diff --git a/bpf/include/common.h b/bpf/include/common.h index 5b9df15b9..49a9ebf91 100644 --- a/bpf/include/common.h +++ b/bpf/include/common.h @@ -67,6 +67,7 @@ struct kmesh_config { __u32 bpf_log_level; __u32 node_ip[4]; __u32 pod_gateway[4]; + __u32 authz_offload; }; static inline void *kmesh_map_lookup_elem(void *map, const void *key) @@ -137,6 +138,11 @@ struct { __type(value, struct buf); } tmp_buf SEC(".maps"); +/* + * This map is used to store different configuration options: + * - key 0: Stores the log level + * - key 1: Stores the authz (authorization) toggle + */ struct { __uint(type, BPF_MAP_TYPE_ARRAY); __uint(max_entries, 1); diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go index 72fa367dd..579369779 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfeb.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadBpfSockTuple struct { type KmeshCgroupSockWorkloadBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadLogEvent struct { @@ -133,6 +134,7 @@ type KmeshCgroupSockWorkloadMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +178,7 @@ type KmeshCgroupSockWorkloadMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadMaps) Close() error { @@ -202,6 +205,7 @@ func (m *KmeshCgroupSockWorkloadMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go index 65b7ded19..6824fe7b9 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkload_bpfel.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadBpfSockTuple struct { type KmeshCgroupSockWorkloadBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadLogEvent struct { @@ -133,6 +134,7 @@ type KmeshCgroupSockWorkloadMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +178,7 @@ type KmeshCgroupSockWorkloadMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadMaps) Close() error { @@ -202,6 +205,7 @@ func (m *KmeshCgroupSockWorkloadMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go index dc336585c..274244126 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadCompatBpfSockTuple struct { type KmeshCgroupSockWorkloadCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadCompatLogEvent struct { @@ -133,6 +134,7 @@ type KmeshCgroupSockWorkloadCompatMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadCompatObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +178,7 @@ type KmeshCgroupSockWorkloadCompatMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { @@ -202,6 +205,7 @@ func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go index ed1f37e84..63feccc98 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshcgroupsockworkloadcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshCgroupSockWorkloadCompatBpfSockTuple struct { type KmeshCgroupSockWorkloadCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockWorkloadCompatLogEvent struct { @@ -133,6 +134,7 @@ type KmeshCgroupSockWorkloadCompatMapSpecs struct { MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshCgroupSockWorkloadCompatObjects contains all objects after they have been loaded into the kernel. @@ -176,6 +178,7 @@ type KmeshCgroupSockWorkloadCompatMaps struct { MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` TmpBuf *ebpf.Map `ebpf:"tmp_buf"` TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { @@ -202,6 +205,7 @@ func (m *KmeshCgroupSockWorkloadCompatMaps) Close() error { m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go index d08ceaf0d..0e490c875 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSendmsgBpfSockTuple struct { type KmeshSendmsgBuf struct{ Data [40]int8 } type KmeshSendmsgKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go index 55298e174..b7455e686 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsg_bpfel.go @@ -25,9 +25,10 @@ type KmeshSendmsgBpfSockTuple struct { type KmeshSendmsgBuf struct{ Data [40]int8 } type KmeshSendmsgKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go index f57c72b13..8cb9fde03 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSendmsgCompatBpfSockTuple struct { type KmeshSendmsgCompatBuf struct{ Data [40]int8 } type KmeshSendmsgCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go index 28ab8db62..c89a25d76 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsendmsgcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshSendmsgCompatBpfSockTuple struct { type KmeshSendmsgCompatBuf struct{ Data [40]int8 } type KmeshSendmsgCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSendmsgCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go index 0448a1c77..1ba055e46 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadBpfSockTuple struct { type KmeshSockopsWorkloadBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go index f62f15133..3347ca527 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkload_bpfel.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadBpfSockTuple struct { type KmeshSockopsWorkloadBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go index d74c4ba9a..5453c7e12 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadCompatBpfSockTuple struct { type KmeshSockopsWorkloadCompatBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go index b70e08185..5e54ead06 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshsockopsworkloadcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshSockopsWorkloadCompatBpfSockTuple struct { type KmeshSockopsWorkloadCompatBuf struct{ Data [40]int8 } type KmeshSockopsWorkloadCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshSockopsWorkloadCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go index abe513c60..d0572379c 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfeb.go @@ -25,9 +25,10 @@ type KmeshXDPAuthBpfSockTuple struct { type KmeshXDPAuthBuf struct{ Data [40]int8 } type KmeshXDPAuthKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthLogEvent struct { @@ -89,31 +90,37 @@ type KmeshXDPAuthSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthMapSpecs contains maps before they are loaded into the kernel. // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthObjects contains all objects after they have been loaded into the kernel. @@ -135,24 +142,27 @@ func (o *KmeshXDPAuthObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthMaps) Close() error { @@ -168,13 +178,16 @@ func (m *KmeshXDPAuthMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +195,18 @@ func (m *KmeshXDPAuthMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthPrograms) Close() error { return _KmeshXDPAuthClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go