k8s

package
v1.1.0 (not the latest version of this module)
Published: Mar 5, 2024 License: Apache-2.0 Imports: 23 Imported by: 0

Documentation

Overview

Copyright 2022

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.


Index

Constants

const K8sNsNameLabelKey = "kubernetes.io/metadata.name"

The Kubernetes API server sets this label on all namespaces

Variables

This section is empty.

Functions

func Config

func Config() (*rest.Config, error)

Config returns a k8s REST configuration (in cluster or external)

func New

func New() (*kubernetes.Clientset, error)

New returns a new k8s client interface. It resolves whether it is running inside a k8s cluster or not. When running out of cluster, it'll attempt to load the default kubeconfig file (or an explicit config path if provided)

func PodNamespace

func PodNamespace() (string, error)

PodNamespace returns the Pod namespace, either from the environment or from k8s files
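The resolution order that Config, New and PodNamespace describe (in-cluster first, otherwise the kubeconfig or the environment) matters for a policy analyser: evaluating against the wrong namespace gives a confidently wrong answer rather than an error. The Go program below is an added example, not code from this package. It shows how the in-cluster check and the namespace lookup are typically implemented, with the environment and file readers injected so the behaviour can be exercised offline. The KUBERNETES_SERVICE_HOST/PORT variables and the service-account namespace file are the standard ones the kubelet provides; the POD_NAMESPACE variable name is an assumption (a conventional downward-API variable, not named on the page).

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strings"
)

// Well-known values the kubelet provides inside a pod. KUBERNETES_SERVICE_HOST/PORT are the
// signal client-go's rest.InClusterConfig relies on; the namespace file comes from the projected
// service-account volume. POD_NAMESPACE is an assumption: a conventional downward-API variable
// that the page does not name.
const (
	serviceHostEnv  = "KUBERNETES_SERVICE_HOST"
	servicePortEnv  = "KUBERNETES_SERVICE_PORT"
	podNamespaceEnv = "POD_NAMESPACE"
	saNamespaceFile = "/var/run/secrets/kubernetes.io/serviceaccount/namespace"
)

// inCluster reports whether the process appears to run inside a pod (both service env vars set).
// A false result is the cue to fall back to a kubeconfig, as the page's Config and New do.
func inCluster(getenv func(string) string) bool {
	return getenv(serviceHostEnv) != "" && getenv(servicePortEnv) != ""
}

// podNamespace resolves the pod's namespace: environment first, then the mounted service-account
// file. Both sources are trimmed, and an error is returned when neither yields a name so that a
// caller never silently evaluates policies against the empty (and therefore wrong) namespace.
func podNamespace(getenv func(string) string, readFile func(string) ([]byte, error)) (string, error) {
	if ns := strings.TrimSpace(getenv(podNamespaceEnv)); ns != "" {
		return ns, nil
	}
	data, err := readFile(saNamespaceFile)
	if err != nil {
		return "", fmt.Errorf("pod namespace: %s unset and %s unreadable: %w", podNamespaceEnv, saNamespaceFile, err)
	}
	ns := strings.TrimSpace(string(data))
	if ns == "" {
		return "", errors.New("pod namespace: service-account namespace file is empty")
	}
	return ns, nil
}

func main() {
	fmt.Println("in cluster:", inCluster(os.Getenv))
	ns, err := podNamespace(os.Getenv, os.ReadFile)
	fmt.Println("namespace:", ns, "error:", err)
}
```

Injecting os.Getenv and os.ReadFile rather than calling them directly keeps the two lookups testable without a cluster, and makes the precedence (environment over file) explicit in one place.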

Types

type IPBlockPeer

type IPBlockPeer struct {
	IPBlock *common.IPBlock
}

IPBlockPeer implements the k8s.Peer and eval.Peer interfaces

func (*IPBlockPeer) GetPeerIPBlock

func (p *IPBlockPeer) GetPeerIPBlock() *common.IPBlock

func (*IPBlockPeer) GetPeerNamespace

func (p *IPBlockPeer) GetPeerNamespace() *Namespace

func (*IPBlockPeer) GetPeerPod

func (p *IPBlockPeer) GetPeerPod() *Pod

func (*IPBlockPeer) IP

func (p *IPBlockPeer) IP() string

func (*IPBlockPeer) IsPeerIPType

func (p *IPBlockPeer) IsPeerIPType() bool

func (*IPBlockPeer) Kind

func (p *IPBlockPeer) Kind() string

func (*IPBlockPeer) Name

func (p *IPBlockPeer) Name() string

func (*IPBlockPeer) Namespace

func (p *IPBlockPeer) Namespace() string

func (*IPBlockPeer) PeerType

func (p *IPBlockPeer) PeerType() PeerType

func (*IPBlockPeer) String

func (p *IPBlockPeer) String() string

type Namespace

type Namespace struct {
	Name   string
	Labels map[string]string
}

Namespace encapsulates k8s namespace fields that are relevant for evaluating network policies

func NamespaceFromCoreObject

func NamespaceFromCoreObject(ns *corev1.Namespace) (*Namespace, error)

NamespaceFromCoreObject creates a Namespace by extracting the relevant fields from the k8s Namespace object

type NetworkPolicy

type NetworkPolicy netv1.NetworkPolicy

NetworkPolicy wraps the k8s network policy object (netv1.NetworkPolicy) as a named type.

@todo: is there a preprocessed form of the object that would make more sense? For example, converting Spec.PodSelector to a labels.Selector on initialization, or preprocessing the namespaces and pods that match the selectors in the ingress/egress rules. It might help to preprocess and store the peers that match the policy's selector, the selectors in the rules, and the set of allowed connections per rule.

func (*NetworkPolicy) EgressAllowedConn

func (np *NetworkPolicy) EgressAllowedConn(dst Peer, protocol, port string) (bool, error)

EgressAllowedConn returns true if the given connection from any of the pods captured by the policy to dst is allowed

func (*NetworkPolicy) GetEgressAllowedConns

func (np *NetworkPolicy) GetEgressAllowedConns(dst Peer) (*common.ConnectionSet, error)

GetEgressAllowedConns returns the set of allowed connections from any captured pod to the destination peer

func (*NetworkPolicy) GetIngressAllowedConns

func (np *NetworkPolicy) GetIngressAllowedConns(src, dst Peer) (*common.ConnectionSet, error)

GetIngressAllowedConns returns the set of allowed connections to a captured dst pod from the src peer

func (*NetworkPolicy) GetReferencedIPBlocks

func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*common.IPBlock, error)

GetReferencedIPBlocks returns the list of IPBlock objects referenced in the current network policy

func (*NetworkPolicy) IngressAllowedConn

func (np *NetworkPolicy) IngressAllowedConn(src Peer, protocol, port string, dst Peer) (bool, error)

IngressAllowedConn returns true if the given connection from src to any of the pods captured by the policy is allowed

func (*NetworkPolicy) Selects

func (np *NetworkPolicy) Selects(p *Pod, direction netv1.PolicyType) (bool, error)

Selects returns true if the network policy's Spec.PodSelector selects the Pod and if the required direction is in the policy types

type Owner

type Owner struct {
	Kind       string
	Name       string
	APIVersion string
	Variant    string // indicates the label set applied
}

Owner encapsulates pod owner workload info

type Peer

type Peer interface {
	// PeerType returns the PeerType of the Peer object
	PeerType() PeerType
	// String returns a string representation of the Peer object
	String() string
	// GetPeerPod returns a reference to the Pod object of the peer if it is a pod, else returns nil
	GetPeerPod() *Pod
	// GetPeerNamespace returns a reference to Namespace object of the peer's namespace if it is a pod,
	// else returns nil
	GetPeerNamespace() *Namespace
	// GetPeerIPBlock returns a reference to IPBlock if the peer is IP address, else returns nil
	GetPeerIPBlock() *common.IPBlock
}

Peer represents a k8s pod or an ip address

type PeerType

type PeerType int

PeerType is a type to indicate the type of a Peer object (Pod or IP address)

const (
	PodType PeerType = iota
	IPBlockType
)

type Pod

type Pod struct {
	Name      string
	Namespace string
	FakePod   bool // set when the pod is a fake (e.g. an ingress-controller) rather than one created from scanner objects
	Labels    map[string]string
	IPs       []corev1.PodIP
	Ports     []corev1.ContainerPort
	HostIP    string
	Owner     Owner
}

Pod encapsulates k8s Pod fields that are relevant for evaluating network policies

func PodFromCoreObject

func PodFromCoreObject(p *corev1.Pod) (*Pod, error)

PodFromCoreObject creates a Pod by extracting the relevant fields from the k8s Pod

func PodsFromWorkloadObject

func PodsFromWorkloadObject(workload interface{}, kind string) ([]*Pod, error)

PodsFromWorkloadObject creates a slice of one or two Pod objects by extracting relevant fields from the k8s workload

func (*Pod) ConvertPodNamedPort added in v0.3.0

func (pod *Pod) ConvertPodNamedPort(namedPort string) int32

ConvertPodNamedPort returns the ContainerPort number that matches the named port; if there is no match, it returns -1
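Selects, IngressAllowedConn and ConvertPodNamedPort together describe one evaluation pipeline: does the policy capture the destination pod at all, does a rule's peer selector admit the source, and does a rule's port (numeric or named) resolve to the port in question. The Go program below is an added example, not this package's code. It re-implements that pipeline over constructed, simplified stand-ins for Pod and NetworkPolicy (matchLabels selectors only, TCP only, ingress rules only, and only named container ports) so the edge cases can be exercised offline: an omitted policyTypes defaulting to Ingress, a bare podSelector peer never matching a pod in another namespace, and a named port that the destination pod does not expose resolving to -1 so the rule cannot match. All type and function names in it are assumptions chosen for the example.

```go
package main

import "fmt"

// Constructed, simplified models of the page's Pod and NetworkPolicy types (an assumption: not the package's own code, which wraps corev1/netv1). Only TCP, matchLabels selectors, ingress rules and named container ports are modelled.
type (
	pod struct {
		Name, Namespace string
		Labels          map[string]string
		Ports           map[string]int32 // named container ports only
	}
	portRule struct {
		Port int32  // numeric port, or
		Name string // a named port resolved against the captured pod
	}
	ingressRule struct {
		From  map[string]string // peer podSelector; empty means all sources
		Ports []portRule        // empty means all ports
	}
	networkPolicy struct {
		Namespace   string
		PodSelector map[string]string // empty selects every pod in the namespace
		PolicyTypes []string          // empty means the API default, Ingress only
		Ingress     []ingressRule
	}
)
const ingressType, egressType = "Ingress", "Egress"

// matchLabels reports whether every selector key/value is present on labels.
func matchLabels(selector, labels map[string]string) bool {
	for k, v := range selector {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// selects mirrors the page's Selects: same namespace, selector match, direction in policy types.
func selects(np networkPolicy, p pod, dir string) bool {
	if np.Namespace != p.Namespace || !matchLabels(np.PodSelector, p.Labels) {
		return false
	}
	types := np.PolicyTypes
	if len(types) == 0 { // an omitted policyTypes defaults to Ingress (egress rules are not modelled)
		types = []string{ingressType}
	}
	for _, t := range types {
		if t == dir {
			return true
		}
	}
	return false
}

// convertPodNamedPort mirrors the page's ConvertPodNamedPort: -1 when no container port has that name.
func convertPodNamedPort(p pod, name string) int32 {
	if n, ok := p.Ports[name]; ok {
		return n
	}
	return -1
}

// ingressAllowed reports whether this single policy permits TCP traffic on port from src to dst. A policy that does not capture dst grants nothing, and a bare podSelector peer only matches the policy's own namespace.
func ingressAllowed(np networkPolicy, src, dst pod, port int32) bool {
	if !selects(np, dst, ingressType) {
		return false
	}
	for _, rule := range np.Ingress {
		if len(rule.From) > 0 && (src.Namespace != np.Namespace || !matchLabels(rule.From, src.Labels)) {
			continue
		}
		if len(rule.Ports) == 0 {
			return true
		}
		for _, pr := range rule.Ports {
			target := pr.Port
			if pr.Name != "" {
				target = convertPodNamedPort(dst, pr.Name) // -1 for a missing name never matches
			}
			if target == port {
				return true
			}
		}
	}
	return false
}

// fixtures returns constructed sample objects: a policy letting app=frontend reach app=web on port "http".
func fixtures() (np networkPolicy, web, frontend pod) {
	web = pod{Name: "web-0", Namespace: "prod", Labels: map[string]string{"app": "web"}, Ports: map[string]int32{"http": 8080}}
	frontend = pod{Name: "fe-0", Namespace: "prod", Labels: map[string]string{"app": "frontend"}}
	np = networkPolicy{Namespace: "prod", PodSelector: map[string]string{"app": "web"},
		Ingress: []ingressRule{{From: map[string]string{"app": "frontend"}, Ports: []portRule{{Name: "http"}}}}}
	return
}

func main() {
	np, web, frontend := fixtures()
	fmt.Println(selects(np, web, ingressType), ingressAllowed(np, frontend, web, 8080)) // true true
}
```

Note that ingressAllowed answers for a single policy only; in a cluster the pod is isolated once any policy selects it, and the union of all selecting policies decides what is allowed, which is what the package's ConnectionSet-returning methods are for.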

func (*Pod) PodExposedTCPConnections added in v0.3.0

func (pod *Pod) PodExposedTCPConnections() *common.ConnectionSet

PodExposedTCPConnections returns TCP connections exposed by a pod

type PodPeer

type PodPeer struct {
	Pod             *Pod
	NamespaceObject *Namespace
}

PodPeer implements the k8s.Peer and eval.Peer interfaces

func (*PodPeer) GetPeerIPBlock

func (p *PodPeer) GetPeerIPBlock() *common.IPBlock

func (*PodPeer) GetPeerNamespace

func (p *PodPeer) GetPeerNamespace() *Namespace

func (*PodPeer) GetPeerPod

func (p *PodPeer) GetPeerPod() *Pod

func (*PodPeer) IP

func (p *PodPeer) IP() string

func (*PodPeer) IsPeerIPType

func (p *PodPeer) IsPeerIPType() bool

func (*PodPeer) Kind

func (p *PodPeer) Kind() string

func (*PodPeer) Name

func (p *PodPeer) Name() string

func (*PodPeer) Namespace

func (p *PodPeer) Namespace() string

func (*PodPeer) PeerType

func (p *PodPeer) PeerType() PeerType

func (*PodPeer) String

func (p *PodPeer) String() string

type WorkloadPeer

type WorkloadPeer struct {
	Pod *Pod
}

WorkloadPeer implements the eval.Peer interface

func (*WorkloadPeer) IP

func (p *WorkloadPeer) IP() string

func (*WorkloadPeer) IsPeerIPType

func (p *WorkloadPeer) IsPeerIPType() bool

func (*WorkloadPeer) Kind

func (p *WorkloadPeer) Kind() string

func (*WorkloadPeer) Name

func (p *WorkloadPeer) Name() string


func (*WorkloadPeer) Namespace

func (p *WorkloadPeer) Namespace() string

func (*WorkloadPeer) String

func (p *WorkloadPeer) String() string
