Documentation
¶
Index ¶
- Constants
- Variables
- func RemoteSNATDstAddrExclusionCIDRv4(localNode node.LocalNode) *cidr.CIDR
- func RemoteSNATDstAddrExclusionCIDRv6(localNode node.LocalNode) *cidr.CIDR
- type BandwidthConfig
- type BandwidthManager
- type BigTCPConfig
- type BigTCPUserConfig
- type CompilationLock
- type CompileTimeConfiguration
- type ConfigWriter
- type DeviceConfiguration
- type Endpoint
- type EndpointConfiguration
- type IPsecKeyCustodian
- type IptablesManager
- type LoadTimeConfiguration
- type Loader
- type LocalNodeConfiguration
- type MTUConfiguration
- type NodeAddressing
- type NodeAddressingFamily
- type NodeConfigChangeHandler
- type NodeHandler
- type NodeIDHandler
- type Orchestrator
- type PreFilter
- type Proxy
Constants ¶
View Source
const ( EnableBandwidthManagerFlag = "enable-bandwidth-manager" EnableBBRFlag = "enable-bbr" EnableBBRHostnsOnlyFlag = "enable-bbr-hostns-only" )
View Source
const ( EnableIPv4BIGTCPFlag = "enable-ipv4-big-tcp" EnableIPv6BIGTCPFlag = "enable-ipv6-big-tcp" )
Variables ¶
View Source
var DefaultBandwidthConfig = BandwidthConfig{ EnableBandwidthManager: false, EnableBBR: false, EnableBBRHostnsOnly: false, }
Functions ¶
func RemoteSNATDstAddrExclusionCIDRv4 ¶
RemoteSNATDstAddrExclusionCIDRv4 returns a CIDR for SNAT exclusion. Any packet sent from a local endpoint to an IP address belonging to the CIDR should not be SNAT'd.
Types ¶
type BandwidthConfig ¶ added in v1.16.0
type BandwidthConfig struct {
// EnableBandwidthManager enables EDT-based pacing
EnableBandwidthManager bool
// EnableBBR enables BBR TCP congestion control for the node including Pods
EnableBBR bool
// EnableBBRHostnsOnly enables BBR TCP congestion control for the node excluding Pods
EnableBBRHostnsOnly bool
}
func (BandwidthConfig) Flags ¶ added in v1.16.0
func (def BandwidthConfig) Flags(flags *pflag.FlagSet)
type BandwidthManager ¶ added in v1.15.8
type BandwidthManager interface {
BBREnabled() bool
Enabled() bool
UpdateBandwidthLimit(endpointID uint16, bytesPerSecond uint64, prio uint32)
DeleteBandwidthLimit(endpointID uint16)
UpdateIngressBandwidthLimit(endpointID uint16, bytesPerSecond uint64)
DeleteIngressBandwidthLimit(endpointID uint16)
}
type BigTCPConfig ¶ added in v1.14.19
type BigTCPUserConfig ¶ added in v1.14.19
type BigTCPUserConfig struct {
// EnableIPv6BIGTCP enables IPv6 BIG TCP (larger GSO/GRO limits) for the node including pods.
EnableIPv6BIGTCP bool
// EnableIPv4BIGTCP enables IPv4 BIG TCP (larger GSO/GRO limits) for the node including pods.
EnableIPv4BIGTCP bool
}
BigTCPUserConfig are the configuration flags that the user can modify.
func (BigTCPUserConfig) Flags ¶ added in v1.15.13
func (def BigTCPUserConfig) Flags(flags *pflag.FlagSet)
func (BigTCPUserConfig) IsIPv4Enabled ¶ added in v1.14.19
func (def BigTCPUserConfig) IsIPv4Enabled() bool
func (BigTCPUserConfig) IsIPv6Enabled ¶ added in v1.14.19
func (def BigTCPUserConfig) IsIPv6Enabled() bool
type CompilationLock ¶ added in v1.16.0
type CompilationLock interface {
Lock()
Unlock()
RLock()
RUnlock()
}
CompilationLock is a interface over a mutex, it is used by both the loader, daemon and endpoint manager to lock the compilation process. This is a bit of a layer violation since certain methods on the loader such as CompileAndLoad and CompileOrLoad expect the lock to be taken before being called.
