Index ¶
- Constants
- Variables
- func EgressKey() types.Key
- func GetCIDRPrefixes(rules types.PolicyEntries) []netip.Prefix
- func GetPolicyEnabled() string
- func IngressKey() types.Key
- func JSONMarshalRules(rules types.PolicyEntries) string
- func JoinPath(a, b string) string
- func NewMapStateEntry(e MapStateEntry) mapStateEntry
- func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, listener string, ...)
- func PassEntry(priority, nextTierPriority types.Priority, derivedFrom ruleOrigin) mapStateEntry
- func ProxyID(endpointID uint16, ingress bool, protocol string, port uint16, listener string) string
- func ProxyStatsKey(ingress bool, protocol string, port, proxyPort uint16) string
- func SetPolicyEnabled(val string)
- type AddOptions
- type AuthRequirement
- type AuthType
- type AuthTypes
- type CachedSelectionUser
- type CachedSelector
- type CachedSelectorSlice
- type ChangeState
- type DeleteOptions
- type EndpointInfo
- func (ei *EndpointInfo) GetID() uint64
- func (ei *EndpointInfo) GetNamedPort(ingress bool, name string, proto u8proto.U8proto) uint16
- func (ei *EndpointInfo) IsHost() bool
- func (ei *EndpointInfo) MapStateSize() int
- func (ei *EndpointInfo) PolicyDebug(msg string, attrs ...any)
- func (ei *EndpointInfo) RegenerateIfAlive(_ *regeneration.ExternalRegenerationMetadata) <-chan bool
- type EndpointPolicy
- func (p *EndpointPolicy) ConsumeMapChanges() (closer func(), changes ChangeState)
- func (p *EndpointPolicy) CopyMapStateFrom(m MapStateMap)
- func (p *EndpointPolicy) Detach(logger *slog.Logger)
- func (p *EndpointPolicy) Diff(expected MapStateMap) string
- func (p *EndpointPolicy) Empty() bool
- func (p *EndpointPolicy) Entries() iter.Seq2[Key, MapStateEntry]
- func (p *EndpointPolicy) Equals(other MapStateMap) bool
- func (p *EndpointPolicy) Get(key Key) (MapStateEntry, bool)
- func (p *EndpointPolicy) GetPolicySelectors() SelectorSnapshot
- func (p *EndpointPolicy) GetRuleMeta(k Key) (RuleMeta, error)
- func (p *EndpointPolicy) Len() int
- func (p *EndpointPolicy) Lookup(key Key) (MapStateEntry, RuleMeta, bool)
- func (p *EndpointPolicy) LookupRedirectPort(ingress bool, protocol string, port uint16, listener string) (uint16, error)
- func (p *EndpointPolicy) Missing(realized *EndpointPolicy) iter.Seq2[Key, MapStateEntry]
- func (p *EndpointPolicy) MissingMap(realized MapStateMap) iter.Seq2[Key, MapStateEntry]
- func (p *EndpointPolicy) Ready() (err error)
- func (p *EndpointPolicy) RevertChanges(changes ChangeState)
- func (p *EndpointPolicy) Updated(realized *EndpointPolicy) iter.Seq2[Key, MapStateEntry]
- func (p *EndpointPolicy) UpdatedMap(realized MapStateMap) iter.Seq2[Key, MapStateEntry]
- type Flow
- type GetPolicyStatistics
- type IDSet
- type Key
- type Keys
- type L4DirectionPolicy
- type L4Filter
- func (l4 *L4Filter) Equals(bL4 *L4Filter) bool
- func (l4 *L4Filter) GetIngress() bool
- func (l4 *L4Filter) GetPerSelectorPolicies() L7DataMap
- func (l4 *L4Filter) GetPort() uint16
- func (l4 *L4Filter) IdentitySelectionCommit(logger *slog.Logger, txn SelectorSnapshot)
- func (l4 *L4Filter) IdentitySelectionUpdated(logger *slog.Logger, cs types.CachedSelector, ...)
- func (l4 *L4Filter) IsPeerSelector() bool
- func (l4 *L4Filter) Marshal() string
- func (l4 *L4Filter) SelectsAllEndpoints() bool
- func (l4 *L4Filter) String() string
- type L4Policy
- func (l4Policy *L4Policy) AccumulateMapChanges(logger *slog.Logger, l4 *L4Filter, cs CachedSelector, ...)
- func (l4 *L4Policy) Attach(ctx PolicyContext)
- func (l4 *L4Policy) GetModel() *models.L4Policy
- func (l4 *L4Policy) GetRuleOriginModel() *models.L4Policy
- func (l4 *L4Policy) HasEnvoyRedirect() bool
- func (l4 *L4Policy) HasProxylibRedirect() bool
- func (l4 *L4Policy) HasRedirect() bool
- func (l4Policy *L4Policy) SyncMapChanges(l4 *L4Filter, txn SelectorSnapshot)
- type L4PolicyMap
- func (l4M *L4PolicyMap) Delete(port string, endPort uint16, protocol string)
- func (l4M *L4PolicyMap) ExactLookup(port string, endPort uint16, protocol string) *L4Filter
- func (l4M *L4PolicyMap) ForEach(fn func(l4 *L4Filter) bool)
- func (l4M *L4PolicyMap) Len() int
- func (l4M *L4PolicyMap) Upsert(port string, endPort uint16, protocol string, l4 *L4Filter)
- type L4PolicyMaps
- type L7DataMap
- type L7ParserType
- type ListenerPriority
- type MapChange
- type MapChanges
- type MapStateEntry
- type MapStateMap
- type MaskedPort
- type PerSelectorPolicy
- func (a *PerSelectorPolicy) CanShortCircuit() bool
- func (a *PerSelectorPolicy) EnvoyHTTPRules() *cilium.HttpNetworkPolicyRules
- func (a *PerSelectorPolicy) Equal(b *PerSelectorPolicy) bool
- func (a *PerSelectorPolicy) GetListener() string
- func (a *PerSelectorPolicy) GetListenerPriority() ListenerPriority
- func (a *PerSelectorPolicy) GetPriority() types.Priority
- func (a *PerSelectorPolicy) GetVerdict() types.Verdict
- func (sp *PerSelectorPolicy) HasL7Rules() bool
- func (a *PerSelectorPolicy) IsDeny() bool
- func (sp *PerSelectorPolicy) IsRedirect() bool
- type PerSelectorPolicyTuple
- type PolicyContext
- type PolicyOwner
- type PolicyRepository
- type ProxyPolicy
- type Repository
- func (p *Repository) BumpRevision() uint64
- func (p *Repository) GetAuthTypes(localID, remoteID identity.NumericIdentity) AuthTypes
- func (p *Repository) GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)
- func (p *Repository) GetPolicySnapshot() map[identity.NumericIdentity]SelectorPolicy
- func (p *Repository) GetRevision() uint64
- func (p *Repository) GetRulesList() *models.Policy
- func (p *Repository) GetSelectorCache() *SelectorCache
- func (r *Repository) GetSelectorPolicy(id *identity.Identity, skipRevision uint64, stats GetPolicyStatistics, ...) (SelectorPolicy, uint64, error)
- func (p *Repository) GetSubjectSelectorCache() *SelectorCache
- func (p *Repository) Iterate(f func(rule *types.PolicyEntry))
- func (p *Repository) MustAddList(rules api.Rules) (ruleSlice, uint64)
- func (p *Repository) MustAddPolicyEntries(entries types.PolicyEntries) (ruleSlice, uint64)
- func (p *Repository) ReplaceByResource(rules types.PolicyEntries, resource ipcachetypes.ResourceID) (affectedIDs *set.Set[identity.NumericIdentity], rev uint64, oldRuleCnt int)
- func (p *Repository) Search() (types.PolicyEntries, uint64)
- type RuleMeta
- type Selector
- type SelectorCache
- func (sc *SelectorCache) AddIdentitySelectorForTest(user CachedSelectionUser, lbls stringLabels, es api.EndpointSelector) (cachedSelector CachedSelector, added bool)
- func (sc *SelectorCache) AddSelectors(user CachedSelectionUser, lbls stringLabels, selectors ...Selector) (CachedSelectorSlice, bool)
- func (sc *SelectorCache) AddSelectorsTxn(user CachedSelectionUser, lbls stringLabels, selectors ...Selector) (CachedSelectorSlice, bool)
- func (sc *SelectorCache) CanSkipUpdate(added, deleted identity.IdentityMap) bool
- func (sc *SelectorCache) ChangeUser(selector CachedSelector, from, to CachedSelectionUser)
- func (sc *SelectorCache) Commit()
- func (sc *SelectorCache) GetModel() models.SelectorCache
- func (sc *SelectorCache) GetSelectorSnapshot() SelectorSnapshot
- func (sc *SelectorCache) RegisterMetrics()
- func (sc *SelectorCache) RemoveSelector(selector CachedSelector, user CachedSelectionUser)
- func (sc *SelectorCache) RemoveSelectors(selectors CachedSelectorSlice, user CachedSelectionUser)
- func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)
- func (sc *SelectorCache) Stats() selectorStats
- func (sc *SelectorCache) UpdateIdentities(added, deleted identity.IdentityMap, wg *sync.WaitGroup) (mutated bool)
- func (sc *SelectorCache) WithRLock(f func(sc *SelectorCache))
- type SelectorPolicy
- type SelectorRevision
- type SelectorSnapshot
- type Selectors
- type StringSet
- type TLSContext
- type TLSDirection
- type Updater
Constants ¶
const (
	// LabelKeyPolicyDerivedFrom is the key of the reserved-source label used by the
	// LabelsAllowAnyIngress/LabelsAllowAnyEgress/LabelsLocalHostIngress label arrays.
