Constants ¶
const CheckpointFile = "local_allocator_state.json"
The filename for the local allocator checkpoint. This is periodically written, and restored on restart. The full path is, by default, /run/cilium/state/local_allocator_state.json
Variables ¶
// ErrNonLocalIdentity reports that a set of labels would map to a global
// rather than a node-local identity; AllocateLocalIdentity is documented to
// fail for such labels (presumably with this error — confirm in the implementation).
var ErrNonLocalIdentity = fmt.Errorf("labels would result in global identity")
var (
// IdentitiesPath is the path to where identities are stored in the
// key-value store.
IdentitiesPath = path.Join(kvstore.BaseKeyPrefix, "state", "identities", "v1")
)
Functions ¶
This section is empty.
Types ¶
type AllocatorConfig ¶ added in v1.17.0
type AllocatorConfig struct {
EnableOperatorManageCIDs bool
Timeout time.Duration
SyncInterval time.Duration
// contains filtered or unexported fields
}
func NewTestAllocatorConfig ¶ added in v1.18.0
func NewTestAllocatorConfig() AllocatorConfig
NewTestAllocatorConfig returns an AllocatorConfig initialized for testing purposes.
type CachingIdentityAllocator ¶
type CachingIdentityAllocator struct {
// IdentityAllocator is an allocator for security identities from the
// kvstore.
IdentityAllocator *allocator.Allocator
// contains filtered or unexported fields
}
CachingIdentityAllocator manages the allocation of identities for both global and local identities.
func NewCachingIdentityAllocator ¶
func NewCachingIdentityAllocator(logger *slog.Logger, owner IdentityAllocatorOwner, config AllocatorConfig) *CachingIdentityAllocator
NewCachingIdentityAllocator creates a new CachingIdentityAllocator.
func (*CachingIdentityAllocator) AllocateIdentity ¶
func (m *CachingIdentityAllocator) AllocateIdentity(ctx context.Context, lbls labels.Labels, notifyOwner bool, oldNID identity.NumericIdentity) (id *identity.Identity, allocated bool, err error)
AllocateIdentity allocates an identity described by the specified labels. If an identity for the specified set of labels already exists, the identity is re-used and reference counting is performed; otherwise a new identity is allocated via the kvstore or via the local identity allocator. A possible previously used numeric identity for these labels can be passed in as the 'oldNID' parameter; identity.InvalidIdentity must be passed if no previous numeric identity exists.
func (*CachingIdentityAllocator) AllocateLocalIdentity ¶ added in v1.16.0
func (m *CachingIdentityAllocator) AllocateLocalIdentity(lbls labels.Labels, notifyOwner bool, oldNID identity.NumericIdentity) (id *identity.Identity, allocated bool, err error)
AllocateLocalIdentity works the same as AllocateIdentity, but it guarantees that the allocated identity will be local-only. If the provided set of labels does not map to a local identity scope, this will return an error.
func (*CachingIdentityAllocator) Close ¶
func (m *CachingIdentityAllocator) Close()
Close closes the identity allocator
func (*CachingIdentityAllocator) EnableCheckpointing ¶ added in v1.16.0
func (m *CachingIdentityAllocator) EnableCheckpointing()
EnableCheckpointing enables checkpointing of the local allocator state. The CachingIdentityAllocator is used in multiple places, but only the "primary" allocator should be checkpointed.
func (*CachingIdentityAllocator) GetIdentities ¶
func (m *CachingIdentityAllocator) GetIdentities() IdentitiesModel
GetIdentities returns all known identities
func (*CachingIdentityAllocator) GetIdentityCache ¶
func (m *CachingIdentityAllocator) GetIdentityCache() identity.IdentityMap
GetIdentityCache returns a cache of all known identities
func (*CachingIdentityAllocator) InitIdentityAllocator ¶
func (m *CachingIdentityAllocator) InitIdentityAllocator(client clientset.Interface, kvstoreClient kvstore.Client) <-chan struct{}
InitIdentityAllocator creates the global identity allocator. Only the first invocation of this function will have an effect. The caller must have initialized well-known identities before calling this (by calling identity.InitWellKnownIdentities()). The client is currently only used by the CRD identity allocator. Returns a channel which is closed when initialization of the allocator is completed. TODO: identity backends are initialized directly in this function, pulling in dependencies on kvstore and k8s. It would be better to decouple this, since the backends are an interface.