Once we have moved header file generation from the endpoint manager into the loader, we can remove this interface and have the loader manage the lock internally.
type CompileTimeConfiguration ¶
type CompileTimeConfiguration interface {
DeviceConfiguration
// RequireARPPassthrough returns true if the datapath must implement
// ARP passthrough for this endpoint
RequireARPPassthrough() bool
// RequireEgressProg returns true if the endpoint requires an egress
// program attached to the InterfaceName() invoking the section
// "to-container"
RequireEgressProg() bool
// RequireRouting returns true if the endpoint requires BPF routing to
// be enabled, when disabled, routing is delegated to Linux routing
RequireRouting() bool
// RequireEndpointRoute returns true if the endpoint wishes to have a
// per endpoint route installed in the host's routing table to point to
// the endpoint's interface
RequireEndpointRoute() bool
// IsHost returns true if the endpoint is the host endpoint.
IsHost() bool
}
CompileTimeConfiguration provides datapath implementations a clean interface to access endpoint-specific configuration that can only be changed at compile time.
type ConfigWriter ¶
type ConfigWriter interface {
// WriteNodeConfig writes the implementation-specific configuration of
// node-wide options into the specified writer.
WriteNodeConfig(io.Writer, *LocalNodeConfiguration) error
// WriteNetdevConfig writes the implementation-specific configuration
// of configurable options to the specified writer. Options specified
// here will apply to base programs and not to endpoints, though
// endpoints may have equivalent configurable options.
WriteNetdevConfig(io.Writer, *option.IntOptions) error
// WriteTemplateConfig writes the implementation-specific configuration
// of configurable options for BPF templates to the specified writer.
WriteTemplateConfig(w io.Writer, nodeCfg *LocalNodeConfiguration, cfg EndpointConfiguration) error
// WriteEndpointConfig writes the implementation-specific configuration
// of configurable options for the endpoint to the specified writer.
WriteEndpointConfig(w io.Writer, nodeCfg *LocalNodeConfiguration, cfg EndpointConfiguration) error
}
ConfigWriter is anything which writes the configuration for various datapath program types.
type DeviceConfiguration ¶
type DeviceConfiguration interface {
// GetOptions fetches the configurable datapath options from the owner.
GetOptions() *option.IntOptions
}
DeviceConfiguration is an interface for injecting configuration of datapath options that affect lookups and logic applied at a per-device level, whether those are devices associated with the endpoint or associated with the host.
type Endpoint ¶
type Endpoint interface {
EndpointConfiguration
InterfaceName() string
Logger(subsystem string) *slog.Logger
StateDir() string
}
Endpoint provides access endpoint configuration information that is necessary to compile and load the datapath.
type EndpointConfiguration ¶
type EndpointConfiguration interface {
CompileTimeConfiguration
LoadTimeConfiguration
}
EndpointConfiguration provides datapath implementations a clean interface to access endpoint-specific configuration when configuring the datapath.
type IPsecKeyCustodian ¶ added in v1.15.0
type IPsecKeyCustodian interface {
AuthKeySize() int
SPI() uint8
StartBackgroundJobs(NodeHandler) error
}
type IptablesManager ¶
type IptablesManager interface {
// InstallProxyRules creates the necessary datapath config (e.g., iptables
// rules for redirecting host proxy traffic on a specific ProxyPort)
InstallProxyRules(proxyPort uint16, name string)
// SupportsOriginalSourceAddr tells if the datapath supports
// use of original source addresses in proxy upstream
// connections.
SupportsOriginalSourceAddr() bool
// GetProxyPorts fetches the existing proxy ports configured in the
// datapath. Used early in bootstrap to reopen proxy ports.
