netpol

package
v1.21.1 Latest Latest
Published: May 12, 2021 License: Apache-2.0 Imports: 28 Imported by: 1


Constants

This section is empty.

Variables

This section is empty.

Functions

func AddPodLabels

func AddPodLabels(k8s *kubeManager, pod *Pod, newPodLabels map[string]string)

AddPodLabels adds new labels to a deployment's template

func CheckSCTPModuleLoadedOnNodes

func CheckSCTPModuleLoadedOnNodes(f *framework.Framework, nodes *v1.NodeList) bool

CheckSCTPModuleLoadedOnNodes checks whether any node in the list has the sctp.ko module loaded. For security reasons, and also to allow clusters to use userspace SCTP implementations, we require that merely creating an SCTP Pod/Service/NetworkPolicy must not do anything that would cause the sctp kernel module to be loaded.

func CreatePolicy

func CreatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

CreatePolicy creates a policy in the given namespace

func GetAllowEgress

func GetAllowEgress() *networkingv1.NetworkPolicy

GetAllowEgress allows all egress

func GetAllowEgressByCIDR

func GetAllowEgressByCIDR(podname string, podserverCIDR string) *networkingv1.NetworkPolicy

GetAllowEgressByCIDR creates an egress netpol with an ipblock

func GetAllowEgressByCIDRExcept

func GetAllowEgressByCIDRExcept(podname string, podserverCIDR string, except []string) *networkingv1.NetworkPolicy

GetAllowEgressByCIDRExcept creates an egress netpol with an ipblock and except

func GetAllowEgressByNamespaceAndPod

func GetAllowEgressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowEgressByNamespaceAndPod allows egress for pods with matching namespace AND pod labels

func GetAllowEgressByPort

func GetAllowEgressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy

GetAllowEgressByPort allows egress by port

func GetAllowEgressForTarget

func GetAllowEgressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowEgressForTarget allows all egress for a target

func GetAllowIngress

func GetAllowIngress(name string) *networkingv1.NetworkPolicy

GetAllowIngress allows all ingress

func GetAllowIngressByAnyPod

func GetAllowIngressByAnyPod(name string, targetLabels map[string]string, peersLabel []map[string]string) *networkingv1.NetworkPolicy

GetAllowIngressByAnyPod allows ingress for pods with matching multiple pod labels

func GetAllowIngressByNamespace

func GetAllowIngressByNamespace(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByNamespace allows ingress for namespace

func GetAllowIngressByNamespaceAndPod

func GetAllowIngressByNamespaceAndPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByNamespaceAndPod allows ingress for pods with matching namespace AND pod labels

func GetAllowIngressByNamespaceAndPort

func GetAllowIngressByNamespaceAndPort(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, port *intstr.IntOrString, protocol *v1.Protocol) *networkingv1.NetworkPolicy

GetAllowIngressByNamespaceAndPort allows ingress for namespace AND port AND protocol

func GetAllowIngressByNamespaceOrPod

func GetAllowIngressByNamespaceOrPod(name string, targetLabels map[string]string, peerNamespaceSelector *metav1.LabelSelector, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByNamespaceOrPod allows ingress for pods with matching namespace OR pod labels

func GetAllowIngressByPod

func GetAllowIngressByPod(name string, targetLabels map[string]string, peerPodSelector *metav1.LabelSelector) *networkingv1.NetworkPolicy

GetAllowIngressByPod allows ingress by pod labels

func GetAllowIngressByPort

func GetAllowIngressByPort(name string, port *intstr.IntOrString) *networkingv1.NetworkPolicy

GetAllowIngressByPort allows ingress by port

func GetAllowIngressByProtocol

func GetAllowIngressByProtocol(name string, targetLabels map[string]string, protocol *v1.Protocol) *networkingv1.NetworkPolicy

GetAllowIngressByProtocol allows ingress for any ports on a specific protocol.