func (*CachingIdentityAllocator) LocalIdentityChanges ¶ added in v1.18.0
func (m *CachingIdentityAllocator) LocalIdentityChanges() stream.Observable[IdentityChange]
LocalIdentityChanges returns an observable for (only) node-local identities. Replays current state on subscription followed by a Sync event.
func (*CachingIdentityAllocator) LookupIdentity ¶
func (m *CachingIdentityAllocator) LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity
LookupIdentity looks up the identity by its labels but does not create it. This function will first search through the local cache, then the caches for remote kvstores and finally fall back to the main kvstore. May return nil for lookups if the allocator has not yet been synchronized.
func (*CachingIdentityAllocator) LookupIdentityByID ¶
func (m *CachingIdentityAllocator) LookupIdentityByID(ctx context.Context, id identity.NumericIdentity) *identity.Identity
LookupIdentityByID returns the identity by ID. This function will first search through the local cache, then the caches for remote kvstores and finally fall back to the main kvstore. May return nil for lookups if the allocator has not yet been synchronized.
func (*CachingIdentityAllocator) Observe ¶
func (m *CachingIdentityAllocator) Observe(ctx context.Context, next func(IdentityChange), complete func(error))
Observe identity changes. Doesn't include local identities. Conforms to stream.Observable. Replays the current state of the cache when subscribing.
func (*CachingIdentityAllocator) Release ¶
func (m *CachingIdentityAllocator) Release(ctx context.Context, id *identity.Identity, notifyOwner bool) (released bool, err error)
Release is the reverse operation of AllocateIdentity() and releases the identity again. This function may result in kvstore operations. After the last user has released the ID, the returned released value is true.
func (*CachingIdentityAllocator) ReleaseLocalIdentities ¶ added in v1.18.0
func (m *CachingIdentityAllocator) ReleaseLocalIdentities(nids ...identity.NumericIdentity) ([]identity.NumericIdentity, error)
ReleaseLocalIdentities releases solely local identities. It always updates the SelectorCache.
Returns the list of released (refcount = 0) identities
func (*CachingIdentityAllocator) ReleaseRestoredIdentities ¶ added in v1.16.0
func (m *CachingIdentityAllocator) ReleaseRestoredIdentities()
ReleaseRestoredIdentities releases any identities that were restored, reducing their reference count and cleaning up as necessary. This always notifies the owner (i.e. updates the SelectorCache).
func (*CachingIdentityAllocator) RemoveRemoteIdentities ¶
func (m *CachingIdentityAllocator) RemoveRemoteIdentities(name string)
func (*CachingIdentityAllocator) RestoreLocalIdentities ¶ added in v1.16.0
func (m *CachingIdentityAllocator) RestoreLocalIdentities() (map[identity.NumericIdentity]*identity.Identity, error)
RestoreLocalIdentities reads in the checkpointed local allocator state from disk and allocates a reference to every previously existing identity.
Once all identity-allocating objects are synchronized (e.g. network policies, remote nodes), call ReleaseRestoredIdentities to release the held references.
func (*CachingIdentityAllocator) UnwithholdLocalIdentities ¶ added in v1.15.0
func (m *CachingIdentityAllocator) UnwithholdLocalIdentities(nids []identity.NumericIdentity)
func (*CachingIdentityAllocator) WaitForInitialGlobalIdentities ¶
func (m *CachingIdentityAllocator) WaitForInitialGlobalIdentities(ctx context.Context) error
WaitForInitialGlobalIdentities waits for the initial set of global security identities to have been received and populated into the allocator cache.
func (*CachingIdentityAllocator) WatchRemoteIdentities ¶
func (m *CachingIdentityAllocator) WatchRemoteIdentities(remoteName string, remoteID uint32, backend kvstore.BackendOperations, cachedPrefix bool) (allocator.RemoteIDCache, error)
WatchRemoteIdentities returns a RemoteCache instance which can be later started to watch identities in another kvstore and sync them to the local identity cache. remoteName should be unique unless replacing an existing remote's backend. When cachedPrefix is set, identities are assumed to be stored under the "cilium/cache" prefix, and the watcher is adapted accordingly.
func (*CachingIdentityAllocator) WithholdLocalIdentities ¶ added in v1.15.0
func (m *CachingIdentityAllocator) WithholdLocalIdentities(nids []identity.NumericIdentity)
type IdentitiesModel ¶
IdentitiesModel is a wrapper so that we can implement sort.Interface to sort the slice by ID.
