"
    	// DefaultAporetoProcMountPoint is the Aporeto proc mount point, used in case we are
    	// launched with some specific Docker configuration.
    	DefaultAporetoProcMountPoint = "/aporetoproc"
    )

    Variables

    This section is empty.

    Functions

    func NewCompactPKIWithDocker

    func NewCompactPKIWithDocker(
    	serverID string,
    	networks []string,
    	resolver trireme.PolicyResolver,
    	processor enforcer.PacketProcessor,
    	eventCollector collector.EventCollector,
    	syncAtStart bool,
    	keyPEM []byte,
    	certPEM []byte,
    	caCertPEM []byte,
    	token []byte,
    	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
    	remoteEnforcer bool,
    	killContainerError bool,
    ) (trireme.Trireme, monitor.Monitor)

      NewCompactPKIWithDocker is an example of configuring Trireme to use the compact PKI secrets method. The calling module must provide a policy engine implementation, a private/public key pair, and the parent certificate and key. All certificates are passed in PEM format. If a certificate pool is provided, certificates will not be transmitted on the wire. This is an example use; certificates must be properly protected.

      func NewDistributedTriremeDocker

      func NewDistributedTriremeDocker(serverID string,
      	resolver trireme.PolicyResolver,
      	processor enforcer.PacketProcessor,
      	eventCollector collector.EventCollector,
      	secrets secrets.Secrets,
      	impl constants.ImplementationType) trireme.Trireme

        NewDistributedTriremeDocker instantiates Trireme using remote enforcers on the container namespaces.

        func NewHybridCompactPKIWithDocker

        func NewHybridCompactPKIWithDocker(
        	serverID string,
        	networks []string,
        	resolver trireme.PolicyResolver,
        	processor enforcer.PacketProcessor,
        	eventCollector collector.EventCollector,
        	syncAtStart bool,
        	keyPEM []byte,
        	certPEM []byte,
        	caCertPEM []byte,
        	token []byte,
        	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
        	remoteEnforcer bool,
        	killContainerError bool,
        ) (trireme.Trireme, monitor.Monitor, monitor.Monitor)

          NewHybridCompactPKIWithDocker is an example of configuring Trireme to use the compact PKI secrets method. The calling module must provide a policy engine implementation, a private/public key pair, and the parent certificate and key. All certificates are passed in PEM format. If a certificate pool is provided, certificates will not be transmitted on the wire. This is an example use; certificates must be properly protected.

          func NewHybridTrireme

          func NewHybridTrireme(
          	serverID string,
          	resolver trireme.PolicyResolver,
          	processor enforcer.PacketProcessor,
          	eventCollector collector.EventCollector,
          	secrets secrets.Secrets,
          	networks []string,
          ) trireme.Trireme

            NewHybridTrireme instantiates Trireme with both Linux and Docker enforcers. The Docker enforcers are remote.

            func NewLocalTriremeDocker

            func NewLocalTriremeDocker(
            	serverID string,
            	resolver trireme.PolicyResolver,
            	processor enforcer.PacketProcessor,
            	eventCollector collector.EventCollector,
            	secrets secrets.Secrets,
            	impl constants.ImplementationType) trireme.Trireme

              NewLocalTriremeDocker instantiates Trireme for Docker using enforcement on the main namespace.

              func NewPKITriremeWithDockerMonitor

              func NewPKITriremeWithDockerMonitor(
              	serverID string,
              	resolver trireme.PolicyResolver,
              	processor enforcer.PacketProcessor,
              	eventCollector collector.EventCollector,
              	syncAtStart bool,
              	keyPEM []byte,
              	certPEM []byte,
              	caCertPEM []byte,
              	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
              	remoteEnforcer bool,
              	killContainerError bool,
              ) (trireme.Trireme, monitor.Monitor, enforcer.PublicKeyAdder)

                NewPKITriremeWithDockerMonitor creates a new network isolator. The calling module must provide a policy engine implementation, a private/public key pair, and the parent certificate. All certificates are passed in PEM format. If a certificate pool is provided, certificates will not be transmitted on the wire.

                func NewPSKHybridTriremeWithMonitor

                func NewPSKHybridTriremeWithMonitor(
                	serverID string,
                	networks []string,
                	resolver trireme.PolicyResolver,
                	processor enforcer.PacketProcessor,
                	eventCollector collector.EventCollector,
                	syncAtStart bool,
                	key []byte,
                	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
                	killContainerError bool,
                ) (trireme.Trireme, monitor.Monitor, monitor.Monitor)

                  NewPSKHybridTriremeWithMonitor creates a new network isolator. The calling module must provide a policy engine implementation and a pre-shared secret. This function is kept for backward compatibility and will be removed.

                  func NewPSKTriremeWithCNIMonitor

                  func NewPSKTriremeWithCNIMonitor(
                  	serverID string,
                  	resolver trireme.PolicyResolver,
                  	processor enforcer.PacketProcessor,
                  	eventCollector collector.EventCollector,
                  	key []byte,
                  	cniMetadataExtractor rpcmonitor.RPCMetadataExtractor,
                  	remoteEnforcer bool,
                  ) (trireme.Trireme, monitor.Monitor)

                    NewPSKTriremeWithCNIMonitor instantiates Trireme with a simple CNI monitor.

                    func NewPSKTriremeWithDockerMonitor

                    func NewPSKTriremeWithDockerMonitor(
                    	serverID string,
                    	resolver trireme.PolicyResolver,
                    	processor enforcer.PacketProcessor,
                    	eventCollector collector.EventCollector,
                    	syncAtStart bool,
                    	key []byte,
                    	dockerMetadataExtractor dockermonitor.DockerMetadataExtractor,
                    	remoteEnforcer bool,
                    	killContainerError bool,
                    ) (trireme.Trireme, monitor.Monitor)

                      NewPSKTriremeWithDockerMonitor creates a new network isolator. The calling module must provide a policy engine implementation and a pre-shared secret. This function is kept for backward compatibility and will be removed.

                      func NewSecretsFromPKI

                      func NewSecretsFromPKI(keyPEM, certPEM, caCertPEM []byte) secrets.Secrets

                        NewSecretsFromPKI creates secrets from a PKI (PEM-encoded key, certificate and CA certificate).