GetProxyPorts() map[string]uint16
// InstallNoTrackRules is explicitly called when a pod has valid
// "policy.cilium.io/no-track-port" annotation. When
// InstallNoConntrackIptRules flag is set, a super set of v4 NOTRACK
// rules will be automatically installed upon agent bootstrap (via
// function addNoTrackPodTrafficRules) and this function will be
// skipped. When InstallNoConntrackIptRules is not set, this function
// will be executed to install NOTRACK rules. The rules installed by
// this function is very specific, for now, the only user is
// node-local-dns pods.
InstallNoTrackRules(ip netip.Addr, port uint16)
// See comments for InstallNoTrackRules.
RemoveNoTrackRules(ip netip.Addr, port uint16)
}
IptablesManager manages iptables rules.
type LoadTimeConfiguration ¶
type LoadTimeConfiguration interface {
// GetID returns a locally-significant endpoint identification number.
GetID() uint64
// StringID returns the string-formatted version of the ID from GetID().
StringID() string
// GetIdentity returns a globally-significant numeric security identity.
GetIdentity() identity.NumericIdentity
IPv4Address() netip.Addr
IPv6Address() netip.Addr
GetNodeMAC() mac.MAC
GetIfIndex() int
GetEndpointNetNsCookie() uint64
// GetPolicyVerdictLogFilter returns the PolicyVerdictLogFilter for the endpoint
GetPolicyVerdictLogFilter() uint32
}
LoadTimeConfiguration provides datapath implementations a clean interface to access endpoint-specific configuration that can be changed at load time.
type Loader ¶
type Loader interface {
CallsMapPath(id uint16) string
CustomCallsMapPath(id uint16) string
Unload(ep Endpoint)
HostDatapathInitialized() <-chan struct{}
ReloadDatapath(ctx context.Context, ep Endpoint, cfg *LocalNodeConfiguration, stats *metrics.SpanStat) (string, error)
ReinitializeXDP(ctx context.Context, cfg *LocalNodeConfiguration, extraCArgs []string) error
EndpointHash(cfg EndpointConfiguration, lnCfg *LocalNodeConfiguration) (string, error)
ReinitializeHostDev(ctx context.Context, mtu int) error
Reinitialize(ctx context.Context, cfg *LocalNodeConfiguration, tunnelConfig tunnel.Config, iptMgr IptablesManager, p Proxy) error
WriteEndpointConfig(w io.Writer, cfg EndpointConfiguration, lnCfg *LocalNodeConfiguration) error
}
Loader is an interface to abstract out loading of datapath programs.
type LocalNodeConfiguration ¶
type LocalNodeConfiguration struct {
// NodeIPv4 is the primary IPv4 address of this node.
// Mutable at runtime.
NodeIPv4 net.IP
// NodeIPv6 is the primary IPv6 address of this node.
// Mutable at runtime.
NodeIPv6 net.IP
// CiliumInternalIPv4 is the internal IP address assigned to the cilium_host
// interface.
// Immutable at runtime.
CiliumInternalIPv4 net.IP
// CiliumInternalIPv6 is the internal IP address assigned to the cilium_host
// interface.
// Immutable at runtime.
CiliumInternalIPv6 net.IP
// AllocCIDRIPv4 is the IPv4 allocation CIDR from which IP addresses for
// endpoints are allocated from.
// Immutable at runtime.
AllocCIDRIPv4 *cidr.CIDR
// AllocCIDRIPv6 is the IPv6 allocation CIDR from which IP addresses for
// endpoints are allocated from.
// Immutable at runtime.
AllocCIDRIPv6 *cidr.CIDR
// NativeRoutingCIDRIPv4 is the v4 CIDR in which pod IPs are routable.
NativeRoutingCIDRIPv4 *cidr.CIDR
// NativeRoutingCIDRIPv6 is the v4 CIDR in which pod IPs are routable.
NativeRoutingCIDRIPv6 *cidr.CIDR
// LoopbackIPv4 is the source address used for SNAT when a Pod talks to itself
// over a Service.
//
// Immutable at runtime.
ServiceLoopbackIPv4 net.IP
// Devices is the native network devices selected for datapath use.
// Mutable at runtime.