	LabelKeyPolicyDerivedFrom = "io.cilium.policy.derived-from"
	// Values used with LabelKeyPolicyDerivedFrom.
	LabelAllowLocalHostIngress = "allow-localhost-ingress"
	LabelAllowAnyIngress       = "allow-any-ingress"
	LabelAllowAnyEgress        = "allow-any-egress"
)
// NoAuthRequirement re-exports types.NoAuthRequirement.
const NoAuthRequirement = types.NoAuthRequirement
Variables ¶
var (
	// Label arrays carrying the reserved LabelKeyPolicyDerivedFrom label with the
	// allow-any-ingress, allow-any-egress and allow-localhost-ingress values.
	LabelsAllowAnyIngress = labels.LabelArray{
		labels.NewLabel(LabelKeyPolicyDerivedFrom, LabelAllowAnyIngress, labels.LabelSourceReserved)}
	LabelsAllowAnyEgress = labels.LabelArray{
		labels.NewLabel(LabelKeyPolicyDerivedFrom, LabelAllowAnyEgress, labels.LabelSourceReserved)}
	LabelsLocalHostIngress = labels.LabelArray{
		labels.NewLabel(LabelKeyPolicyDerivedFrom, LabelAllowLocalHostIngress, labels.LabelSourceReserved)}
)
// EmptyStringLabels is the stringLabels value built from a nil label set.
var EmptyStringLabels = makeStringLabels(nil)
var (
	// ErrStaleSelectors indicates that a selector snapshot is stale.
	ErrStaleSelectors = errors.New("stale selector snapshot")
)
// ErrTooManyPriorityLevels is returned if an endpoint's policy results in more
// than 2^24 distinct priorities for a given direction; the datapath cannot
// support more than that.
var ErrTooManyPriorityLevels = errors.New("endpoint policy direction has more than 2^24 distinct priorities")
ErrTooManyPriorityLevels is returned if an endpoint's policy results in more than 2^24 distinct priorities for a given direction; the datapath cannot support more than that.
// ErrUnorderedRules is returned if priorities of policy entries are unordered
// when they are expected to be ordered.
var ErrUnorderedRules = errors.New("Unordered policy entry priorities")
ErrUnorderedRules is returned if priorities of policy entries are unordered when they are expected to be ordered.
// ErrUnorderedTiers is returned if tiers of policy entries are unordered when
// they are expected to be ordered.
var ErrUnorderedTiers = errors.New("Unordered policy entry tiers")
ErrUnorderedTiers is returned if tiers of policy entries are unordered when they are expected to be ordered.
// NilRuleOrigin is the ruleOrigin for an empty rule label list ("[]").
var NilRuleOrigin = newRuleOrigin(RuleMeta{labels: "[]"})
Functions ¶
func GetCIDRPrefixes ¶ added in v0.15.7
func GetCIDRPrefixes(rules types.PolicyEntries) []netip.Prefix
GetCIDRPrefixes runs through the specified 'rules' to find every reference to a CIDR in the rules, and returns a slice containing all of these CIDRs.
Includes prefixes referenced solely by "ExceptCIDRs" entries.
Assumes that validation already occurred on 'rules'.
func GetPolicyEnabled ¶ added in v0.15.7
func GetPolicyEnabled() string
GetPolicyEnabled returns the policy enablement configuration
func IngressKey ¶ added in v1.17.0
func JSONMarshalRules ¶ added in v0.9.0
func JSONMarshalRules(rules types.PolicyEntries) string
JSONMarshalRules returns the given policy rules as a string in JSON representation.
func NewMapStateEntry ¶ added in v0.15.7
func NewMapStateEntry(e MapStateEntry) mapStateEntry
func ParseProxyID ¶ added in v0.15.7
func ParseProxyID(proxyID string) (endpointID uint16, ingress bool, protocol string, port uint16, listener string, err error)
ParseProxyID parses a proxy ID returned by ProxyID and returns its components.
func PassEntry ¶ added in v1.19.0
PassEntry returns a MapStateEntry with maximum precedence for a pass entry
func ProxyStatsKey ¶ added in v1.16.0
ProxyStatsKey returns a key for an endpoint's proxy stats, which may aggregate stats from multiple proxy redirects on the same port.
func SetPolicyEnabled ¶ added in v0.15.7
func SetPolicyEnabled(val string)
SetPolicyEnabled sets the policy enablement configuration. Valid values are:
- endpoint.AlwaysEnforce
- endpoint.NeverEnforce
- endpoint.DefaultEnforcement
Types ¶
type AddOptions ¶ added in v0.15.7
// AddOptions are options which can be passed to PolicyAdd.
type AddOptions struct {
	// Replace if true indicates that existing rules with identical labels should be replaced
	Replace bool
	// ReplaceWithLabels if present indicates that existing rules with the
	// given LabelArray should be deleted.
	ReplaceWithLabels labels.LabelArray
	// Generated should be set to true to signal that the policy being inserted
	// was generated by cilium-agent, e.g. dns poller.
	Generated bool
	// The source of this policy, one of api, fqdn or k8s
	Source source.Source
	// The time the policy initially began to be processed in Cilium, such as when the
	// policy was received from the API server.
	ProcessingStartTime time.Time
	// Resource provides the object ID for the underlying object that backs
	// this information from 'source'.
	Resource ipcacheTypes.ResourceID
	// ReplaceByResource indicates the policy repository should replace any
	// rules owned by the given Resource with the new set of rules
	ReplaceByResource bool
}
AddOptions are options which can be passed to PolicyAdd
type AuthRequirement ¶ added in v1.17.0
// AuthRequirement is an alias of types.AuthRequirement.
type AuthRequirement = types.AuthRequirement
type CachedSelectionUser ¶ added in v0.15.7
// CachedSelectionUser is an alias of types.CachedSelectionUser.
type CachedSelectionUser = types.CachedSelectionUser
type CachedSelector ¶ added in v0.15.7
// CachedSelector is an alias of types.CachedSelector.
type CachedSelector = types.CachedSelector
type CachedSelectorSlice ¶ added in v0.15.7
// CachedSelectorSlice is an alias of types.CachedSelectorSlice.
type CachedSelectorSlice = types.CachedSelectorSlice
type ChangeState ¶ added in v0.15.7
// ChangeState allows the caller to revert changes made by (multiple)
// toMapState call(s). All fields are maps so this can be passed by value.
type ChangeState struct {
	Adds    Keys // Added or modified keys, if not nil
	Deletes Keys // deleted keys, if not nil
	// contains filtered or unexported fields
}
ChangeState allows the caller to revert changes made by (multiple) toMapState call(s). All fields are maps so this can be passed by value.
func (*ChangeState) Empty ¶ added in v1.17.0
func (c *ChangeState) Empty() bool
func (*ChangeState) Size ¶ added in v1.17.0
func (c *ChangeState) Size() int
Size returns the total number of Adds minus the total number of true Deletes (Deletes that are not also in Adds). The return value can be negative.
type DeleteOptions ¶ added in v0.15.7
// DeleteOptions are options which can be passed to PolicyDelete.
type DeleteOptions struct {
	// The source of this policy, one of api, fqdn or k8s
	Source source.Source
	// Resource provides the object ID for the underlying object that backs
	// this information from 'source'.
	Resource ipcacheTypes.ResourceID
	// DeleteByResource should be true if the resource should be used to identify
	// which rules should be deleted.
