types

package
v1.19.0
Published: Feb 3, 2026 License: Apache-2.0 Imports: 28 Imported by: 0


Constants

const (
	MaxListenerPriority = 126

	MaxPriority Priority = 1<<precedencePriorityBits - 1

	// Precedence low byte values for entries on the same priority level (bytes 1-3)
	PrecedenceDeny  Precedence = 255 // all low 8 bits set
	PrecedenceAllow Precedence = 1   // Note: proxy redirects use higher values
	PrecedencePass  Precedence = 0

	MaxPrecedence         = ^Precedence(0)
	MaxDenyPrecedence     = MaxPrecedence
	MaxPriorityPrecedence = (MaxPrecedence & ^(PrecedenceDeny))
	MaxAllowPrecedence    = (MaxPrecedence & ^(PrecedenceDeny)) + PrecedenceAllow
)
const (
	// LabelSelectorClass indicates the class of selector being measured
	LabelSelectorClass = "class"

	// LabelValueSCFQDN is used for regular security identities
	// shared between all nodes in the cluster.
	LabelValueSCFQDN = "fqdn"

	// LabelValueSCCluster is used for the cluster entity.
	LabelValueSCCluster = "cluster"

	// LabelValueSCWorld is used for the world entity.
	LabelValueSCWorld = "world"

	// LabelValueSCOther is used for security identities allocated locally
	// on the current node.
	LabelValueSCOther = "other"

	// LabelValueSCTypePeer is used for the normal selector cache
	LabelValueSCTypePeer = "peer"

	// LabelValueSCOperationAddSelector is used for the operation that adds a new selector
	LabelValueSCOperationAddSelector = "add_selector"

	// LabelValueSCOperationRemoveSelector is used for the operation that removes a selector
	LabelValueSCOperationRemoveSelector = "remove_selector"

	// LabelValueSCOperationIdentityUpdates is used for the operation that updates one or more identities in the cache
	LabelValueSCOperationIdentityUpdates = "identity_updates"

	// LabelValueSCOperation is used for the actual Selector Cache Operation duration
	LabelValueSCOperation = "operation"

	// LabelValueSCOperationLock is used for the actual lock time during the Selector Cache Operation duration
	LabelValueSCOperationLock = "lock"
)
const MapStatePrefixLen = uint(32)

MapStatePrefixLen is the length, in bits, of the Key when converted to binary, minus the size of the identity field (which is not indexed).

Variables

var (
	WildcardSelector  = NewLabelSelectorFromLabels()
	WildcardSelectors = Selectors{WildcardSelector}
)

Functions

func Matches added in v1.19.0

func Matches[T labels.LabelMatcher](s *LabelSelector, ls T) bool

func MatchesRequirement added in v1.19.0

func MatchesRequirement[T labels.LabelMatcher](r *Requirement, ls T) bool

MatchesRequirement returns true if the Requirement matches the input labels. This is structurally the same as k8sLbls.Requirement.Matches(), but takes a LabelArray as an argument instead of a string.

MatchesRequirement is defined as a generic function on labels.LabelMatcher rather than taking the interface as the parameter, because the interface parameter causes the Go compiler (1.25.2) to escape the labels.LabelArray implementing the interface to the heap, causing large memory overhead. When the compiler specializes the generic type to a concrete type (not an interface), it can perform correct escape analysis and avoid unnecessary heap allocations.

func MatchesRequirements added in v1.19.0

func MatchesRequirements[T labels.LabelMatcher](reqs Requirements, ls T) bool

MatchesRequirements is defined as a generic function on labels.LabelMatcher rather than taking the interface as the parameter, for the same reason as MatchesRequirement: the interface parameter causes the Go compiler (1.25.2) to escape the labels.LabelArray implementing the interface to the heap, causing large memory overhead. When the compiler specializes the generic type to a concrete type (not an interface), it can perform correct escape analysis and avoid unnecessary heap allocations.

Types

type APISelector added in v1.19.0

type APISelector interface {
	// SelectorKey is a unique string for the given selector that is used as a key in
	// selector maps. Must never be an empty string.
	SelectorKey() string
}

APISelector is a marker for all API types that can be converted to Selectors.

type AuthRequirement added in v1.17.0

type AuthRequirement AuthType

AuthRequirement is a combination of an AuthType with an 'explicit' flag on the highest bit. This is defined in order to keep MapStateEntry smaller and to simplify the code wiring this to the bpf datapath.

NOTE: This type is part of the bpf policy API.

This type reflects the layout of the 'auth_type' field in the bpf policy map and is used in pkg/maps/policymap. This layout must not be changed!

const (
	NoAuthRequirement  AuthRequirement = 0
	AuthTypeIsExplicit AuthRequirement = 1 << 7
)

func (AuthRequirement) AsDerived added in v1.17.0

func (a AuthRequirement) AsDerived() AuthRequirement

AsDerived returns the auth requirement with the 'explicit' flag cleared.

func (AuthRequirement) AuthType added in v1.17.0

func (a AuthRequirement) AuthType() AuthType

func (AuthRequirement) IsExplicit added in v1.17.0

func (a AuthRequirement) IsExplicit() bool

type AuthType added in v1.17.0

type AuthType uint8

AuthType enumerates the supported authentication types in the api package. The numerically higher type takes precedence in case of conflicting auth types.

const (
	// AuthTypeDisabled means no authentication required
	AuthTypeDisabled AuthType = iota
	// AuthTypeSpire is a mutual auth type that uses SPIFFE identities with a SPIRE server
	AuthTypeSpire
	// AuthTypeAlwaysFail is a simple auth type that always denies the request
	AuthTypeAlwaysFail
)

func (AuthType) AsDerivedRequirement added in v1.17.0

func (a AuthType) AsDerivedRequirement() AuthRequirement

func (AuthType) AsExplicitRequirement added in v1.17.0

func (a AuthType) AsExplicitRequirement() AuthRequirement

func (AuthType) String added in v1.17.0

func (a AuthType) String() string

String returns AuthType as a string. This must return the strings accepted for api.AuthType.

func (AuthType) Uint8 added in v1.17.0

func (a AuthType) Uint8() uint8

Uint8 returns AuthType as a uint8

type AuthTypes added in v1.17.0

type AuthTypes map[AuthType]struct{}

AuthTypes is a set of AuthTypes, usually nil if empty

type CIDRSelector added in v1.19.0

type CIDRSelector struct {
	// contains filtered or unexported fields
}

+deepequal-gen=true

func NewCIDRSelector added in v1.19.0

func NewCIDRSelector(key string, cidr api.CIDR, except []api.CIDR) *CIDRSelector

func (*CIDRSelector) DeepEqual added in v1.19.0

func (in *CIDRSelector) DeepEqual(other *CIDRSelector) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*CIDRSelector) GetCIDRPrefixes added in v1.19.0

func (p *CIDRSelector) GetCIDRPrefixes() (prefixes []netip.Prefix)

GetCIDRPrefixes returns the prefixes referenced by the selector, including prefixes referenced solely by "ExceptCIDRs" entries.

func (*CIDRSelector) GetFQDNSelector added in v1.19.0

func (p *CIDRSelector) GetFQDNSelector() (*api.FQDNSelector, bool)

func (*CIDRSelector) IsWildcard added in v1.19.0

func (p *CIDRSelector) IsWildcard() bool

func (*CIDRSelector) Key added in v1.19.0

func (p *CIDRSelector) Key() string

func (*CIDRSelector) MarshalJSON added in v1.19.0

func (p *CIDRSelector) MarshalJSON() ([]byte, error)

func (*CIDRSelector) Matches added in v1.19.0

func (p *CIDRSelector) Matches(ls labels.LabelArray) bool

func (*CIDRSelector) MetricsClass added in v1.19.0

func (p *CIDRSelector) MetricsClass() string

func (*CIDRSelector) SelectedNamespaces added in v1.19.0

func (p *CIDRSelector) SelectedNamespaces() []string

func (*CIDRSelector) String added in v1.19.0

func (p *CIDRSelector) String() string

type CachedSelectionUser added in v1.17.0

type CachedSelectionUser interface {
	// The caller is responsible for making sure the same identity is not
	// present in both 'added' and 'deleted'.
	IdentitySelectionUpdated(logger *slog.Logger, selector CachedSelector, added, deleted []identity.NumericIdentity)

	// IdentitySelectionCommit tells the user that all IdentitySelectionUpdated calls relating
	// to a specific added or removed identity have been made.
	IdentitySelectionCommit(*slog.Logger, SelectorSnapshot)

	// IsPeerSelector returns true if the selector is used by the policy
	// engine for selecting traffic for remote peers. False if used for
	// selecting policy subjects.
	IsPeerSelector() bool
}

CachedSelectionUser inserts selectors into the cache and gets update callbacks whenever the set of selected numeric identities changes for the CachedSelectors pushed by it. Callbacks are executed from a separate goroutine that does not take the selector cache lock, so the implementations generally may call back to the selector cache.

type CachedSelector added in v1.17.0

type CachedSelector interface {
	// GetSelections returns the cached set of numeric identities
	// selected by the CachedSelector for the latest revision of the
	// selector cache.  The returned slice must NOT be modified, as it
	// is shared among multiple users.
	GetSelections() identity.NumericIdentitySlice

	// GetSelectionsAt returns the cached set of numeric identities
	// selected by the CachedSelector.  The returned slice must NOT
	// be modified, as it is shared among multiple users.
	GetSelectionsAt(SelectorSnapshot) identity.NumericIdentitySlice

	// GetMetadataLabels returns metadata labels for additional context
	// surrounding the selector. These are typically the labels associated with
	// Cilium rules.
	GetMetadataLabels() labels.LabelArray

	// Selects return 'true' if the CachedSelector selects the given
	// numeric identity on the latest version of the selector.
	Selects(identity.NumericIdentity) bool

	// IsWildcard returns true if the endpoint selector selects
	// all endpoints.
	IsWildcard() bool

	// IsNone returns true if the selector never selects anything
	IsNone() bool

	// String returns the string representation of this selector.
	// Used as a map key.
	String() string
}

CachedSelector represents an identity selector owned by the selector cache

type CachedSelectorSlice added in v1.17.0

type CachedSelectorSlice []CachedSelector

CachedSelectorSlice is a slice of CachedSelectors that can be sorted.

func (CachedSelectorSlice) Len added in v1.17.0

func (s CachedSelectorSlice) Len() int

func (CachedSelectorSlice) Less added in v1.17.0

func (s CachedSelectorSlice) Less(i, j int) bool

func (CachedSelectorSlice) MarshalJSON added in v1.17.0

func (s CachedSelectorSlice) MarshalJSON() ([]byte, error)

MarshalJSON returns the CachedSelectors as JSON formatted buffer

func (CachedSelectorSlice) SelectsAllEndpoints added in v1.17.0

func (s CachedSelectorSlice) SelectsAllEndpoints() bool

SelectsAllEndpoints returns whether the CachedSelectorSlice selects all endpoints, which is true if the wildcard endpoint selector is present in the slice.

func (CachedSelectorSlice) Swap added in v1.17.0

func (s CachedSelectorSlice) Swap(i, j int)

type FQDNSelector added in v1.19.0

type FQDNSelector struct {
	// contains filtered or unexported fields
}

+deepequal-gen=true

func (*FQDNSelector) DeepEqual added in v1.19.0

func (in *FQDNSelector) DeepEqual(other *FQDNSelector) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*FQDNSelector) GetCIDRPrefixes added in v1.19.0

func (p *FQDNSelector) GetCIDRPrefixes() []netip.Prefix

func (*FQDNSelector) GetFQDNSelector added in v1.19.0

func (p *FQDNSelector) GetFQDNSelector() (*api.FQDNSelector, bool)

func (*FQDNSelector) IsWildcard added in v1.19.0

func (p *FQDNSelector) IsWildcard() bool

func (*FQDNSelector) Key added in v1.19.0

func (p *FQDNSelector) Key() string

func (*FQDNSelector) MarshalJSON added in v1.19.0

func (p *FQDNSelector) MarshalJSON() ([]byte, error)

func (*FQDNSelector) Matches added in v1.19.0

func (p *FQDNSelector) Matches(lbls labels.LabelArray) bool

Matches returns true if the identity contains at least one label that matches the FQDNSelector's IdentityLabel string.

func (*FQDNSelector) MetricsClass added in v1.19.0

func (p *FQDNSelector) MetricsClass() string

func (*FQDNSelector) SelectedNamespaces added in v1.19.0

func (p *FQDNSelector) SelectedNamespaces() []string

func (*FQDNSelector) String added in v1.19.0

func (p *FQDNSelector) String() string

type Key

type Key struct {
	LPMKey
	// Identity is the numeric identity to / from which traffic is allowed.
	Identity identity.NumericIdentity
}

func EgressKey added in v1.17.0

func EgressKey() Key

func IngressKey added in v1.17.0

func IngressKey() Key

func KeyForDirection added in v1.17.0

func KeyForDirection(direction trafficdirection.TrafficDirection) Key

func (Key) PortProtoIsBroader

func (k Key) PortProtoIsBroader(c Key) bool

PortProtoIsBroader returns true if the receiver Key has broader port-protocol than the argument Key. That is a port-protocol that covers the argument Key's port-protocol and is larger. An equal port-protocol will return false.

func (Key) String

func (k Key) String() string

String returns a string representation of the Key

func (Key) WithIdentity added in v1.17.0

func (k Key) WithIdentity(nid identity.NumericIdentity) Key

func (Key) WithPort added in v1.17.0

func (k Key) WithPort(port uint16) Key

func (Key) WithPortPrefix added in v1.17.0

func (k Key) WithPortPrefix(port uint16, prefixLen uint8) Key

func (Key) WithPortProto added in v1.17.0

func (k Key) WithPortProto(proto u8proto.U8proto, port uint16) Key

func (Key) WithPortProtoPrefix added in v1.17.0

func (k Key) WithPortProtoPrefix(proto u8proto.U8proto, port uint16, prefixLen uint8) Key

func (Key) WithProto added in v1.17.0

func (k Key) WithProto(proto u8proto.U8proto) Key

func (Key) WithSCTPPort added in v1.17.0

func (k Key) WithSCTPPort(port uint16) Key

func (Key) WithSCTPPortPrefix added in v1.17.0

func (k Key) WithSCTPPortPrefix(port uint16, prefixLen uint8) Key

func (Key) WithTCPPort added in v1.17.0

func (k Key) WithTCPPort(port uint16) Key

func (Key) WithTCPPortPrefix added in v1.17.0

func (k Key) WithTCPPortPrefix(port uint16, prefixLen uint8) Key

func (Key) WithUDPPort added in v1.17.0

func (k Key) WithUDPPort(port uint16) Key

func (Key) WithUDPPortPrefix added in v1.17.0

func (k Key) WithUDPPortPrefix(port uint16, prefixLen uint8) Key

type Keys

type Keys map[Key]struct{}

type LPMKey added in v1.17.0

type LPMKey struct {

	// Nexthdr is the protocol which is allowed.
	Nexthdr u8proto.U8proto
	// DestPort is the port at L4 to / from which traffic is allowed, in
	// host-byte order.
	DestPort uint16
	// contains filtered or unexported fields
}

LPMKey is the userspace representation of a policy key in BPF without the identity (see Key). It is intentionally duplicated from pkg/maps/policymap to avoid pulling the BPF dependency into this package.

func (LPMKey) BitValueAt added in v1.17.0

func (k LPMKey) BitValueAt(i uint) uint8

BitValueAt implements the BitValueAt method for the bitlpm.Key interface.

func (LPMKey) CommonPrefix added in v1.17.0

func (k LPMKey) CommonPrefix(b LPMKey) uint

CommonPrefix implements the CommonPrefix method for the bitlpm.Key interface. Identity is not indexed; it is instead saved in a simple map per TrafficDirection-Protocol-Port index key.

func (LPMKey) EndPort added in v1.17.0

func (k LPMKey) EndPort() uint16

EndPort returns the end-port of the Key based on the Mask.

func (LPMKey) HasPortWildcard added in v1.17.0

func (k LPMKey) HasPortWildcard() bool

func (LPMKey) IsEgress added in v1.17.0

func (k LPMKey) IsEgress() bool

IsEgress returns true if the key refers to an egress policy key

func (LPMKey) IsIngress added in v1.17.0

func (k LPMKey) IsIngress() bool

IsIngress returns true if the key refers to an ingress policy key

func (LPMKey) PortIsBroader added in v1.17.0

func (k LPMKey) PortIsBroader(c Key) bool

PortIsBroader returns true if the receiver Key's port range covers the argument Key's port range, but returns false if they are equal.

func (LPMKey) PortIsEqual added in v1.17.0

func (k LPMKey) PortIsEqual(c Key) bool

PortIsEqual returns true if the port ranges between the two keys are exactly equal.

func (LPMKey) PortPrefixLen added in v1.17.0

func (k LPMKey) PortPrefixLen() uint8

PortPrefixLen returns the length of the bitwise mask that should be applied to the DestPort.

func (LPMKey) PortProtoIsEqual added in v1.17.0

func (k LPMKey) PortProtoIsEqual(c Key) bool

PortProtoIsEqual returns true if the port-protocols of the two keys are exactly equal.

func (LPMKey) PrefixLength added in v1.17.0

func (k LPMKey) PrefixLength() uint

PrefixLength returns the prefix length of the key for indexing it in the userspace cache (not the BPF map or datapath).

func (LPMKey) TrafficDirection added in v1.17.0

func (k LPMKey) TrafficDirection() trafficdirection.TrafficDirection

TrafficDirection returns the direction of the Key: 0 == ingress, 1 == egress.
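The EndPort, PortIsBroader, PortIsEqual and CommonPrefix descriptions above are easiest to follow with the bit arithmetic written out. The following is an added example, not Cilium's own code: PortKey is a hypothetical stand-in for the port/prefix part of LPMKey (the direction and protocol bits of the real key are left out), and PortRangeKeys goes beyond the page by showing how an arbitrary inclusive port range is decomposed into the minimal set of prefix keys, the same way an IP range is split into CIDR prefixes.

```go
package main

import (
	"fmt"
	"math/bits"
)

// PortKey is a hypothetical stand-in for the port/prefix part of LPMKey:
// the direction and protocol bits of the real key are left out on purpose.
type PortKey struct {
	DestPort  uint16 // host byte order; bits below the prefix are zero
	PrefixLen uint8  // significant high bits: 0 = any port, 16 = this exact port
}

// portMask returns the mask selecting the PrefixLen high bits of a port.
func portMask(prefixLen uint8) uint16 {
	if prefixLen >= 16 {
		return 0xffff
	}
	return uint16(0xffff) << (16 - prefixLen) // prefixLen 0 yields 0
}

// NewPortKey normalises the port to its prefix so that two keys describing
// the same range are equal under ==.
func NewPortKey(port uint16, prefixLen uint8) PortKey {
	if prefixLen > 16 {
		prefixLen = 16
	}
	return PortKey{DestPort: port & portMask(prefixLen), PrefixLen: prefixLen}
}

// EndPort returns the last port covered by the key, derived from the mask.
func (k PortKey) EndPort() uint16 { return k.DestPort | ^portMask(k.PrefixLen) }

// HasPortWildcard is true when at least one port bit is not significant.
func (k PortKey) HasPortWildcard() bool { return k.PrefixLen < 16 }

// Matches reports whether a concrete port lies inside the key's range.
func (k PortKey) Matches(port uint16) bool { return port&portMask(k.PrefixLen) == k.DestPort }

// PortIsEqual is true only for exactly the same port range.
func (k PortKey) PortIsEqual(c PortKey) bool { return k == c }

// PortIsBroader is true if k covers all of c's range and is strictly larger.
func (k PortKey) PortIsBroader(c PortKey) bool {
	return k.DestPort <= c.DestPort && k.EndPort() >= c.EndPort() && k != c
}

// CommonPrefix returns the number of leading port bits the keys share, capped
// by the shorter prefix; an LPM trie uses this to decide where a key branches.
func (k PortKey) CommonPrefix(c PortKey) uint8 {
	n := uint8(bits.LeadingZeros16(k.DestPort ^ c.DestPort))
	if k.PrefixLen < n {
		n = k.PrefixLen
	}
	if c.PrefixLen < n {
		n = c.PrefixLen
	}
	return n
}

// PortRangeKeys splits an inclusive [start, end] port range into the minimal
// set of prefix keys, like splitting an IP range into CIDR prefixes: at each
// step take the largest aligned block that starts at the current port and
// does not run past end. Returns nil when start > end.
func PortRangeKeys(start, end uint16) []PortKey {
	var keys []PortKey
	for cur := uint32(start); cur <= uint32(end); {
		prefixLen := uint8(16)
		for prefixLen > 0 {
			size := uint32(1) << (16 - (prefixLen - 1))
			if cur%size != 0 || cur+size-1 > uint32(end) {
				break
			}
			prefixLen--
		}
		keys = append(keys, NewPortKey(uint16(cur), prefixLen))
		cur += uint32(1) << (16 - prefixLen)
	}
	return keys
}

func main() {
	// Constructed sample: a port rule for 8080-8090 becomes three LPM keys.
	for _, k := range PortRangeKeys(8080, 8090) {
		fmt.Printf("%d/%d covers %d-%d wildcard=%v\n", k.DestPort, k.PrefixLen, k.DestPort, k.EndPort(), k.HasPortWildcard())
	}
	wide, narrow := NewPortKey(8080, 13), NewPortKey(8082, 16)
	fmt.Println("8080/13 broader than 8082/16:", wide.PortIsBroader(narrow), "common prefix bits:", wide.CommonPrefix(narrow))
}
```

A single port range in a rule therefore turns into several keys with different prefix lengths, and it is PortIsBroader and CommonPrefix that let overlapping keys be ordered when they are indexed in the userspace LPM cache.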

type LabelSelector added in v1.19.0

type LabelSelector struct {
	// contains filtered or unexported fields
}

+deepequal-gen=true

func NewLabelSelector added in v1.19.0

func NewLabelSelector(es api.EndpointSelector) *LabelSelector

func NewLabelSelectorFromLabels added in v1.19.0

func NewLabelSelectorFromLabels(lbls ...labels.Label) *LabelSelector

func (*LabelSelector) DeepEqual added in v1.19.0

func (in *LabelSelector) DeepEqual(other *LabelSelector) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*LabelSelector) GetCIDRPrefixes added in v1.19.0

func (p *LabelSelector) GetCIDRPrefixes() []netip.Prefix

func (*LabelSelector) GetFQDNSelector added in v1.19.0

func (p *LabelSelector) GetFQDNSelector() (*api.FQDNSelector, bool)

func (*LabelSelector) HasKeyPrefix added in v1.19.0

func (p *LabelSelector) HasKeyPrefix(prefix string) bool

HasKeyPrefix checks if the label selector contains the given key prefix in its MatchLabels map and MatchExpressions slice.

func (*LabelSelector) IsWildcard added in v1.19.0

func (p *LabelSelector) IsWildcard() bool

func (*LabelSelector) Key added in v1.19.0

func (p *LabelSelector) Key() string

func (*LabelSelector) MarshalJSON added in v1.19.0

func (p *LabelSelector) MarshalJSON() ([]byte, error)

func (*LabelSelector) Matches added in v1.19.0

func (p *LabelSelector) Matches(lbls labels.LabelArray) bool

Matches returns true if the LabelSelector matches the given labels.

func (*LabelSelector) MetricsClass added in v1.19.0

func (p *LabelSelector) MetricsClass() string

func (*LabelSelector) SelectedNamespaces added in v1.19.0

func (p *LabelSelector) SelectedNamespaces() []string

func (*LabelSelector) String added in v1.19.0

func (p *LabelSelector) String() string

type ListenerPriority added in v1.18.0

type ListenerPriority uint8 // Lower values take precedence

type MapStateEntry added in v1.17.0

type MapStateEntry struct {
	// Precedence encodes the relative order in which policy entries are selected.
	// Higher values have higher precedence.
	// Deny and Listener priority are encoded into the precedence field.
	Precedence Precedence

	// The proxy port, in host byte order.
	// If 0 (default), there is no proxy redirection for the corresponding
	// Key. Any other value signifies proxy redirection.
	ProxyPort uint16

	// AuthRequirement is non-zero when authentication is required for the traffic to be
	// allowed, except for when it explicitly defines authentication is not required.
	AuthRequirement AuthRequirement

	// Cookie is the policy log cookie. If non-zero, the datapath will pass up the
	// cookie on any policy verdict.
	Cookie uint32
	// contains filtered or unexported fields
}

MapStateEntry is the configuration associated with a Key in a MapState. This is a minimized version of policymap.PolicyEntry.

func AllowEntry added in v1.17.0

func AllowEntry() MapStateEntry

AllowEntry returns a MapStateEntry with maximum precedence for an allow entry without a proxy redirect

func DenyEntry added in v1.17.0

func DenyEntry() MapStateEntry

DenyEntry returns a MapStateEntry with maximum precedence for a deny entry

func InvalidEntry added in v1.19.0

func InvalidEntry() MapStateEntry

InvalidEntry returns an invalid MapStateEntry with max precedence that translates to 0 priority

func NewMapStateEntry added in v1.17.0

func NewMapStateEntry(
	priority Priority,
	deny bool,
	proxyPort uint16,
	listenerPriority ListenerPriority,
	authReq AuthRequirement,
) MapStateEntry

NewMapStateEntry creates a new MapStateEntry. Lower incoming "API" priority and proxy port listener priority indicate higher precedence. The integrated 'Precedence' field has inverted semantics:

- higher numbers have higher precedence
- 'priority' gets shifted into the highest 24 bits of 'Precedence', inverted
- 'verdict' deny status is also encoded into the PrecedenceDeny bit
- proxy port 'priority' is encoded into the low 7 bits of 'Precedence', inverted

func (MapStateEntry) AllowPrecedence added in v1.19.0

func (e MapStateEntry) AllowPrecedence() Precedence

AllowPrecedence masks away the impact of redirect (priority) on the precedence

func (*MapStateEntry) Invalidate added in v1.19.0

func (e *MapStateEntry) Invalidate()

func (MapStateEntry) IsAllow added in v1.19.0

func (e MapStateEntry) IsAllow() bool

func (MapStateEntry) IsDeny added in v1.17.0

func (e MapStateEntry) IsDeny() bool

func (MapStateEntry) IsRedirectEntry added in v1.17.0

func (e MapStateEntry) IsRedirectEntry() bool

IsRedirectEntry returns true if the entry redirects to a proxy port

func (MapStateEntry) IsValid added in v1.19.0

func (e MapStateEntry) IsValid() bool

func (*MapStateEntry) Merge added in v1.17.0

func (e *MapStateEntry) Merge(entry MapStateEntry)

Merge is only called for entries whose precedence may differ only for the proxy port priority value.

func (MapStateEntry) String added in v1.17.0

func (e MapStateEntry) String() string

String returns a string representation of the MapStateEntry

func (MapStateEntry) WithDeny added in v1.17.0

func (e MapStateEntry) WithDeny(isDeny bool) MapStateEntry

WithDeny returns the entry 'e' with the precedence set to deny if 'isDeny' is true, or to allow (preserving the proxy port precedence, if any) if 'isDeny' is false.

func (MapStateEntry) WithListenerPriority added in v1.18.0

func (e MapStateEntry) WithListenerPriority(priority ListenerPriority) MapStateEntry

WithListenerPriority returns a MapStateEntry with the given listener priority:

0 - default (low) priority for all proxy redirects
1 - highest listener priority
..
100 - lowest (non-default) listener priority
101 - priority for HTTP parser type
106 - priority for the Kafka parser type
111 - priority for the proxylib parsers
116 - priority for TLS interception parsers (can be promoted to HTTP/Kafka/proxylib)
121 - priority for DNS parser type
126 - default priority for CRD parser type

Note: Only to be called for allow entries where the low byte of the precedence field is initialized to PrecedenceAllow. Does nothing if proxy port is not set.

func (MapStateEntry) WithPriority added in v1.19.0

func (e MapStateEntry) WithPriority(priority Priority) MapStateEntry

WithPriority is only used for testing

func (MapStateEntry) WithProxyPort added in v1.17.0

func (e MapStateEntry) WithProxyPort(proxyPort uint16) MapStateEntry

WithProxyPort returns the MapStateEntry with the proxy port set at the default precedence. Only used for testing.

type MapStateMap added in v1.18.0

type MapStateMap map[Key]MapStateEntry

func (MapStateMap) Diff added in v1.18.0

func (obtained MapStateMap) Diff(expected MapStateMap) (res string)

Diff returns the string of differences between 'obtained' and 'expected' prefixed with '+ ' or '- ' for obtaining something unexpected, or not obtaining the expected, respectively. For use in debugging from other packages.

type PolicyCorrelationInfo added in v1.18.0

type PolicyCorrelationInfo struct {
	// RuleLabels are the rule labels.
	RuleLabels labels.LabelArrayListString

	// Log is the set of custom Log strings. Policies without a Spec.Log.Value will have
	// no entry here. Duplicate strings are coalesced.
	Log []string

	// Revision is the policy revision.
	Revision uint64
}

PolicyCorrelationInfo is the information about a policy required for policy correlation.

type PolicyEntries added in v1.19.0

type PolicyEntries []*PolicyEntry

PolicyEntries is a slice of pointers to PolicyEntry

type PolicyEntry added in v1.19.0

type PolicyEntry struct {
	Tier Tier

	// Priority defines the precedence of this rule in relation to other rules.  Lower values
	// take precedence over higher values. Rules having the default priority level 0 are
	// considered first, then the rest of the rules, from the earliest to later priority levels.
	Priority float64

	// Authentication specifies the cryptographic authentication required for the traffic to be
	// allowed
	Authentication *api.Authentication

	// Log specifies custom policy-specific Hubble logging configuration.
	Log api.LogConfig

	// Subject specifies the endpoint that this rule applies to
	Subject *LabelSelector

	// L3 specifies the source/destination peers.
	// Nil selects nothing.
	// Non-nil but empty L3 is implicitly treated as a wildcard selector if
	// any L4 PortRules are also specified.
	L3 Selectors

	// L4 specifies the source/destination port rules or none if empty
	L4 api.PortRules

	// Labels stores optional metadata.
	Labels labels.LabelArray

	// DefaultDeny is true if affected subjects should have non-selected traffic denied
	DefaultDeny bool

	// Verdict is the verdict (Allow, Deny or Pass) of this rule
	Verdict Verdict

	// Ingress is true if rule should affect ingress traffic, false otherwise
	Ingress bool

	// Node is true if Subject refers to a node
	Node bool
}

PolicyEntry specifies the L3/L4 details of a single policy rule

+deepequal-gen=true

func (*PolicyEntry) DeepEqual added in v1.19.0

func (in *PolicyEntry) DeepEqual(other *PolicyEntry) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*PolicyEntry) IsAllow added in v1.19.0

func (entry *PolicyEntry) IsAllow() bool

func (*PolicyEntry) IsDeny added in v1.19.0

func (entry *PolicyEntry) IsDeny() bool

type PolicyMetrics added in v1.18.0

type PolicyMetrics interface {
	AddRule(r PolicyEntry)
	DelRule(r PolicyEntry)
}

type PolicyUpdate added in v1.17.0

type PolicyUpdate struct {
	// The set of rules to be added.
	// Set to nil to delete for the given resource or labels.
	Rules PolicyEntries

	// Resource provides the object ID for the underlying object that backs
	// this information from 'source'.
	Resource ipcacheTypes.ResourceID

	// The source of this policy, used for prefix allocation
	Source source.Source

	// The time the policy initially began to be processed in Cilium, such as when the
	// policy was received from the API server.
	ProcessingStartTime time.Time

	// DoneChan, if not nil, will have a single value emitted: the revision of the
	// policy repository when the update has been processed.
	// It must therefore be a buffered channel!
	DoneChan chan<- uint64
}

PolicyUpdate is a proposed change to a policy in the PolicyRepository.

type Precedence added in v1.19.0

type Precedence uint32 // Higher values take precedence

func (Precedence) IsAllow added in v1.19.0

func (p Precedence) IsAllow() bool

func (Precedence) IsDeny added in v1.19.0

func (p Precedence) IsDeny() bool

func (Precedence) IsPass added in v1.19.0

func (p Precedence) IsPass() bool

func (Precedence) Priority added in v1.19.0

func (p Precedence) Priority() Priority

func (Precedence) ProxyPortPrecedenceMayDiffer added in v1.19.0

func (p Precedence) ProxyPortPrecedenceMayDiffer(o Precedence) bool

ProxyPortPrecedenceMayDiffer returns true if the two precedences are the same in all bits other than the proxy port (listener priority) bits, i.e. if they can differ at most in the proxy port precedence.

type Priority added in v1.19.0

type Priority uint32 // Lower values take precedence, only lower 24 bits are used

func (*Priority) Add added in v1.19.0

func (p *Priority) Add(add Priority) bool

func (*Priority) IncrementWithRoundup added in v1.19.0

func (p *Priority) IncrementWithRoundup(to Priority) bool

func (Priority) ToPassPrecedence added in v1.19.0

func (priority Priority) ToPassPrecedence() Precedence

ToPassPrecedence returns the precedence for the given priority with the lower 8 bits cleared.

type Requirement added in v1.19.0

type Requirement struct {
	// contains filtered or unexported fields
}

Requirement is a version of k8sLbls.Requirement where the key is pre-parsed and the values are stored as a set optimized for single-valued requirements.

+deepequal-gen=true

func NewEqualsRequirement added in v1.19.0

func NewEqualsRequirement(lbl labels.Label) Requirement

func NewExceptRequirement added in v1.19.0

func NewExceptRequirement(lbl labels.Label) Requirement

func NewExistRequirement added in v1.19.0

func NewExistRequirement(lbl labels.Label) Requirement

func NewRequirement added in v1.19.0

func NewRequirement(key string, op selection.Operator, values []string) Requirement

func (*Requirement) DeepEqual added in v1.19.0

func (in *Requirement) DeepEqual(other *Requirement) bool

DeepEqual is an autogenerated deepequal function, deeply comparing the receiver with other. in must be non-nil.

func (*Requirement) GetKeyPrefix added in v1.19.0

func (r *Requirement) GetKeyPrefix() *netip.Prefix

func (*Requirement) HasKeySource added in v1.19.0

func (r *Requirement) HasKeySource(source string) bool

func (*Requirement) HasValue added in v1.19.0

func (r *Requirement) HasValue(value string) bool

func (Requirement) WriteString added in v1.19.0

func (r Requirement) WriteString(sb *strings.Builder)

type Requirements added in v1.19.0

type Requirements []Requirement

Requirements is AND of all requirements.

func LabelSelectorToRequirements added in v1.19.0

func LabelSelectorToRequirements(labelSelector *slim_metav1.LabelSelector) Requirements

LabelSelectorToRequirements turns a kubernetes Selector into a slice of requirements equivalent to the selector. These are cached internally in the EndpointSelector to speed up Matches().

This validates the labels, which can be expensive (and may fail). If there's an error, the selector will be nil and the Matches() implementation will refuse to match any labels.

func NewExistRequirements added in v1.19.0

func NewExistRequirements(lbls labels.LabelArray) (reqs Requirements)

func RequirementsFromK8s added in v1.19.0

func RequirementsFromK8s(k8sReqs k8sLbls.Requirements) Requirements

func (Requirements) GetFirstK8sMatch added in v1.19.0

func (reqs Requirements) GetFirstK8sMatch(key string) ([]string, bool)

GetFirstK8sMatch checks for a match on the specified k8s key and returns the values that the key must match, and true. If no requirement with the key is found, or it uses an operator other than "In", "Equals", or "DoubleEquals", it returns nil, false. Note: the values of the first requirement with the given k8s key are returned. If there are multiple requirements with the same key, technically the intersection of all of them should be returned; the caller must perform a full match operation to prune out values not in that intersection.

func (Requirements) KeyOnlyRequirements added in v1.19.0

func (reqs Requirements) KeyOnlyRequirements() iter.Seq2[labels.Label, bool]

func (Requirements) WriteString added in v1.19.0

func (rs Requirements) WriteString(sb *strings.Builder)
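The generic MatchesRequirement / MatchesRequirements functions described earlier on this page and the Requirement, Requirements and GetFirstK8sMatch descriptions in this section fit in one added example. It is not the project's code: Label, LabelArray, LabelMatcher and Operator are hypothetical stand-ins for labels.Label, labels.LabelArray, labels.LabelMatcher and selection.Operator, and the operator semantics follow Kubernetes label selectors (an absent key satisfies both NotIn and DoesNotExist). The sample pod labels are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Label and LabelArray are hypothetical stand-ins for labels.Label and
// labels.LabelArray.
type Label struct{ Key, Value string }

type LabelArray []Label

// LabelMatcher is the minimal lookup a requirement needs from a label set;
// it stands in for labels.LabelMatcher.
type LabelMatcher interface {
	Get(key string) (value string, ok bool)
}

func (la LabelArray) Get(key string) (string, bool) {
	for _, l := range la {
		if l.Key == key {
			return l.Value, true
		}
	}
	return "", false
}

// Operator stands in for selection.Operator.
type Operator string

const (
	Equals       Operator = "="
	In           Operator = "in"
	NotIn        Operator = "notin"
	Exists       Operator = "exists"
	DoesNotExist Operator = "!"
)

// Requirement keeps the key pre-parsed and the values as a set, as described.
type Requirement struct {
	key    string
	op     Operator
	values map[string]struct{}
}

func NewRequirement(key string, op Operator, values []string) Requirement {
	r := Requirement{key: key, op: op}
	if len(values) > 0 {
		r.values = make(map[string]struct{}, len(values))
		for _, v := range values {
			r.values[v] = struct{}{}
		}
	}
	return r
}

// Requirements is the AND of all its requirements.
type Requirements []Requirement

// MatchesRequirement is generic over the concrete label type instead of taking
// the LabelMatcher interface as a parameter: with a concrete T the compiler can
// specialise the call and keep the LabelArray on the stack (the reasoning given
// in the MatchesRequirement docs).
func MatchesRequirement[T LabelMatcher](r *Requirement, ls T) bool {
	v, ok := ls.Get(r.key)
	switch r.op {
	case Exists:
		return ok
	case DoesNotExist:
		return !ok
	case Equals, In:
		if !ok {
			return false
		}
		_, found := r.values[v]
		return found
	case NotIn:
		if !ok {
			return true // k8s semantics: an absent key satisfies NotIn
		}
		_, found := r.values[v]
		return !found
	}
	return false // unknown operator never matches, like a failed selector parse
}

func MatchesRequirements[T LabelMatcher](reqs Requirements, ls T) bool {
	for i := range reqs {
		if !MatchesRequirement(&reqs[i], ls) {
			return false
		}
	}
	return true // no requirements at all matches everything
}

// FirstMatchValues mirrors GetFirstK8sMatch: the sorted values the first
// requirement on key demands, and true, but only for Equals/In requirements.
func (reqs Requirements) FirstMatchValues(key string) ([]string, bool) {
	for i := range reqs {
		if reqs[i].key != key {
			continue
		}
		if reqs[i].op != Equals && reqs[i].op != In {
			return nil, false
		}
		vals := make([]string, 0, len(reqs[i].values))
		for v := range reqs[i].values {
			vals = append(vals, v)
		}
		sort.Strings(vals)
		return vals, true
	}
	return nil, false
}

// ProdAPIRequirements is a constructed sample selector: app in (api, web),
// namespace == prod, tier not in (frontend), and no "canary" label at all.
func ProdAPIRequirements() Requirements {
	return Requirements{
		NewRequirement("k8s:app", In, []string{"api", "web"}),
		NewRequirement("k8s:io.kubernetes.pod.namespace", Equals, []string{"prod"}),
		NewRequirement("k8s:tier", NotIn, []string{"frontend"}),
		NewRequirement("k8s:canary", DoesNotExist, nil),
	}
}

func main() {
	reqs := ProdAPIRequirements()
	pod := LabelArray{{"k8s:app", "api"}, {"k8s:io.kubernetes.pod.namespace", "prod"}, {"k8s:tier", "backend"}}
	canary := append(LabelArray{{"k8s:canary", "true"}}, pod...)
	fmt.Println("prod api pod selected:", MatchesRequirements(reqs, pod))
	fmt.Println("canary pod selected:", MatchesRequirements(reqs, canary))
	vals, ok := reqs.FirstMatchValues("k8s:app")
	fmt.Println("app must be one of:", vals, ok)
}
```

To check the escape-analysis claim from the MatchesRequirement docs on your own toolchain, build with `go build -gcflags=-m` and compare the diagnostics for this generic version against a variant whose parameter type is the plain LabelMatcher interface.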

type SelectionsMap added in v1.19.0

type Selector added in v1.19.0

type Selector interface {
	Key() string

	String() string

	IsWildcard() bool

	SelectedNamespaces() []string // allowed namespaces, or nil for no requirement

	Matches(labels labels.LabelArray) bool

	GetFQDNSelector() (*api.FQDNSelector, bool)

	GetCIDRPrefixes() []netip.Prefix

	MetricsClass() string
}

Selector is a generic representation of a policy selector.

func ToSelector added in v1.19.0

func ToSelector[T APISelector](peer T) Selector

ToSelector converts any supported concrete type that implements APISelector into a Selector.

type SelectorId added in v1.19.0

type SelectorId uint64

type SelectorRevision added in v1.19.0

type SelectorRevision uint64

type SelectorSnapshot added in v1.19.0

type SelectorSnapshot struct {
	Revision SelectorRevision
	// contains filtered or unexported fields
}

SelectorSnapshot contains state needed to observe a coherent set of selectors

func GetSelectorSnapshot added in v1.19.0

func GetSelectorSnapshot(selections SelectionsMap, rev SelectorRevision) SelectorSnapshot

func MockSelectorSnapshot added in v1.19.0

func MockSelectorSnapshot() SelectorSnapshot

MockSelectorSnapshot is used for testing only.

func (*SelectorSnapshot) After added in v1.19.0

func (s *SelectorSnapshot) After(rev SelectorRevision) bool

func (*SelectorSnapshot) Get added in v1.19.0

func (*SelectorSnapshot) Invalidate added in v1.19.0

func (s *SelectorSnapshot) Invalidate()

Invalidate should be called on any SelectorSnapshot values that are stored on the heap. This allows the GC to reclaim the memory held for old versions of the selections map. Invalidating local variables going out of scope does nothing useful.

func (*SelectorSnapshot) IsValid added in v1.19.0

func (s *SelectorSnapshot) IsValid() bool

func (*SelectorSnapshot) String added in v1.19.0

func (s *SelectorSnapshot) String() string

type SelectorWriteTxn added in v1.19.0

type SelectorWriteTxn = part.MapTxn[SelectorId, identity.NumericIdentitySlice]

type Selectors added in v1.19.0

type Selectors []Selector

Selectors is a slice of Selectors.

func ToSelectors added in v1.19.0

func ToSelectors[T APISelector](peers ...T) Selectors

ToSelectors converts a slice of any supported concrete type that implements APISelector into a Selectors slice.

func (Selectors) CIDRRules added in v1.19.0

func (ps Selectors) CIDRRules() api.CIDRRuleSlice

CIDRRules returns a slice of api.CIDRRule for Selectors.

Note: Only used in unit tests, but in multiple packages. Minimal implementation to cover the needs of current tests.

func (*Selectors) DeepEqual added in v1.19.0

func (s *Selectors) DeepEqual(other *Selectors) bool

DeepEqual returns true if both Selectors slices are deeply equal. As the elements of the slice are interfaces, we have to implement a type switch and call DeepEqual on each possible concrete type.

func (Selectors) GetRuleTypes added in v1.19.0

func (s Selectors) GetRuleTypes() (fqdn, host, cidrGroup bool)

GetRuleTypes returns booleans for some features used in Selectors. Only used from pkg/metrics/features/policy.go

func (Selectors) Matches added in v1.19.0

func (ps Selectors) Matches(lbls labels.LabelArray) bool

func (Selectors) SelectsAllEndpoints added in v1.19.0

func (s Selectors) SelectsAllEndpoints() bool

SelectsAllEndpoints returns true if the Selectors slice selects all endpoints. This is the case if the slice is empty, or if any of the Selectors is a wildcard EndpointSelector.

func (Selectors) WithRequirements added in v1.19.0

func (s Selectors) WithRequirements(requirements []slim_metav1.LabelSelectorRequirement) Selectors

WithRequirements returns a copy of the Selectors with the specified label requirements applied to all EndpointSelectors.

type Tier added in v1.19.0

type Tier uint8
const (
	Admin Tier = iota
	Normal
	Baseline
)

type Verdict added in v1.19.0

type Verdict uint8
const (
	Allow Verdict = iota
	Deny
	Pass
)

func (Verdict) String added in v1.19.0

func (v Verdict) String() string
