Documentation
Overview
Package auth represents the BPF map used to keep track of authentication state between security identities.
Constants
const (
	MapName = "cilium_auth_map"
)
Variables
var Cell = cell.Module(
	"auth-map",
	"eBPF map which manages authenticated connections between identities",
	cell.Provide(newAuthMap),
)
Cell provides the auth.Map, which contains the authentication state between Cilium security identities. The datapath checks the map for a valid authentication entry whenever authentication is demanded by a policy. If no entry or an expired entry is found, the packet is dropped and authentication is requested via auth.Manager.
Functions
This section is empty.
Types
type AuthInfo
AuthInfo implements the bpf.MapValue interface.
Must be in sync with struct auth_info in <bpf/lib/common.h>
type AuthKey
type AuthKey struct {
	LocalIdentity  uint32 `align:"local_sec_label"`
	RemoteIdentity uint32 `align:"remote_sec_label"`
	RemoteNodeID   uint16 `align:"remote_node_id"`
	AuthType       uint8  `align:"auth_type"`
	Pad            uint8  `align:"pad"`
}
AuthKey implements the bpf.MapKey interface.
Must be in sync with struct auth_key in <bpf/lib/common.h>
type IterateCallback
IterateCallback represents the signature of the callback function expected by the IterateWithCallback method, which in turn is used to iterate all the keys/values of an auth map.
type Map
type Map interface {
	// Lookup returns the auth map object associated with the provided
	// (local identity, remote identity, remote host id, auth type) quadruple.
	Lookup(key AuthKey) (AuthInfo, error)

	// Update inserts or updates the auth map object associated with the provided
	// (local identity, remote identity, remote host id, auth type) quadruple.
	Update(key AuthKey, expiration utime.UTime) error

	// Delete deletes the auth map object associated with the provided
	// (local identity, remote identity, remote host id, auth type) quadruple.
	Delete(key AuthKey) error

	// IterateWithCallback iterates through all the keys/values of an auth map,
	// passing each key/value pair to the cb callback.
	IterateWithCallback(cb IterateCallback) error

	// MaxEntries returns the maximum number of entries the auth map can hold.
	MaxEntries() uint32
}
Map provides access to the eBPF map auth.
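The lookup behaviour described for Cell (a valid entry is required, otherwise the packet is dropped and authentication is requested) can be modelled in plain Go. This is an added example, not Cilium's code: memAuthMap, Verdict, Check and Expired are hypothetical names, the map is an in-memory stand-in for the eBPF map, and all identity, node and time values are constructed.

```go
package main

import (
	"fmt"
	"time"
)

// AuthKey copies the fields shown on this page (align tags omitted).
type AuthKey struct {
	LocalIdentity, RemoteIdentity uint32
	RemoteNodeID                  uint16
	AuthType, Pad                 uint8
}

// memAuthMap is a hypothetical in-memory stand-in for the eBPF map (key -> expiry).
type memAuthMap map[AuthKey]time.Time

type Verdict int
const (
	Forward            Verdict = iota // valid, unexpired entry found
	DropAndRequestAuth                // no entry or expired entry: fail closed
)

// Check models the lookup for traffic whose policy demands authentication.
// Assumption: an entry counts as expired once now reaches its expiration.
func (m memAuthMap) Check(k AuthKey, now time.Time) Verdict {
	if exp, ok := m[k]; ok && now.Before(exp) {
		return Forward
	}
	return DropAndRequestAuth
}

// Expired returns the keys a cleanup pass over the map would delete.
func (m memAuthMap) Expired(now time.Time) []AuthKey {
	var out []AuthKey
	for k, exp := range m {
		if !now.Before(exp) {
			out = append(out, k)
		}
	}
	return out
}

func main() {
	now := time.Unix(1700000000, 0) // constructed values throughout
	k := AuthKey{LocalIdentity: 1001, RemoteIdentity: 2002, RemoteNodeID: 7, AuthType: 1}
	m := memAuthMap{k: now.Add(time.Hour)}
	fmt.Println(m.Check(k, now), m.Check(k, now.Add(2*time.Hour)), len(m.Expired(now)))
}
```

Because the whole quadruple is the key, an entry for one remote node or auth type never satisfies a lookup for another, even when both identities match.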