Documentation
¶
Overview ¶
nolint:revive // prevent unused-parameter alert, disabled method obviously don't use args
Index ¶
Constants ¶
const ( // we reserve 0 as a special value to indicate no filtering NoFilterPolicyID = 0 NoFilterID = PolicyID(NoFilterPolicyID) // AllPodsID is a reserved synthetic policy id that tracks all pod cgroup ids. AllPodsPolicyID = 1 AllPodsID = PolicyID(AllPodsPolicyID) FirstValidFilterPolicyID = AllPodsPolicyID + 1 // Special CgroupID to store the hostSelector mode. HostSelectorMode = math.MaxUint64 )
const ( MapName = "policy_filter_maps" CgroupMapName = "policy_filter_cgroup_maps" )
Variables ¶
This section is empty.
Functions ¶
func ErrorLabel ¶ added in v1.1.0
ErrorLabel returns an error label with a small cardinality so it can be used in metrics
func New ¶
New creates a new State of the policy filter code. Callers should call Close() to release allocated resources (namely the bpf map).
func TestingEnableAndReset ¶ added in v0.10.0
TestingEnableAndReset enables policy filter for tests (see ResetStateOnlyForTesting)
Types ¶
type PfMap ¶
type PfMap struct {
// contains filtered or unexported fields
}
PfMap wraps policy filter maps using program.Map for consistent map lifecycle management and integration with Tetragon's sensor loading infrastructure.
func OpenMap ¶
OpenMap opens an existing pinned policy filter map for read-only access. This is used by CLI tools like `tetra policyfilter dump`.
type State ¶
type State interface {
// AddPolicy adds a policy to the policyfilter state.
// This means that:
// - existing containers of pods that match this policy will be added to the policyfilter map (pfMap)
// - from now on, new containers of pods that match this policy will also be added to pfMap
// pods are matched with:
// - namespace for namespaced pilicies (if namespace == "", then policy is not namespaced)
// - label selector
// - container field selector
AddPolicy(polID PolicyID, namespace string, podSelector *slimv1.LabelSelector,
containerSelector *slimv1.LabelSelector, hostSelector *slimv1.LabelSelector) error
// DelPolicy removes a policy from the state
DelPolicy(polID PolicyID) error
// AddPodContainer informs policyfilter about a new container and its cgroup id in a pod.
// The pod might or might not have been encountered before.
// This method is intended to update policyfilter state from container hooks
AddPodContainer(podID PodID, namespace string, podLabels labels.Labels,
containerID string, cgID CgroupID, containerInfo podhelpers.ContainerInfo) error
// UpdatePod updates the pod state for a pod, where containerIDs contains all the container ids for the given pod.
// This method is intended to be used from k8s watchers (where no cgroup information is available)
UpdatePod(podID PodID, namespace string, podLabels labels.Labels,
containerIDs []string, containerInfo []podhelpers.ContainerInfo) error
// DelPodContainer informs policyfilter that a container was deleted from a pod
DelPodContainer(podID PodID, containerID string) error
// DelPod informs policyfilter that a pod has been deleted
DelPod(podID PodID) error
// Close releases resources allocated by the Manager. Specifically, we close and unpin the
// policy filter map.
Close() error
}
State is the policyfilter state interface It handles two things:
- policies being added and removed
- pod containers being added and deleted.
func DisabledState ¶ added in v0.10.0
func DisabledState() State
Source Files
Directories