	DeleteByResource bool
}
DeleteOptions are options which can be passed to PolicyDelete
type EndpointInfo ¶ added in v1.18.0
// EndpointInfo carries the per-endpoint data needed by policy computation.
// NOTE(review): its MapStateSize returns 0 "as this is only used for testing" and
// RegenerateIfAlive is a no-op, so this looks like a lightweight/test-oriented
// implementation rather than a full Endpoint — confirm against the callers.
type EndpointInfo struct {
	// ID is the endpoint identifier (see GetID).
	ID uint64
	// TCPNamedPorts and UDPNamedPorts map port names to port numbers;
	// presumably consulted by GetNamedPort based on the given proto — confirm.
	TCPNamedPorts map[string]uint16
	UDPNamedPorts map[string]uint16
	// Logger receives the messages emitted via PolicyDebug.
	Logger *slog.Logger
	// contains filtered or unexported fields
}
func (*EndpointInfo) GetID ¶ added in v1.18.0
func (ei *EndpointInfo) GetID() uint64
func (*EndpointInfo) GetNamedPort ¶ added in v1.18.0
GetNamedPort determines the named port of the *destination*. So, if ingress is false, then this looks up the peer.
func (*EndpointInfo) IsHost ¶ added in v1.18.0
func (ei *EndpointInfo) IsHost() bool
func (*EndpointInfo) MapStateSize ¶ added in v1.18.0
func (ei *EndpointInfo) MapStateSize() int
MapStateSize returns the size of the current desired policy map, used for preallocation of the new map. Return 0 here as this is only used for testing.
func (*EndpointInfo) PolicyDebug ¶ added in v1.18.0
func (ei *EndpointInfo) PolicyDebug(msg string, attrs ...any)
func (*EndpointInfo) RegenerateIfAlive ¶ added in v1.18.0
func (ei *EndpointInfo) RegenerateIfAlive(_ *regeneration.ExternalRegenerationMetadata) <-chan bool
RegenerateIfAlive returns immediately as there is nothing to regenerate
type EndpointPolicy ¶ added in v0.15.7
// EndpointPolicy is a structure which contains the resolved policy across all
// layers (L3, L4, and L7), distilled against a set of identities.
type EndpointPolicy struct {
	// Note that all Endpoints sharing the same identity will be
	// referring to a shared selectorPolicy!
	SelectorPolicy *selectorPolicy
	// PolicyOwner describes any type which consumes this EndpointPolicy object.
	PolicyOwner PolicyOwner
	// Redirects contains the proxy ports needed for this EndpointPolicy.
	// If any redirects are missing a new policy will be computed to rectify it, so this is
	// constant for the lifetime of this EndpointPolicy.
	// NOTE(review): presumably keyed by the ProxyID string — confirm.
	Redirects map[string]uint16
	// contains filtered or unexported fields
}
EndpointPolicy is a structure which contains the resolved policy across all layers (L3, L4, and L7), distilled against a set of identities.
func NewEndpointPolicy ¶ added in v0.15.7
func NewEndpointPolicy(logger *slog.Logger, repo PolicyRepository) *EndpointPolicy
NewEndpointPolicy returns an empty EndpointPolicy stub. The returned stub is not modified.
func (*EndpointPolicy) ConsumeMapChanges ¶ added in v0.15.7
func (p *EndpointPolicy) ConsumeMapChanges() (closer func(), changes ChangeState)
ConsumeMapChanges applies accumulated MapChanges to EndpointPolicy 'p' and returns a summary of changes. Caller is responsible for calling the returned 'closer' to release resources held for the new revision!
func (*EndpointPolicy) CopyMapStateFrom ¶ added in v1.17.9
func (p *EndpointPolicy) CopyMapStateFrom(m MapStateMap)
CopyMapStateFrom copies the policy map entries from m.
func (*EndpointPolicy) Detach ¶ added in v0.15.7
func (p *EndpointPolicy) Detach(logger *slog.Logger)
Detach removes EndpointPolicy references from selectorPolicy to allow the EndpointPolicy to be GC'd. PolicyOwner (aka Endpoint) is also locked during this call.
func (*EndpointPolicy) Diff ¶ added in v1.17.0
func (p *EndpointPolicy) Diff(expected MapStateMap) string
func (*EndpointPolicy) Empty ¶ added in v1.17.0
func (p *EndpointPolicy) Empty() bool
func (*EndpointPolicy) Entries ¶ added in v1.17.0
func (p *EndpointPolicy) Entries() iter.Seq2[Key, MapStateEntry]
func (*EndpointPolicy) Equals ¶ added in v1.17.0
func (p *EndpointPolicy) Equals(other MapStateMap) bool
func (*EndpointPolicy) Get ¶ added in v1.17.0
func (p *EndpointPolicy) Get(key Key) (MapStateEntry, bool)
func (*EndpointPolicy) GetPolicySelectors ¶ added in v1.19.0
func (p *EndpointPolicy) GetPolicySelectors() SelectorSnapshot
func (*EndpointPolicy) GetRuleMeta ¶ added in v1.18.0
func (p *EndpointPolicy) GetRuleMeta(k Key) (RuleMeta, error)
GetRuleMeta returns the list of labels of the rules that contributed to the entry at this key.
func (*EndpointPolicy) Len ¶ added in v1.17.0
func (p *EndpointPolicy) Len() int
func (*EndpointPolicy) Lookup ¶ added in v1.18.0
func (p *EndpointPolicy) Lookup(key Key) (MapStateEntry, RuleMeta, bool)
Lookup finds the policy verdict applicable to the given 'key' using the same precedence logic between L3 and L4-only policies like the bpf datapath when both match the given 'key'. To be used in testing in place of the bpf datapath when full integration testing is not desired. Returns the closest matching covering policy entry, the labels of the rules that contributed to that verdict, and 'true' if found. Returns a deny entry when a match is not found, mirroring the datapath default deny behavior. 'key' must not have a wildcard identity or port.
func (*EndpointPolicy) LookupRedirectPort ¶ added in v1.17.0
func (p *EndpointPolicy) LookupRedirectPort(ingress bool, protocol string, port uint16, listener string) (uint16, error)
LookupRedirectPort returns the redirect L4 proxy port for the given input parameters. Returns 0 if not found or the filter doesn't require a redirect. Returns an error if the redirect port cannot be found. This is called when accumulating incremental map changes; the endpoint lock must not be taken.
func (*EndpointPolicy) Missing ¶ added in v1.17.0
func (p *EndpointPolicy) Missing(realized *EndpointPolicy) iter.Seq2[Key, MapStateEntry]
Missing returns an iterator for all key/entry pairs in 'realized' that are missing from 'p'. Here 'realized' is another EndpointPolicy. This can be used to figure out which entries in 'realized' need to be deleted.
func (*EndpointPolicy) MissingMap ¶ added in v1.17.0
func (p *EndpointPolicy) MissingMap(realized MapStateMap) iter.Seq2[Key, MapStateEntry]
MissingMap returns an iterator for all key/entry pairs in 'realized' that are missing from 'p'. Here 'realized' is a MapStateMap. This can be used to figure out which entries in 'realized' need to be deleted.
func (*EndpointPolicy) Ready ¶ added in v1.17.0
func (p *EndpointPolicy) Ready() (err error)
Ready releases memory held for the selector snapshot. This should be called when the policy has been realized.
func (*EndpointPolicy) RevertChanges ¶ added in v1.17.0
func (p *EndpointPolicy) RevertChanges(changes ChangeState)
func (*EndpointPolicy) Updated ¶ added in v1.17.0
func (p *EndpointPolicy) Updated(realized *EndpointPolicy) iter.Seq2[Key, MapStateEntry]
Updated returns an iterator for all key/entry pairs in 'p' that are either new or updated compared to the entries in 'realized'. Here 'realized' is another EndpointPolicy. This can be used to figure out which entries need to be added to or updated in 'realized'.
func (*EndpointPolicy) UpdatedMap ¶ added in v1.17.0
func (p *EndpointPolicy) UpdatedMap(realized MapStateMap) iter.Seq2[Key, MapStateEntry]
UpdatedMap returns an iterator for all key/entry pairs in 'p' that are either new or updated compared to the entries in 'realized'. Here 'realized' is a MapStateMap. This can be used to figure out which entries need to be added to or updated in 'realized'.
type GetPolicyStatistics ¶ added in v1.17.0
type IDSet ¶ added in v1.5.0
// IDSet is a set of numeric identities.
type IDSet map[identity.NumericIdentity]struct{}
type Key ¶ added in v0.15.7
Key and Keys are types used both internally and externally. The types have been lifted out, but an alias is being used so we don't have to change all the code everywhere.
