    Overview ¶
Package api defines the API of the Cilium network policy interface.
+groupName=policy
Index ¶
- Constants
- Variables
- func InitEntities(clusterName string)
- func RegisterToGroupsProvider(providerName string, callback GroupProviderFunc)
- type AWSGroup
- type CIDR
- type CIDRRule
- type CIDRRuleSlice
- type CIDRSlice
- type Decision
- type EgressRule
- func (e *EgressRule) CreateDerivative() (*EgressRule, error)
- func (in *EgressRule) DeepCopy() *EgressRule
- func (in *EgressRule) DeepCopyInto(out *EgressRule)
- func (e *EgressRule) GetDestinationEndpointSelectorsWithRequirements(requirements []metav1.LabelSelectorRequirement) EndpointSelectorSlice
- func (e *EgressRule) IsLabelBased() bool
- func (e *EgressRule) RequiresDerivative() bool
- func (e *EgressRule) SetAggregatedSelectors()
 
- type EndpointSelector
- func (n *EndpointSelector) AddMatch(key, value string)
- func (n EndpointSelector) CachedString() string
- func (n *EndpointSelector) ConvertToLabelSelectorRequirementSlice() []metav1.LabelSelectorRequirement
- func (in *EndpointSelector) DeepCopy() *EndpointSelector
- func (in *EndpointSelector) DeepCopyInto(out *EndpointSelector)
- func (n EndpointSelector) GetMatch(key string) ([]string, bool)
- func (n EndpointSelector) HasKey(key string) bool
- func (n EndpointSelector) HasKeyPrefix(prefix string) bool
- func (n *EndpointSelector) IsWildcard() bool
- func (n *EndpointSelector) LabelSelectorString() string
- func (n EndpointSelector) MarshalJSON() ([]byte, error)
- func (n *EndpointSelector) Matches(lblsToMatch k8sLbls.Labels) bool
- func (n EndpointSelector) String() string
- func (n *EndpointSelector) SyncRequirementsWithLabelSelector()
- func (n *EndpointSelector) UnmarshalJSON(b []byte) error
 
- type EndpointSelectorSlice
- func (in EndpointSelectorSlice) DeepCopy() EndpointSelectorSlice
- func (in EndpointSelectorSlice) DeepCopyInto(out *EndpointSelectorSlice)
- func (s EndpointSelectorSlice) Len() int
- func (s EndpointSelectorSlice) Less(i, j int) bool
- func (s EndpointSelectorSlice) Matches(ctx labels.LabelArray) bool
- func (s EndpointSelectorSlice) SelectsAllEndpoints() bool
- func (s EndpointSelectorSlice) Swap(i, j int)
 
- type Entity
- type EntitySlice
- type FQDNSelector
- type FQDNSelectorSlice
- type GroupProviderFunc
- type IngressRule
- func (in *IngressRule) DeepCopy() *IngressRule
- func (in *IngressRule) DeepCopyInto(out *IngressRule)
- func (i *IngressRule) GetSourceEndpointSelectorsWithRequirements(requirements []metav1.LabelSelectorRequirement) EndpointSelectorSlice
- func (i *IngressRule) IsLabelBased() bool
- func (i *IngressRule) SetAggregatedSelectors()
 
- type K8sServiceNamespace
- type K8sServiceSelectorNamespace
- type KafkaRole
- type L4Proto
- type L7Rules
- type PortProtocol
- type PortRule
- type PortRuleDNS
- type PortRuleHTTP
- type PortRuleKafka
- func (kr *PortRuleKafka) CheckAPIKeyRole(kind int16) bool
- func (in *PortRuleKafka) DeepCopy() *PortRuleKafka
- func (in *PortRuleKafka) DeepCopyInto(out *PortRuleKafka)
- func (k *PortRuleKafka) Equal(o PortRuleKafka) bool
- func (k *PortRuleKafka) Exists(rules L7Rules) bool
- func (kr *PortRuleKafka) GetAPIVersion() (int16, bool)
- func (kr *PortRuleKafka) MapRoleToAPIKey() error
- func (kr *PortRuleKafka) Sanitize() error
 
- type PortRuleL7
- type Rule
- func (r *Rule) CreateDerivative() (*Rule, error)
- func (in *Rule) DeepCopy() *Rule
- func (in *Rule) DeepCopyInto(out *Rule)
- func (r *Rule) RequiresDerivative() bool
- func (r Rule) Sanitize() error
- func (r *Rule) WithDescription(desc string) *Rule
- func (r *Rule) WithEgressRules(rules []EgressRule) *Rule
- func (r *Rule) WithEndpointSelector(es EndpointSelector) *Rule
- func (r *Rule) WithIngressRules(rules []IngressRule) *Rule
- func (r *Rule) WithLabels(labels labels.LabelArray) *Rule
 
- type Rules
- type Service
- type ServiceSelector
- type ToGroups
Constants ¶
// List of Kafka apiKeys which have a topic in their request.
//
// NOTE(review): KafkaAPIKeyMap on this page stops at 33 (alterconfigs), so
// AlterReplicaLogDirsKey (34), DescribeLogDirsKey (35) and
// CreatePartitionsKey (37) have no name there. Keys 7, 15-17, 22, 25-26 and
// 29-33 appear in neither this list nor the no-topic list that follows; how
// those keys are treated is decided by code not shown on this page — confirm.
const (
	ProduceKey              = 0
	FetchKey                = 1
	OffsetsKey              = 2
	MetadataKey             = 3
	LeaderAndIsr            = 4
	StopReplica             = 5
	UpdateMetadata          = 6
	OffsetCommitKey         = 8
	OffsetFetchKey          = 9
	FindCoordinatorKey      = 10
	JoinGroupKey            = 11
	CreateTopicsKey         = 19
	DeleteTopicsKey         = 20
	DeleteRecordsKey        = 21
	OffsetForLeaderEpochKey = 23
	AddPartitionsToTxnKey   = 24
	WriteTxnMarkersKey      = 27
	TxnOffsetCommitKey      = 28
	AlterReplicaLogDirsKey  = 34
	DescribeLogDirsKey      = 35
	CreatePartitionsKey     = 37
)
List of Kafka apiKeys which have a topic in their request
// List of Kafka apiKeys which are not associated with any topic.
const (
	HeartbeatKey   = 12
	LeaveGroupKey  = 13
	SyncgroupKey   = 14
	APIVersionsKey = 18
)
List of Kafka apiKey which are not associated with any topic
// List of Kafka Roles. A role is accepted in place of an explicit apiKey
// (see PortRuleKafka.MapRoleToAPIKey, whose body is not shown on this page).
const (
	ProduceRole = "produce"
	ConsumeRole = "consume"
)
List of Kafka Roles
const (
	AWSProvider = "AWS" // AWS provider key
)
    const (
	KafkaMaxTopicLen = 255
)
KafkaMaxTopicLen is the maximum character length of a topic name. Older Kafka versions allowed topic names of up to 255 characters; in Kafka 0.10 the limit was reduced from 255 to 249. For compatibility reasons 255 is used here.
const (
	// MaxCIDRPrefixLengths is used to prevent compile failures at runtime.
	// NOTE(review): which "compile" step this bounds, and the consumer that
	// enforces it, are not shown on this page — confirm before changing.
	MaxCIDRPrefixLengths = 40
)
    Variables ¶
var (
	// EndpointSelectorNone selects the reserved "none" identity; it is the
	// selector that EntityNone resolves to in EntitySelectorMapping.
	EndpointSelectorNone = NewESFromLabels(labels.NewLabel(labels.IDNameNone, "", labels.LabelSourceReserved))

	// EntitySelectorMapping maps special entity names that come in
	// policies to selectors.
	//
	// NOTE(review): EntityCluster maps to an empty slice here; how
	// cluster-local traffic is actually selected is not visible on this
	// page — confirm against the consumer.
	EntitySelectorMapping = map[Entity]EndpointSelectorSlice{
		EntityAll:     {WildcardEndpointSelector},
		EntityWorld:   {endpointSelectorWorld},
		EntityHost:    {endpointSelectorHost},
		EntityInit:    {endpointSelectorInit},
		EntityNone:    {EndpointSelectorNone},
		EntityCluster: {},
	}
)
var (
	// WildcardEndpointSelector is a wildcard endpoint selector matching
	// all endpoints that can be described with labels. It is built from
	// an empty label list.
	WildcardEndpointSelector = NewESFromLabels()

	// ReservedEndpointSelectors map reserved labels to EndpointSelectors
	// that will match those endpoints. Only "host" and "world" are mapped
	// here; the other reserved identities on this page ("none", "init")
	// are handled through EntitySelectorMapping.
	ReservedEndpointSelectors = map[string]EndpointSelector{
		labels.IDNameHost:  newReservedEndpointSelector(labels.IDNameHost),
		labels.IDNameWorld: newReservedEndpointSelector(labels.IDNameWorld),
	}
)
var CIDRMatchAll = []CIDR{CIDR("0.0.0.0/0"), CIDR("::/0")}
    CIDRMatchAll is a []CIDR that matches everything
// KafkaAPIKeyMap is the map of all allowed Kafka API keys, keyed by their
// lower-case name and valued with the wire apiKey number.
// Reference: https://kafka.apache.org/protocol#protocol_api_keys
//
// NOTE(review): the apiKey constants declared on this page include 34, 35
// and 37, which have no entry here, and 36 is absent everywhere; whether a
// name is required for those keys depends on the consumer, not shown here.
var KafkaAPIKeyMap = map[string]int16{
	"produce":              0,
	"fetch":                1,
	"offsets":              2,
	"metadata":             3,
	"leaderandisr":         4,
	"stopreplica":          5,
	"updatemetadata":       6,
	"controlledshutdown":   7,
	"offsetcommit":         8,
	"offsetfetch":          9,
	"findcoordinator":      10,
	"joingroup":            11,
	"heartbeat":            12,
	"leavegroup":           13,
	"syncgroup":            14,
	"describegroups":       15,
	"listgroups":           16,
	"saslhandshake":        17,
	"apiversions":          18,
	"createtopics":         19,
	"deletetopics":         20,
	"deleterecords":        21,
	"initproducerid":       22,
	"offsetforleaderepoch": 23,
	"addpartitionstotxn":   24,
	"addoffsetstotxn":      25,
	"endtxn":               26,
	"writetxnmarkers":      27,
	"txnoffsetcommit":      28,
	"describeacls":         29,
	"createacls":           30,
	"deleteacls":           31,
	"describeconfigs":      32,
	"alterconfigs":         33,
}
    KafkaAPIKeyMap is the map of all allowed kafka API keys with the key values. Reference: https://kafka.apache.org/protocol#protocol_api_keys
// KafkaReverseAPIKeyMap is the inverse of KafkaAPIKeyMap: it maps each
// apiKey number (0-33) back to the lower-case name used there. The two
// tables are maintained by hand and must be kept in step.
// Reference: https://kafka.apache.org/protocol#protocol_api_keys
var KafkaReverseAPIKeyMap = map[int16]string{
	0:  "produce",
	1:  "fetch",
	2:  "offsets",
	3:  "metadata",
	4:  "leaderandisr",
	5:  "stopreplica",
	6:  "updatemetadata",
	7:  "controlledshutdown",
	8:  "offsetcommit",
	9:  "offsetfetch",
	10: "findcoordinator",
	11: "joingroup",
	12: "heartbeat",
	13: "leavegroup",
	14: "syncgroup",
	15: "describegroups",
	16: "listgroups",
	17: "saslhandshake",
	18: "apiversions",
	19: "createtopics",
	20: "deletetopics",
	21: "deleterecords",
	22: "initproducerid",
	23: "offsetforleaderepoch",
	24: "addpartitionstotxn",
	25: "addoffsetstotxn",
	26: "endtxn",
	27: "writetxnmarkers",
	28: "txnoffsetcommit",
	29: "describeacls",
	30: "createacls",
	31: "deleteacls",
	32: "describeconfigs",
	33: "alterconfigs",
}
KafkaReverseAPIKeyMap maps each allowed Kafka API key value back to its name; it is the inverse of KafkaAPIKeyMap. Reference: https://kafka.apache.org/protocol#protocol_api_keys
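// KafkaTopicValidChar matches a topic name made up only of the characters
// Kafka permits: ASCII letters, digits, '.', '_' and '-'. It is compiled once
// at package init. The pattern is a raw string literal, so a single backslash
// reaches the regexp engine unchanged; the earlier `\\.` / `\\-` spelling put
// a literal backslash into the character class and so accepted "\" as a valid
// topic character. Inside a class '.', '_' and a trailing '-' need no escape.
var KafkaTopicValidChar = regexp.MustCompile(`^[a-zA-Z0-9._-]+$`)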
KafkaTopicValidChar is a regular expression, compiled once at package init, that matches only the characters allowed in a Kafka topic name.
Functions ¶
func InitEntities ¶ added in v1.5.0
func InitEntities(clusterName string)
InitEntities is called to initialize the policy API layer
func RegisterToGroupsProvider ¶ added in v1.5.0
func RegisterToGroupsProvider(providerName string, callback GroupProviderFunc)
RegisterToGroupsProvider registers a new callback that is invoked when a new ToGroups rule is added.
Types ¶
type AWSGroup ¶ added in v1.5.0
// AWSGroup is a structure that can be used to whitelist information from the
// AWS integration. Every field is optional on the wire (omitempty); which
// combinations are accepted is decided by the provider callback, not shown
// on this page.
type AWSGroup struct {
	// Labels — presumably AWS tags to select on; semantics not shown here, TODO confirm.
	Labels              map[string]string `json:"labels,omitempty"`
	// SecurityGroupsIds lists security groups by ID.
	SecurityGroupsIds   []string          `json:"securityGroupsIds,omitempty"`
	// SecurityGroupsNames lists security groups by name.
	SecurityGroupsNames []string          `json:"securityGroupsNames,omitempty"`
	// Region is the AWS region the groups are looked up in.
	Region              string            `json:"region,omitempty"`
}
AWSGroup is a structure that can be used to whitelist information from the AWS integration.
func (*AWSGroup) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new AWSGroup.
func (*AWSGroup) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CIDR ¶
type CIDR string
CIDR specifies a block of IP addresses. Example: 192.0.2.1/32
func (*CIDR) MatchesAll ¶ added in v1.5.0
MatchesAll determines whether the CIDR matches all traffic.
type CIDRRule ¶ added in v1.5.0
// CIDRRule is a rule that specifies a CIDR prefix to/from which outside
// communication is allowed, along with an optional list of subnets within
// that CIDR prefix to/from which outside communication is not allowed.
type CIDRRule struct {
	// CIDR is a CIDR prefix / IP Block.
	//
	Cidr CIDR `json:"cidr"`
	// ExceptCIDRs is a list of IP blocks which the endpoint subject to the rule
	// is not allowed to initiate connections to. These CIDR prefixes should be
	// contained within Cidr. These exceptions are only applied to the Cidr in
	// this CIDRRule, and do not apply to any other CIDR prefixes in any other
	// CIDRRules.
	//
	// +optional
	ExceptCIDRs []CIDR `json:"except,omitempty"`
	// Generated indicates whether the rule was generated based on other rules
	// or provided by user. It is excluded from JSON (`json:"-"`), so it can
	// neither be set nor observed through the serialized policy.
	Generated bool `json:"-"`
}
    CIDRRule is a rule that specifies a CIDR prefix to/from which outside communication is allowed, along with an optional list of subnets within that CIDR prefix to/from which outside communication is not allowed.
func IPsToCIDRRules ¶ added in v1.5.0
IPsToCIDRRules generates CIDRRules for the IPs passed in. This function marks the generated rules as Generated by default.
func (*CIDRRule) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CIDRRule.
func (*CIDRRule) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type CIDRRuleSlice ¶ added in v1.5.0
type CIDRRuleSlice []CIDRRule
CIDRRuleSlice is a slice of CIDRRules. It allows receiver methods to be defined for transforming the slice into other convenient forms such as EndpointSelectorSlice.
func (CIDRRuleSlice) DeepCopy ¶ added in v1.5.0
func (in CIDRRuleSlice) DeepCopy() CIDRRuleSlice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CIDRRuleSlice.
func (CIDRRuleSlice) DeepCopyInto ¶ added in v1.5.0
func (in CIDRRuleSlice) DeepCopyInto(out *CIDRRuleSlice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (CIDRRuleSlice) GetAsEndpointSelectors ¶ added in v1.5.0
func (s CIDRRuleSlice) GetAsEndpointSelectors() EndpointSelectorSlice
GetAsEndpointSelectors returns the provided CIDRRule slice as a slice of endpoint selectors
func (CIDRRuleSlice) StringSlice ¶ added in v1.6.9
func (s CIDRRuleSlice) StringSlice() []string
StringSlice returns the CIDRRuleSlice as a slice of strings.
type CIDRSlice ¶ added in v1.5.0
type CIDRSlice []CIDR
CIDRSlice is a slice of CIDRs. It allows receiver methods to be defined for transforming the slice into other convenient forms such as EndpointSelectorSlice.
func ComputeResultantCIDRSet ¶ added in v1.5.0
func ComputeResultantCIDRSet(cidrs CIDRRuleSlice) CIDRSlice
ComputeResultantCIDRSet converts a slice of CIDRRules into a slice of individual CIDRs. This expands the cidr defined by each CIDRRule, applies the CIDR exceptions defined in "ExceptCIDRs", and forms a minimal set of CIDRs that cover all of the CIDRRules.
Assumes no error checking is necessary as CIDRRule.Sanitize already does this.
func (CIDRSlice) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new CIDRSlice.
func (CIDRSlice) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (CIDRSlice) GetAsEndpointSelectors ¶ added in v1.5.0
func (s CIDRSlice) GetAsEndpointSelectors() EndpointSelectorSlice
GetAsEndpointSelectors returns the provided CIDR slice as a slice of endpoint selectors
func (CIDRSlice) String ¶ added in v1.6.9
String converts the CIDRSlice into a human-readable string.
func (CIDRSlice) StringSlice ¶ added in v1.5.0
StringSlice returns the CIDR slice as a slice of strings.
type Decision ¶
type Decision byte
Decision is a reachability policy decision
func (Decision) MarshalJSON ¶
MarshalJSON returns the decision as JSON formatted buffer
func (*Decision) UnmarshalJSON ¶
UnmarshalJSON parses a JSON formatted buffer and returns a decision
type EgressRule ¶
// EgressRule contains all rule types which can be applied at egress, i.e.
// network traffic that originates inside the endpoint and exits the endpoint
// selected by the endpointSelector.
//
//   - All members of this structure are optional. If omitted or empty, the
//     member will have no effect on the rule.
//   - If multiple members of the structure are specified, then all members
//     must match in order for the rule to take effect. The exception to this
//     rule is the ToRequires member; the effects of any Requires field in any
//     rule will apply to all other rules as well.
//   - ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are
//     mutually exclusive. Only one of these members may be present within an
//     individual rule.
type EgressRule struct {
	// ToEndpoints is a list of endpoints identified by an EndpointSelector to
	// which the endpoints subject to the rule are allowed to communicate.
	//
	// Example:
	// Any endpoint with the label "role=frontend" can communicate with any
	// endpoint carrying the label "role=backend".
	//
	// +optional
	ToEndpoints []EndpointSelector `json:"toEndpoints,omitempty"`
	// ToRequires is a list of additional constraints which must be met
	// in order for the selected endpoints to be able to connect to other
	// endpoints. These additional constraints do not by themselves grant access
	// privileges and must always be accompanied with at least one matching
	// ToEndpoints.
	//
	// Example:
	// Any Endpoint with the label "team=A" requires any endpoint to which it
	// communicates to also carry the label "team=A".
	//
	// +optional
	ToRequires []EndpointSelector `json:"toRequires,omitempty"`
	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is allowed to
	// connect to.
	//
	// Example:
	// Any endpoint with the label "role=frontend" is allowed to initiate
	// connections to destination port 8080/tcp
	//
	// +optional
	ToPorts []PortRule `json:"toPorts,omitempty"`
	// ToCIDR is a list of IP blocks which the endpoint subject to the rule
	// is allowed to initiate connections. Only connections destined for
	// outside of the cluster and not targeting the host will be subject
	// to CIDR rules.  This will match on the destination IP address of
	// outgoing connections. Adding a prefix into ToCIDR or into ToCIDRSet
	// with no ExceptCIDRs is equivalent. Overlaps are allowed between
	// ToCIDR and ToCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=database-proxy" is allowed to
	// initiate connections to 10.2.3.0/24
	//
	// +optional
	ToCIDR CIDRSlice `json:"toCIDR,omitempty"`
	// ToCIDRSet is a list of IP blocks which the endpoint subject to the rule
	// is allowed to initiate connections to in addition to connections
	// which are allowed via ToEndpoints, along with a list of subnets contained
	// within their corresponding IP block to which traffic should not be
	// allowed. This will match on the destination IP address of outgoing
	// connections. Adding a prefix into ToCIDR or into ToCIDRSet with no
	// ExceptCIDRs is equivalent. Overlaps are allowed between ToCIDR and
	// ToCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=database-proxy" is allowed to
	// initiate connections to 10.2.3.0/24 except from IPs in subnet 10.2.3.0/28.
	//
	// +optional
	ToCIDRSet CIDRRuleSlice `json:"toCIDRSet,omitempty"`
	// ToEntities is a list of special entities to which the endpoint subject
	// to the rule is allowed to initiate connections. Supported entities are
	// `world`, `cluster` and `host` (the Entity constants also define `all`,
	// `init` and `none`; whether those are accepted here is not shown on
	// this page).
	//
	// +optional
	ToEntities EntitySlice `json:"toEntities,omitempty"`
	// ToServices is a list of services to which the endpoint subject
	// to the rule is allowed to initiate connections.
	//
	// Example:
	// Any endpoint with the label "app=backend-app" is allowed to
	// initiate connections to all cidrs backing the "external-service" service
	//
	// +optional
	ToServices []Service `json:"toServices,omitempty"`
	// ToFQDN allows whitelisting DNS names in place of IPs. The IPs that result
	// from DNS resolution of `ToFQDN.MatchName`s are added to the same
	// EgressRule object as ToCIDRSet entries, and behave accordingly. Any L4 and
	// L7 rules within this EgressRule will also apply to these IPs.
	// The DNS -> IP mapping is re-resolved periodically from within the
	// cilium-agent, and the IPs in the DNS response are effected in the policy
	// for selected pods as-is (i.e. the list of IPs is not modified in any way).
	// Note: An explicit rule to allow for DNS traffic is needed for the pods, as
	// ToFQDN counts as an egress rule and will enforce egress policy when
	// PolicyEnforcement=default.
	// Note: If the resolved IPs are IPs within the kubernetes cluster, the
	// ToFQDN rule will not apply to that IP.
	// Note: ToFQDN cannot occur in the same policy as other To* rules.
	//
	// The current implementation has a number of limitations:
	// - The DNS resolution originates from cilium-agent, and not from the pods.
	// Differences between the responses seen by cilium agent and a particular
	// pod will whitelist the incorrect IP.
	// - DNS TTLs are ignored, and cilium-agent will repoll on a short interval
	// (5 seconds). Each change to the DNS data will trigger a policy
	// regeneration. This may result in delayed updates to the policy for an
	// endpoint when the data changes often or the system is under load.
	//
	// +optional
	ToFQDNs FQDNSelectorSlice `json:"toFQDNs,omitempty"`
	// ToGroups is a directive that allows the integration with multiple outside
	// providers. Currently, only AWS is supported, and the rule can select by
	// multiple sub directives:
	//
	// Example:
	// toGroups:
	// - aws:
	//     securityGroupsIds:
	//     - 'sg-XXXXXXXXXXXXX'
	// +optional
	ToGroups []ToGroups `json:"toGroups,omitempty"`
	// contains filtered or unexported fields
}
    EgressRule contains all rule types which can be applied at egress, i.e. network traffic that originates inside the endpoint and exits the endpoint selected by the endpointSelector.
- All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.
- If multiple members of the structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the ToRequires member; the effects of any Requires field in any rule will apply to all other rules as well.
- ToEndpoints, ToCIDR, ToCIDRSet, ToEntities, ToServices and ToGroups are mutually exclusive. Only one of these members may be present within an individual rule.
func (*EgressRule) CreateDerivative ¶ added in v1.5.0
func (e *EgressRule) CreateDerivative() (*EgressRule, error)
CreateDerivative returns a new rule, built from the data gathered by the rule, which forms a new derivative policy. In the ToGroups case it calls out through the groups callback, so this function can take some time.
func (*EgressRule) DeepCopy ¶ added in v1.5.0
func (in *EgressRule) DeepCopy() *EgressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EgressRule.
func (*EgressRule) DeepCopyInto ¶ added in v1.5.0
func (in *EgressRule) DeepCopyInto(out *EgressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*EgressRule) GetDestinationEndpointSelectorsWithRequirements ¶ added in v1.6.0
func (e *EgressRule) GetDestinationEndpointSelectorsWithRequirements(requirements []metav1.LabelSelectorRequirement) EndpointSelectorSlice
GetDestinationEndpointSelectorsWithRequirements returns a slice of endpoint selectors covering all L3 destination selectors of the egress rule.
func (*EgressRule) IsLabelBased ¶ added in v1.5.0
func (e *EgressRule) IsLabelBased() bool
IsLabelBased returns true if the L3 destination endpoints are selected based on labels, i.e. either by setting ToEndpoints or ToEntities, or by not setting any To field.
func (*EgressRule) RequiresDerivative ¶ added in v1.5.0
func (e *EgressRule) RequiresDerivative() bool
RequiresDerivative returns true when the EgressRule contains sections that need a derivative policy created in order to be enforced (e.g. ToGroups).
func (*EgressRule) SetAggregatedSelectors ¶ added in v1.5.0
func (e *EgressRule) SetAggregatedSelectors()
SetAggregatedSelectors creates a single slice containing all of the following fields within the EgressRule, converted to EndpointSelector, to be stored within the EgressRule for easy lookup while performing policy evaluation for the rule: ToEntities, ToCIDR, ToCIDRSet and ToFQDNs.
ToEndpoints is not aggregated due to requirement folding in GetDestinationEndpointSelectorsWithRequirements()
type EndpointSelector ¶
// EndpointSelector is a wrapper for k8s LabelSelector. The embedded
// *metav1.LabelSelector is exported, so its fields can be changed directly;
// SyncRequirementsWithLabelSelector exists to bring the unexported cached
// requirements back in line after such an edit, because the two can
// otherwise drift apart and matching would then follow the stale cache.
type EndpointSelector struct {
	*metav1.LabelSelector
	// contains filtered or unexported fields
}
    EndpointSelector is a wrapper for k8s LabelSelector.
func NewESFromK8sLabelSelector ¶
func NewESFromK8sLabelSelector(srcPrefix string, lss ...*metav1.LabelSelector) EndpointSelector
NewESFromK8sLabelSelector returns a new endpoint selector from the given label selectors, with srcPrefix encoded into the label keys.
func NewESFromLabels ¶
func NewESFromLabels(lbls ...labels.Label) EndpointSelector
NewESFromLabels creates a new endpoint selector from the given labels.
func NewESFromMatchRequirements ¶ added in v1.5.0
func NewESFromMatchRequirements(matchLabels map[string]string, reqs []metav1.LabelSelectorRequirement) EndpointSelector
NewESFromMatchRequirements creates a new endpoint selector from the given match specifications: An optional set of labels that must match, and an optional slice of LabelSelectorRequirements.
If the caller intends to reuse 'matchLabels' or 'reqs' after creating the EndpointSelector, they must make a copy of the parameter.
func (*EndpointSelector) AddMatch ¶ added in v1.5.0
func (n *EndpointSelector) AddMatch(key, value string)
AddMatch adds a match for 'key' == 'value' to the endpoint selector.
func (EndpointSelector) CachedString ¶ added in v1.6.0
func (n EndpointSelector) CachedString() string
CachedString returns the cached string representation of the LabelSelector for this EndpointSelector.
func (*EndpointSelector) ConvertToLabelSelectorRequirementSlice ¶ added in v1.5.0
func (n *EndpointSelector) ConvertToLabelSelectorRequirementSlice() []metav1.LabelSelectorRequirement
ConvertToLabelSelectorRequirementSlice converts the MatchLabels and MatchExpressions within the specified EndpointSelector into a list of LabelSelectorRequirements.
func (*EndpointSelector) DeepCopy ¶ added in v1.5.0
func (in *EndpointSelector) DeepCopy() *EndpointSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointSelector.
func (*EndpointSelector) DeepCopyInto ¶ added in v1.5.0
func (in *EndpointSelector) DeepCopyInto(out *EndpointSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (EndpointSelector) GetMatch ¶ added in v1.5.0
func (n EndpointSelector) GetMatch(key string) ([]string, bool)
GetMatch checks for a match on the specified key, and returns the value that the key must match, and true. If a match cannot be found, returns nil, false.
func (EndpointSelector) HasKey ¶ added in v1.5.0
func (n EndpointSelector) HasKey(key string) bool
HasKey checks if the endpoint selector contains the given key in its MatchLabels map or in its MatchExpressions slice.
func (EndpointSelector) HasKeyPrefix ¶
func (n EndpointSelector) HasKeyPrefix(prefix string) bool
HasKeyPrefix checks if the endpoint selector contains the given key prefix in its MatchLabels map and MatchExpressions slice.
func (*EndpointSelector) IsWildcard ¶ added in v1.5.0
func (n *EndpointSelector) IsWildcard() bool
IsWildcard returns true if the endpoint selector selects all endpoints.
func (*EndpointSelector) LabelSelectorString ¶ added in v1.5.0
func (n *EndpointSelector) LabelSelectorString() string
LabelSelectorString returns a user-friendly string representation of EndpointSelector.
func (EndpointSelector) MarshalJSON ¶
func (n EndpointSelector) MarshalJSON() ([]byte, error)
MarshalJSON returns the JSON encoding of the endpoint selector as a byte slice.
func (*EndpointSelector) Matches ¶
func (n *EndpointSelector) Matches(lblsToMatch k8sLbls.Labels) bool
Matches returns true if the endpoint selector matches `lblsToMatch`. It always returns true if the endpoint selector contains the reserved label for "all".
func (EndpointSelector) String ¶
func (n EndpointSelector) String() string
String returns a string representation of EndpointSelector.
func (*EndpointSelector) SyncRequirementsWithLabelSelector ¶ added in v1.5.0
func (n *EndpointSelector) SyncRequirementsWithLabelSelector()
SyncRequirementsWithLabelSelector ensures that the requirements within the specified EndpointSelector are in sync with the LabelSelector. This is because the LabelSelector has publicly accessible fields, which can be updated without concurrently updating the requirements, so the two fields can become out of sync.
func (*EndpointSelector) UnmarshalJSON ¶
func (n *EndpointSelector) UnmarshalJSON(b []byte) error
UnmarshalJSON unmarshals the endpoint selector from the byte array.
type EndpointSelectorSlice ¶ added in v1.5.0
type EndpointSelectorSlice []EndpointSelector
EndpointSelectorSlice is a slice of EndpointSelectors that can be sorted.
func (EndpointSelectorSlice) DeepCopy ¶ added in v1.5.0
func (in EndpointSelectorSlice) DeepCopy() EndpointSelectorSlice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EndpointSelectorSlice.
func (EndpointSelectorSlice) DeepCopyInto ¶ added in v1.5.0
func (in EndpointSelectorSlice) DeepCopyInto(out *EndpointSelectorSlice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (EndpointSelectorSlice) Len ¶ added in v1.5.0
func (s EndpointSelectorSlice) Len() int
func (EndpointSelectorSlice) Less ¶ added in v1.5.0
func (s EndpointSelectorSlice) Less(i, j int) bool
func (EndpointSelectorSlice) Matches ¶ added in v1.5.0
func (s EndpointSelectorSlice) Matches(ctx labels.LabelArray) bool
Matches returns true if any of the EndpointSelectors in the slice match the provided labels
func (EndpointSelectorSlice) SelectsAllEndpoints ¶ added in v1.5.0
func (s EndpointSelectorSlice) SelectsAllEndpoints() bool
SelectsAllEndpoints returns whether the EndpointSelectorSlice selects all endpoints, which is true if the wildcard endpoint selector is present in the slice.
func (EndpointSelectorSlice) Swap ¶ added in v1.5.0
func (s EndpointSelectorSlice) Swap(i, j int)
type Entity ¶ added in v1.5.0
type Entity string
Entity specifies the class of receiver/sender endpoints that do not have individual identities. Entities are used to describe "outside of cluster", "host", etc.
const (
	// EntityAll is an entity that represents all traffic
	EntityAll Entity = "all"

	// EntityWorld is an entity that represents traffic external to
	// endpoint's cluster
	EntityWorld Entity = "world"

	// EntityCluster is an entity that represents traffic within the
	// endpoint's cluster, to endpoints not managed by cilium
	EntityCluster Entity = "cluster"

	// EntityHost is an entity that represents traffic within endpoint host
	EntityHost Entity = "host"

	// EntityInit is an entity that represents an initializing endpoint
	EntityInit Entity = "init"

	// EntityNone is an entity that can be selected but never exists
	EntityNone Entity = "none"
)
type EntitySlice ¶ added in v1.5.0
type EntitySlice []Entity
EntitySlice is a slice of entities
func (EntitySlice) DeepCopy ¶ added in v1.5.0
func (in EntitySlice) DeepCopy() EntitySlice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new EntitySlice.
func (EntitySlice) DeepCopyInto ¶ added in v1.5.0
func (in EntitySlice) DeepCopyInto(out *EntitySlice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (EntitySlice) GetAsEndpointSelectors ¶ added in v1.5.0
func (s EntitySlice) GetAsEndpointSelectors() EndpointSelectorSlice
GetAsEndpointSelectors returns the provided entity slice as a slice of endpoint selectors
type FQDNSelector ¶ added in v1.5.0
// FQDNSelector selects DNS names, either literally through MatchName or by
// wildcard through MatchPattern. Both fields are optional on the wire; which
// combinations are valid is enforced elsewhere (not shown on this page).
type FQDNSelector struct {
	// MatchName matches literal DNS names. A trailing "." is automatically added
	// when missing.
	MatchName string `json:"matchName,omitempty"`
	// MatchPattern allows using wildcards to match DNS names. All wildcards are
	// case insensitive. The wildcards are:
	// - "*" matches 0 or more DNS valid characters, and may occur anywhere in
	// the pattern. As a special case a "*" as the leftmost character, without a
	// following "." matches all subdomains as well as the name to the right.
	// A trailing "." is automatically added when missing.
	//
	// Examples:
	// `*.cilium.io` matches subdomains of cilium at that level
	//   www.cilium.io and blog.cilium.io match, cilium.io and google.com do not
	// `*cilium.io` matches cilium.io and all subdomains 1 level below
	//   www.cilium.io, blog.cilium.io and cilium.io match, google.com does not
	// sub*.cilium.io matches subdomains of cilium where the subdomain component
	// begins with "sub"
	//   sub.cilium.io and subdomain.cilium.io match, www.cilium.io,
	//   blog.cilium.io, cilium.io and google.com do not
	MatchPattern string `json:"matchPattern,omitempty"`
}
    func (*FQDNSelector) DeepCopy ¶ added in v1.5.0
func (in *FQDNSelector) DeepCopy() *FQDNSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNSelector.
func (*FQDNSelector) DeepCopyInto ¶ added in v1.5.0
func (in *FQDNSelector) DeepCopyInto(out *FQDNSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*FQDNSelector) GetAsEndpointSelectors ¶ added in v1.5.0
func (s *FQDNSelector) GetAsEndpointSelectors() EndpointSelectorSlice
GetAsEndpointSelectors returns the FQDNSelector as a slice holding a single EntityNone EndpointSelector. Note that toFQDNs behaves differently from most other rules: the presence of any toFQDNs rule means the endpoint must enforce policy, but the IPs are later added as toCIDRSet entries and processed as such.
func (*FQDNSelector) String ¶ added in v1.6.0
func (s *FQDNSelector) String() string
func (*FQDNSelector) ToRegex ¶ added in v1.6.0
func (s *FQDNSelector) ToRegex() (*regexp.Regexp, error)
ToRegex converts the given FQDNSelector to its corresponding regular expression. If the MatchName field is set in the selector, it performs all needed formatting to ensure that the field is a valid regular expression.
type FQDNSelectorSlice ¶ added in v1.5.0
type FQDNSelectorSlice []FQDNSelector
FQDNSelectorSlice is a wrapper type for []FQDNSelector that makes it simpler to bind methods.
func (FQDNSelectorSlice) DeepCopy ¶ added in v1.5.0
func (in FQDNSelectorSlice) DeepCopy() FQDNSelectorSlice
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new FQDNSelectorSlice.
func (FQDNSelectorSlice) DeepCopyInto ¶ added in v1.5.0
func (in FQDNSelectorSlice) DeepCopyInto(out *FQDNSelectorSlice)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (FQDNSelectorSlice) GetAsEndpointSelectors ¶ added in v1.5.0
func (s FQDNSelectorSlice) GetAsEndpointSelectors() EndpointSelectorSlice
GetAsEndpointSelectors will return a single EntityNone if any toFQDNs rules exist, and a nil slice otherwise.
type GroupProviderFunc ¶ added in v1.5.0
GroupProviderFunc is a function that needs to be registered in order to add a new group provider to the platform.
type IngressRule ¶
type IngressRule struct {
	// FromEndpoints is a list of endpoints identified by an
	// EndpointSelector which are allowed to communicate with the endpoint
	// subject to the rule.
	//
	// Example:
	// Any endpoint with the label "role=backend" can be consumed by any
	// endpoint carrying the label "role=frontend".
	//
	// +optional
	FromEndpoints []EndpointSelector `json:"fromEndpoints,omitempty"`
	// FromRequires is a list of additional constraints which must be met
	// in order for the selected endpoints to be reachable. These
	// additional constraints do not by themselves grant access privileges
	// and must always be accompanied by at least one matching FromEndpoints.
	//
	// Example:
	// Any endpoint with the label "team=A" requires the consuming endpoint
	// to also carry the label "team=A".
	//
	// +optional
	FromRequires []EndpointSelector `json:"fromRequires,omitempty"`
	// ToPorts is a list of destination ports identified by port number and
	// protocol which the endpoint subject to the rule is allowed to
	// receive connections on.
	//
	// Example:
	// Any endpoint with the label "app=httpd" can only accept incoming
	// connections on port 80/tcp.
	//
	// +optional
	ToPorts []PortRule `json:"toPorts,omitempty"`
	// FromCIDR is a list of IP blocks which the endpoint subject to the
	// rule is allowed to receive connections from. Only connections which
	// do *not* originate from the cluster or from the local host are subject
	// to CIDR rules; a CIDR entry covering pod or host addresses therefore
	// does not grant in-cluster peers access. In order to allow in-cluster
	// connectivity, use the FromEndpoints field. This will match on the
	// source IP address of incoming connections. Adding a prefix into
	// FromCIDR or into FromCIDRSet with no ExcludeCIDRs is equivalent.
	// Overlaps are allowed between FromCIDR and FromCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=my-legacy-pet" is allowed to receive
	// connections from 10.3.9.1
	//
	// +optional
	FromCIDR CIDRSlice `json:"fromCIDR,omitempty"`
	// FromCIDRSet is a list of IP blocks which the endpoint subject to the
	// rule is allowed to receive connections from in addition to FromEndpoints,
	// along with a list of subnets contained within their corresponding IP block
	// from which traffic should not be allowed.
	// This will match on the source IP address of incoming connections. Adding
	// a prefix into FromCIDR or into FromCIDRSet with no ExcludeCIDRs is
	// equivalent. Overlaps are allowed between FromCIDR and FromCIDRSet.
	//
	// Example:
	// Any endpoint with the label "app=my-legacy-pet" is allowed to receive
	// connections from 10.0.0.0/8 except from IPs in subnet 10.96.0.0/12.
	//
	// +optional
	FromCIDRSet CIDRRuleSlice `json:"fromCIDRSet,omitempty"`
	// FromEntities is a list of special entities which the endpoint subject
	// to the rule is allowed to receive connections from. Supported entities are
	// `world`, `cluster` and `host`.
	//
	// +optional
	FromEntities EntitySlice `json:"fromEntities,omitempty"`
	// contains filtered or unexported fields
}
    IngressRule contains all rule types which can be applied at ingress, i.e. network traffic that originates outside of the endpoint and is entering the endpoint selected by the endpointSelector.
- All members of this structure are optional. If omitted or empty, the member will have no effect on the rule.
- If multiple members are set, all of them need to match in order for the rule to take effect. The exception to this rule is FromRequires field; the effects of any Requires field in any rule will apply to all other rules as well.
- For now, combining ToPorts, FromCIDR, and FromEndpoints in the same rule is not supported and any such rules will be rejected. In the future, this will be supported and if multiple members of this structure are specified, then all members must match in order for the rule to take effect. The exception to this rule is the Requires field, the effects of any Requires field in any rule will apply to all other rules as well.
func (*IngressRule) DeepCopy ¶ added in v1.5.0
func (in *IngressRule) DeepCopy() *IngressRule
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new IngressRule.
func (*IngressRule) DeepCopyInto ¶ added in v1.5.0
func (in *IngressRule) DeepCopyInto(out *IngressRule)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*IngressRule) GetSourceEndpointSelectorsWithRequirements ¶ added in v1.6.0
func (i *IngressRule) GetSourceEndpointSelectorsWithRequirements(requirements []metav1.LabelSelectorRequirement) EndpointSelectorSlice
GetSourceEndpointSelectorsWithRequirements returns a slice of endpoints selectors covering all L3 source selectors of the ingress rule
func (*IngressRule) IsLabelBased ¶ added in v1.5.0
func (i *IngressRule) IsLabelBased() bool
IsLabelBased returns true if the L3 source endpoints are selected based on labels, i.e. either by setting FromEndpoints or FromEntities, or by not setting any From field.
func (*IngressRule) SetAggregatedSelectors ¶ added in v1.5.0
func (i *IngressRule) SetAggregatedSelectors()
SetAggregatedSelectors creates a single slice containing all of the following fields within the IngressRule, converted to EndpointSelector, to be stored within the IngressRule for easy lookup while performing policy evaluation for the rule: FromEntities, FromCIDR and FromCIDRSet.
FromEndpoints is not aggregated due to requirement folding in GetSourceEndpointSelectorsWithRequirements()
type K8sServiceNamespace ¶ added in v1.5.0
type K8sServiceNamespace struct {
	// ServiceName is the name of the k8s service being selected.
	ServiceName string `json:"serviceName,omitempty"`
	// Namespace is the k8s namespace the service lives in.
	Namespace   string `json:"namespace,omitempty"`
}
    K8sServiceNamespace is an abstraction for the k8s service + namespace types.
func (*K8sServiceNamespace) DeepCopy ¶ added in v1.5.0
func (in *K8sServiceNamespace) DeepCopy() *K8sServiceNamespace
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8sServiceNamespace.
func (*K8sServiceNamespace) DeepCopyInto ¶ added in v1.5.0
func (in *K8sServiceNamespace) DeepCopyInto(out *K8sServiceNamespace)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type K8sServiceSelectorNamespace ¶ added in v1.5.0
type K8sServiceSelectorNamespace struct {
	// Selector is the label selector applied to k8s services. It carries no
	// omitempty tag and is always serialized.
	Selector  ServiceSelector `json:"selector"`
	// Namespace restricts the selector to a single k8s namespace.
	Namespace string          `json:"namespace,omitempty"`
}
    K8sServiceSelectorNamespace wraps service selector with namespace
func (*K8sServiceSelectorNamespace) DeepCopy ¶ added in v1.5.0
func (in *K8sServiceSelectorNamespace) DeepCopy() *K8sServiceSelectorNamespace
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new K8sServiceSelectorNamespace.
func (*K8sServiceSelectorNamespace) DeepCopyInto ¶ added in v1.5.0
func (in *K8sServiceSelectorNamespace) DeepCopyInto(out *K8sServiceSelectorNamespace)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type KafkaRole ¶ added in v1.5.0
// KafkaRole holds the low-level Kafka apiKeys that a Role expands to.
type KafkaRole []int16
KafkaRole is the list of all low-level apiKeys to be expanded as per the value of Role
func (KafkaRole) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new KafkaRole.
func (KafkaRole) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type L4Proto ¶ added in v1.5.0
// L4Proto is a layer 4 protocol name; ParseL4Proto converts a string into one.
type L4Proto string
L4Proto is a layer 4 protocol name
func ParseL4Proto ¶ added in v1.5.0
ParseL4Proto parses a string as layer 4 protocol
type L7Rules ¶
type L7Rules struct {
	// HTTP specific rules.
	//
	// +optional
	HTTP []PortRuleHTTP `json:"http,omitempty"`
	// Kafka-specific rules.
	//
	// +optional
	Kafka []PortRuleKafka `json:"kafka,omitempty"`
	// DNS-specific rules.
	//
	// +optional
	DNS []PortRuleDNS `json:"dns,omitempty"`
	// Name of the L7 protocol for which the key-value pair rules (L7) apply.
	//
	// +optional
	L7Proto string `json:"l7proto,omitempty"`
	// Key-value pair rules, interpreted by the protocol named in L7Proto.
	//
	// +optional
	L7 []PortRuleL7 `json:"l7,omitempty"`
}
    L7Rules is a union of port level rule types. Mixing of different port level rule types is disallowed, so exactly one of the following must be set. If none are specified, then no additional port level rules are applied.
func (*L7Rules) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new L7Rules.
func (*L7Rules) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PortProtocol ¶
type PortProtocol struct {
	// Port is an L4 port number. For now the string will be strictly
	// parsed as a single uint16. In the future, this field may support
	// ranges in the form "1024-2048".
	Port string `json:"port"`
	// Protocol is the L4 protocol. If omitted or empty, any protocol
	// matches. Accepted values: "TCP", "UDP", ""/"ANY"
	//
	// Matching on ICMP is not supported.
	//
	// +optional
	Protocol L4Proto `json:"protocol,omitempty"`
}
    PortProtocol specifies an L4 port with an optional transport protocol
func (PortProtocol) Covers ¶ added in v1.6.0
func (p PortProtocol) Covers(other PortProtocol) bool
Covers returns true if the ports and protocol specified in the receiver PortProtocol are equal to or a superset of the ports and protocol in 'other'.
func (*PortProtocol) DeepCopy ¶ added in v1.5.0
func (in *PortProtocol) DeepCopy() *PortProtocol
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortProtocol.
func (*PortProtocol) DeepCopyInto ¶ added in v1.5.0
func (in *PortProtocol) DeepCopyInto(out *PortProtocol)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PortRule ¶
type PortRule struct {
	// Ports is a list of L4 port/protocol pairs.
	//
	// If omitted or empty but RedirectPort is set, then all ports of the
	// endpoint subject to either the ingress or egress rule are being
	// redirected.
	//
	// +optional
	Ports []PortProtocol `json:"ports,omitempty"`
	// Rules is a list of additional port level rules which must be met in
	// order for the PortRule to allow the traffic. If omitted or empty
	// (nil pointer), no layer 7 rules are enforced.
	//
	// +optional
	Rules *L7Rules `json:"rules,omitempty"`
}
    PortRule is a list of ports/protocol combinations with optional Layer 7 rules which must be met.
func (*PortRule) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRule.
func (*PortRule) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type PortRuleDNS ¶ added in v1.5.0
// PortRuleDNS is a defined type over FQDNSelector (not an alias): it shares
// the selector's fields but carries its own method set (Equal, Exists, Sanitize).
type PortRuleDNS FQDNSelector
PortRuleDNS is a list of allowed DNS lookups.
func (*PortRuleDNS) DeepCopy ¶ added in v1.5.0
func (in *PortRuleDNS) DeepCopy() *PortRuleDNS
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRuleDNS.
func (*PortRuleDNS) DeepCopyInto ¶ added in v1.5.0
func (in *PortRuleDNS) DeepCopyInto(out *PortRuleDNS)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PortRuleDNS) Equal ¶ added in v1.5.0
func (d *PortRuleDNS) Equal(o PortRuleDNS) bool
Equal returns true if both rules are equal
func (*PortRuleDNS) Exists ¶ added in v1.5.0
func (d *PortRuleDNS) Exists(rules L7Rules) bool
Exists returns true if the DNS rule already exists in the list of rules
func (*PortRuleDNS) Sanitize ¶ added in v1.5.0
func (r *PortRuleDNS) Sanitize() error
Sanitize checks that the matchName in the portRule can be compiled as a regex. It does not check that a DNS name is a valid DNS name.
type PortRuleHTTP ¶
type PortRuleHTTP struct {
	// Path is an extended POSIX regex matched against the path of a
	// request. Currently it can contain characters disallowed from the
	// conventional "path" part of a URL as defined by RFC 3986.
	//
	// If omitted or empty, all paths are allowed.
	//
	// +optional
	Path string `json:"path,omitempty"`
	// Method is an extended POSIX regex matched against the method of a
	// request, e.g. "GET", "POST", "PUT", "PATCH", "DELETE", ...
	//
	// If omitted or empty, all methods are allowed.
	//
	// +optional
	Method string `json:"method,omitempty"`
	// Host is an extended POSIX regex matched against the host header of a
	// request, e.g. "foo.com"
	//
	// If omitted or empty, the value of the host header is ignored.
	//
	// NOTE(review): Sanitize is documented as validating Path and Method;
	// whether Host is validated the same way is not stated here — confirm.
	//
	// +optional
	Host string `json:"host,omitempty"`
	// Headers is a list of HTTP headers which must be present in the
	// request. If omitted or empty, requests are allowed regardless of
	// headers present.
	//
	// +optional
	Headers []string `json:"headers,omitempty"`
}
    PortRuleHTTP is a list of HTTP protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.
All fields of this type are extended POSIX regex as defined by IEEE Std 1003.1, (i.e this follows the egrep/unix syntax, not the perl syntax) matched against the path of an incoming request. Currently it can contain characters disallowed from the conventional "path" part of a URL as defined by RFC 3986.
func (*PortRuleHTTP) DeepCopy ¶ added in v1.5.0
func (in *PortRuleHTTP) DeepCopy() *PortRuleHTTP
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRuleHTTP.
func (*PortRuleHTTP) DeepCopyInto ¶ added in v1.5.0
func (in *PortRuleHTTP) DeepCopyInto(out *PortRuleHTTP)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PortRuleHTTP) Equal ¶ added in v1.5.0
func (h *PortRuleHTTP) Equal(o PortRuleHTTP) bool
Equal returns true if both HTTP rules are equal
func (*PortRuleHTTP) Exists ¶ added in v1.5.0
func (h *PortRuleHTTP) Exists(rules L7Rules) bool
Exists returns true if the HTTP rule already exists in the list of rules
func (*PortRuleHTTP) Sanitize ¶ added in v1.5.0
func (h *PortRuleHTTP) Sanitize() error
Sanitize sanitizes HTTP rules. It ensures that the path and method fields are valid regular expressions. Note that the proxy may support a wider-range of regular expressions (e.g. that specified by ECMAScript), so this function may return some false positives. If the rule is invalid, returns an error.
type PortRuleKafka ¶ added in v1.5.0
type PortRuleKafka struct {
	// Role, if set, names a group of Kafka API keys; MapRoleToAPIKey
	// expands it to the low-level set of apiKeys for that role.
	//
	// +optional
	Role string `json:"role,omitempty"`
	// APIKey is a case-insensitive string matched against the key of a
	// request, e.g. "produce", "fetch", "createtopic", "deletetopic", et al
	// Reference: https://kafka.apache.org/protocol#protocol_api_keys
	//
	// If omitted or empty, and if Role is not specified, then all keys are allowed.
	//
	// +optional
	APIKey string `json:"apiKey,omitempty"`
	// APIVersion is the version matched against the api version of the
	// Kafka message. If set, it has to be a string representing a positive
	// integer.
	//
	// If omitted or empty, all versions are allowed.
	//
	// +optional
	APIVersion string `json:"apiVersion,omitempty"`
	// ClientID is the client identifier as provided in the request.
	//
	// From Kafka protocol documentation:
	// This is a user supplied identifier for the client application. The
	// user can use any identifier they like and it will be used when
	// logging errors, monitoring aggregates, etc. For example, one might
	// want to monitor not just the requests per second overall, but the
	// number coming from each client application (each of which could
	// reside on multiple servers). This id acts as a logical grouping
	// across all requests from a particular client.
	//
	// Because the identifier is user supplied, it is not an authenticated
	// property of the client.
	//
	// If omitted or empty, all client identifiers are allowed.
	//
	// +optional
	ClientID string `json:"clientID,omitempty"`
	// Topic is the topic name contained in the message. If a Kafka request
	// contains multiple topics, then all topics must be allowed or the
	// message will be rejected.
	//
	// This constraint is ignored if the matched request message type
	// doesn't contain any topic. Maximum size of Topic can be 249
	// characters as per recent Kafka spec and allowed characters are
	// a-z, A-Z, 0-9, -, . and _
	// Older Kafka versions had longer topic lengths of 255, but in Kafka 0.10
	// version the length was changed from 255 to 249. For compatibility
	// reasons we are using 255.
	//
	// If omitted or empty, all topics are allowed.
	//
	// +optional
	Topic string `json:"topic,omitempty"`
	// contains filtered or unexported fields
}
    PortRuleKafka is a list of Kafka protocol constraints. All fields are optional, if all fields are empty or missing, the rule will match all Kafka messages.
func (*PortRuleKafka) CheckAPIKeyRole ¶ added in v1.5.0
func (kr *PortRuleKafka) CheckAPIKeyRole(kind int16) bool
CheckAPIKeyRole checks the apiKey value in the request and returns true if it is allowed, else false.
func (*PortRuleKafka) DeepCopy ¶ added in v1.5.0
func (in *PortRuleKafka) DeepCopy() *PortRuleKafka
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRuleKafka.
func (*PortRuleKafka) DeepCopyInto ¶ added in v1.5.0
func (in *PortRuleKafka) DeepCopyInto(out *PortRuleKafka)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PortRuleKafka) Equal ¶ added in v1.5.0
func (k *PortRuleKafka) Equal(o PortRuleKafka) bool
Equal returns true if both rules are equal
func (*PortRuleKafka) Exists ¶ added in v1.5.0
func (k *PortRuleKafka) Exists(rules L7Rules) bool
Exists returns true if the Kafka rule already exists in the list of rules
func (*PortRuleKafka) GetAPIVersion ¶ added in v1.5.0
func (kr *PortRuleKafka) GetAPIVersion() (int16, bool)
GetAPIVersion returns the APIVersion as an integer, or the bool set to true if any API version is allowed.
func (*PortRuleKafka) MapRoleToAPIKey ¶ added in v1.5.0
func (kr *PortRuleKafka) MapRoleToAPIKey() error
MapRoleToAPIKey maps the Role to the low level set of APIKeys for that role
func (*PortRuleKafka) Sanitize ¶ added in v1.5.0
func (kr *PortRuleKafka) Sanitize() error
Sanitize sanitizes Kafka rules. TODO: add support for checking wildcards and prefix/suffix matching later on.
type PortRuleL7 ¶ added in v1.5.0
PortRuleL7 is a list of key-value pairs interpreted by a L7 protocol as protocol constraints. All fields are optional, if all fields are empty or missing, the rule does not have any effect.
func (PortRuleL7) DeepCopy ¶ added in v1.5.0
func (in PortRuleL7) DeepCopy() PortRuleL7
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PortRuleL7.
func (PortRuleL7) DeepCopyInto ¶ added in v1.5.0
func (in PortRuleL7) DeepCopyInto(out *PortRuleL7)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*PortRuleL7) Equal ¶ added in v1.5.0
func (h *PortRuleL7) Equal(o PortRuleL7) bool
Equal returns true if both L7 rules are equal
func (*PortRuleL7) Exists ¶ added in v1.5.0
func (h *PortRuleL7) Exists(rules L7Rules) bool
Exists returns true if the L7 rule already exists in the list of rules
func (*PortRuleL7) Sanitize ¶ added in v1.5.0
func (rule *PortRuleL7) Sanitize() error
Sanitize sanitizes key-value pair rules. It makes sure keys are present.
type Rule ¶
type Rule struct {
	// EndpointSelector selects all endpoints which should be subject to
	// this rule. Cannot be empty.
	EndpointSelector EndpointSelector `json:"endpointSelector"`
	// Ingress is a list of IngressRule which are enforced at ingress.
	// If omitted or empty, this rule does not apply at ingress.
	//
	// +optional
	Ingress []IngressRule `json:"ingress,omitempty"`
	// Egress is a list of EgressRule which are enforced at egress.
	// If omitted or empty, this rule does not apply at egress.
	//
	// +optional
	Egress []EgressRule `json:"egress,omitempty"`
	// Labels is a list of optional strings which can be used to
	// re-identify the rule or to store metadata. It is possible to look up
	// or delete rules based on labels. Labels are not required to be
	// unique; multiple rules can have overlapping or identical labels.
	//
	// +optional
	Labels labels.LabelArray `json:"labels,omitempty"`
	// Description is a free form string, it can be used by the creator of
	// the rule to store a human readable explanation of the purpose of this
	// rule. Rules cannot be identified by their description; use Labels
	// for that.
	//
	// +optional
	Description string `json:"description,omitempty"`
}
    Rule is a policy rule which must be applied to all endpoints which match the labels contained in the endpointSelector
Each rule is split into an ingress section which contains all rules applicable at ingress, and an egress section applicable at egress. For rule types such as `L4Rule` and `CIDR` which can be applied at both ingress and egress, both ingress and egress side have to either specifically allow the connection or one side has to be omitted.
Either ingress, egress, or both can be provided. If both ingress and egress are omitted, the rule has no effect.
func NewRule ¶ added in v1.5.0
func NewRule() *Rule
NewRule builds a new rule with no selector and no policy.
func (*Rule) CreateDerivative ¶ added in v1.5.0
CreateDerivative will return a new Rule with the new data gathered by the rules that autogenerate a new Rule.
func (*Rule) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rule.
func (*Rule) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*Rule) RequiresDerivative ¶ added in v1.5.0
RequiresDerivative returns true if the rule has a derivative rule.
func (Rule) Sanitize ¶ added in v1.5.0
Sanitize validates and sanitizes a policy rule. Minor edits such as capitalization of the protocol name are automatically fixed up. More fundamental violations will cause an error to be returned.
func (*Rule) WithDescription ¶ added in v1.5.0
WithDescription configures the Rule with the specified description metadata.
func (*Rule) WithEgressRules ¶ added in v1.5.0
func (r *Rule) WithEgressRules(rules []EgressRule) *Rule
WithEgressRules configures the Rule with the specified rules.
func (*Rule) WithEndpointSelector ¶ added in v1.5.0
func (r *Rule) WithEndpointSelector(es EndpointSelector) *Rule
WithEndpointSelector configures the Rule with the specified selector.
func (*Rule) WithIngressRules ¶ added in v1.5.0
func (r *Rule) WithIngressRules(rules []IngressRule) *Rule
WithIngressRules configures the Rule with the specified rules.
func (*Rule) WithLabels ¶ added in v1.5.0
func (r *Rule) WithLabels(labels labels.LabelArray) *Rule
WithLabels configures the Rule with the specified labels metadata.
type Rules ¶
// Rules is a collection of *Rule; every rule must be evaluated before a
// policy decision is reached.
type Rules []*Rule
Rules is a collection of api.Rule.
All rules must be evaluated in order to come to a conclusion. While it is sufficient to have a single fromEndpoints rule match, none of the fromRequires may be violated at the same time.
func (Rules) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Rules.
func (Rules) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type Service ¶ added in v1.5.0
type Service struct {
	// K8sServiceSelector selects services by k8s labels and namespace.
	K8sServiceSelector *K8sServiceSelectorNamespace `json:"k8sServiceSelector,omitempty"`
	// K8sService selects a service by name and namespace pair.
	K8sService *K8sServiceNamespace `json:"k8sService,omitempty"`
}
    Service wraps around selectors for services
func (*Service) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Service.
func (*Service) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ServiceSelector ¶ added in v1.5.0
// ServiceSelector is a defined type over EndpointSelector (not an alias) used
// to select k8s services by label; it does not inherit EndpointSelector's methods.
type ServiceSelector EndpointSelector
ServiceSelector is a label selector for k8s services
func (*ServiceSelector) DeepCopy ¶ added in v1.5.0
func (in *ServiceSelector) DeepCopy() *ServiceSelector
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ServiceSelector.
func (*ServiceSelector) DeepCopyInto ¶ added in v1.5.0
func (in *ServiceSelector) DeepCopyInto(out *ServiceSelector)
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
type ToGroups ¶ added in v1.5.0
type ToGroups struct {
	// AWS, when non-nil, selects the AWS group integration.
	AWS *AWSGroup `json:"aws,omitempty"`
}
ToGroups is a structure that stores all kinds of new integrations which need a new derivative policy.
func (*ToGroups) DeepCopy ¶ added in v1.5.0
DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new ToGroups.
func (*ToGroups) DeepCopyInto ¶ added in v1.5.0
DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
func (*ToGroups) GetCidrSet ¶ added in v1.5.0
GetCidrSet will return the CIDRRule for the rule using the callbacks that are registered in the platform.