func GetAllowIngressForTarget

func GetAllowIngressForTarget(name string, targetLabels map[string]string) *networkingv1.NetworkPolicy

GetAllowIngressForTarget allows ingress for target

func GetAllowIngressOnProtocolByPort

func GetAllowIngressOnProtocolByPort(name string, protocol v1.Protocol, targetLabels map[string]string, portNum *intstr.IntOrString) *networkingv1.NetworkPolicy

GetAllowIngressOnProtocolByPort is a base network policy template which distinguishes between the types of v1.Protocol available in v1 core

func GetDenyAll

func GetDenyAll(name string) *networkingv1.NetworkPolicy

GetDenyAll denies ingress traffic AS WELL as egress traffic. BOTH policy types must be specified (a policy that lists only one type leaves the other direction unrestricted), and the Egress rule must (like the default ingress rule) be an array with 0 values.

func GetDenyAllWithEgressDNS

func GetDenyAllWithEgressDNS() *networkingv1.NetworkPolicy

GetDenyAllWithEgressDNS denies all egress traffic except to the DNS/UDP port.

func GetDenyEgress

func GetDenyEgress(name string) *networkingv1.NetworkPolicy

GetDenyEgress returns a default deny egress policy.

func GetDenyEgressForTarget

func GetDenyEgressForTarget(name string, targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy

GetDenyEgressForTarget returns a default deny egress policy.

func GetDenyIngress

func GetDenyIngress(name string) *networkingv1.NetworkPolicy

GetDenyIngress returns a default deny ingress policy.

func GetDenyIngressEmptyPeerSelector

func GetDenyIngressEmptyPeerSelector(name string) *networkingv1.NetworkPolicy

GetDenyIngressEmptyPeerSelector returns a default ingress deny policy that uses an empty Peer selector.

func GetDenyIngressForTarget

func GetDenyIngressForTarget(targetSelector metav1.LabelSelector) *networkingv1.NetworkPolicy

GetDenyIngressForTarget denies all ingress for target

func GetRandomIngressPolicies

func GetRandomIngressPolicies(num int) []*networkingv1.NetworkPolicy

GetRandomIngressPolicies returns "num" random policies, each allowing a unique:n label (i.e. unique:1, unique:2, and so on). Used for creating a 'background' set of policies.

func ProbePodToPodConnectivity

func ProbePodToPodConnectivity(k8s *kubeManager, model *Model, testCase *TestCase)

ProbePodToPodConnectivity runs a series of probes in kube, and records the results in `testCase.Reachability`

func ResetNamespaceLabels

func ResetNamespaceLabels(k8s *kubeManager, ns string)

ResetNamespaceLabels resets the labels for a namespace

func ResetPodLabels

func ResetPodLabels(k8s *kubeManager, pod *Pod)

ResetPodLabels resets the labels for a deployment's template

func UpdateNamespaceLabels

func UpdateNamespaceLabels(k8s *kubeManager, ns string, newNsLabel map[string]string)

UpdateNamespaceLabels sets the labels for a namespace

func UpdatePolicy

func UpdatePolicy(k8s *kubeManager, policy *networkingv1.NetworkPolicy, namespace string)

UpdatePolicy updates a networkpolicy

func ValidateOrFail

func ValidateOrFail(k8s *kubeManager, model *Model, testCase *TestCase)

ValidateOrFail validates connectivity

Types

type Container

type Container struct {
	Port     int32
	Protocol v1.Protocol
}

Container is the abstract representation of what matters to network policy tests for a container; i.e. it ignores kube implementation details

func (*Container) Name

func (c *Container) Name() string

Name returns the container name

func (*Container) PortName

func (c *Container) PortName() string

PortName returns the container port name

func (*Container) Spec

func (c *Container) Spec() v1.Container

Spec returns the kube container spec

type Model

type Model struct {
	Namespaces []*Namespace

	// the raw data
	NamespaceNames []string
	PodNames       []string
	Ports          []int32
	Protocols      []v1.Protocol
	DNSDomain      string
	// contains filtered or unexported fields
}