Do not use these types outside of pkg/policy or pkg/endpoint, lest ye find yourself with hundreds of unnecessary imports.
func KeyForDirection ¶ added in v1.17.0
func KeyForDirection(direction trafficdirection.TrafficDirection) Key
type L4DirectionPolicy ¶ added in v0.15.7
// L4DirectionPolicy holds the L4 policy of a single traffic direction
// (see L4Policy.Ingress and L4Policy.Egress).
type L4DirectionPolicy struct {
	// PortRules holds the L4 filters of this direction, one L4PolicyMap per tier.
	PortRules L4PolicyMaps
	// contains filtered or unexported fields
}
func (L4DirectionPolicy) Detach ¶ added in v0.15.7
func (l4 L4DirectionPolicy) Detach(selectorCache *SelectorCache)
Detach removes the cached selectors held by L4PolicyMap from the selectorCache, allowing the map to be garbage collected when there are no more references to it.
type L4Filter ¶
// L4Filter represents the policy (allowed remote sources / destinations of traffic)
// that applies at a specific L4 port/protocol combination (including all ports and
// protocols), at either ingress or egress. The policy here is specified in terms of
// selectors that are mapped to security identities via the selector cache.
type L4Filter struct {
	// Tier is the policy tier this filter belongs to (L4PolicyMaps keeps one map per tier).
	Tier types.Tier `json:"tier,omitempty"`
	// U8Proto is the Protocol in numeric format, or 0 for NONE
	U8Proto u8proto.U8proto `json:"-"`
	// Port is the destination port to allow. Port 0 indicates that all traffic
	// is allowed at L4.
	Port uint16 `json:"port"`
	// EndPort is zero for a singular port
	EndPort uint16 `json:"endPort,omitempty"`
	// Protocol is the L4 protocol to allow or NONE
	Protocol api.L4Proto `json:"protocol"`
	// PortName is the named port this filter applies to, if any
	// (see L4PolicyMap.NamedPortMap).
	PortName string `json:"port-name,omitempty"`
	// PerSelectorPolicies is a map of policies for selectors, including any L7 rules passed to
	// the L7 proxy. nil values represent cached selectors that have selector-specific policy
	// restriction (such as no L7 rules). Holds references to the cached selectors, which must
	// be released!
	PerSelectorPolicies L7DataMap `json:"l7-rules,omitempty"`
	// Ingress is true if filter applies at ingress; false if it applies at egress.
	Ingress bool `json:"-"`
	// RuleOrigin is a set of rule labels tracking which policy rules are the origin for this
	// L3/L4 filter.
	RuleOrigin map[CachedSelector]ruleOrigin `json:"-"`
	// contains filtered or unexported fields
}
L4Filter represents the policy (allowed remote sources / destinations of traffic) that applies at a specific L4 port/protocol combination (including all ports and protocols), at either ingress or egress. The policy here is specified in terms of selectors that are mapped to security identities via the selector cache.
func (*L4Filter) GetIngress ¶ added in v0.15.7
GetIngress returns whether the L4Filter applies at ingress or egress.
func (*L4Filter) GetPerSelectorPolicies ¶ added in v1.18.0
GetPerSelectorPolicies returns a shallow copy of the PerSelectorPolicies of the L4Filter.
func (*L4Filter) GetPort ¶ added in v0.15.7
GetPort returns the port at which the L4Filter applies as a uint16.
func (*L4Filter) IdentitySelectionCommit ¶ added in v1.17.0
func (l4 *L4Filter) IdentitySelectionCommit(logger *slog.Logger, txn SelectorSnapshot)
func (*L4Filter) IdentitySelectionUpdated ¶ added in v0.15.7
func (l4 *L4Filter) IdentitySelectionUpdated(logger *slog.Logger, cs types.CachedSelector, added, deleted []identity.NumericIdentity)
IdentitySelectionUpdated implements the CachedSelectionUser interface. This call is made from a single goroutine in FIFO order to keep add and delete events ordered properly. No locks are held.
The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.
func (*L4Filter) IsPeerSelector ¶ added in v1.17.0
func (*L4Filter) SelectsAllEndpoints ¶ added in v0.15.7
SelectsAllEndpoints returns whether the L4Filter selects all endpoints, which is true if the wildcard endpoint selector is present in the map.
type L4Policy ¶
// L4Policy is the L4 (port/protocol) policy split by traffic direction, together
// with the repository revision it was generated from.
type L4Policy struct {
	// Ingress and Egress hold the per-direction L4 policy.
	Ingress L4DirectionPolicy
	Egress  L4DirectionPolicy
	// Revision is the repository revision used to generate this policy.
	Revision uint64
	// contains filtered or unexported fields
}
func (*L4Policy) AccumulateMapChanges ¶ added in v0.15.7
func (l4Policy *L4Policy) AccumulateMapChanges(logger *slog.Logger, l4 *L4Filter, cs CachedSelector, adds, deletes []identity.NumericIdentity)
AccumulateMapChanges distributes the given changes to the registered users.
The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.
func (*L4Policy) Attach ¶ added in v0.15.7
func (l4 *L4Policy) Attach(ctx PolicyContext)
Attach makes all the L4Filters point back to the L4Policy that contains them. This is done before the L4Policy is exposed to concurrent access.
func (*L4Policy) GetRuleOriginModel ¶ added in v1.19.0
GetRuleOriginModel returns the API model of the L4 policy with the rule origins only.
func (*L4Policy) HasEnvoyRedirect ¶ added in v0.15.7
HasEnvoyRedirect returns true if the L4 policy contains at least one port redirection to Envoy
func (*L4Policy) HasProxylibRedirect ¶ added in v0.15.7
HasProxylibRedirect returns true if the L4 policy contains at least one port redirection to Proxylib
func (*L4Policy) HasRedirect ¶
HasRedirect returns true if the L4 policy contains at least one port redirection
func (*L4Policy) SyncMapChanges ¶ added in v1.17.0
func (l4Policy *L4Policy) SyncMapChanges(l4 *L4Filter, txn SelectorSnapshot)
SyncMapChanges marks earlier updates as completed
type L4PolicyMap ¶
// L4PolicyMap indexes L4Filters three ways: by named port, by exact
// port-protocol, and by a port trie that resolves overlapping port ranges.
type L4PolicyMap struct {
	// NamedPortMap represents the named ports (a Kubernetes feature)
	// that map to an L4Filter. They must be tracked at the selection
	// level, because they can only be resolved at the endpoint/identity
	// level. Named ports cannot have ranges.
	NamedPortMap map[string]*L4Filter
	// RangePortMap is a map of all L4Filters indexed by their port-
	// protocol.
	RangePortMap map[portProtoKey]*L4Filter
	// RangePortIndex is an index of all L4Filters so that
	// L4Filters that have overlapping port ranges can be looked up
	// with a single port.
	RangePortIndex *bitlpm.UintTrie[uint32, map[portProtoKey]struct{}]
}
L4PolicyMap is the implementation of L4PolicyMap
func (*L4PolicyMap) Delete ¶ added in v1.16.0
func (l4M *L4PolicyMap) Delete(port string, endPort uint16, protocol string)
Delete an L4Filter from the index by protocol/port-endPort
func (*L4PolicyMap) ExactLookup ¶ added in v1.16.0
func (l4M *L4PolicyMap) ExactLookup(port string, endPort uint16, protocol string) *L4Filter
ExactLookup looks up an L4Filter by protocol/port-endPort and looks for an exact match.
func (*L4PolicyMap) ForEach ¶ added in v1.16.0
func (l4M *L4PolicyMap) ForEach(fn func(l4 *L4Filter) bool)
ForEach iterates over all L4Filters in the l4PolicyMap.
func (*L4PolicyMap) Len ¶ added in v1.16.0
func (l4M *L4PolicyMap) Len() int
Len returns the number of entries in the map.
type L4PolicyMaps ¶ added in v1.19.0
// L4PolicyMaps is a slice of L4PolicyMap, one for each tier in the policy.
type L4PolicyMaps []L4PolicyMap
L4PolicyMaps is a slice of L4PolicyMap, one for each tier in the policy
func NewL4PolicyMapWithValues ¶ added in v1.16.0
func NewL4PolicyMapWithValues(initMap map[string]*L4Filter) L4PolicyMaps
NewL4PolicyMapWithValues creates a new L4PolicyMap with an initial set of values. The initMap argument does not support port ranges.
func (L4PolicyMaps) Len ¶ added in v1.19.0
func (ls L4PolicyMaps) Len() int
type L7DataMap ¶ added in v0.15.7
// L7DataMap contains a map of L7 rules per endpoint where the key is a CachedSelector.
type L7DataMap map[CachedSelector]*PerSelectorPolicy
L7DataMap contains a map of L7 rules per endpoint where key is a CachedSelector
func (L7DataMap) MarshalJSON ¶ added in v0.15.7
type L7ParserType ¶ added in v0.15.7
// L7ParserType is the type used to indicate what L7 parser to use. Consts are
// defined for all well known L7 parsers. Unknown string values are created for
// key-value pair policies, which are then transparently used in redirect
// configuration.
type L7ParserType string
L7ParserType is the type used to indicate what L7 parser to use. Consts are defined for all well known L7 parsers. Unknown string values are created for key-value pair policies, which are then transparently used in redirect configuration.
const (
	// ParserTypeNone represents the case where no parser type is provided.
