Documentation
Constants

const (
	MapName       = "policy_filter_maps"
	CgroupMapName = "policy_filter_cgroup_maps"
)

const (
	// we reserve 0 as a special value to indicate no filtering
	NoFilterPolicyID         = 0
	NoFilterID               = PolicyID(NoFilterPolicyID)
	FirstValidFilterPolicyID = NoFilterPolicyID + 1
)

const (
	CgrpNsMapName = "tg_cgroup_namespace_map"
)
Variables
This section is empty.
Functions

func ErrorLabel (added in v1.1.0)

ErrorLabel returns an error label with a small cardinality so it can be used in metrics.
func New
New creates a new State of the policy filter code. Callers should call Close() to release allocated resources (namely the bpf map).
func TestingEnableAndReset (added in v0.10.0)

TestingEnableAndReset enables the policy filter for tests (see ResetStateOnlyForTesting).
Types

type NamespaceMap (added in v1.2.0)

type NamespaceMap struct {
	// contains filtered or unexported fields
}
NamespaceMap is a simple wrapper around ebpf.Map so that methods can be defined on it.
type PfMap

type PfMap struct {
	// contains filtered or unexported fields
}
PfMap is a simple wrapper around ebpf.Map so that methods can be defined on it.
type State

type State interface {
	// AddPolicy adds a policy to the policyfilter state.
	// This means that:
	//  - existing containers of pods that match this policy will be added to the policyfilter map (pfMap)
	//  - from now on, new containers of pods that match this policy will also be added to pfMap
	// Pods are matched with:
	//  - namespace for namespaced policies (if namespace == "", then the policy is not namespaced)
	//  - label selector
	//  - container field selector
	AddPolicy(polID PolicyID, namespace string, podSelector *slimv1.LabelSelector,
		containerSelector *slimv1.LabelSelector) error

	// DelPolicy removes a policy from the state
	DelPolicy(polID PolicyID) error

	// AddPodContainer informs policyfilter about a new container and its cgroup id in a pod.
	// The pod might or might not have been encountered before.
	// This method is intended to update policyfilter state from container hooks
	AddPodContainer(podID PodID, namespace, workload, kind string, podLabels labels.Labels,
		containerID string, cgID CgroupID, containerInfo podhelpers.ContainerInfo) error

	// UpdatePod updates the pod state for a pod, where containerIDs contains all the container ids for the given pod.
	// This method is intended to be used from k8s watchers (where no cgroup information is available)
	UpdatePod(podID PodID, namespace, workload, kind string, podLabels labels.Labels,
		containerIDs []string, containerInfo []podhelpers.ContainerInfo) error

	// DelPodContainer informs policyfilter that a container was deleted from a pod
	DelPodContainer(podID PodID, containerID string) error

	// DelPod informs policyfilter that a pod has been deleted
	DelPod(podID PodID) error

	// Report the opaque cgroup ID to nsId mapping. These methods are intended to allow inspecting
	// and reporting the state of the system to subsystems and tooling.
	GetNsId(stateID StateID) (*NSID, bool)
	GetIdNs(id NSID) (StateID, bool)

	// RegisterPodHandlers can be used to register appropriate pod handlers to a pod informer
	// for keeping the policy filter state up-to-date.
	RegisterPodHandlers(podInformer cache.SharedIndexInformer)

	// Close releases resources allocated by the Manager. Specifically, we close and unpin the
	// policy filter map.
	Close() error
}

State is the policyfilter state interface. It handles two things:
- policies being added and removed
- pod containers being added and deleted.
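The matching and map-population semantics documented for AddPolicy and AddPodContainer, as an added example in Go; this is not the policyfilter package's own code. It assumes a matchLabels-only pod selector, omits the container selector, and uses a plain Go map (MemState.pfMap) in place of the BPF map; MemState, podMeta and NewMemState are names introduced here.

```go
package main

// Added example, not Tetragon's code: an in-memory model of how AddPolicy and
// AddPodContainer populate pfMap. podMeta doubles as a policy (namespace plus a
// matchLabels selector) and as a container's pod (namespace plus labels).
type PolicyID uint32
type CgroupID uint64
type podMeta struct {
	namespace string            // for a policy, "" means it is not namespaced
	labels    map[string]string // pod labels, or the policy's matchLabels selector
}
type MemState struct {
	policies   map[PolicyID]podMeta
	containers map[CgroupID]podMeta               // cgroup ID -> the pod it belongs to
	pfMap      map[PolicyID]map[CgroupID]struct{} // policy -> cgroups it applies to
}

func NewMemState() *MemState {
	return &MemState{map[PolicyID]podMeta{}, map[CgroupID]podMeta{}, map[PolicyID]map[CgroupID]struct{}{}}
}

// matches applies the documented pod rule: the label selector, plus the namespace when the policy has one.
func matches(policy, pod podMeta) bool {
	for k, v := range policy.labels {
		if pod.labels[k] != v {
			return false
		}
	}
	return policy.namespace == "" || policy.namespace == pod.namespace
}

// AddPolicy registers a policy and immediately adds every already-known matching container.
func (s *MemState) AddPolicy(id PolicyID, namespace string, selector map[string]string) {
	p, cgs := podMeta{namespace, selector}, map[CgroupID]struct{}{}
	for cg, pod := range s.containers {
		if matches(p, pod) {
			cgs[cg] = struct{}{}
		}
	}
	s.policies[id], s.pfMap[id] = p, cgs
}

// AddPodContainer records a new container's cgroup and adds it to every policy that matches its pod.
func (s *MemState) AddPodContainer(cg CgroupID, namespace string, podLabels map[string]string) {
	s.containers[cg] = podMeta{namespace, podLabels}
	for id, p := range s.policies {
		if matches(p, s.containers[cg]) {
			s.pfMap[id][cg] = struct{}{}
		}
	}
}
```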
func DisabledState (added in v0.10.0)
func DisabledState() State