Devices []*tables.Device
// DirectRoutingDevice is the device used in direct routing mode.
// Mutable at runtime.
DirectRoutingDevice *tables.Device
// NodeAddresses are the IP addresses of the local node that are considered
// as this node's addresses. From this set we pick the addresses that are
// used as NodePort frontends and the addresses to use for BPF masquerading.
// Mutable at runtime.
NodeAddresses []tables.NodeAddress
// DeriveMasqIPAddrFromDevice overrides the interface name to use for deriving
// the masquerading IP address for the node.
DeriveMasqIPAddrFromDevice string
// HostEndpointID is the endpoint ID assigned to the host endpoint.
// Immutable at runtime.
HostEndpointID uint64
// DeviceMTU is the MTU used on workload facing devices.
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
DeviceMTU int
// RouteMTU is the MTU used on the network.
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
RouteMTU int
// RoutePostEncryptMTU is the MTU without the encryption overhead
// included.
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
RoutePostEncryptMTU int
// AuxiliaryPrefixes is the list of auxiliary prefixes that should be
// configured in addition to the node PodCIDR
//
// This field is mutable. The implementation of
// NodeConfigurationChanged() must adjust the routes accordingly.
AuxiliaryPrefixes []*cidr.CIDR
// EnableIPv4 enables use of IPv4. Routing to the IPv4 allocation CIDR
// of other nodes must be enabled.
//
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
EnableIPv4 bool
// EnableIPv6 enables use of IPv6. Routing to the IPv6 allocation CIDR
// of other nodes must be enabled.
//
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
EnableIPv6 bool
// EnableEncapsulation enables use of encapsulation in communication
// between nodes.
//
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
EnableEncapsulation bool
// EnableAutoDirectRouting enables the use of direct routes for
// communication between nodes if two nodes have direct L2
// connectivity.
//
// EnableAutoDirectRouting must be compatible with EnableEncapsulation
// and must provide a fallback to use encapsulation if direct routing
// is not feasible and encapsulation is enabled.
//
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
EnableAutoDirectRouting bool
// DirectRoutingSkipUnreachable will skip any direct routes between
// nodes if they have different L2 connectivity, only adding L2 routes
// if the underlying L2 shares the same gateway.
//
// This field is immutable at runtime. The value will not change in
// subsequent calls to NodeConfigurationChanged().
DirectRoutingSkipUnreachable bool
// EnableLocalNodeRoute enables installation of the route which points
// the allocation prefix of the local node. Disabling this option is
// useful when another component is responsible for the routing of the
// allocation CIDR IPs into Cilium endpoints.
EnableLocalNodeRoute bool
// EnableIPSec enables IPSec routes
EnableIPSec bool
// EnableIPSecEncryptedOverlay enables IPSec routes for overlay traffic
EnableIPSecEncryptedOverlay bool
// EncryptNode enables encrypting NodeIP traffic
EncryptNode bool
// IPv4PodSubnets is a list of IPv4 subnets that pod IPs are assigned from
// these are then used when encryption is enabled to configure the node
// for encryption over these subnets at node initialization.
IPv4PodSubnets []*cidr.CIDR
// IPv6PodSubnets is a list of IPv6 subnets that pod IPs are assigned from
// these are then used when encryption is enabled to configure the node
// for encryption over these subnets at node initialization.
IPv6PodSubnets []*cidr.CIDR
// XDPConfig holds configuration options to determine how the node should
// handle XDP programs.
XDPConfig xdp.Config
// LBConfig holds the configuration options for load-balancing
LBConfig loadbalancer.Config
// Maglev configuration provides the maglev table sizes and seeds for
// the BPF programs.
MaglevConfig maglev.Config
KPRConfig kpr.KPRConfig
}
LocalNodeConfiguration represents the configuration of the local node
This configuration struct is immutable even when passed by reference. When the configuration is changed at runtime a new instance is allocated and passed down.