	ParserTypeNone L7ParserType = ""
	// ParserTypeTLS is used for TLS origination, termination, or SNI filtering without any L7
	// parsing. If TLS policies are used with HTTP rules, ParserTypeHTTP is used instead.
	ParserTypeTLS L7ParserType = "tls"
	// ParserTypeCRD is used with a custom CiliumEnvoyConfig redirection. Incompatible with any
	// parser type with L7 enforcement (HTTP, Kafka, proxylib), as the custom Listener generally
	// does not support them.
	ParserTypeCRD L7ParserType = "crd"
	// ParserTypeHTTP specifies a HTTP parser type
	ParserTypeHTTP L7ParserType = "http"
	// ParserTypeKafka specifies a Kafka parser type
	ParserTypeKafka L7ParserType = "kafka"
	// ParserTypeDNS specifies a DNS parser type
	ParserTypeDNS L7ParserType = "dns"
)
func (L7ParserType) Merge ¶ added in v0.15.7
func (a L7ParserType) Merge(b L7ParserType) (L7ParserType, error)
Merge merges ParserTypes 'a' and 'b' if possible.
func (L7ParserType) String ¶ added in v0.15.7
func (l7 L7ParserType) String() string
type ListenerPriority ¶ added in v1.18.0
// ListenerPriority is an alias of types.ListenerPriority.
type ListenerPriority = types.ListenerPriority
const (
	// ListenerPriorityNone is the default (low) priority for all proxy redirects.
	// Values 1..100 are explicit (non-default) listener priorities, 1 being the
	// highest; 127 is reserved.
	ListenerPriorityNone ListenerPriority = 0
	// Default listener priorities for the L7 parser types.
	ListenerPriorityHTTP     ListenerPriority = 101
	ListenerPriorityKafka    ListenerPriority = 106
	ListenerPriorityProxylib ListenerPriority = 111
	// ListenerPriorityTLS is the priority for TLS interception parsers
	// (can be promoted to HTTP/Kafka/proxylib).
	ListenerPriorityTLS ListenerPriority = 116
	ListenerPriorityDNS ListenerPriority = 121
	// ListenerPriorityCRD is the default priority for the CRD parser type.
	ListenerPriorityCRD ListenerPriority = 126
)
API listener priorities and corresponding defaults for L7 parser types:
- 0: default (low) priority for all proxy redirects
- 1: highest listener priority
- ..
- 100: lowest (non-default) listener priority
- 101: priority for the HTTP parser type
- 106: priority for the Kafka parser type
- 111: priority for the proxylib parsers
- 116: priority for TLS interception parsers (can be promoted to HTTP/Kafka/proxylib)
- 121: priority for the DNS parser type
- 126: default priority for the CRD parser type
- 127: reserved (listener priority passed as 0)
MapStateEntry stores this value reversed in the low 8 bits of 'Precedence', so that higher numbers have higher precedence.
type MapChange ¶ added in v0.15.7
// MapChange is a single add or delete of one policy map entry.
type MapChange struct {
	Add   bool // false deletes
	Key   Key
	Value MapStateEntry
}
type MapChanges ¶ added in v0.15.7
// MapChanges collects updates to the endpoint policy on the granularity of
// individual mapstate key-value pairs for both adds and deletes.
// 'mutex' must be held for any access.
type MapChanges struct {
	// contains filtered or unexported fields
}
MapChanges collects updates to the endpoint policy on the granularity of individual mapstate key-value pairs for both adds and deletes. 'mutex' must be held for any access.
func (*MapChanges) AccumulateMapChanges ¶ added in v0.15.7
func (mc *MapChanges) AccumulateMapChanges(tier types.Tier, basePriority types.Priority, adds, deletes []identity.NumericIdentity, keys []Key, value mapStateEntry)
AccumulateMapChanges accumulates the given changes to the MapChanges.
The caller is responsible for making sure the same identity is not present in both 'adds' and 'deletes'.
If an identity is present in 'adds' or 'deletes', then the caller must make sure all keys that need to be added/deleted for that identity are accumulated before 'SyncMapChanges' is called, so that when the changes are applied, all keys for that identity are applied at the same time.
func (*MapChanges) SyncMapChanges ¶ added in v1.17.0
func (mc *MapChanges) SyncMapChanges(selectors SelectorSnapshot)
SyncMapChanges moves the current batch of changes to 'synced' to be consumed as a unit
type MapStateEntry ¶ added in v0.15.7
// MapStateEntry is an alias of types.MapStateEntry.
type MapStateEntry = types.MapStateEntry
type MapStateMap ¶ added in v1.17.0
// MapStateMap is an alias of types.MapStateMap.
type MapStateMap = types.MapStateMap
type MaskedPort ¶ added in v1.16.0
// MaskedPort is a port with a wild card mask value. The port range is represented
// by a masked port because we need to use masks for policy Keys that are indexed
// in the datapath by a bitwise longest-prefix-match trie.
type MaskedPort struct {
	// contains filtered or unexported fields
}
MaskedPort is a port with a wild card mask value. The port range is represented by a masked port because we need to use masks for policy Keys that are indexed in the datapath by a bitwise longest-prefix-match trie.
func PortRangeToMaskedPorts ¶ added in v1.16.0
func PortRangeToMaskedPorts(start uint16, end uint16) (ports []MaskedPort)
PortRangeToMaskedPorts returns a slice of masked ports for the given port range. If the end port is equal to or less than the start port, then the start port is returned as a fully masked port. Ports are not returned in any particular order, so testing code needs to sort them for consistency.
func (MaskedPort) String ¶ added in v1.16.0
func (m MaskedPort) String() string
type PerSelectorPolicy ¶ added in v0.15.7
// PerSelectorPolicy contains policy rules for a CachedSelector, i.e. for a
// selection of numerical identities.
type PerSelectorPolicy struct {
	// L7Parser specifies the L7 protocol parser (optional). If specified as
	// an empty string, it means that no L7 proxy redirect is performed.
	L7Parser L7ParserType `json:"-"`
	// Priority is the priority level for this rule. Defaults to 0. Rules with lower priority
	// values take precedence over rules with later priority values.
	Priority types.Priority `json:"priority,omitempty"`
	// Verdict specifies if traffic matching this policy should be allowed, denied, or if
	// the verdict should be determined by lower priority rules (pass).
	Verdict types.Verdict `json:"verdict,omitempty"`
	// ListenerPriority is the priority of the listener used when multiple listeners would
	// apply to the same MapStateEntry.
	// Lower numbers indicate higher priority, except for the default 0, which indicates the
	// lowest priority. If a higher priority is desired, a low unique number like 1, 2, or 3
	// should be explicitly specified here.
	ListenerPriority ListenerPriority `json:"listenerPriority,omitempty"`
	// Listener is an optional fully qualified name of an Envoy Listener defined in a
	// CiliumEnvoyConfig CRD that should be used for this traffic instead of the default
	// listener.
	Listener string `json:"listener,omitempty"`
	// TerminatingTLS is the TLS context for the connection terminated by
	// the L7 proxy. For egress policy this specifies the server-side TLS
	// parameters to be applied on the connections originated from the local
	// POD and terminated by the L7 proxy. For ingress policy this specifies
	// the server-side TLS parameters to be applied on the connections
	// originated from a remote source and terminated by the L7 proxy.
	TerminatingTLS *TLSContext `json:"terminatingTLS,omitempty"`
	// OriginatingTLS is the TLS context for the connections originated by
	// the L7 proxy. For egress policy this specifies the client-side TLS
	// parameters for the upstream connection originating from the L7 proxy
	// to the remote destination. For ingress policy this specifies the
	// client-side TLS parameters for the connection from the L7 proxy to
	// the local POD.
	OriginatingTLS *TLSContext `json:"originatingTLS,omitempty"`
	// ServerNames is a list of allowed TLS SNI values. If not empty, then
	// TLS must be present and one of the provided SNIs must be indicated in the
	// TLS handshake.