Model defines the namespaces, deployments, services, pods, containers and associated data for network policy test cases and provides the source of truth

func NewModel

func NewModel(namespaces []string, podNames []string, ports []int32, protocols []v1.Protocol, dnsDomain string) *Model

NewModel instantiates a model based on: namespaces, pods, ports to listen on, and protocols to listen on. The total number of pods is the number of namespaces x the number of pods per namespace. The number of containers per pod is the number of ports x the number of protocols. The *total* number of containers is namespaces x pods x ports x protocols.

func (*Model) AllPodStrings

func (m *Model) AllPodStrings() []PodString

AllPodStrings returns a slice of all pod strings

func (*Model) AllPods

func (m *Model) AllPods() []*Pod

AllPods returns a slice of all pods

func (*Model) FindPod

func (m *Model) FindPod(ns string, name string) (*Pod, error)

FindPod returns the pod of matching namespace and name, or an error

func (*Model) NewReachability

func (m *Model) NewReachability() *Reachability

NewReachability instantiates a default-true reachability from the model's pods

type Namespace

type Namespace struct {
	Name string
	Pods []*Pod
}

Namespace is the abstract representation of what matters to network policy tests for a namespace; i.e. it ignores kube implementation details

func (*Namespace) LabelSelector

func (ns *Namespace) LabelSelector() map[string]string

LabelSelector returns the default labels that should be placed on a namespace in order for it to be uniquely selectable by label selectors

func (*Namespace) Spec

func (ns *Namespace) Spec() *v1.Namespace

Spec builds a kubernetes namespace spec

type Peer

type Peer struct {
	Namespace string
	Pod       string
}

Peer is used for matching pods by either or both of the pod's namespace and name.

func (*Peer) Matches

func (p *Peer) Matches(pod PodString) bool

Matches checks whether the Peer matches the PodString: an empty Namespace always matches; otherwise the Namespace must equal the PodString's namespace. The same goes for Pod: empty matches everything, otherwise it must match exactly.

type Pod

type Pod struct {
	Namespace  string
	Name       string
	Containers []*Container
}

Pod is the abstract representation of what matters to network policy tests for a pod; i.e. it ignores kube implementation details

func (*Pod) ContainerSpecs

func (p *Pod) ContainerSpecs() []v1.Container

ContainerSpecs builds kubernetes container specs for the pod

func (*Pod) KubePod

func (p *Pod) KubePod() *v1.Pod

KubePod returns the kube pod

func (*Pod) LabelSelector

func (p *Pod) LabelSelector() map[string]string

LabelSelector returns the default labels that should be placed on a pod/deployment in order for it to be uniquely selectable by label selectors

func (*Pod) PodString

func (p *Pod) PodString() PodString

PodString returns a corresponding pod string

func (*Pod) QualifiedServiceAddress

func (p *Pod) QualifiedServiceAddress(dnsDomain string) string

QualifiedServiceAddress returns the address that can be used to hit a service from any namespace in the cluster

func (*Pod) Service

func (p *Pod) Service() *v1.Service

Service returns a kube service spec

func (*Pod) ServiceName

func (p *Pod) ServiceName() string

ServiceName returns the unqualified service name

type PodString

type PodString string

PodString represents a namespace 'x' + pod 'a' as "x/a".

func NewPodString

func NewPodString(namespace string, podName string) PodString

NewPodString instantiates a PodString from the given namespace and name.

func (PodString) Namespace

func (pod PodString) Namespace() string

Namespace extracts the namespace

func (PodString) PodName

func (pod PodString) PodName() string

PodName extracts the pod name

func (PodString) String

func (pod PodString) String() string

String converts back to a string

type ProbeJob

type ProbeJob struct {
	PodFrom        *Pod
	PodTo          *Pod
	ToPort         int
	ToPodDNSDomain string
	Protocol       v1.Protocol
}

