matcher

package
v0.5.5 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Oct 10, 2023 License: MIT Imports: 19 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

View Source 
var (
	AllPeersPorts = &AllPeersMatcher{}
)

Functions

func BuildIPBlockNamespacePodMatcher 

func BuildIPBlockNamespacePodMatcher(policyNamespace string, peer networkingv1.NetworkPolicyPeer) (*IPPeerMatcher, NamespaceMatcher, PodMatcher)

func BuildSinglePortMatcher added in v0.4.1 

func BuildSinglePortMatcher(npPort networkingv1.NetworkPolicyPort) (*PortProtocolMatcher, *PortRangeMatcher)

func BuildTarget 

func BuildTarget(netpol *networkingv1.NetworkPolicy) (*Target, *Target)

func PortMatcherTableLines added in v0.2.5 

func PortMatcherTableLines(pm PortMatcher) []string

func RunBuilderTests 

func RunBuilderTests()

func RunPolicyTests 

func RunPolicyTests()

func RunSimplifierTests added in v0.4.1 

func RunSimplifierTests()

Types

type AllNamespaceMatcher 

type AllNamespaceMatcher struct{}

func (*AllNamespaceMatcher) Allows 

func (a *AllNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*AllNamespaceMatcher) MarshalJSON 

func (a *AllNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*AllNamespaceMatcher) PrimaryKey 

func (a *AllNamespaceMatcher) PrimaryKey() string

type AllPeersMatcher added in v0.4.1 

type AllPeersMatcher struct{}

func (*AllPeersMatcher) Allows added in v0.4.1 

func (a *AllPeersMatcher) Allows(peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool

func (*AllPeersMatcher) MarshalJSON added in v0.4.1 

func (a *AllPeersMatcher) MarshalJSON() (b []byte, e error)

type AllPodMatcher 

type AllPodMatcher struct{}

func (*AllPodMatcher) Allows 

func (p *AllPodMatcher) Allows(podLabels map[string]string) bool

func (*AllPodMatcher) MarshalJSON 

func (p *AllPodMatcher) MarshalJSON() (b []byte, e error)

func (*AllPodMatcher) PrimaryKey 

func (p *AllPodMatcher) PrimaryKey() string

type AllPortMatcher 

type AllPortMatcher struct{}

func (*AllPortMatcher) Allows 

func (ap *AllPortMatcher) Allows(portInt int, portName string, protocol v1.Protocol) bool

func (*AllPortMatcher) MarshalJSON 

func (ap *AllPortMatcher) MarshalJSON() (b []byte, e error)

type AllowedResult 

type AllowedResult struct {
	Ingress *DirectionResult
	Egress  *DirectionResult
}

func (*AllowedResult) IsAllowed 

func (ar *AllowedResult) IsAllowed() bool

func (*AllowedResult) Table added in v0.2.0 

func (ar *AllowedResult) Table() string

type DirectionResult 

type DirectionResult struct {
	AllowingTargets []*Target
	DenyingTargets  []*Target
}

func (*DirectionResult) IsAllowed 

func (d *DirectionResult) IsAllowed() bool

type ExactNamespaceMatcher 

type ExactNamespaceMatcher struct {
	Namespace string
}

func (*ExactNamespaceMatcher) Allows 

func (p *ExactNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*ExactNamespaceMatcher) MarshalJSON 

func (p *ExactNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*ExactNamespaceMatcher) PrimaryKey 

func (p *ExactNamespaceMatcher) PrimaryKey() string

type IPPeerMatcher added in v0.4.1 

type IPPeerMatcher struct {
	IPBlock *networkingv1.IPBlock
	Port    PortMatcher
}

