Documentation
Overview
Package policy implements the registry's network-policy and expression-policy handlers. It is extracted from pkg/registry/server as part of the R2.4 registry decomposition.
Thread safety: all exported methods are safe for concurrent use; locking is delegated to the Read/Write callbacks supplied by the parent server.
Index
- type AuthChecker
- type Callbacks
- type EnterpriseChecker
- type ExprPolicy
- type NetworkPolicy
- type NetworkState
- type PolicyReader
- type PolicyWriter
- type Store
- func NewStore(read PolicyReader, write PolicyWriter, auth AuthChecker, enterprise EnterpriseChecker, cb Callbacks) *Store
- func (st *Store) HandleGetExprPolicy(msg map[string]interface{}) (map[string]interface{}, error)
- func (st *Store) HandleGetNetworkPolicy(msg map[string]interface{}) (map[string]interface{}, error)
- func (st *Store) HandleSetExprPolicy(msg map[string]interface{}) (map[string]interface{}, error)
- func (st *Store) HandleSetNetworkPolicy(msg map[string]interface{}) (map[string]interface{}, error)
Constants
This section is empty.
Variables
This section is empty.
Functions
This section is empty.
Types
type AuthChecker
AuthChecker verifies that the requester is allowed to mutate the named network's policy (owner/admin role or admin token). Returning a non-nil error rejects the request.
type Callbacks
type Callbacks struct {
	// Save triggers a debounced snapshot write.
	Save func()
	// Audit records an audit log entry.
	Audit func(action string, attrs ...any)
	// IncPolicyChanges increments the pilot_policy_changes_total counter.
	IncPolicyChanges func()
}
Callbacks bundles the side-effect functions the Store calls on state changes. All functions must be safe for concurrent use.
type EnterpriseChecker
EnterpriseChecker verifies that the given network has the Enterprise flag. Returning a non-nil error rejects the request.
type ExprPolicy
type ExprPolicy = json.RawMessage
ExprPolicy holds the raw JSON bytes for a programmable expression-policy document (nil = none set).
type NetworkPolicy
type NetworkPolicy struct {
	MaxMembers   int      `json:"max_members"`   // 0 = unlimited
	AllowedPorts []uint16 `json:"allowed_ports"` // empty = all ports allowed
	Description  string   `json:"description"`   // human-readable description
}
NetworkPolicy defines constraints and metadata for a network. Field shape mirrors server.NetworkPolicy for mechanical adoption.
type NetworkState
type NetworkState struct {
	Policy      NetworkPolicy
	Expr        ExprPolicy
	MemberCount int // current member count for max_members enforcement
}
NetworkState is the policy-relevant snapshot of a network returned by PolicyReader.
type PolicyReader
type PolicyReader func(netID uint16) (NetworkState, error)
PolicyReader reads the current NetworkState for a network. Implementations must be safe for concurrent use and must acquire whatever locks are needed internally.
type PolicyWriter
type PolicyWriter func(netID uint16, policy NetworkPolicy, expr ExprPolicy) error
PolicyWriter persists an updated NetworkPolicy and ExprPolicy for a network. Passing a nil expr clears any existing expression-policy document. Implementations must be safe for concurrent use and must acquire whatever locks are needed internally.
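The following is an added example, not code from this package: an in-memory backend that satisfies the PolicyReader and PolicyWriter contracts described above (each callback takes the backend's own lock, a nil expr clears the expression-policy document, and the reader hands out a snapshot whose slices are copies), together with an Admit function that applies the NetworkPolicy field semantics of 0 = unlimited and empty = all ports allowed. The type declarations are restated from this page; MemBackend, NewMemBackend, AddNetwork and Admit are illustrative names that do not exist in the package.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Types restated from this page so the example compiles on its own.
type ExprPolicy = json.RawMessage
type NetworkPolicy struct {
	MaxMembers   int      `json:"max_members"`   // 0 = unlimited
	AllowedPorts []uint16 `json:"allowed_ports"` // empty = all ports allowed
	Description  string   `json:"description"`
}
type NetworkState struct {
	Policy      NetworkPolicy
	Expr        ExprPolicy
	MemberCount int
}
type PolicyReader func(netID uint16) (NetworkState, error)
type PolicyWriter func(netID uint16, policy NetworkPolicy, expr ExprPolicy) error

var ErrNotFound = errors.New("network not found")

// MemBackend is a constructed in-memory backend. The callbacks it hands out take the backend's
// own lock, which is the contract the page sets for PolicyReader/PolicyWriter implementations.
type MemBackend struct {
	mu   sync.RWMutex
	nets map[uint16]*NetworkState
}

func NewMemBackend() *MemBackend { return &MemBackend{nets: map[uint16]*NetworkState{}} }

// AddNetwork registers a network with its current member count and no policy yet.
func (m *MemBackend) AddNetwork(id uint16, members int) {
	m.mu.Lock()
	defer m.mu.Unlock()
	m.nets[id] = &NetworkState{MemberCount: members}
}

func (m *MemBackend) Reader() PolicyReader {
	return func(id uint16) (NetworkState, error) {
		m.mu.RLock()
		defer m.mu.RUnlock()
		st, ok := m.nets[id]
		if !ok {
			return NetworkState{}, ErrNotFound
		}
		// Return a snapshot whose slices are copies, so a caller cannot mutate
		// shared state after the lock has been released.
		cp := *st
		cp.Policy.AllowedPorts = append([]uint16(nil), st.Policy.AllowedPorts...)
		cp.Expr = append(ExprPolicy(nil), st.Expr...)
		return cp, nil
	}
}

func (m *MemBackend) Writer() PolicyWriter {
	return func(id uint16, policy NetworkPolicy, expr ExprPolicy) error {
		m.mu.Lock()
		defer m.mu.Unlock()
		st, ok := m.nets[id]
		if !ok {
			return ErrNotFound
		}
		st.Policy = policy
		st.Policy.AllowedPorts = append([]uint16(nil), policy.AllowedPorts...)
		// Appending nothing to a nil slice yields nil, so a nil expr clears the
		// expression-policy document exactly as the page specifies.
		st.Expr = append(ExprPolicy(nil), expr...)
		return nil
	}
}

// Admit applies the NetworkPolicy field semantics to a join request on the given port:
// max_members 0 means unlimited, and an empty allowed_ports list means every port is allowed.
func Admit(st NetworkState, port uint16) error {
	if st.Policy.MaxMembers > 0 && st.MemberCount >= st.Policy.MaxMembers {
		return fmt.Errorf("network full: %d/%d members", st.MemberCount, st.Policy.MaxMembers)
	}
	if len(st.Policy.AllowedPorts) == 0 {
		return nil
	}
	for _, p := range st.Policy.AllowedPorts {
		if p == port {
			return nil
		}
	}
	return fmt.Errorf("port %d is not in allowed_ports", port)
}

func main() {
	b := NewMemBackend()
	b.AddNetwork(7, 1) // constructed sample network with one member
	_ = b.Writer()(7, NetworkPolicy{MaxMembers: 2, AllowedPorts: []uint16{443}}, ExprPolicy(`{"allow":true}`))
	st, _ := b.Reader()(7)
	fmt.Println(Admit(st, 443), Admit(st, 22), string(st.Expr))
}
```

Two points worth noting from the field comments: an empty allowed_ports list is default-open, so an operator who wants to restrict ports has to list them explicitly, and the reader's copy of the slices is what keeps the "safe for concurrent use" promise honest once the lock is released.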
type Store
type Store struct {
	// contains filtered or unexported fields
}
Store holds the network-policy handler logic and delegates state mutations via PolicyReader / PolicyWriter callbacks.
func NewStore
func NewStore(read PolicyReader, write PolicyWriter, auth AuthChecker, enterprise EnterpriseChecker, cb Callbacks) *Store
NewStore creates a ready-to-use policy Store.
func (*Store) HandleGetExprPolicy
HandleGetExprPolicy returns the programmable expression-policy for a network.
func (*Store) HandleGetNetworkPolicy
HandleGetNetworkPolicy returns the policy for a given network. Any caller may query the policy (no role check required).
func (*Store) HandleSetExprPolicy
HandleSetExprPolicy sets or replaces the programmable expression-policy for a network. Requires owner or admin role (or global/per-network admin token).
func (*Store) HandleSetNetworkPolicy
HandleSetNetworkPolicy sets or updates a network's policy constraints. Requires owner or admin role (or global/per-network admin token). Enterprise gate applies: only enterprise networks may have policies.
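Added example, not the package's own code: a minimal reconstruction of the check order the Set handlers document, with the role check first, the enterprise gate second, and the PolicyWriter reached only when both pass. The page gives only the purpose of AuthChecker and EnterpriseChecker, so their parameters here are assumed; Roles, Recorder and SetNetworkPolicy are illustrative names, and the Recorder exists so the caller can prove a rejected request never reaches the writer.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sync"
)

// Types restated from this page; the AuthChecker and EnterpriseChecker parameters are
// assumed, since the page documents only what they decide.
type ExprPolicy = json.RawMessage
type NetworkPolicy struct {
	MaxMembers   int      `json:"max_members"`
	AllowedPorts []uint16 `json:"allowed_ports"`
	Description  string   `json:"description"`
}
type PolicyWriter func(netID uint16, policy NetworkPolicy, expr ExprPolicy) error
type AuthChecker func(netID uint16, requester string) error
type EnterpriseChecker func(netID uint16) error

var ErrForbidden = errors.New("owner or admin role required")
var ErrNotEnterprise = errors.New("network lacks the Enterprise flag")

// Roles is a constructed directory of per-network owner/admin roles and Enterprise flags.
type Roles struct {
	mu         sync.RWMutex
	admins     map[uint16]map[string]bool
	enterprise map[uint16]bool
}

func NewRoles() *Roles {
	return &Roles{admins: map[uint16]map[string]bool{}, enterprise: map[uint16]bool{}}
}

func (r *Roles) Add(netID uint16, owner string, enterprise bool) {
	r.mu.Lock()
	defer r.mu.Unlock()
	r.admins[netID] = map[string]bool{owner: true}
	r.enterprise[netID] = enterprise
}

// Auth rejects anyone who does not hold the owner/admin role on the network;
// an unknown network has no roles and is rejected as well.
func (r *Roles) Auth() AuthChecker {
	return func(netID uint16, requester string) error {
		r.mu.RLock()
		defer r.mu.RUnlock()
		if !r.admins[netID][requester] {
			return ErrForbidden
		}
		return nil
	}
}

// Enterprise rejects networks without the Enterprise flag.
func (r *Roles) Enterprise() EnterpriseChecker {
	return func(netID uint16) error {
		r.mu.RLock()
		defer r.mu.RUnlock()
		if !r.enterprise[netID] {
			return ErrNotEnterprise
		}
		return nil
	}
}

// Recorder is a PolicyWriter that only records which networks were written.
type Recorder struct {
	mu     sync.Mutex
	Writes []uint16
}

func (rec *Recorder) Write(netID uint16, _ NetworkPolicy, _ ExprPolicy) error {
	rec.mu.Lock()
	defer rec.mu.Unlock()
	rec.Writes = append(rec.Writes, netID)
	return nil
}

// SetNetworkPolicy follows the order HandleSetNetworkPolicy documents: role check first, then
// the enterprise gate, and only then the write. Any error aborts before persistence.
func SetNetworkPolicy(auth AuthChecker, ent EnterpriseChecker, write PolicyWriter,
	netID uint16, requester string, policy NetworkPolicy, expr ExprPolicy) error {
	if err := auth(netID, requester); err != nil {
		return err
	}
	if err := ent(netID); err != nil {
		return err
	}
	return write(netID, policy, expr)
}

func main() {
	roles, rec := NewRoles(), &Recorder{}
	roles.Add(7, "alice", true) // constructed sample: alice owns enterprise network 7
	pol := NetworkPolicy{MaxMembers: 10, Description: "sample"}
	err := SetNetworkPolicy(roles.Auth(), roles.Enterprise(), rec.Write, 7, "mallory", pol, nil)
	fmt.Println(err, rec.Writes) // owner or admin role required []
}
```

Keeping the role check ahead of the enterprise gate matters beyond correctness: a requester without the owner/admin role gets the same rejection whether or not the network is enterprise, so the handler does not leak the Enterprise flag to unauthorised callers.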