Constants ¶
// AnnoGroupJSON is the annotation key under which the JSON definition of an
// external group is recorded (presumably on the generated CiliumCIDRGroup —
// confirm). NOTE(review): the example CCG in the ExternalGroupManager docs on
// this page shows the key "cilium.io/group" instead; confirm which is current.
const AnnoGroupJSON = "cilium.io/external-group"
const (
	// ExternalGroupTableName is the name of the table holding ExternalGroup
	// rows (created by NewExternalGroupTable; presumably a statedb table —
	// confirm).
	ExternalGroupTableName = "policy-external-group-to-ccg"
)
// FieldManager is the field-manager name this controller identifies itself
// with when it writes CiliumCIDRGroups (presumably via server-side apply —
// confirm). It is the same string as LabelGroupManaged.
const FieldManager = "cilium.io/external-group-controller"
// LabelGroupManaged is the label key that marks a CiliumCIDRGroup as managed
// by this controller (presumably; confirm against the CCG construction code).
// NOTE(review): if this label is what selects CCGs for garbage collection of
// stale groups, confirm that objects carrying the label but not created by
// this controller (e.g. written by another client) cannot be selected for
// deletion.
const LabelGroupManaged = "cilium.io/external-group-controller"
Variables ¶
// Query helpers for the ExternalGroup table, one per index. The indexes
// (egIDIndex, ccgIndex, ownerIndex) are declared elsewhere in the package.
var (
	// ExternalGroupByID looks up groups by ExternalGroup.ID (presumably —
	// confirm against egIDIndex).
	ExternalGroupByID = egIDIndex.Query
	// ExternalGroupByCCG looks up groups by ExternalGroup.CCGName (presumably —
	// confirm against ccgIndex).
	ExternalGroupByCCG = ccgIndex.Query
	// ExternalGroupByOwner looks up groups referenced by a given Owner
	// (presumably — confirm against ownerIndex).
	ExternalGroupByOwner = ownerIndex.Query
)
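// Cell wires the external-group translation into hive: it registers the
// ExtGroupConfig flags, provides the ExternalGroup table and the group
// manager, and starts the policy-to-group controller.
var Cell = cell.Module(
	"network-policy-external-groups",
	// Fixed spelling of "policies" in the user-visible module description.
	"Translates external Groups references in policies to CiliumCIDRGroups",
	cell.Config(defaultExtGroupConfig),
	cell.Provide(NewExternalGroupTable),
	cell.Provide(NewGroupManager),
	cell.Invoke(registerPolicyToGroupController),
)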
Functions ¶
func NewExternalGroupTable ¶
Types ¶
type ExtGroupConfig ¶
// ExtGroupConfig holds the command-line configuration of the external-group
// translation; its fields are registered as flags by Flags.
type ExtGroupConfig struct {
	// RegisterDummy is bound to the "register-dummy-external-group" flag. What
	// the dummy group is used for is not visible here (presumably testing —
	// confirm).
	RegisterDummy bool `mapstructure:"register-dummy-external-group"`
	// ExternalGroupSyncInterval is bound to the
	// "policy-external-group-sync-interval" flag; presumably the period used to
	// derive ExternalGroup.NextRefresh — confirm.
	ExternalGroupSyncInterval time.Duration `mapstructure:"policy-external-group-sync-interval"`
}
func (ExtGroupConfig) Flags ¶
func (def ExtGroupConfig) Flags(flags *pflag.FlagSet)
type ExternalGroup ¶
// ExternalGroup is information about a policy External Group (i.e. toGroups /
// fromGroups): a set of IPs provided by an external integration that is
// synchronized to a CiliumCIDRGroup. It is the row type of the table named
// ExternalGroupTableName.
type ExternalGroup struct {
	// ID is a unique identifier for this group.
	// This is currently the SHA256 hash of the group's JSON definition.
	// (We have to synthesize this as groups have no primary key.)
	// NOTE(review): the ID is only stable if the JSON encoding is canonical
	// (deterministic key order, no incidental whitespace) — confirm the encoder.
	ID string
	// ExtGroup is the group definition.
	// Immutable! It is presumably shared between copies produced by
	// ShallowCopy, so it must never be modified in place.
	ExtGroup *api.Groups
	// CCGName is the name of the created CiliumCIDRGroup.
	// (It is generated by the APIServer, so it is useful to keep this separate
	// for indexing purposes — see ExternalGroupByCCG.)
	CCGName string
	// CCG is the resulting CiliumCIDRGroup for this ExternalGroup
	// (presumably nil until it has been created — confirm).
	CCG *apiv2.CiliumCIDRGroup
	// NextRefresh is the soft deadline for refreshing this group.
	NextRefresh time.Time
	// Owners is the set of upstream resources that reference this external
	// group. A group with no remaining owners is presumably stale and eligible
	// for GC once all resource kinds are synced (see ExternalGroupManager).
	Owners part.Set[Owner]
}
ExternalGroup is information about a policy External Group (i.e. toGroups / fromGroups). It is a set of IPs provided by an external integration. Those IPs should be synchronized to a CiliumCIDRGroup.
func (*ExternalGroup) ShallowCopy ¶
func (g *ExternalGroup) ShallowCopy() *ExternalGroup
func (*ExternalGroup) TableHeader ¶
func (*ExternalGroup) TableHeader() []string
func (*ExternalGroup) TableRow ¶
func (eg *ExternalGroup) TableRow() []string
type ExternalGroupManager ¶
// ExternalGroupManager tracks the external groups (ToGroups / FromGroups)
// referenced by policy resources and synchronizes them to CiliumCIDRGroups.
// Stale groups are garbage-collected only once every registered resource
// kind has reported that it is synced.
type ExternalGroupManager interface {
	// SetResourceGroups records the external groups referenced by the resource
	// identified by (gk, namespace, name). Presumably it replaces whatever was
	// previously recorded for that resource, and a nil/empty groups slice
	// drops the resource's references — confirm.
	SetResourceGroups(gk schema.GroupKind, namespace, name string, groups []*api.Groups)
	// RegisterResourceKind tells the group manager about a resource kind that
	// may provide external groups.
	//
	// It will not delete potentially-stale groups until all registered kinds
	// are marked as synced.
	RegisterResourceKind(gk schema.GroupKind)
	// ResourceKindSynced tells the group manager that all groups for a given
	// kind have been provided, and that it may be safe to GC stale groups.
	ResourceKindSynced(gk schema.GroupKind)
}
The ExternalGroupManager watches for external groups referenced in policies (i.e. ToGroups / FromGroups) and synchronizes them to CiliumCIDRGroups. At present, it can reference AWS VPCs when a cluster is deployed in AWS.
Because the external Groups entities within policies are not named, we need to create an artificial key. We hash the JSON representation of the group and use this hash as the label key.
For example, this ToGroups:
spec:
  ingress:
  - fromGroups:
    - aws:
        labels:
          foo: bar
may result in this CCG:
apiVersion: cilium.io/v2
kind: CiliumCIDRGroup
metadata:
  annotations:
    cilium.io/group: '{"aws":{"labels":{"foo":"bar"}}}'
  labels:
    app.kubernetes.io/part-of: cilium
    cilium.io/policy-group: ""
    extgrp.cilium.io/eyJhd3MiOnsibGFiZWxzIjp7ImZvbyI6ImJhciJ9fX3RSgKMKjoryUdhArsogjT: ""
spec:
  externalCIDRs:
  - 1.1.1.1/32
func NewGroupManager ¶
func NewGroupManager(params ExternalGroupManagerParams) ExternalGroupManager
type ToGroupCtlParams ¶
// ToGroupCtlParams are the dependencies injected (via cell.In) into the
// policy-to-group controller (presumably registerPolicyToGroupController —
// confirm).
type ToGroupCtlParams struct {
	cell.In

	Logger *slog.Logger
	// JG is presumably the job group the controller registers its jobs in —
	// confirm.
	JG job.Group
	// GM is the manager that receives the group references found in the
	// policy resources below (presumably — confirm).
	GM ExternalGroupManager
	// CNPResource and CCNPResource are the policy resources whose
	// ToGroups / FromGroups references are watched.
	CNPResource  resource.Resource[*cilium_v2.CiliumNetworkPolicy]
	CCNPResource resource.Resource[*cilium_v2.CiliumClusterwideNetworkPolicy]
}