func (IdentitiesModel) FromIdentityCache ¶
func (s IdentitiesModel) FromIdentityCache(cache identity.IdentityMap) IdentitiesModel
FromIdentityCache populates the provided model from an identity cache.
func (IdentitiesModel) Less ¶
func (s IdentitiesModel) Less(i, j int) bool
Less returns true if the element in index `i` is lower than the element in index `j`
type IdentityAllocator ¶
type IdentityAllocator interface {
// Identity changes are observable.
stream.Observable[IdentityChange]
// WaitForInitialGlobalIdentities waits for the initial set of global
// security identities to have been received.
WaitForInitialGlobalIdentities(context.Context) error
// AllocateIdentity allocates an identity described by the specified labels.
// A possible previously used numeric identity for these labels can be passed
// in as the last parameter; identity.InvalidIdentity must be passed if no
// previous numeric identity exists.
AllocateIdentity(context.Context, labels.Labels, bool, identity.NumericIdentity) (*identity.Identity, bool, error)
// AllocateLocalIdentity allocates an identity, returning error if the set of
// labels would not result in a locally-scoped identity.
//
// If notifyOwner is true, then the SelectorCache is directly updated with this identity. If not,
// the caller *must* ensure the SelectorCache learns about this identity.
AllocateLocalIdentity(lbls labels.Labels, notifyOwner bool, oldNID identity.NumericIdentity) (*identity.Identity, bool, error)
// Release is the reverse operation of AllocateIdentity() and releases the
// specified identity. The released result reports whether the last
// reference was dropped.
Release(context.Context, *identity.Identity, bool) (released bool, err error)
// ReleaseLocalIdentities releases a slice of locally-scoped identities. It always
// updates the SelectorCache.
//
// Returns the list of released (refcount = 0) identities
ReleaseLocalIdentities(...identity.NumericIdentity) ([]identity.NumericIdentity, error)
// LookupIdentity returns the identity that corresponds to the given
// labels without allocating it. May return nil if no such identity is known.
LookupIdentity(ctx context.Context, lbls labels.Labels) *identity.Identity
// LookupIdentityByID returns the identity that corresponds to the given
// numeric identity. May return nil if no such identity is known.
LookupIdentityByID(ctx context.Context, id identity.NumericIdentity) *identity.Identity
// GetIdentityCache returns the current cache of identities that the
// allocator has allocated. The caller should not modify the resulting
// identities by pointer.
GetIdentityCache() identity.IdentityMap
// GetIdentities returns a copy of the current cache of identities.
GetIdentities() IdentitiesModel
// WithholdLocalIdentities holds a set of numeric identities out of the local
// allocation pool(s). Once withheld, a numeric identity can only be used
// when explicitly requested via AllocateIdentity(..., oldNID).
WithholdLocalIdentities(nids []identity.NumericIdentity)
// UnwithholdLocalIdentities removes numeric identities from the withheld set,
// freeing them for general allocation.
UnwithholdLocalIdentities(nids []identity.NumericIdentity)
}
IdentityAllocator is any type which is responsible for allocating security identities based of sets of labels, and caching information about identities locally.
type IdentityAllocatorOwner ¶
type IdentityAllocatorOwner interface {
// UpdateIdentities will be called when identities have changed.
//
// The caller is responsible for making sure the same identity
// is not present in both 'added' and 'deleted', so that they
// can be processed in either order.
UpdateIdentities(added, deleted identity.IdentityMap) <-chan struct{}
// GetNodeSuffix must return the node-specific suffix to use.
GetNodeSuffix() string
}
IdentityAllocatorOwner is the interface the owner of an identity allocator must implement
type IdentityChange ¶
// IdentityChange describes one change to the identity cache as delivered to
// observers of an IdentityAllocator.
type IdentityChange struct {
// Kind is the kind of change (sync, upsert or delete).
Kind IdentityChangeKind
// ID is the numeric identity the change applies to.
ID identity.NumericIdentity
// Labels are the identity's labels; presumably populated for upserts —
// confirm against the emitting allocator.