	ServerNames StringSet `json:"serverNames,omitempty"`
	// L7Rules (embedded) carries the L7 rules for this selector; HasL7Rules
	// reports whether any are present.
	api.L7Rules
	// Authentication is the kind of cryptographic authentication required for the traffic to be
	// allowed at L3, if any.
	Authentication *api.Authentication `json:"auth,omitempty"`
	// contains filtered or unexported fields
}
PerSelectorPolicy contains policy rules for a CachedSelector, i.e. for a selection of numerical identities.
func (*PerSelectorPolicy) CanShortCircuit ¶ added in v0.15.7
func (a *PerSelectorPolicy) CanShortCircuit() bool
CanShortCircuit returns true if EnvoyHTTPRules enforcement can take the first match as the final verdict.
func (*PerSelectorPolicy) EnvoyHTTPRules ¶ added in v0.15.7
func (a *PerSelectorPolicy) EnvoyHTTPRules() *cilium.HttpNetworkPolicyRules
EnvoyHTTPRules returns pre-computed Envoy HTTP rules.
func (*PerSelectorPolicy) Equal ¶ added in v0.15.7
func (a *PerSelectorPolicy) Equal(b *PerSelectorPolicy) bool
Equal returns true if 'a' and 'b' represent the same L7 Rules
func (*PerSelectorPolicy) GetListener ¶ added in v1.16.0
func (a *PerSelectorPolicy) GetListener() string
GetListener returns the listener of the PerSelectorPolicy.
func (*PerSelectorPolicy) GetListenerPriority ¶ added in v1.19.0
func (a *PerSelectorPolicy) GetListenerPriority() ListenerPriority
GetListenerPriority returns the priority of the listener of the PerSelectorPolicy.
func (*PerSelectorPolicy) GetPriority ¶ added in v1.16.0
func (a *PerSelectorPolicy) GetPriority() types.Priority
GetPriority returns the priority of the PerSelectorPolicy.
func (*PerSelectorPolicy) GetVerdict ¶ added in v1.19.0
func (a *PerSelectorPolicy) GetVerdict() types.Verdict
func (*PerSelectorPolicy) HasL7Rules ¶ added in v0.15.7
func (sp *PerSelectorPolicy) HasL7Rules() bool
HasL7Rules returns whether the `L7Rules` contains any L7 rules.
func (*PerSelectorPolicy) IsDeny ¶ added in v0.15.7
func (a *PerSelectorPolicy) IsDeny() bool
func (*PerSelectorPolicy) IsRedirect ¶ added in v0.15.7
func (sp *PerSelectorPolicy) IsRedirect() bool
IsRedirect returns true if the L7Rules are a redirect.
type PerSelectorPolicyTuple ¶ added in v1.18.0
// PerSelectorPolicyTuple pairs a PerSelectorPolicy with the CachedSelector it
// applies to. It is the value type yielded by SelectorPolicy.RedirectFilters.
type PerSelectorPolicyTuple struct {
	Policy   *PerSelectorPolicy
	Selector CachedSelector
}
type PolicyContext ¶ added in v0.15.7
// PolicyContext is an interface policy resolution functions use to access the
// Repository. This way testing code can run without mocking a full Repository.
type PolicyContext interface {
	// AllowLocalhost returns true if policy should allow ingress from local host.
	// Always returns false for egress.
	AllowLocalhost() bool
	// GetNamespace returns the namespace in which the policy rule is being resolved.
	GetNamespace() string
	// GetSelectorCache returns the SelectorCache.
	GetSelectorCache() *SelectorCache
	// GetTLSContext resolves the given 'api.TLSContext' into CA
	// certs and the public and private keys, using secrets from
	// k8s or from the local file system.
	GetTLSContext(tls *api.TLSContext) (ca, public, private string, inlineSecrets bool, err error)
	// GetEnvoyHTTPRules translates the given 'api.L7Rules' into
	// the protobuf representation the Envoy can consume. The bool
	// return parameter tells whether the rule enforcement can
	// be short-circuited upon the first allowing rule. This is
	// false if any of the rules has side-effects, requiring all
	// such rules being evaluated.
	GetEnvoyHTTPRules(l7Rules *api.L7Rules) (*cilium.HttpNetworkPolicyRules, bool)
	// SetPriority sets the priority level for the first rule being processed.
	SetPriority(tier types.Tier, priority types.Priority)
	// Priority returns the priority level for the current rule.
	Priority() (tier types.Tier, priority types.Priority)
	// DefaultDenyIngress returns true if default deny is enabled for ingress.
	DefaultDenyIngress() bool
	// DefaultDenyEgress returns true if default deny is enabled for egress.
	DefaultDenyEgress() bool
	// SetOrigin records the (unexported) ruleOrigin for the rule currently being
	// resolved; presumably the provenance later exposed as RuleMeta — confirm.
	SetOrigin(ruleOrigin)
	// Origin returns the ruleOrigin previously recorded with SetOrigin.
	Origin() ruleOrigin
	// GetLogger returns the logger to use during policy resolution.
	GetLogger() *slog.Logger
	// PolicyTrace emits a printf-style trace message during policy resolution.
	PolicyTrace(format string, a ...any)
}
PolicyContext is an interface policy resolution functions use to access the Repository. This way testing code can run without mocking a full Repository.
type PolicyOwner ¶ added in v0.15.7
// PolicyOwner is anything which consumes an EndpointPolicy. Method semantics
// below are inferred from the names and signatures; confirm against the
// implementing type.
type PolicyOwner interface {
	// GetID returns the owner's numeric ID.
	GetID() uint64
	// GetNamedPort resolves a named port for the given direction and protocol
	// to a port number (presumably 0 when unknown — confirm).
	GetNamedPort(ingress bool, name string, proto u8proto.U8proto) uint16
	// PolicyDebug logs a policy debug message with structured attributes.
	PolicyDebug(msg string, attrs ...any)
	// IsHost reports whether the owner is the host endpoint (assumed from the name).
	IsHost() bool
	// MapStateSize returns the size of the owner's current policy map state.
	MapStateSize() int
	// RegenerateIfAlive triggers a regeneration of the owner if it is still
	// alive and returns a channel that reports the outcome.
	RegenerateIfAlive(regenMetadata *regeneration.ExternalRegenerationMetadata) <-chan bool
}
PolicyOwner is anything which consumes an EndpointPolicy.
type PolicyRepository ¶ added in v1.17.0
// PolicyRepository is the interface through which policy consumers access the
// rule repository; *Repository provides all of these methods.
type PolicyRepository interface {
	// BumpRevision allows forcing policy regeneration.
	BumpRevision() uint64
	// GetAuthTypes returns the AuthTypes required by the policy between
	// localID and remoteID.
	GetAuthTypes(localID identity.NumericIdentity, remoteID identity.NumericIdentity) AuthTypes
	// GetEnvoyHTTPRules translates the given 'api.L7Rules' into the protobuf
	// representation Envoy can consume, as PolicyContext.GetEnvoyHTTPRules does;
	// 'ns' is the namespace the rules are resolved in. The bool reports whether
	// enforcement can be short-circuited on the first allowing rule.
	GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)
	// GetSelectorPolicy computes the SelectorPolicy for a given identity.
	//
	// It returns nil if skipRevision is >= than the already calculated version.
	// This is used to skip policy calculation when a certain revision delta is
	// known to not affect the given identity. Pass a skipRevision of 0 to force
	// calculation.
	GetSelectorPolicy(id *identity.Identity, skipRevision uint64, stats GetPolicyStatistics, endpointID uint64) (SelectorPolicy, uint64, error)
	// GetPolicySnapshot returns a map of all the SelectorPolicies in the repository.
	GetPolicySnapshot() map[identity.NumericIdentity]SelectorPolicy
	// GetRevision returns the revision of the policy repository.
	GetRevision() uint64
	// GetRulesList returns the current policy.
	GetRulesList() *models.Policy
	// GetSelectorCache returns the selector cache used by the repository.
	GetSelectorCache() *SelectorCache
	// GetSubjectSelectorCache returns the selector cache used by the repository
	// for indexing policies.
	GetSubjectSelectorCache() *SelectorCache
	// Iterate calls f for each rule in the repository. It is safe to call
	// Iterate concurrently.
	Iterate(f func(rule *types.PolicyEntry))
	// ReplaceByResource replaces all rules owned by 'resource', returning the
	// complete set of affected identities, the new revision, and (as the result
	// name suggests — confirm) the count of rules previously held for that resource.
