Documentation
Overview
Copyright 2022
Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.
Index
- Constants
- func Config() (*rest.Config, error)
- func New() (*kubernetes.Clientset, error)
- func PodNamespace() (string, error)
- type IPBlockPeer
- func (p *IPBlockPeer) GetPeerIPBlock() *common.IPBlock
- func (p *IPBlockPeer) GetPeerNamespace() *Namespace
- func (p *IPBlockPeer) GetPeerPod() *Pod
- func (p *IPBlockPeer) IP() string
- func (p *IPBlockPeer) IsPeerIPType() bool
- func (p *IPBlockPeer) Kind() string
- func (p *IPBlockPeer) Name() string
- func (p *IPBlockPeer) Namespace() string
- func (p *IPBlockPeer) PeerType() PeerType
- func (p *IPBlockPeer) String() string
- type Namespace
- type NetworkPolicy
- func (np *NetworkPolicy) EgressAllowedConn(dst Peer, protocol, port string) (bool, error)
- func (np *NetworkPolicy) GetEgressAllowedConns(dst Peer) (*common.ConnectionSet, error)
- func (np *NetworkPolicy) GetIngressAllowedConns(src, dst Peer) (*common.ConnectionSet, error)
- func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*common.IPBlock, error)
- func (np *NetworkPolicy) IngressAllowedConn(src Peer, protocol, port string, dst Peer) (bool, error)
- func (np *NetworkPolicy) Selects(p *Pod, direction netv1.PolicyType) (bool, error)
- type Owner
- type Peer
- type PeerType
- type Pod
- type PodPeer
- func (p *PodPeer) GetPeerIPBlock() *common.IPBlock
- func (p *PodPeer) GetPeerNamespace() *Namespace
- func (p *PodPeer) GetPeerPod() *Pod
- func (p *PodPeer) IP() string
- func (p *PodPeer) IsPeerIPType() bool
- func (p *PodPeer) Kind() string
- func (p *PodPeer) Name() string
- func (p *PodPeer) Namespace() string
- func (p *PodPeer) PeerType() PeerType
- func (p *PodPeer) String() string
- type WorkloadPeer
Constants
const K8sNsNameLabelKey = "kubernetes.io/metadata.name"
The Kubernetes API server sets this label on all namespaces.
Variables
This section is empty.
Functions
func New
func New() (*kubernetes.Clientset, error)
New returns a new k8s client interface. It resolves whether it is running inside a k8s cluster or not. When running out of cluster, it attempts to load the default kubeconfig file (or an explicit config path, if one is provided).
func PodNamespace
func PodNamespace() (string, error)
PodNamespace returns the Pod namespace, either from the environment or from k8s files.
Types
type IPBlockPeer
IPBlockPeer implements the k8s.Peer and eval.Peer interfaces.
func (*IPBlockPeer) GetPeerIPBlock
func (p *IPBlockPeer) GetPeerIPBlock() *common.IPBlock
func (*IPBlockPeer) GetPeerNamespace
func (p *IPBlockPeer) GetPeerNamespace() *Namespace
func (*IPBlockPeer) GetPeerPod
func (p *IPBlockPeer) GetPeerPod() *Pod
func (*IPBlockPeer) IP
func (p *IPBlockPeer) IP() string
func (*IPBlockPeer) IsPeerIPType
func (p *IPBlockPeer) IsPeerIPType() bool
func (*IPBlockPeer) Kind
func (p *IPBlockPeer) Kind() string
func (*IPBlockPeer) Name
func (p *IPBlockPeer) Name() string
func (*IPBlockPeer) Namespace
func (p *IPBlockPeer) Namespace() string
func (*IPBlockPeer) PeerType
func (p *IPBlockPeer) PeerType() PeerType
func (*IPBlockPeer) String
func (p *IPBlockPeer) String() string
type Namespace
Namespace encapsulates the k8s namespace fields that are relevant for evaluating network policies.
type NetworkPolicy
type NetworkPolicy netv1.NetworkPolicy
NetworkPolicy is an alias for the k8s NetworkPolicy object.
@todo: is there a preprocessed form of the object that would make more sense? For example, converting Spec.PodSelector to a labels.Selector on initialization, or preprocessing the namespaces and pods that match the selectors in ingress/egress rules, etc.
-> It might help to preprocess and store the peers that match the policy's selectors, the selectors in its rules, and the set of allowed connections per rule.
func (*NetworkPolicy) EgressAllowedConn
func (np *NetworkPolicy) EgressAllowedConn(dst Peer, protocol, port string) (bool, error)
EgressAllowedConn returns true if the given connection to dst from any of the pods captured by the policy is allowed.
func (*NetworkPolicy) GetEgressAllowedConns
func (np *NetworkPolicy) GetEgressAllowedConns(dst Peer) (*common.ConnectionSet, error)
GetEgressAllowedConns returns the set of allowed connections from any captured pod to the destination peer.
func (*NetworkPolicy) GetIngressAllowedConns
func (np *NetworkPolicy) GetIngressAllowedConns(src, dst Peer) (*common.ConnectionSet, error)
GetIngressAllowedConns returns the set of allowed connections to a captured dst pod from the src peer.
func (*NetworkPolicy) GetReferencedIPBlocks
func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*common.IPBlock, error)
GetReferencedIPBlocks returns the list of IPBlock objects referenced by the current network policy.
func (*NetworkPolicy) IngressAllowedConn
func (np *NetworkPolicy) IngressAllowedConn(src Peer, protocol, port string, dst Peer) (bool, error)
IngressAllowedConn returns true if the given connection from src to any of the pods captured by the policy is allowed.
func (*NetworkPolicy) Selects
func (np *NetworkPolicy) Selects(p *Pod, direction netv1.PolicyType) (bool, error)
Selects returns true if the network policy's Spec.PodSelector selects the Pod and the required direction is among the policy's types.
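As an added illustration (not this package's own code), the Selects contract modelled on constructed, simplified Pod and NetworkPolicy stand-ins: it shows the same-namespace check, a matchLabels-only selector match, and the Kubernetes policyTypes defaulting rule, under which a policy with no policyTypes and no egress section selects pods for Ingress only. The type and field names below are assumptions for the example, not the package's.

```go
package main

import "fmt"

// Constructed stand-ins for the page's Pod and NetworkPolicy (matchLabels only, no matchExpressions).
type Pod struct {
	Name, Namespace string
	Labels          map[string]string
}
type NetworkPolicy struct {
	Namespace   string
	PodSelector map[string]string // empty selector matches every pod in the policy's namespace
	PolicyTypes []string          // "Ingress" / "Egress"; may be omitted in the manifest
	HasEgress   bool              // true when spec.egress is present
}

// effectivePolicyTypes applies the Kubernetes default: an explicit list wins, otherwise Ingress is always implied and Egress only when spec.egress exists.
func (np *NetworkPolicy) effectivePolicyTypes() []string {
	if len(np.PolicyTypes) > 0 {
		return np.PolicyTypes
	}
	if np.HasEgress {
		return []string{"Ingress", "Egress"}
	}
	return []string{"Ingress"}
}

// Selects follows the documented contract: same namespace, podSelector matches the pod's labels, and the requested direction is among the (effective) policy types.
func (np *NetworkPolicy) Selects(p *Pod, direction string) bool {
	if p.Namespace != np.Namespace {
		return false
	}
	for k, v := range np.PodSelector {
		if p.Labels[k] != v {
			return false
		}
	}
	for _, t := range np.effectivePolicyTypes() {
		if t == direction {
			return true
		}
	}
	return false
}

func main() {
	web := &Pod{Name: "web", Namespace: "prod", Labels: map[string]string{"app": "web"}}
	defaultDeny := &NetworkPolicy{Namespace: "prod"} // empty selector, no policyTypes, no egress section
	fmt.Println(defaultDeny.Selects(web, "Ingress"), defaultDeny.Selects(web, "Egress")) // true false
}
```

The last case is the classic pitfall: a "default deny" policy written without policyTypes isolates Ingress only and leaves Egress untouched.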
type Owner
type Owner struct {
	Kind       string
	Name       string
	APIVersion string
	Variant    string // indicates the label set applied
}
Owner encapsulates pod owner workload info.
type Peer
type Peer interface {
	// PeerType returns the PeerType of the Peer object
	PeerType() PeerType
	// String returns a string representation of the Peer object
	String() string
	// GetPeerPod returns a reference to the Pod object of the peer if it is a pod, else returns nil
	GetPeerPod() *Pod
	// GetPeerNamespace returns a reference to the Namespace object of the peer's namespace if it is a pod,
	// else returns nil
	GetPeerNamespace() *Namespace
	// GetPeerIPBlock returns a reference to the IPBlock if the peer is an IP address, else returns nil
	GetPeerIPBlock() *common.IPBlock
}
Peer represents a k8s pod or an IP address.
type PeerType
type PeerType int
PeerType is a type that indicates the type of a Peer object (Pod or IP address).
type Pod
type Pod struct {
	Name      string
	Namespace string
	FakePod   bool // this flag indicates whether the pod was created from scanned objects or is fake (ingress-controller)
	Labels    map[string]string
	IPs       []corev1.PodIP
	Ports     []corev1.ContainerPort
	HostIP    string
	Owner     Owner
}
Pod encapsulates the k8s Pod fields that are relevant for evaluating network policies.
func PodFromCoreObject
PodFromCoreObject creates a PodRef by extracting the relevant fields from the k8s Pod.
func PodsFromWorkloadObject
PodsFromWorkloadObject creates a slice of one or two Pod objects by extracting the relevant fields from the k8s workload.
func (*Pod) ConvertPodNamedPort added in v0.3.0
ConvertPodNamedPort returns the ContainerPort number that matches the named port; if there is no match, it returns -1.
func (*Pod) PodExposedTCPConnections added in v0.3.0
func (pod *Pod) PodExposedTCPConnections() *common.ConnectionSet
PodExposedTCPConnections returns the TCP connections exposed by a pod.
type PodPeer
PodPeer implements the k8s.Peer and eval.Peer interfaces.
func (*PodPeer) GetPeerIPBlock
func (*PodPeer) GetPeerNamespace
func (*PodPeer) GetPeerPod
func (*PodPeer) IsPeerIPType
type WorkloadPeer
type WorkloadPeer struct {
	Pod *Pod
}
WorkloadPeer implements the eval.Peer interface.
func (*WorkloadPeer) IP
func (p *WorkloadPeer) IP() string
func (*WorkloadPeer) IsPeerIPType
func (p *WorkloadPeer) IsPeerIPType() bool
func (*WorkloadPeer) Kind
func (p *WorkloadPeer) Kind() string
func (*WorkloadPeer) Name
func (p *WorkloadPeer) Name() string
func (*WorkloadPeer) Namespace
func (p *WorkloadPeer) Namespace() string
func (*WorkloadPeer) String
func (p *WorkloadPeer) String() string