                        func NewSecretsFromPSK

                        func NewSecretsFromPSK(key []byte) secrets.Secrets

                          NewSecretsFromPSK creates secrets from a pre-shared key.

                          func NewTriremeLinuxProcess

                          func NewTriremeLinuxProcess(
                          	serverID string,
                          	resolver trireme.PolicyResolver,
                          	processor enforcer.PacketProcessor,
                          	eventCollector collector.EventCollector,
                          	secrets secrets.Secrets) trireme.Trireme

                            NewTriremeLinuxProcess instantiates Trireme for a Linux process implementation.

                            Types

                            type TriremeOptions

                            // TriremeOptions defines all the possible configuration options for the
                            // Trireme configurator. It is consumed by NewTriremeWithOptions; use
                            // DefaultTriremeOptions to obtain a populated starting point.
                            type TriremeOptions struct {
                            	// ServerID identifies this Trireme instance.
                            	ServerID string
                            
                            	// PSK is the pre-shared key for the PSK secrets method (see NewSecretsFromPSK).
                            	// It is secret material and must be protected like a private key.
                            	PSK []byte
                            
                            	// PEM-encoded private key, certificate and CA certificate for the PKI secrets
                            	// method (see NewSecretsFromPKI). KeyPEM is confidential; the certificates
                            	// must be properly protected as well. SmartToken presumably corresponds to the
                            	// token argument of the compact PKI constructors — verify against NewTriremeWithOptions.
                            	KeyPEM     []byte
                            	CertPEM    []byte
                            	CaCertPEM  []byte
                            	SmartToken []byte
                            
                            	// TargetNetworks presumably maps to the networks argument of the New* constructors — confirm.
                            	TargetNetworks []string
                            
                            	// Policy engine, event collector and packet processor supplied by the calling module.
                            	Resolver       trireme.PolicyResolver
                            	EventCollector collector.EventCollector
                            	Processor      enforcer.PacketProcessor
                            
                            	// Metadata extractors for the CNI (RPC) and Docker monitors.
                            	CNIMetadataExtractor    rpcmonitor.RPCMetadataExtractor
                            	DockerMetadataExtractor dockermonitor.DockerMetadataExtractor
                            
                            	// Docker socket type and address used by the Docker monitor — NOTE(review): semantics not visible here, confirm.
                            	DockerSocketType string
                            	DockerSocket     string
                            
                            	// Validity and cache durations — NOTE(review): what they bound is not visible here, confirm.
                            	Validity                time.Duration
                            	ExternalIPCacheValidity time.Duration
                            
                            	FilterQueue *fqconfig.FilterQueue
                            
                            	ModeType constants.ModeType
                            	ImplType constants.ImplementationType
                            
                            	// Proc mount points; see DefaultProcMountPoint and DefaultAporetoProcMountPoint.
                            	ProcMountPoint        string
                            	AporetoProcMountPoint string
                            
                            	RemoteArg string
                            
                            	RPCAddress              string
                            	LinuxProcessReleasePath string
                            
                            	MutualAuth bool
                            
                            	KillContainerError bool
                            	SyncAtStart        bool
                            
                            	// PKI presumably selects the PKI secrets method over the PSK one — confirm in NewTriremeWithOptions.
                            	PKI bool
                            
                            	// Presumably select which enforcers and monitors are instantiated — confirm in NewTriremeWithOptions.
                            	LocalProcess    bool
                            	LocalContainer  bool
                            	RemoteContainer bool
                            	CNI             bool
                            }

                              TriremeOptions defines all the possible configuration options for the Trireme configurator.

                              func DefaultTriremeOptions

                              func DefaultTriremeOptions() *TriremeOptions

                                DefaultTriremeOptions returns a default set of options.

                                type TriremeResult

                                // TriremeResult is the result of the creation of Trireme by NewTriremeWithOptions.
                                type TriremeResult struct {
                                	// Trireme is the configured Trireme instance.
                                	Trireme        trireme.Trireme
                                	// DockerMonitor and RPCMonitor are the monitors that were created — NOTE(review):
                                	// whether they are nil when not requested in the options is not visible here, confirm.
                                	DockerMonitor  monitor.Monitor
                                	RPCMonitor     rpcmonitor.RPCMonitor
                                	PublicKeyAdder enforcer.PublicKeyAdder
                                	// Secret holds the secrets built from the options; treat it as sensitive.
                                	Secret         secrets.Secrets
                                }

                                  TriremeResult is the result of the creation of Trireme.

                                  func NewTriremeWithOptions

                                  func NewTriremeWithOptions(options *TriremeOptions) (*TriremeResult, error)

                                    NewTriremeWithOptions creates all the Trireme objects based on the options struct.

                                    Source Files