Documentation

Overview

Package policy describes a generic interface for retrieving policies. Different implementations are possible for environments such as Kubernetes, Mesos or other custom environments. An implementation has to provide a method for retrieving a policy based on the metadata associated with the container, and for deleting the policy when the container dies. It is up to the implementation to decide how to generate the policy. The package also defines the basic data structures for communicating policy information; the implementations are responsible for providing all the necessary data.

Index

Constants

    const (
    	// AllowAll allows everything for the specific PU.
    	AllowAll = 0x1
    	// Police filters on the PU based on the PolicyRules.
    	Police = 0x2
    )

    const (
    	// Equal is the equal operator
    	Equal = "="
    	// NotEqual is the not equal operator
    	NotEqual = "=!"
    	// KeyExists is the key=* operator
    	KeyExists = "*"
    	// KeyNotExists means that the key doesn't exist in the incoming tags
    	KeyNotExists = "!*"
    )

    const (
    	// DefaultNamespace is the default namespace for applying policy
    	DefaultNamespace = "bridge"
    )

Variables

This section is empty.

Functions

func ConvertServicesToPortList

    func ConvertServicesToPortList(services []Service) string

ConvertServicesToPortList converts an array of services to a port list.

Types

type ActionType

    type ActionType byte

ActionType is the action that can be applied to a flow. It is a bit mask: the constants below can be combined, and the predicate methods test individual bits.

    const (
    	// Accept is the accept action
    	Accept ActionType = 0x1
    	// Reject is the reject action
    	Reject ActionType = 0x2
    	// Encrypt instructs data to be encrypted
    	Encrypt ActionType = 0x4
    	// Log instructs the datapath to log the IP addresses
    	Log ActionType = 0x8
    )

func (ActionType) Accepted

    func (f ActionType) Accepted() bool

Accepted reports whether the action mask contains the Accept bit.

func (ActionType) ActionString

    func (f ActionType) ActionString() string

ActionString reports whether the action is accepted or rejected, as a long string.

func (ActionType) Encrypted

    func (f ActionType) Encrypted() bool

Encrypted reports whether the action mask contains the Encrypt bit.

func (ActionType) Logged

    func (f ActionType) Logged() bool

Logged reports whether the action mask contains the Log bit.

func (ActionType) Rejected

    func (f ActionType) Rejected() bool

Rejected reports whether the action mask contains the Reject bit.

func (ActionType) ShortActionString

    func (f ActionType) ShortActionString() string

ShortActionString reports whether the action is accepted or rejected, as a short string.

func (ActionType) String

    func (f ActionType) String() string
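The ActionType section above documents the mask and its predicates but not how they fit together. The following is an added example (not the project's own code) that implements the mask with the page's constant names and values, and adds a Valid check that is an assumption of this example: a mask should carry exactly one verdict (Accept or Reject) and no unknown bits, because a contradictory or empty verdict is the kind of state a datapath should refuse rather than guess about.

```go
package main

import (
	"fmt"
	"strings"
)

// ActionType is a bit mask of the actions applied to a flow. The names and
// values follow the page; the method bodies are an added example.
type ActionType byte

const (
	Accept  ActionType = 0x1 // deliver the flow
	Reject  ActionType = 0x2 // drop the flow
	Encrypt ActionType = 0x4 // deliver only over the encrypted datapath
	Log     ActionType = 0x8 // record the endpoints of the flow
)

// Each predicate tests one bit, so Accept|Encrypt|Log answers true to three of them.
func (f ActionType) Accepted() bool  { return f&Accept != 0 }
func (f ActionType) Rejected() bool  { return f&Reject != 0 }
func (f ActionType) Encrypted() bool { return f&Encrypt != 0 }
func (f ActionType) Logged() bool    { return f&Log != 0 }

// ActionString gives the verdict as a long word. Anything not explicitly
// accepted is reported as rejected, so an empty mask fails closed.
func (f ActionType) ActionString() string {
	if f.Accepted() {
		return "accept"
	}
	return "reject"
}

// ShortActionString is the one-letter form for compact log lines.
func (f ActionType) ShortActionString() string {
	return f.ActionString()[:1]
}

// String lists every flag present in the mask, e.g. "accept|encrypt|log".
func (f ActionType) String() string {
	var parts []string
	if f.Accepted() {
		parts = append(parts, "accept")
	}
	if f.Rejected() {
		parts = append(parts, "reject")
	}
	if f.Encrypted() {
		parts = append(parts, "encrypt")
	}
	if f.Logged() {
		parts = append(parts, "log")
	}
	if len(parts) == 0 {
		return "none"
	}
	return strings.Join(parts, "|")
}

// Valid is an added consistency check (assumption, not on the page): exactly
// one verdict bit and no bits outside the known flags. A resolver should never
// emit Accept|Reject, and a consumer should refuse it rather than pick one.
func (f ActionType) Valid() bool {
	known := Accept | Reject | Encrypt | Log
	if f&^known != 0 {
		return false
	}
	return f.Accepted() != f.Rejected()
}

func main() {
	for _, m := range []ActionType{Accept | Encrypt | Log, Reject | Log, Accept | Reject, 0} {
		fmt.Printf("%-22s verdict=%s valid=%v\n", m, m.ActionString(), m.Valid())
	}
}
```

Note that ActionString and ShortActionString answer "reject" for a mask with neither verdict bit set; whether that is the right default is exactly what Valid is there to flag before the mask reaches the datapath.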

type ExtendedMap

    type ExtendedMap map[string]string

ExtendedMap is a common map with additional functions.

func (ExtendedMap) Copy

    func (s ExtendedMap) Copy() ExtendedMap

Copy copies an ExtendedMap.

func (ExtendedMap) Get

    func (s ExtendedMap) Get(key string) (string, bool)

Get does a lookup in the map.

type FlowPolicy

    type FlowPolicy struct {
    	Action    ActionType
    	ServiceID string
    	PolicyID  string
    }

FlowPolicy captures the policy for a particular flow.

type IPRule

    type IPRule struct {
    	Address  string
    	Port     string
    	Protocol string
    	Policy   *FlowPolicy
    }

IPRule holds an IP rule for traffic to or from external services.

type IPRuleList

    type IPRuleList []IPRule

IPRuleList is a list of IP rules.

func (IPRuleList) Copy

    func (l IPRuleList) Copy() IPRuleList

Copy creates a clone of the IP rule list.
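FlowPolicy, IPRule and IPRuleList are only declared above; the page does not say how a packet is matched against the list. The following is an added example (not the project's own code) of a first-match lookup over an IPRuleList that fails closed, plus a Copy that duplicates the FlowPolicy each rule points to. The field formats are assumptions of this example: Address is a CIDR, Port is a single port, a "lo:hi" range or "" for any, and Protocol is "tcp", "udp" or "" for any. The sample ACL is constructed for the example.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Types follow the names and fields on the page; logic is an added example.
type ActionType byte

const (
	Accept ActionType = 0x1
	Reject ActionType = 0x2
)

type FlowPolicy struct {
	Action    ActionType
	ServiceID string
	PolicyID  string
}

// Assumed formats: Address is a CIDR; Port is "443", "8000:8100" or "" (any);
// Protocol is "tcp", "udp" or "" (any).
type IPRule struct {
	Address  string
	Port     string
	Protocol string
	Policy   *FlowPolicy
}

type IPRuleList []IPRule

// Copy deep-copies the list, including each rule's FlowPolicy, so a caller
// holding the copy cannot change the original's verdict through the pointer.
func (l IPRuleList) Copy() IPRuleList {
	out := make(IPRuleList, len(l))
	for i, r := range l {
		out[i] = r
		if r.Policy != nil {
			p := *r.Policy
			out[i].Policy = &p
		}
	}
	return out
}

// Validate rejects malformed rules when the policy is loaded: a deny rule that
// silently fails to parse is worse than a load error.
func (l IPRuleList) Validate() error {
	for i, r := range l {
		if _, _, err := net.ParseCIDR(r.Address); err != nil {
			return fmt.Errorf("rule %d: bad address %q: %v", i, r.Address, err)
		}
		if r.Policy == nil {
			return fmt.Errorf("rule %d: missing policy", i)
		}
	}
	return nil
}

func portMatches(spec string, port int) bool {
	if spec == "" {
		return true
	}
	if b := strings.SplitN(spec, ":", 2); len(b) == 2 {
		lo, err1 := strconv.Atoi(b[0])
		hi, err2 := strconv.Atoi(b[1])
		return err1 == nil && err2 == nil && port >= lo && port <= hi
	}
	p, err := strconv.Atoi(spec)
	return err == nil && p == port
}

// Lookup returns the policy of the first rule matching the flow. A flow that
// matches nothing is rejected: the ACL fails closed. Rules that do not parse
// never match, which is why Validate must run first.
func (l IPRuleList) Lookup(ip net.IP, port int, proto string) FlowPolicy {
	for _, r := range l {
		_, cidr, err := net.ParseCIDR(r.Address)
		if err != nil || !cidr.Contains(ip) {
			continue
		}
		if r.Protocol != "" && !strings.EqualFold(r.Protocol, proto) {
			continue
		}
		if !portMatches(r.Port, port) || r.Policy == nil {
			continue
		}
		return *r.Policy
	}
	return FlowPolicy{Action: Reject, PolicyID: "default-deny"}
}

// sampleACL is a constructed list: allow TCP/443 from 10/8 to "api", deny the rest.
func sampleACL() IPRuleList {
	return IPRuleList{
		{Address: "10.0.0.0/8", Port: "443", Protocol: "tcp",
			Policy: &FlowPolicy{Action: Accept, ServiceID: "api", PolicyID: "allow-api"}},
		{Address: "0.0.0.0/0", Policy: &FlowPolicy{Action: Reject, PolicyID: "deny-rest"}},
	}
}

func main() {
	acl := sampleACL()
	if err := acl.Validate(); err != nil {
		panic(err)
	}
	p := acl.Lookup(net.ParseIP("10.1.2.3"), 443, "tcp")
	fmt.Printf("10.1.2.3:443/tcp -> %s (action %#x)\n", p.PolicyID, p.Action)
}
```

Order matters in a first-match list: the catch-all deny must come last, and Copy has to duplicate the FlowPolicy pointer or a "copy" handed to another goroutine still shares the verdict with the original.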

type KeyValueOperator

    type KeyValueOperator struct {
    	Key      string
    	Value    []string
    	Operator Operator
    }

KeyValueOperator describes an individual matching rule.

type Operator

    type Operator string

Operator defines the operation between a key and its value.
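The Operator constants (Equal, NotEqual, KeyExists, KeyNotExists) and KeyValueOperator are declared above without their evaluation semantics. The following added example (not the project's own code) evaluates a list of KeyValueOperator clauses against a PU's tags held in an ExtendedMap. The Selector type and two semantic choices are assumptions of this example: NotEqual requires the key to be present, so a missing key does not satisfy "not equal", and an operator the code does not recognise is returned as an error rather than treated as a non-match. The tag map is constructed for the example.

```go
package main

import "fmt"

// Operator, ExtendedMap and KeyValueOperator follow the page; Selector and
// the matching logic are added example code.
type Operator string

const (
	Equal        Operator = "="
	NotEqual     Operator = "=!"
	KeyExists    Operator = "*"
	KeyNotExists Operator = "!*"
)

type ExtendedMap map[string]string

func (s ExtendedMap) Get(key string) (string, bool) {
	v, ok := s[key]
	return v, ok
}

func (s ExtendedMap) Copy() ExtendedMap {
	out := make(ExtendedMap, len(s))
	for k, v := range s {
		out[k] = v
	}
	return out
}

type KeyValueOperator struct {
	Key      string
	Value    []string
	Operator Operator
}

func contains(list []string, v string) bool {
	for _, x := range list {
		if x == v {
			return true
		}
	}
	return false
}

// Match evaluates one clause against a PU's tags. Two choices are assumptions
// picked so that an unexpected input cannot widen a match: NotEqual needs the
// key present, and an unknown operator is an error, not a silent non-match.
func (c KeyValueOperator) Match(tags ExtendedMap) (bool, error) {
	v, present := tags.Get(c.Key)
	switch c.Operator {
	case KeyExists:
		return present, nil
	case KeyNotExists:
		return !present, nil
	case Equal:
		return present && contains(c.Value, v), nil
	case NotEqual:
		return present && !contains(c.Value, v), nil
	default:
		return false, fmt.Errorf("unknown operator %q for key %q", c.Operator, c.Key)
	}
}

// Selector is a conjunction of clauses (an assumed shape for a tag selector).
// An empty Selector matches every PU, so reject empty selectors at load time.
type Selector []KeyValueOperator

func (s Selector) Match(tags ExtendedMap) (bool, error) {
	for _, c := range s {
		ok, err := c.Match(tags)
		if err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

func main() {
	tags := ExtendedMap{"app": "web", "env": "prod"} // constructed PU identity
	sel := Selector{
		{Key: "app", Value: []string{"web", "api"}, Operator: Equal},
		{Key: "env", Value: []string{"dev"}, Operator: NotEqual},
		{Key: "debug", Operator: KeyNotExists},
	}
	ok, err := sel.Match(tags)
	fmt.Println(ok, err)
}
```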

type OptionsType

    type OptionsType struct {
    	// CgroupName is the name of the cgroup
    	CgroupName string

    	// CgroupMark is the tag of the cgroup
    	CgroupMark string

    	// UserID is the user ID if it exists
    	UserID string

    	// Services is the list of services of interest
    	Services []Service

    	// PolicyExtensions holds policy resolution extensions
    	PolicyExtensions interface{}
    }

OptionsType is a set of options that can be passed with a policy request.

type PUAction

    type PUAction int

PUAction defines the action types that apply to a specific PU as a whole.

type PUInfo

    type PUInfo struct {
    	// ContextID is the ID of the container that the policy applies to
    	ContextID string
    	// Policy is an instantiation of the container policy
    	Policy *PUPolicy
    	// Runtime captures all data collected from the container
    	Runtime *PURuntime
    }

PUInfo captures all policy information related to a connection.

func NewPUInfo

    func NewPUInfo(contextID string, puType constants.PUType) *PUInfo

NewPUInfo instantiates a new PUInfo for the given context ID and PU type.

func PUInfoFromPolicyAndRuntime

    func PUInfoFromPolicyAndRuntime(contextID string, policyInfo *PUPolicy, runtimeInfo *PURuntime) *PUInfo

PUInfoFromPolicyAndRuntime builds a PUInfo from an existing PUPolicy and PURuntime.

type PUPolicy

    type PUPolicy struct {
    	sync.Mutex
    	// contains filtered or unexported fields
    }

PUPolicy captures all policy information related to the container.

func NewPUPolicy

    func NewPUPolicy(
    	id string,
    	action PUAction,
    	appACLs,
    	netACLs IPRuleList,
    	txtags, rxtags TagSelectorList,
    	identity, annotations *TagStore,
    	ips ExtendedMap,
    	triremeNetworks []string,
    	excludedNetworks []string) *PUPolicy

NewPUPolicy generates a new PUPolicy. appACLs are the ACLs for packets coming from the Application/PU to the Network; netACLs are the ACLs for packets coming from the Network to the Application/PU.

func NewPUPolicyWithDefaults

    func NewPUPolicyWithDefaults() *PUPolicy

NewPUPolicyWithDefaults sets up a PU policy with defaults.

func (*PUPolicy) AddIdentityTag

    func (p *PUPolicy) AddIdentityTag(k, v string)

AddIdentityTag adds a policy tag.

func (*PUPolicy) AddReceiverRules

    func (p *PUPolicy) AddReceiverRules(t TagSelector)

AddReceiverRules adds a receiver rule.

func (*PUPolicy) AddTransmitterRules

    func (p *PUPolicy) AddTransmitterRules(t TagSelector)

AddTransmitterRules adds a transmitter rule.

func (*PUPolicy) Annotations

    func (p *PUPolicy) Annotations() *TagStore

Annotations returns a copy of the annotations.

func (*PUPolicy) ApplicationACLs

    func (p *PUPolicy) ApplicationACLs() IPRuleList

ApplicationACLs returns a copy of the application IPRuleList.

func (*PUPolicy) Clone

    func (p *PUPolicy) Clone() *PUPolicy

Clone returns a copy of the policy.

func (*PUPolicy) DefaultIPAddress

    func (p *PUPolicy) DefaultIPAddress() (string, bool)

DefaultIPAddress returns the default IP address for the processing unit.

func (*PUPolicy) ExcludedNetworks

    func (p *PUPolicy) ExcludedNetworks() []string

ExcludedNetworks returns the list of excluded networks.

func (*PUPolicy) IPAddresses

    func (p *PUPolicy) IPAddresses() ExtendedMap

IPAddresses returns all the IP addresses for the processing unit.

func (*PUPolicy) Identity

    func (p *PUPolicy) Identity() *TagStore

Identity returns a copy of the identity.

func (*PUPolicy) ManagementID

    func (p *PUPolicy) ManagementID() string

ManagementID returns the management ID.

func (*PUPolicy) NetworkACLs

    func (p *PUPolicy) NetworkACLs() IPRuleList

NetworkACLs returns a copy of the network IPRuleList.

func (*PUPolicy) ReceiverRules

    func (p *PUPolicy) ReceiverRules() TagSelectorList

ReceiverRules returns a copy of the receiver TagSelectorList.

func (*PUPolicy) SetIPAddresses

    func (p *PUPolicy) SetIPAddresses(l ExtendedMap)

SetIPAddresses sets the IP addresses for the processing unit.

func (*PUPolicy) SetTriremeAction

    func (p *PUPolicy) SetTriremeAction(action PUAction)

SetTriremeAction sets the TriremeAction.

func (*PUPolicy) TransmitterRules

    func (p *PUPolicy) TransmitterRules() TagSelectorList

TransmitterRules returns a copy of the transmitter TagSelectorList.

func (*PUPolicy) TriremeAction

    func (p *PUPolicy) TriremeAction() PUAction

TriremeAction returns the TriremeAction.

func (*PUPolicy) TriremeNetworks

    func (p *PUPolicy) TriremeNetworks() []string

TriremeNetworks returns the list of networks to which Trireme must be applied.

func (*PUPolicy) UpdateExcludedNetworks

    func (p *PUPolicy) UpdateExcludedNetworks(networks []string)

UpdateExcludedNetworks updates the list of excluded networks.

func (*PUPolicy) UpdateTriremeNetworks

    func (p *PUPolicy) UpdateTriremeNetworks(networks []string)

UpdateTriremeNetworks updates the set of networks for Trireme.

type PURuntime

    type PURuntime struct {

    	// GlobalLock is used by Trireme to make sure that two operations do not
    	// get interleaved for the same container.
    	GlobalLock *sync.Mutex

    	sync.Mutex
    	// contains filtered or unexported fields
    }

PURuntime holds all data related to the status of the container runtime.

func NewPURuntime

    func NewPURuntime(name string, pid int, nsPath string, tags *TagStore, ips ExtendedMap, puType constants.PUType, options *OptionsType) *PURuntime

NewPURuntime generates a new PURuntime.

func NewPURuntimeWithDefaults

    func NewPURuntimeWithDefaults() *PURuntime

NewPURuntimeWithDefaults sets up a PURuntime with defaults.

func (*PURuntime) Clone

    func (r *PURuntime) Clone() *PURuntime

Clone returns a copy of the runtime.

func (*PURuntime) DefaultIPAddress

    func (r *PURuntime) DefaultIPAddress() (string, bool)

DefaultIPAddress returns the default IP address for the processing unit.

func (*PURuntime) IPAddresses

    func (r *PURuntime) IPAddresses() ExtendedMap

IPAddresses returns all the IP addresses for the processing unit.

func (*PURuntime) MarshalJSON

    func (r *PURuntime) MarshalJSON() ([]byte, error)

MarshalJSON marshals this struct.

func (*PURuntime) NSPath

    func (r *PURuntime) NSPath() string

NSPath returns the NSPath.

func (*PURuntime) Name

    func (r *PURuntime) Name() string

Name returns the name of the processing unit.

func (*PURuntime) Options

    func (r *PURuntime) Options() OptionsType

Options returns the options for the processing unit.

func (*PURuntime) PUType

    func (r *PURuntime) PUType() constants.PUType

PUType returns the PU type.

func (*PURuntime) Pid

    func (r *PURuntime) Pid() int

Pid returns the PID.

func (*PURuntime) SetIPAddresses

    func (r *PURuntime) SetIPAddresses(ipa ExtendedMap)

SetIPAddresses sets up all the IP addresses for the processing unit.

func (*PURuntime) SetNSPath

    func (r *PURuntime) SetNSPath(nsPath string)

SetNSPath sets the NSPath.

func (*PURuntime) SetOptions

    func (r *PURuntime) SetOptions(options OptionsType)

SetOptions sets the options.

func (*PURuntime) SetPUType

    func (r *PURuntime) SetPUType(puType constants.PUType)

SetPUType sets the PU type.

func (*PURuntime) SetPid

    func (r *PURuntime) SetPid(pid int)

SetPid sets the PID.

func (*PURuntime) Tag

    func (r *PURuntime) Tag(key string) (string, bool)

Tag returns a specific tag for the processing unit.

func (*PURuntime) Tags

    func (r *PURuntime) Tags() *TagStore

Tags returns the tags for the processing unit.

func (*PURuntime) UnmarshalJSON

    func (r *PURuntime) UnmarshalJSON(param []byte) error

UnmarshalJSON unmarshals this struct.

type PURuntimeJSON

    type PURuntimeJSON struct {
    	// PUType is the type of the PU
    	PUType constants.PUType
    	// Pid holds the value of the first process of the container
    	Pid int
    	// NSPath is the path to the networking namespace for this PURuntime if applicable.
    	NSPath string
    	// Name is the name of the container
    	Name string
    	// IPAddresses holds the IP addresses of the container
    	IPAddresses ExtendedMap
    	// Tags is a map of the metadata of the container
    	Tags *TagStore
    	// Options is a map of the options of the container
    	Options *OptionsType
    }

PURuntimeJSON is a JSON representation of PURuntime.
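PURuntime keeps its state in unexported fields behind a mutex, while PURuntimeJSON is the exported view that MarshalJSON and UnmarshalJSON go through. The following is an added example (not the project's own code) of that pattern with a reduced field set: PUType, TagStore and Options are left out, newRuntime is a stand-in constructor with a different signature from the page's NewPURuntime, and the sample runtime values are constructed. It shows why the view struct is needed, that decoding happens into the view before the lock is taken so a bad payload cannot leave the runtime half-updated, and that IPAddresses hands out a copy rather than the internal map.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sync"
)

type ExtendedMap map[string]string

// PURuntime keeps its state unexported behind a mutex, as on the page. The
// field set is a reduced stand-in and the method bodies are added example code.
type PURuntime struct {
	sync.Mutex
	name   string
	pid    int
	nsPath string
	ips    ExtendedMap
	tags   map[string]string // stand-in for *TagStore
}

// PURuntimeJSON is the exported view for serialisation: encoding/json skips
// unexported fields, so PURuntime cannot round-trip without it. Field names
// match the page's PURuntimeJSON where the field is present here.
type PURuntimeJSON struct {
	Pid         int
	NSPath      string
	Name        string
	IPAddresses ExtendedMap
	Tags        map[string]string
}

// newRuntime is a simplified constructor for this example (not the page's NewPURuntime).
func newRuntime(name string, pid int, nsPath string, ips ExtendedMap, tags map[string]string) *PURuntime {
	return &PURuntime{name: name, pid: pid, nsPath: nsPath, ips: ips, tags: tags}
}

func (r *PURuntime) Name() string   { r.Lock(); defer r.Unlock(); return r.name }
func (r *PURuntime) Pid() int       { r.Lock(); defer r.Unlock(); return r.pid }
func (r *PURuntime) NSPath() string { r.Lock(); defer r.Unlock(); return r.nsPath }

// IPAddresses returns a copy so a caller cannot edit the runtime's map without the lock.
func (r *PURuntime) IPAddresses() ExtendedMap {
	r.Lock()
	defer r.Unlock()
	out := make(ExtendedMap, len(r.ips))
	for k, v := range r.ips {
		out[k] = v
	}
	return out
}

// MarshalJSON snapshots the fields under the lock and encodes the view struct,
// never r itself (json.Marshal(r) would call this method again).
func (r *PURuntime) MarshalJSON() ([]byte, error) {
	r.Lock()
	defer r.Unlock()
	return json.Marshal(PURuntimeJSON{Pid: r.pid, NSPath: r.nsPath, Name: r.name, IPAddresses: r.ips, Tags: r.tags})
}

// UnmarshalJSON decodes and checks the payload before taking the lock, so a
// malformed or implausible payload leaves the runtime exactly as it was.
func (r *PURuntime) UnmarshalJSON(b []byte) error {
	var v PURuntimeJSON
	if err := json.Unmarshal(b, &v); err != nil {
		return err
	}
	if v.Pid < 0 {
		return fmt.Errorf("invalid pid %d", v.Pid)
	}
	r.Lock()
	defer r.Unlock()
	r.name, r.pid, r.nsPath, r.ips, r.tags = v.Name, v.Pid, v.NSPath, v.IPAddresses, v.Tags
	return nil
}

func main() {
	r := newRuntime("web-1", 4242, "/proc/4242/ns/net", ExtendedMap{"bridge": "10.0.0.5"}, map[string]string{"app": "web"})
	b, _ := json.Marshal(r)
	fmt.Println(string(b))
	var back PURuntime
	fmt.Println(json.Unmarshal(b, &back), back.Name(), back.Pid())
}
```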

type RuntimeReader

    type RuntimeReader interface {

    	// Pid returns the Pid of the Runtime.
    	Pid() int

    	// Name returns the process name of the Runtime.
    	Name() string

    	// Tag returns the value of the given tag.
    	Tag(string) (string, bool)

    	// Tags returns a copy of the list of the tags.
    	Tags() *TagStore

    	// Options returns a copy of the list of options.
    	Options() OptionsType

    	// DefaultIPAddress returns the default IP address.
    	DefaultIPAddress() (string, bool)

    	// IPAddresses returns a copy of all the IP addresses.
    	IPAddresses() ExtendedMap

    	// Returns the PUType for the PU
                                                                                                                                        	PUType() constants.PUType
                                                                                                                                        }

                                                                                                                                          A RuntimeReader allows to get the specific parameters stored in the Runtime

                                                                                                                                          type Service

                                                                                                                                          type Service struct {
                                                                                                                                          	// Protocol is the protocol number
                                                                                                                                          	Protocol uint8
                                                                                                                                          
                                                                                                                                          	// Port is the target port
                                                                                                                                          	Port uint16
                                                                                                                                          }

                                                                                                                                            Service is a protocol/port service of interest - used to pass user requests

                                                                                                                                            type TagSelector

                                                                                                                                            type TagSelector struct {
                                                                                                                                            	Clause []KeyValueOperator
                                                                                                                                            	Policy *FlowPolicy
                                                                                                                                            }

                                                                                                                                              TagSelector info describes a tag selector key Operator value

                                                                                                                                              type TagSelectorList

                                                                                                                                              type TagSelectorList []TagSelector

                                                                                                                                                TagSelectorList defines a list of TagSelectors

                                                                                                                                                func (TagSelectorList) Copy

                                                                                                                                                  Copy returns a copy of the TagSelectorList

                                                                                                                                                  type TagStore

                                                                                                                                                  type TagStore struct {
                                                                                                                                                  	Tags []string
                                                                                                                                                  }

                                                                                                                                                    TagStore stores the tags - it allows duplicate key values

                                                                                                                                                    func NewTagStore

                                                                                                                                                    func NewTagStore() *TagStore

                                                                                                                                                      NewTagStore creates a new TagStore

                                                                                                                                                      func NewTagStoreFromMap

                                                                                                                                                      func NewTagStoreFromMap(tags map[string]string) *TagStore

                                                                                                                                                        NewTagStoreFromMap creates a tag store from an input map

                                                                                                                                                        func (*TagStore) AppendKeyValue

                                                                                                                                                        func (t *TagStore) AppendKeyValue(key, value string)

                                                                                                                                                          AppendKeyValue appends a key and value to the tag store

                                                                                                                                                          func (*TagStore) Copy

                                                                                                                                                          func (t *TagStore) Copy() *TagStore

                                                                                                                                                            Copy copies an ExtendedMap

                                                                                                                                                            func (*TagStore) Get

                                                                                                                                                            func (t *TagStore) Get(key string) (string, bool)

                                                                                                                                                              Get does a lookup in the list of tags

                                                                                                                                                              func (*TagStore) GetSlice

                                                                                                                                                              func (t *TagStore) GetSlice() []string

                                                                                                                                                                GetSlice returns the tagstore as a slice
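The following is an added example, not code from this package, showing how TagSelector clauses and a TagStore fit together: a minimal TagStore with the documented Get lookup, and a matcher that evaluates each clause with the Equal, NotEqual, KeyExists and KeyNotExists operators from the Constants section, failing closed on missing keys and unknown operators. It assumes a simplified KeyValueOperator with Key, Value and Operator string fields; the project's real struct may differ, and the tag values are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Operator constants as listed in this package's Constants section.
const (
	Equal        = "="
	NotEqual     = "=!"
	KeyExists    = "*"
	KeyNotExists = "!*"
)
type KeyValueOperator struct{ Key, Value, Operator string } // assumed simplified clause shape, not the project's struct
type TagStore struct{ Tags []string }                        // tags held as "key=value" strings, duplicates allowed
// Get returns the first value stored for key.
func (t *TagStore) Get(key string) (string, bool) {
	for _, tag := range t.Tags {
		if k, v, ok := strings.Cut(tag, "="); ok && k == key {
			return v, true
		}
	}
	return "", false
}
// Match applies every clause (AND); missing keys and unknown operators fail closed.
func Match(clause []KeyValueOperator, t *TagStore) bool {
	for _, c := range clause {
		v, ok := t.Get(c.Key)
		switch c.Operator {
		case KeyExists: // ok already records key presence
		case KeyNotExists:
			ok = !ok
		case Equal:
			ok = ok && v == c.Value
		case NotEqual:
			ok = ok && v != c.Value
		default:
			ok = false
		}
		if !ok {
			return false
		}
	}
	return true
}
// sample is a constructed PU tag set: a web workload in prod with no debug tag.
var sample = &TagStore{Tags: []string{"app=web", "env=prod"}}

func main() { fmt.Println(Match([]KeyValueOperator{{"app", "web", Equal}, {"debug", "", KeyNotExists}}, sample)) }
```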