Labels labels.Labels
}
type IdentityChangeKind ¶
// IdentityChangeKind identifies the kind of change carried by an IdentityChange.
type IdentityChangeKind string
// The identity change kinds mirror the change kinds of the underlying
// allocator package.
const (
IdentityChangeSync IdentityChangeKind = IdentityChangeKind(allocator.AllocatorChangeSync)
IdentityChangeUpsert IdentityChangeKind = IdentityChangeKind(allocator.AllocatorChangeUpsert)
IdentityChangeDelete IdentityChangeKind = IdentityChangeKind(allocator.AllocatorChangeDelete)
)
type NoopIdentityAllocator ¶ added in v1.17.0
type NoopIdentityAllocator struct {
// contains filtered or unexported fields
}
func NewNoopIdentityAllocator ¶ added in v1.17.0
func NewNoopIdentityAllocator(logger *slog.Logger) *NoopIdentityAllocator
func (*NoopIdentityAllocator) AllocateIdentity ¶ added in v1.17.0
func (*NoopIdentityAllocator) AllocateLocalIdentity ¶ added in v1.18.0
func (n *NoopIdentityAllocator) AllocateLocalIdentity(lbls labels.Labels, notifyOwner bool, oldNID identity.NumericIdentity) (*identity.Identity, bool, error)
func (*NoopIdentityAllocator) Close ¶ added in v1.17.0
func (n *NoopIdentityAllocator) Close()
func (*NoopIdentityAllocator) GetIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) GetIdentities() IdentitiesModel
func (*NoopIdentityAllocator) GetIdentityCache ¶ added in v1.17.0
func (n *NoopIdentityAllocator) GetIdentityCache() identity.IdentityMap
func (*NoopIdentityAllocator) InitIdentityAllocator ¶ added in v1.17.0
func (n *NoopIdentityAllocator) InitIdentityAllocator(versioned.Interface, kvstore.Client) <-chan struct{}
func (*NoopIdentityAllocator) LocalIdentityChanges ¶ added in v1.18.0
func (m *NoopIdentityAllocator) LocalIdentityChanges() stream.Observable[IdentityChange]
The noop identity allocator is itself a noop observable, so it returns itself as the local identity observable.
func (*NoopIdentityAllocator) LookupIdentity ¶ added in v1.17.0
func (*NoopIdentityAllocator) LookupIdentityByID ¶ added in v1.17.0
func (n *NoopIdentityAllocator) LookupIdentityByID(ctx context.Context, id identity.NumericIdentity) *identity.Identity
func (*NoopIdentityAllocator) Observe ¶ added in v1.17.0
func (m *NoopIdentityAllocator) Observe(ctx context.Context, next func(IdentityChange), complete func(error))
func (*NoopIdentityAllocator) ReleaseLocalIdentities ¶ added in v1.18.0
func (n *NoopIdentityAllocator) ReleaseLocalIdentities(...identity.NumericIdentity) ([]identity.NumericIdentity, error)
func (*NoopIdentityAllocator) ReleaseRestoredIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) ReleaseRestoredIdentities()
func (*NoopIdentityAllocator) RemoveRemoteIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) RemoveRemoteIdentities(name string)
func (*NoopIdentityAllocator) RestoreLocalIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) RestoreLocalIdentities() (map[identity.NumericIdentity]*identity.Identity, error)
func (*NoopIdentityAllocator) UnwithholdLocalIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) UnwithholdLocalIdentities(nids []identity.NumericIdentity)
func (*NoopIdentityAllocator) WaitForInitialGlobalIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) WaitForInitialGlobalIdentities(context.Context) error
func (*NoopIdentityAllocator) WatchRemoteIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) WatchRemoteIdentities(remoteName string, remoteID uint32, backend kvstore.BackendOperations, cachedPrefix bool) (allocator.RemoteIDCache, error)
func (*NoopIdentityAllocator) WithholdLocalIdentities ¶ added in v1.17.0
func (n *NoopIdentityAllocator) WithholdLocalIdentities(nids []identity.NumericIdentity)
type NoopRemoteIDCache ¶ added in v1.17.0
// NoopRemoteIDCache is a stateless remote identity cache used where no
// remote kvstore is watched; see NumEntries and Synced.
type NoopRemoteIDCache struct{}
func (*NoopRemoteIDCache) NumEntries ¶ added in v1.17.0
func (n *NoopRemoteIDCache) NumEntries() int
func (*NoopRemoteIDCache) Synced ¶ added in v1.17.0
func (n *NoopRemoteIDCache) Synced() bool