	ReplaceByResource(rules types.PolicyEntries, resource ipcachetypes.ResourceID) (affectedIDs *set.Set[identity.NumericIdentity], rev uint64, oldRevCnt int)
	// Search returns the current policy entries together with a revision
	// (presumably the repository revision — Search is otherwise undocumented; confirm).
	Search() (types.PolicyEntries, uint64)
}
type ProxyPolicy ¶ added in v0.15.7
// ProxyPolicy is any type which encodes state needed to redirect to an L7
// proxy. Method semantics below are inferred from the names and return types;
// confirm against the implementing type.
type ProxyPolicy interface {
	// GetPerSelectorPolicies returns the per-selector L7 policies of the redirect.
	GetPerSelectorPolicies() L7DataMap
	// GetL7Parser returns the L7 parser type used for the redirect.
	GetL7Parser() L7ParserType
	// GetIngress reports whether the redirect applies to ingress (true) or egress (false).
	GetIngress() bool
	// GetPort returns the L4 port the redirect applies to.
	GetPort() uint16
	// GetProtocol returns the L4 protocol of the redirected traffic.
	GetProtocol() u8proto.U8proto
	// GetListener returns the listener name for the redirect (an empty string
	// presumably selecting the default listener, as for PerSelectorPolicy.Listener).
	GetListener() string
}
ProxyPolicy is any type which encodes state needed to redirect to an L7 proxy.
type Repository ¶ added in v0.9.0
// Repository is a list of policy rules which in combination form the security
// policy. Create one with NewPolicyRepository; it satisfies PolicyRepository.
type Repository struct {
	// contains filtered or unexported fields
}
Repository is a list of policy rules which in combination form the security policy. A policy repository can be
func NewPolicyRepository ¶ added in v0.9.0
func NewPolicyRepository( logger *slog.Logger, initialIDs identity.IdentityMap, certManager certificatemanager.CertificateManager, l7RulesTranslator envoypolicy.EnvoyL7RulesTranslator, idmgr identitymanager.IDManager, metricsManager types.PolicyMetrics, ) *Repository
NewPolicyRepository creates a new policy repository.
func (*Repository) BumpRevision ¶ added in v0.15.7
func (p *Repository) BumpRevision() uint64
BumpRevision allows forcing policy regeneration
func (*Repository) GetAuthTypes ¶ added in v0.15.7
func (p *Repository) GetAuthTypes(localID, remoteID identity.NumericIdentity) AuthTypes
GetAuthTypes returns the AuthTypes required by the policy between the localID and remoteID
func (*Repository) GetEnvoyHTTPRules ¶ added in v0.15.7
func (p *Repository) GetEnvoyHTTPRules(l7Rules *api.L7Rules, ns string) (*cilium.HttpNetworkPolicyRules, bool)
func (*Repository) GetPolicySnapshot ¶ added in v1.18.0
func (p *Repository) GetPolicySnapshot() map[identity.NumericIdentity]SelectorPolicy
GetPolicySnapshot returns a map of all the SelectorPolicies in the repository.
func (*Repository) GetRevision ¶ added in v0.10.0
func (p *Repository) GetRevision() uint64
GetRevision returns the revision of the policy repository
func (*Repository) GetRulesList ¶ added in v0.15.7
func (p *Repository) GetRulesList() *models.Policy
GetRulesList returns the current policy
func (*Repository) GetSelectorCache ¶ added in v0.15.7
func (p *Repository) GetSelectorCache() *SelectorCache
GetSelectorCache returns the selector cache used by the Repository.
func (*Repository) GetSelectorPolicy ¶ added in v1.17.0
func (r *Repository) GetSelectorPolicy(id *identity.Identity, skipRevision uint64, stats GetPolicyStatistics, endpointID uint64) (SelectorPolicy, uint64, error)
GetSelectorPolicy computes the SelectorPolicy for a given identity.
It returns nil if skipRevision is >= than the already calculated version. This is used to skip policy calculation when a certain revision delta is known to not affect the given identity. Pass a skipRevision of 0 to force calculation.
func (*Repository) GetSubjectSelectorCache ¶ added in v1.19.0
func (p *Repository) GetSubjectSelectorCache() *SelectorCache
GetSubjectSelectorCache returns the selector cache used by the Repository for indexing policies
func (*Repository) Iterate ¶ added in v0.15.7
func (p *Repository) Iterate(f func(rule *types.PolicyEntry))
Iterate iterates the policy repository, calling f for each rule. It is safe to execute Iterate concurrently.
func (*Repository) MustAddList ¶ added in v1.16.0
func (p *Repository) MustAddList(rules api.Rules) (ruleSlice, uint64)
MustAddList inserts a rule into the policy repository. It is used for unit-testing purposes only. Panics if the rule is invalid
func (*Repository) MustAddPolicyEntries ¶ added in v1.19.0
func (p *Repository) MustAddPolicyEntries(entries types.PolicyEntries) (ruleSlice, uint64)
MustAddPolicyEntries inserts the given PolicyEntries into the policy repository. It is used for unit-testing purposes only.
func (*Repository) ReplaceByResource ¶ added in v1.17.0
func (p *Repository) ReplaceByResource(rules types.PolicyEntries, resource ipcachetypes.ResourceID) (affectedIDs *set.Set[identity.NumericIdentity], rev uint64, oldRuleCnt int)
ReplaceByResource replaces all rules by resource, returning the complete set of affected endpoints.
func (*Repository) Search ¶ added in v1.17.0
func (p *Repository) Search() (types.PolicyEntries, uint64)
type RuleMeta ¶ added in v1.18.0
// RuleMeta is the set of meta-information from the owning rules. To save
// memory, it is an interned type. Thus all the struct members are strings
// (but are really delimited lists). See LabelArray and LabelArrayListString.
type RuleMeta struct {
	// contains filtered or unexported fields
}
RuleMeta is the set of meta-information from the owning rules. To save memory, it is an interned type. Thus all the struct members are strings (but are really delimited lists)
func LookupFlow ¶ added in v1.18.0
func LookupFlow(logger *slog.Logger, repo PolicyRepository, identityManager identitymanager.IDManager, flow Flow, srcEP, dstEP *EndpointInfo) (verdict api.Decision, egress, ingress RuleMeta, err error)
LookupFlow determines the policy verdict for a given flow.
The flow's identities must have been loaded in to the repository's SelectorCache, or policy will not be correctly computed.
This function is only used for testing, but in multiple packages.
TODO: add support for redirects
func (RuleMeta) LabelArray ¶ added in v1.18.0
func (rm RuleMeta) LabelArray() labels.LabelArrayList
func (RuleMeta) LabelArrayListString ¶ added in v1.18.0
func (rm RuleMeta) LabelArrayListString() labels.LabelArrayListString
type SelectorCache ¶ added in v0.15.7
// SelectorCache caches identities, identity selectors, and the subsets of
// identities each selector selects. Create one with NewSelectorCache.
type SelectorCache struct {
	// contains filtered or unexported fields
}
SelectorCache caches identities, identity selectors, and the subsets of identities each selector selects.
func NewSelectorCache ¶ added in v0.15.7
func NewSelectorCache(logger *slog.Logger, ids identity.IdentityMap) *SelectorCache
NewSelectorCache creates a new SelectorCache with the given identities.
func (*SelectorCache) AddIdentitySelectorForTest ¶ added in v1.19.0
func (sc *SelectorCache) AddIdentitySelectorForTest(user CachedSelectionUser, lbls stringLabels, es api.EndpointSelector) (cachedSelector CachedSelector, added bool)
AddIdentitySelectorForTest adds the given api.EndpointSelector into the selector cache. If an identical EndpointSelector has already been cached, the corresponding CachedSelector is returned, otherwise one is created and added to the cache. NOTE: Only used for testing, but from multiple packages.
func (*SelectorCache) AddSelectors ¶ added in v1.19.0
func (sc *SelectorCache) AddSelectors(user CachedSelectionUser, lbls stringLabels, selectors ...Selector) (CachedSelectorSlice, bool)
AddSelectors adds Selectors into the selector cache, and returns the corresponding slice of cached selectors. Selections of new selectors are visible to readers right after this call.
func (*SelectorCache) AddSelectorsTxn ¶ added in v1.19.0
func (sc *SelectorCache) AddSelectorsTxn(user CachedSelectionUser, lbls stringLabels, selectors ...Selector) (CachedSelectorSlice, bool)
AddSelectorsTxn adds Selectors into the selector cache, and returns the corresponding slice of cached selectors. Commit() must be called afterwards to make the selections of new selectors observable by readers.