ProbeJob packages the data for the input of a pod->pod connectivity probe

type ProbeJobResults

type ProbeJobResults struct {
	Job         *ProbeJob
	IsConnected bool
	Err         error
	Command     string
}

ProbeJobResults packages the data for the results of a pod->pod connectivity probe

type Reachability

type Reachability struct {
	Expected *TruthTable
	Observed *TruthTable
	Pods     []*Pod
}

Reachability packages the data for a cluster-wide connectivity probe

func NewReachability

func NewReachability(pods []*Pod, defaultExpectation bool) *Reachability

NewReachability instantiates a reachability

func (*Reachability) AllowLoopback

func (r *Reachability) AllowLoopback()

AllowLoopback expects all communication from a pod to itself to be allowed. In general, call it after setting up any other rules since loopback logic follows no policy.

func (*Reachability) Expect

func (r *Reachability) Expect(from PodString, to PodString, isConnected bool)

Expect sets the expected value for a single observation

func (*Reachability) ExpectAllEgress

func (r *Reachability) ExpectAllEgress(pod PodString, connected bool)

ExpectAllEgress sets the expectation that all traffic going out of the pod is allowed (true) or denied (false).

func (*Reachability) ExpectAllIngress

func (r *Reachability) ExpectAllIngress(pod PodString, connected bool)

ExpectAllIngress sets the expectation that all traffic going into the pod is allowed (true) or denied (false).

func (*Reachability) ExpectPeer

func (r *Reachability) ExpectPeer(from *Peer, to *Peer, connected bool)

ExpectPeer sets expected values using Peer matchers

func (*Reachability) Observe

func (r *Reachability) Observe(fromPod PodString, toPod PodString, isConnected bool)

Observe records a single connectivity observation

func (*Reachability) PrintSummary

func (r *Reachability) PrintSummary(printExpected bool, printObserved bool, printComparison bool)

PrintSummary prints the summary

func (*Reachability) Summary

func (r *Reachability) Summary(ignoreLoopback bool) (trueObs int, falseObs int, ignoredObs int, comparison *TruthTable)

Summary produces a useful summary of expected and observed data

type TestCase

type TestCase struct {
	ToPort       int
	Protocol     v1.Protocol
	Reachability *Reachability
}

TestCase describes the data for a netpol test

type TruthTable

type TruthTable struct {
	Froms []string
	Tos   []string

	Values map[string]map[string]bool
	// contains filtered or unexported fields
}

TruthTable takes in n items and maintains an n x n table of booleans for each ordered pair

func NewTruthTable

func NewTruthTable(froms []string, tos []string, defaultValue *bool) *TruthTable

NewTruthTable creates a new truth table with froms and tos

func NewTruthTableFromItems

func NewTruthTableFromItems(items []string, defaultValue *bool) *TruthTable

NewTruthTableFromItems creates a new truth table with items

func (*TruthTable) Compare

func (tt *TruthTable) Compare(other *TruthTable) *TruthTable

Compare checks two truth tables for equality and returns the result as a third truth table. Both tables are expected to have identical items.

func (*TruthTable) Get

func (tt *TruthTable) Get(from string, to string) bool

Get gets the specified value

func (*TruthTable) IsComplete

func (tt *TruthTable) IsComplete() bool

IsComplete returns true if there's a value set for every single pair of items, otherwise it returns false.

func (*TruthTable) PrettyPrint

func (tt *TruthTable) PrettyPrint(indent string) string

PrettyPrint produces a nice visual representation.

func (*TruthTable) Set

func (tt *TruthTable) Set(from string, to string, value bool)

Set sets the value for from->to

func (*TruthTable) SetAllFrom

func (tt *TruthTable) SetAllFrom(from string, value bool)

SetAllFrom sets all values where from = 'from'

func (*TruthTable) SetAllTo

func (tt *TruthTable) SetAllTo(to string, value bool)

SetAllTo sets all values where to = 'to'