IPPeerMatcher models the case where IPBlock is not nil, and both PodSelector and NamespaceSelector are nil

func CombineIPPeerMatchers added in v0.4.1 

func CombineIPPeerMatchers(a *IPPeerMatcher, b *IPPeerMatcher) *IPPeerMatcher

func (*IPPeerMatcher) Allows added in v0.4.1 

func (i *IPPeerMatcher) Allows(peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool

func (*IPPeerMatcher) MarshalJSON added in v0.4.1 

func (i *IPPeerMatcher) MarshalJSON() (b []byte, e error)

func (*IPPeerMatcher) PrimaryKey added in v0.4.1 

func (i *IPPeerMatcher) PrimaryKey() string

PrimaryKey returns a content-based, deterministic key based on the IPBlock's CIDR and excepts.

type InternalPeer 

type InternalPeer struct {
	PodLabels map[string]string
	//Pod             string
	NamespaceLabels map[string]string
	Namespace       string
}

type LabelSelectorNamespaceMatcher 

type LabelSelectorNamespaceMatcher struct {
	Selector metav1.LabelSelector
}

func (*LabelSelectorNamespaceMatcher) Allows 

func (p *LabelSelectorNamespaceMatcher) Allows(namespace string, namespaceLabels map[string]string) bool

func (*LabelSelectorNamespaceMatcher) MarshalJSON 

func (p *LabelSelectorNamespaceMatcher) MarshalJSON() (b []byte, e error)

func (*LabelSelectorNamespaceMatcher) PrimaryKey 

func (p *LabelSelectorNamespaceMatcher) PrimaryKey() string

type LabelSelectorPodMatcher 

type LabelSelectorPodMatcher struct {
	Selector metav1.LabelSelector
}

func (*LabelSelectorPodMatcher) Allows 

func (p *LabelSelectorPodMatcher) Allows(podLabels map[string]string) bool

func (*LabelSelectorPodMatcher) MarshalJSON 

func (p *LabelSelectorPodMatcher) MarshalJSON() (b []byte, e error)

func (*LabelSelectorPodMatcher) PrimaryKey 

func (p *LabelSelectorPodMatcher) PrimaryKey() string

type NamespaceMatcher 

type NamespaceMatcher interface {
	Allows(namespace string, namespaceLabels map[string]string) bool
	PrimaryKey() string
}

type PeerMatcher 

type PeerMatcher interface {
	Allows(peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool
}

func BuildEgressMatcher 

func BuildEgressMatcher(policyNamespace string, egresses []networkingv1.NetworkPolicyEgressRule) []PeerMatcher

func BuildIngressMatcher 

func BuildIngressMatcher(policyNamespace string, ingresses []networkingv1.NetworkPolicyIngressRule) []PeerMatcher

func BuildPeerMatcher 

func BuildPeerMatcher(policyNamespace string, npPorts []networkingv1.NetworkPolicyPort, peers []networkingv1.NetworkPolicyPeer) []PeerMatcher

func GenerateSimplifiedMatchers added in v0.4.1 

func GenerateSimplifiedMatchers(matchesAll bool, portsForAllPeersMatcher *PortsForAllPeersMatcher, ips []*IPPeerMatcher, pods []*PodPeerMatcher) []PeerMatcher

func Simplify added in v0.4.1 

func Simplify(matchers []PeerMatcher) []PeerMatcher

type PodMatcher 

type PodMatcher interface {
	Allows(podLabels map[string]string) bool
	PrimaryKey() string
}

type PodPeerMatcher added in v0.4.1 

type PodPeerMatcher struct {
	Namespace NamespaceMatcher
	Pod       PodMatcher
	Port      PortMatcher
}

func CombinePodPeerMatchers added in v0.4.1 

func CombinePodPeerMatchers(a *PodPeerMatcher, b *PodPeerMatcher) *PodPeerMatcher

func (*PodPeerMatcher) Allows added in v0.4.1 

func (ppm *PodPeerMatcher) Allows(peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool

func (*PodPeerMatcher) PrimaryKey added in v0.4.1 

func (ppm *PodPeerMatcher) PrimaryKey() string

type Policy 

type Policy struct {
	Ingress map[string]*Target
	Egress  map[string]*Target
}

Policy is the root type

func BuildNetworkPolicies 

func BuildNetworkPolicies(simplify bool, netpols []*networkingv1.NetworkPolicy) *Policy

func NewPolicy 

func NewPolicy() *Policy

func NewPolicyWithTargets added in v0.2.0 

func NewPolicyWithTargets(ingress []*Target, egress []*Target) *Policy

func (*Policy) AddTarget 

func (p *Policy) AddTarget(isIngress bool, target *Target) *Target

func (*Policy) AddTargets added in v0.2.0 

func (p *Policy) AddTargets(isIngress bool, targets []*Target)

func (*Policy) ExplainTable added in v0.2.5 

func (p *Policy) ExplainTable() string

func (*Policy) IsIngressOrEgressAllowed 

func (p *Policy) IsIngressOrEgressAllowed(traffic *Traffic, isIngress bool) *DirectionResult

func (*Policy) IsTrafficAllowed 

func (p *Policy) IsTrafficAllowed(traffic *Traffic) *AllowedResult

IsTrafficAllowed returns: - whether the traffic is allowed - which rules allowed the traffic - which rules matched the traffic target

func (*Policy) Simplify added in v0.4.1 

func (p *Policy) Simplify()

func (*Policy) SortedTargets 

func (p *Policy) SortedTargets() ([]*Target, []*Target)

func (*Policy) TargetsApplyingToPod 

func (p *Policy) TargetsApplyingToPod(isIngress bool, namespace string, podLabels map[string]string) []*Target

type PortMatcher 

type PortMatcher interface {
	Allows(portInt int, portName string, protocol v1.Protocol) bool
}

func BuildPortMatcher 

func BuildPortMatcher(npPorts []networkingv1.NetworkPolicyPort) PortMatcher

func CombinePortMatchers 

func CombinePortMatchers(a PortMatcher, b PortMatcher) PortMatcher

func SubtractPortMatchers added in v0.4.1 

func SubtractPortMatchers(a PortMatcher, b PortMatcher) (bool, PortMatcher)

SubtractPortMatchers finds ports that are in `a` but not in `b`. The boolean return value is true if the return value is empty. TODO this doesn't handle "all but" cases correctly.

type PortProtocolMatcher 

type PortProtocolMatcher struct {
	Port     *intstr.IntOrString
	Protocol v1.Protocol
}

PortProtocolMatcher models a specific combination of port+protocol. If port is nil, all ports are matched.

func (*PortProtocolMatcher) AllowsPortProtocol added in v0.4.1 

func (p *PortProtocolMatcher) AllowsPortProtocol(portInt int, portName string, protocol v1.Protocol) bool

AllowsPortProtocol does not implement the PortMatcher interface, purposely!

func (*PortProtocolMatcher) Equals added in v0.0.10 

func (p *PortProtocolMatcher) Equals(other *PortProtocolMatcher) bool

type PortRangeMatcher added in v0.4.1 

type PortRangeMatcher struct {
	From     int
	To       int
	Protocol v1.Protocol
}

PortRangeMatcher works with endports to specify a range of matched numeric ports.

func (*PortRangeMatcher) AllowsPortProtocol added in v0.4.1 

func (prm *PortRangeMatcher) AllowsPortProtocol(portInt int, protocol v1.Protocol) bool

func (*PortRangeMatcher) MarshalJSON added in v0.4.1 

func (prm *PortRangeMatcher) MarshalJSON() (b []byte, e error)

type PortsForAllPeersMatcher added in v0.4.1 

type PortsForAllPeersMatcher struct {
	Port PortMatcher
}

func (*PortsForAllPeersMatcher) Allows added in v0.4.1 

func (a *PortsForAllPeersMatcher) Allows(peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool

func (*PortsForAllPeersMatcher) MarshalJSON added in v0.4.1 

func (a *PortsForAllPeersMatcher) MarshalJSON() (b []byte, e error)

type SliceBuilder added in v0.2.5 

type SliceBuilder struct {
	Prefix   []string
	Elements [][]string
}

func (*SliceBuilder) Append added in v0.2.5 

func (s *SliceBuilder) Append(items ...string)

func (*SliceBuilder) IPPeerMatcherTableLines added in v0.4.1 

func (s *SliceBuilder) IPPeerMatcherTableLines(ip *IPPeerMatcher)

func (*SliceBuilder) PodPeerMatcherTableLines added in v0.4.1 

func (s *SliceBuilder) PodPeerMatcherTableLines(nsPodMatcher *PodPeerMatcher)

func (*SliceBuilder) TargetsTableLines added in v0.2.5 

func (s *SliceBuilder) TargetsTableLines(targets []*Target, isIngress bool)

type SpecificPortMatcher 

type SpecificPortMatcher struct {
	Ports      []*PortProtocolMatcher
	PortRanges []*PortRangeMatcher
}

SpecificPortMatcher models the case where traffic must match a named or numbered port

func (*SpecificPortMatcher) Allows 

func (s *SpecificPortMatcher) Allows(portInt int, portName string, protocol v1.Protocol) bool

func (*SpecificPortMatcher) Combine added in v0.0.10 

func (s *SpecificPortMatcher) Combine(other *SpecificPortMatcher) *SpecificPortMatcher

func (*SpecificPortMatcher) MarshalJSON 

func (s *SpecificPortMatcher) MarshalJSON() (b []byte, e error)

func (*SpecificPortMatcher) Subtract added in v0.4.1 

func (s *SpecificPortMatcher) Subtract(other *SpecificPortMatcher) (bool, *SpecificPortMatcher)

type Target 

type Target struct {
	Namespace   string
	PodSelector metav1.LabelSelector
	Peers       []PeerMatcher
	SourceRules []*networkingv1.NetworkPolicy
	// contains filtered or unexported fields
}

Target represents a NetworkPolicySpec.PodSelector, which is in a namespace

func CombineTargetsIgnoringPrimaryKey 

func CombineTargetsIgnoringPrimaryKey(namespace string, podSelector metav1.LabelSelector, targets []*Target) *Target

CombineTargetsIgnoringPrimaryKey creates a new target from the given namespace and pod selector, and combines all the edges and source rules from the original targets into the new target.

func (*Target) Allows added in v0.4.1 

func (t *Target) Allows(peer *TrafficPeer, portInt int, portName string, protocol v1.Protocol) bool

func (*Target) Combine 

func (t *Target) Combine(other *Target) *Target

Combine creates a new Target combining the egress and ingress rules of the two original targets. Neither input is modified. The Primary Keys of the two targets must match.

func (*Target) GetPrimaryKey 

func (t *Target) GetPrimaryKey() string

GetPrimaryKey returns a deterministic combination of PodSelector and namespace

func (*Target) IsMatch 

func (t *Target) IsMatch(namespace string, podLabels map[string]string) bool

func (*Target) Simplify added in v0.4.1 

func (t *Target) Simplify()

func (*Target) String 

func (t *Target) String() string

type Traffic 

type Traffic struct {
	Source      *TrafficPeer
	Destination *TrafficPeer

	ResolvedPort     int
	ResolvedPortName string
	Protocol         v1.Protocol
}

func (*Traffic) Table added in v0.2.0 

func (t *Traffic) Table() string

type TrafficPeer 

type TrafficPeer struct {
	Internal *InternalPeer
	IP       string
}

func (*TrafficPeer) IsExternal 

func (p *TrafficPeer) IsExternal() bool

func (*TrafficPeer) Namespace 

func (p *TrafficPeer) Namespace() string

Source Files

View all Source files

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.