+deepequal-gen=true
func (*LocalNodeConfiguration) DeepEqual ¶ added in v1.17.0
func (in *LocalNodeConfiguration) DeepEqual(other *LocalNodeConfiguration) bool
DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.
func (*LocalNodeConfiguration) DeviceNames ¶ added in v1.16.0
func (cfg *LocalNodeConfiguration) DeviceNames() []string
func (*LocalNodeConfiguration) GetIPv4PodSubnets ¶ added in v1.17.0
func (cfg *LocalNodeConfiguration) GetIPv4PodSubnets() []*net.IPNet
func (*LocalNodeConfiguration) GetIPv6PodSubnets ¶ added in v1.17.0
func (cfg *LocalNodeConfiguration) GetIPv6PodSubnets() []*net.IPNet
type MTUConfiguration ¶ added in v1.15.0
type NodeAddressing ¶
type NodeAddressing interface {
IPv6() NodeAddressingFamily
IPv4() NodeAddressingFamily
}
NodeAddressing implements addressing of a node
type NodeAddressingFamily ¶
type NodeAddressingFamily interface {
// Router is the address that will act as the router on each node where
// an agent is running on. Endpoints have a default route that points
// to this address.
Router() net.IP
// PrimaryExternal is the primary external address of the node. Nodes
// must be able to reach each other via this address.
PrimaryExternal() net.IP
// AllocationCIDR is the CIDR used for IP allocation of all endpoints
// on the node
AllocationCIDR() *cidr.CIDR
}
NodeAddressingFamily is the node addressing information for a particular address family
type NodeConfigChangeHandler ¶ added in v1.18.0
type NodeConfigChangeHandler interface {
// NodeConfigurationChanged is called when the local node configuration
// has changed
NodeConfigurationChanged(config LocalNodeConfiguration) error
}
type NodeHandler ¶
type NodeHandler interface {
// Name identifies the handler, this is used in logging/reporting handler
// reconciliation errors.
Name() string
// NodeAdd is called when a node is discovered for the first time.
NodeAdd(newNode nodeTypes.Node) error
// NodeUpdate is called when a node definition changes. Both the old
// and new node definition is provided. NodeUpdate() is never called
// before NodeAdd() is called for a particular node.
NodeUpdate(oldNode, newNode nodeTypes.Node) error
// NodeDelete is called after a node has been deleted
NodeDelete(node nodeTypes.Node) error
// AllNodeValidateImplementation is called to validate the implementation
// of all nodes in the node cache.
AllNodeValidateImplementation()
// NodeValidateImplementation is called to validate the implementation of
// the node in the datapath. This function is intended to be run on an
// interval to ensure that the datapath is consistently converged.
NodeValidateImplementation(node nodeTypes.Node) error
}
NodeHandler handles node related events such as addition, update or deletion of nodes or changes to the local node configuration.
Node events apply to the local node as well as to remote nodes. The implementation can differ between the own local node and remote nodes by calling node.IsLocal().
type NodeIDHandler ¶
type NodeIDHandler interface {
// GetNodeIP returns the string node IP that was previously registered as the given node ID.
GetNodeIP(uint16) string
// GetNodeID gets the node ID for the given node IP. If none is found, exists is false.
GetNodeID(nodeIP net.IP) (nodeID uint16, exists bool)
// DumpNodeIDs returns all node IDs and their associated IP addresses.
DumpNodeIDs() []*models.NodeID
// RestoreNodeIDs restores node IDs and their associated IP addresses from the
// BPF map and into the node handler in-memory copy.
RestoreNodeIDs()
}
type Orchestrator ¶ added in v1.16.0
type Orchestrator interface {
Reinitialize(ctx context.Context) error
DatapathInitialized() <-chan struct{}
ReloadDatapath(ctx context.Context, ep Endpoint, stats *metrics.SpanStat) (string, error)
ReinitializeXDP(ctx context.Context, extraCArgs []string) error
EndpointHash(cfg EndpointConfiguration) (string, error)
WriteEndpointConfig(w io.Writer, cfg EndpointConfiguration) error
Unload(ep Endpoint)
}
Source Files
Click to show internal directories.
Click to hide internal directories.