func (*SelectorCache) CanSkipUpdate ¶ added in v1.17.0
func (sc *SelectorCache) CanSkipUpdate(added, deleted identity.IdentityMap) bool
CanSkipUpdate returns true if a proposed update is already known to the SelectorCache and thus a no-op. Is used to de-dup an ID update stream, because identical updates may come from multiple sources.
func (*SelectorCache) ChangeUser ¶ added in v0.15.7
func (sc *SelectorCache) ChangeUser(selector CachedSelector, from, to CachedSelectionUser)
ChangeUser changes the CachedSelectionUser that receives updates for the cached selector.
func (*SelectorCache) Commit ¶ added in v1.19.0
func (sc *SelectorCache) Commit()
Commit makes the selections of new selectors added via AddSelectors visible via CachedSelector.GetSelections() and CachedSelector.GetSelectionsAt().
func (*SelectorCache) GetModel ¶ added in v0.15.7
func (sc *SelectorCache) GetModel() models.SelectorCache
GetModel returns the API model of the SelectorCache.
func (*SelectorCache) GetSelectorSnapshot ¶ added in v1.19.0
func (sc *SelectorCache) GetSelectorSnapshot() SelectorSnapshot
GetSelectorSnapshot returns a read-only snapshot of the current selectors in the selector cache. The returned snapshot should be Close()d as soon as possible to limit memory use.
func (*SelectorCache) RegisterMetrics ¶ added in v1.17.0
func (sc *SelectorCache) RegisterMetrics()
func (*SelectorCache) RemoveSelector ¶ added in v0.15.7
func (sc *SelectorCache) RemoveSelector(selector CachedSelector, user CachedSelectionUser)
RemoveSelector removes CachedSelector for the user.
func (*SelectorCache) RemoveSelectors ¶ added in v0.15.7
func (sc *SelectorCache) RemoveSelectors(selectors CachedSelectorSlice, user CachedSelectionUser)
RemoveSelectors removes CachedSelectorSlice for the user.
func (*SelectorCache) SetLocalIdentityNotifier ¶ added in v0.15.7
func (sc *SelectorCache) SetLocalIdentityNotifier(pop identityNotifier)
SetLocalIdentityNotifier injects the provided identityNotifier into the SelectorCache. Currently, this is used to inject the FQDN subsystem into the SelectorCache so the SelectorCache can notify the FQDN subsystem when it should be aware of a given FQDNSelector for which CIDR identities need to be provided upon DNS lookups which correspond to said FQDNSelector.
func (*SelectorCache) Stats ¶ added in v1.17.0
func (sc *SelectorCache) Stats() selectorStats
func (*SelectorCache) UpdateIdentities ¶ added in v0.15.7
func (sc *SelectorCache) UpdateIdentities(added, deleted identity.IdentityMap, wg *sync.WaitGroup) (mutated bool)
UpdateIdentities propagates identity updates to selectors
The caller is responsible for making sure the same identity is not present in both 'added' and 'deleted'.
Caller should Wait() on the returned sync.WaitGroup before triggering any policy updates. Policy updates may need Endpoint locks, so this Wait() can deadlock if the caller is holding any endpoint locks.
Incremental deletes of mutated identities are not sent to the users, as that could lead to deletion of policy map entries while other selectors may still select the mutated identity. In this case the return value is 'true' and the caller should trigger policy updates on all endpoints to remove the affected identity only from selectors that no longer select the mutated identity.
func (*SelectorCache) WithRLock ¶ added in v1.19.0
func (sc *SelectorCache) WithRLock(f func(sc *SelectorCache))
WithRLock calls the given function with the selector cache locked for reading, so that the caller may get ready for getting incremental updates (by registering as a user) that are possible right after the lock is released. This should only be used with trivial functions that can not lock or sleep.
type SelectorPolicy ¶ added in v0.15.7
// SelectorPolicy represents a selectorPolicy, previously resolved from the
// policy repository and ready to be distilled against a set of identities to
// compute datapath-level policy configuration.
type SelectorPolicy interface {
	// RedirectFilters yields each L4Filter that requires an L7 redirect together
	// with the (PerSelectorPolicy, CachedSelector) tuple it applies to. It is used
	// to ensure the endpoint has created all the needed redirects before a new
	// EndpointPolicy is created.
	RedirectFilters() iter.Seq2[*L4Filter, PerSelectorPolicyTuple]
	// DistillPolicy returns the policy in terms of connectivity to peer
	// Identities. 'redirects' maps names to proxy ports (presumably the
	// redirects created for the filters yielded by RedirectFilters — confirm).
	DistillPolicy(logger *slog.Logger, owner PolicyOwner, redirects map[string]uint16) *EndpointPolicy
}
SelectorPolicy represents a selectorPolicy, previously resolved from the policy repository and ready to be distilled against a set of identities to compute datapath-level policy configuration.
type SelectorRevision ¶ added in v1.19.0
// SelectorRevision is an alias for types.SelectorRevision.
type SelectorRevision = types.SelectorRevision
type SelectorSnapshot ¶ added in v1.19.0
// SelectorSnapshot is an alias for types.SelectorSnapshot; obtain one from
// SelectorCache.GetSelectorSnapshot.
type SelectorSnapshot = types.SelectorSnapshot
type StringSet ¶ added in v0.15.7
// StringSet is a set of strings, e.g. the allowed SNI values in
// PerSelectorPolicy.ServerNames. Build one with NewStringSet.
type StringSet map[string]struct{}
func NewStringSet ¶ added in v0.15.7
NewStringSet returns a StringSet initialized from a slice of strings. Returns nil for an empty slice.
type TLSContext ¶ added in v0.15.7
// TLSContext holds the secret values resolved from an 'api.TLSContext'.
type TLSContext struct {
	// TrustedCA, CertificateChain and PrivateKey hold the resolved CA
	// certificate(s), certificate chain and private key. These are secrets:
	// MarshalJSON deliberately redacts them, so never emit a TLSContext through
	// a non-redacting path (e.g. %v/%+v formatting) in logs or API output.
	// String() is undocumented here — confirm it redacts before relying on it.
	TrustedCA        string `json:"trustedCA,omitempty"`
	CertificateChain string `json:"certificateChain,omitempty"`
	PrivateKey       string `json:"privateKey,omitempty"`
	// Secret holds the name of the Secret that was referenced in the Policy.
	Secret k8sTypes.NamespacedName
	// FromFile is true if the values in the keys above were read from the filesystem
	// and not a Kubernetes Secret.
	FromFile bool
}
TLSContext holds the secret values resolved from an 'api.TLSContext'.
func (*TLSContext) Equal ¶ added in v0.15.7
func (a *TLSContext) Equal(b *TLSContext) bool
Equal returns true if 'a' and 'b' have the same contents.
func (*TLSContext) MarshalJSON ¶ added in v0.15.7
func (t *TLSContext) MarshalJSON() ([]byte, error)
MarshalJSON marshals a redacted version of the TLSContext. We want to see which fields are present, but not reveal their values in any logs, etc.
func (*TLSContext) String ¶ added in v1.16.13
func (t *TLSContext) String() string
type TLSDirection ¶ added in v0.15.7
// TLSDirection names which side of the L7 proxy a TLS context applies to
// (presumably matching PerSelectorPolicy.TerminatingTLS and OriginatingTLS).
type TLSDirection string

// TerminatingTLS denotes the TLS context for connections terminated by the L7 proxy.
const TerminatingTLS TLSDirection = "terminating"

// OriginatingTLS denotes the TLS context for connections originated by the L7 proxy.
const OriginatingTLS TLSDirection = "originating"
type Updater ¶ added in v0.15.7
// Updater is responsible for triggering policy updates, in order to perform
// policy recalculation. Create one with NewUpdater; see TriggerPolicyUpdates.
type Updater struct {
	// contains filtered or unexported fields
}
Updater is responsible for triggering policy updates, in order to perform policy recalculation.
func NewUpdater ¶ added in v0.15.7
func NewUpdater(logger *slog.Logger, r PolicyRepository, regen regenerator) *Updater
NewUpdater returns a new Updater instance to handle triggering policy updates ready for use.
func (*Updater) TriggerPolicyUpdates ¶ added in v0.15.7
TriggerPolicyUpdates force full policy recomputation before regenerating all endpoints. This artificially bumps the policy revision, invalidating all cached policies. This is done when an additional resource used in policy calculation has changed.
Source Files
Directories
| Path | Synopsis |
|---|---|
| api | Package api defines the API of the Cilium network policy interface +groupName=policy |
| trafficdirection | package trafficdirection specifies the directionality of policy in a numeric representation. |