Affected by GO-2025-3635 and 1 other vulnerabilities

GO-2025-3635: In Cilium, packets from terminating endpoints may not be encrypted in Wireguard-enabled clusters in github.com/cilium/cilium

GO-2025-4167: Cilium with misconfigured toGroups in policies can lead to unrestricted egress traffic in Ciliumgithub.com/cilium/cilium

networkpolicy

package

v1.17.2 Latest Latest Go to latest Published: Mar 13, 2025 License: Apache-2.0 Imports: 27 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/cilium/cilium

Links

Documentation ¶

Index ¶

Variables
func EnqueueTLSSecrets(c client.Client, logger *slog.Logger) handler.EventHandler
func IsReferencedByCiliumClusterwideNetworkPolicy(ctx context.Context, c client.Client, logger *slog.Logger, obj *corev1.Secret) bool
func IsReferencedByCiliumNetworkPolicy(ctx context.Context, c client.Client, logger *slog.Logger, obj *corev1.Secret) bool
type Config
- func (def Config) Flags(flags *pflag.FlagSet)
type PolicyParams

Constants ¶

This section is empty.

Variables ¶

View Source

var Cell = cell.Module(
	"network-policy-validator",
	"Validates CNPs and CCNPs and reports their validity status",

	cell.Config(defaultConfig),
	cell.Invoke(registerPolicyValidator),
)

View Source

var SecretSyncCell = cell.Module(
	"netpol-secretsync-watcher",
	"Watches network policy updates for TLS secrets to sync",

	cell.Config(networkPolicyConfig{
		EnablePolicySecretsSync: false,
		PolicySecretsNamespace:  "cilium-secrets",
	}),
	cell.Provide(registerCNPSecretSync),
	cell.Provide(registerCCNPSecretSync),
)

SecretSyncCell manages the Network Policy related controllers.

Functions ¶

func EnqueueTLSSecrets ¶ added in v1.17.0

func EnqueueTLSSecrets(c client.Client, logger *slog.Logger) handler.EventHandler

EnqueueTLSSecrets returns a map function that, given a CiliumNetworkPolicy or CilumClusterwideNetworkPolicy, will return a slice of requests for any Secrets referenced in that CiliumNetworkPolicy.

This includes both TLS secrets (Origination or Termination), plus Secrets used for storing header values.

func IsReferencedByCiliumClusterwideNetworkPolicy ¶ added in v1.17.0

func IsReferencedByCiliumClusterwideNetworkPolicy(ctx context.Context, c client.Client, logger *slog.Logger, obj *corev1.Secret) bool

func IsReferencedByCiliumNetworkPolicy ¶ added in v1.17.0

func IsReferencedByCiliumNetworkPolicy(ctx context.Context, c client.Client, logger *slog.Logger, obj *corev1.Secret) bool

Types ¶

type Config ¶

type Config struct {
	ValidateNetworkPolicy bool `mapstructure:"validate-network-policy"`
}

func (Config) Flags ¶

func (def Config) Flags(flags *pflag.FlagSet)

type PolicyParams ¶

type PolicyParams struct {
	cell.In

	Logger       *slog.Logger
	JobGroup     job.Group
	Clientset    k8s_client.Clientset
	DaemonConfig *option.DaemonConfig

	Cfg Config

	CNPResource  resource.Resource[*cilium_api_v2.CiliumNetworkPolicy]
	CCNPResource resource.Resource[*cilium_api_v2.CiliumClusterwideNetworkPolicy]
}

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
helpers

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL