forked from projectcalico/calico
/
policy.go
174 lines (152 loc) · 7.07 KB
/
policy.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
// Copyright (c) 2016,2020 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package v1
import (
"fmt"
"github.com/dtest11/calico/libcalico-go/lib/apis/v1/unversioned"
)
// Policy contains information about a security Policy resource. This contains a set of
// security rules to apply. Security policies allow a selector-based security model which can override
// the security profiles directly referenced by an endpoint.
//
// Each policy must do one of the following:
//
// - Match the packet and apply an "allow" action; this immediately accepts the packet, skipping
// all further policies and profiles. This is not recommended in general, because it prevents
// further policy from being executed.
// - Match the packet and apply a "deny" action; this drops the packet immediately, skipping all
// further policy and profiles.
// - Fail to match the packet; in which case the packet proceeds to the next policy. If there
// are no more policies then the packet is dropped.
//
// Calico implements the security policy for each endpoint individually and only the policies that
// have matching selectors are implemented. This ensures that the number of rules that actually need
// to be inserted into the kernel is proportional to the number of local endpoints rather than the
// total amount of policy.
type Policy struct {
unversioned.TypeMetadata
Metadata PolicyMetadata `json:"metadata,omitempty"`
Spec PolicySpec `json:"spec,omitempty"`
}
func (t Policy) GetResourceMetadata() unversioned.ResourceMetadata {
return t.Metadata
}
// String() returns the human-readable string representation of a Policy instance
// which is defined by its Name.
func (t Policy) String() string {
return fmt.Sprintf("Policy(Name=%s)", t.Metadata.Name)
}
// PolicyMetadata contains the metadata for a selector-based security Policy resource.
type PolicyMetadata struct {
unversioned.ObjectMetadata
// The name of the selector-based security policy.
Name string `json:"name,omitempty" validate:"omitempty,namespacedName"`
// Arbitrary key-value information to be used by clients.
Annotations map[string]string `json:"annotations,omitempty" validate:"omitempty"`
}
// PolicySpec contains the specification for a selector-based security Policy resource.
type PolicySpec struct {
// Order is an optional field that specifies the order in which the policy is applied.
// Policies with higher "order" are applied after those with lower
// order. If the order is omitted, it may be considered to be "infinite" - i.e. the
// policy will be applied last. Policies with identical order will be applied in
// alphanumerical order based on the Policy "Name".
Order *float64 `json:"order,omitempty"`
// The ordered set of ingress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
IngressRules []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
// The ordered set of egress rules. Each rule contains a set of packet match criteria and
// a corresponding action to apply.
EgressRules []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
// The selector is an expression used to pick pick out the endpoints that the policy should
// be applied to.
//
// Selector expressions follow this syntax:
//
// label == "string_literal" -> comparison, e.g. my_label == "foo bar"
// label != "string_literal" -> not equal; also matches if label is not present
// label in { "a", "b", "c", ... } -> true if the value of label X is one of "a", "b", "c"
// label not in { "a", "b", "c", ... } -> true if the value of label X is not one of "a", "b", "c"
// has(label_name) -> True if that label is present
// ! expr -> negation of expr
// expr && expr -> Short-circuit and
// expr || expr -> Short-circuit or
// ( expr ) -> parens for grouping
// all() or the empty selector -> matches all endpoints.
//
// Label names are allowed to contain alphanumerics, -, _ and /. String literals are more permissive
// but they do not support escape characters.
//
// Examples (with made-up labels):
//
// type == "webserver" && deployment == "prod"
// type in {"frontend", "backend"}
// deployment != "dev"
// ! has(label_name)
Selector string `json:"selector" validate:"selector"`
// DoNotTrack indicates whether packets matched by the rules in this policy should go through
// the data plane's connection tracking, such as Linux conntrack. If True, the rules in
// this policy are applied before any data plane connection tracking, and packets allowed by
// this policy are marked as not to be tracked.
DoNotTrack bool `json:"doNotTrack,omitempty"`
// PreDNAT indicates to apply the rules in this policy before any DNAT.
PreDNAT bool `json:"preDNAT,omitempty"`
// Types indicates whether this policy applies to ingress, or to egress, or to both. When
// not explicitly specified (and so the value on creation is empty or nil), Calico defaults
// Types according to what IngressRules and EgressRules are present in the policy. The
// default is:
//
// - [ PolicyTypeIngress ], if there are no EgressRules (including the case where there are
// also no IngressRules)
//
// - [ PolicyTypeEgress ], if there are EgressRules but no IngressRules
//
// - [ PolicyTypeIngress, PolicyTypeEgress ], if there are both IngressRules and EgressRules.
//
// When the policy is read back again, Types will always be one of these values, never empty
// or nil.
Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`
}
// PolicyType enumerates the possible values of the PolicySpec Types field.
type PolicyType string
const (
PolicyTypeIngress PolicyType = "ingress"
PolicyTypeEgress PolicyType = "egress"
)
// NewPolicy creates a new (zeroed) Policy struct with the TypeMetadata initialised to the current
// version.
func NewPolicy() *Policy {
return &Policy{
TypeMetadata: unversioned.TypeMetadata{
Kind: "policy",
APIVersion: unversioned.VersionCurrent,
},
}
}
// PolicyList contains a list of selector-based security Policy resources. List types are returned from List()
// enumerations on the client interface.
type PolicyList struct {
unversioned.TypeMetadata
Metadata unversioned.ListMetadata `json:"metadata,omitempty"`
Items []Policy `json:"items" validate:"dive"`
}
// NewPolicyList creates a new (zeroed) PolicyList struct with the TypeMetadata initialised to the current
// version.
func NewPolicyList() *PolicyList {
return &PolicyList{
TypeMetadata: unversioned.TypeMetadata{
Kind: "policyList",
APIVersion: unversioned.VersionCurrent,
},
}
}