index bd98514f6..949272a62 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauth_bpfel.go @@ -25,9 +25,10 @@ type KmeshXDPAuthBpfSockTuple struct { type KmeshXDPAuthBuf struct{ Data [40]int8 } type KmeshXDPAuthKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthLogEvent struct { @@ -89,31 +90,37 @@ type KmeshXDPAuthSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthMapSpecs contains maps before they are loaded into the kernel. // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthObjects contains all objects after they have been loaded into the kernel. @@ -135,24 +142,27 @@ func (o *KmeshXDPAuthObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthMaps) Close() error { @@ -168,13 +178,16 @@ func (m *KmeshXDPAuthMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +195,18 @@ func (m *KmeshXDPAuthMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthPrograms) Close() error { return _KmeshXDPAuthClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go index 40e2c8a51..2fc0dd85b 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfeb.go @@ -25,9 +25,10 @@ type KmeshXDPAuthCompatBpfSockTuple struct { type KmeshXDPAuthCompatBuf struct{ Data [40]int8 } type KmeshXDPAuthCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthCompatLogEvent struct { @@ -89,31 +90,37 @@ type KmeshXDPAuthCompatSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthCompatMapSpecs contains maps before they are loaded into the kernel. // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthCompatObjects contains all objects after they have been loaded into the kernel. @@ -135,24 +142,27 @@ func (o *KmeshXDPAuthCompatObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthCompatMaps) Close() error { @@ -168,13 +178,16 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +195,18 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthCompatPrograms) Close() error { return _KmeshXDPAuthCompatClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go index c183c3126..edf3b5b97 100644 --- a/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/dualengine/kmeshxdpauthcompat_bpfel.go @@ -25,9 +25,10 @@ type KmeshXDPAuthCompatBpfSockTuple struct { type KmeshXDPAuthCompatBuf struct{ Data [40]int8 } type KmeshXDPAuthCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshXDPAuthCompatLogEvent struct { @@ -89,31 +90,37 @@ type KmeshXDPAuthCompatSpecs struct { // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatProgramSpecs struct { - XdpShutdown *ebpf.ProgramSpec `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.ProgramSpec `ebpf:"policy_check"` + RuleCheck *ebpf.ProgramSpec `ebpf:"rule_check"` + XdpAuthz *ebpf.ProgramSpec `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.ProgramSpec `ebpf:"xdp_shutdown_in_userspace"` } // KmeshXDPAuthCompatMapSpecs contains maps before they are loaded into the kernel. // // It can be passed ebpf.CollectionSpec.Assign. type KmeshXDPAuthCompatMapSpecs struct { - KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` - KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` - MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.MapSpec `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.MapSpec `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.MapSpec `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.MapSpec `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.MapSpec `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.MapSpec `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.MapSpec `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.MapSpec `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.MapSpec `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.MapSpec `ebpf:"kmesh_map64"` + KmeshService *ebpf.MapSpec `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.MapSpec `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.MapSpec `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.MapSpec `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.MapSpec `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.MapSpec `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.MapSpec `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.MapSpec `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.MapSpec `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.MapSpec `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.MapSpec `ebpf:"xdp_tailcall_map"` } // KmeshXDPAuthCompatObjects contains all objects after they have been loaded into the kernel. @@ -135,24 +142,27 @@ func (o *KmeshXDPAuthCompatObjects) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatMaps struct { - KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` - KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` - KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` - KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` - KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` - KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` - KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` - KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` - KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` - KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` - KmeshService *ebpf.Map `ebpf:"kmesh_service"` - MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` - MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` - MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` - MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` - MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` - TmpBuf *ebpf.Map `ebpf:"tmp_buf"` - TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + KmeshBackend *ebpf.Map `ebpf:"kmesh_backend"` + KmeshConfigMap *ebpf.Map `ebpf:"kmesh_config_map"` + KmeshEndpoint *ebpf.Map `ebpf:"kmesh_endpoint"` + KmeshEvents *ebpf.Map `ebpf:"kmesh_events"` + KmeshFrontend *ebpf.Map `ebpf:"kmesh_frontend"` + KmeshManage *ebpf.Map `ebpf:"kmesh_manage"` + KmeshMap1600 *ebpf.Map `ebpf:"kmesh_map1600"` + KmeshMap192 *ebpf.Map `ebpf:"kmesh_map192"` + KmeshMap296 *ebpf.Map `ebpf:"kmesh_map296"` + KmeshMap64 *ebpf.Map `ebpf:"kmesh_map64"` + KmeshService *ebpf.Map `ebpf:"kmesh_service"` + KmeshTcArgs *ebpf.Map `ebpf:"kmesh_tc_args"` + MapOfAuth *ebpf.Map `ebpf:"map_of_auth"` + MapOfAuthz *ebpf.Map `ebpf:"map_of_authz"` + MapOfSockStorage *ebpf.Map `ebpf:"map_of_sock_storage"` + MapOfTailCallProg *ebpf.Map `ebpf:"map_of_tail_call_prog"` + MapOfTuple *ebpf.Map `ebpf:"map_of_tuple"` + MapOfWlPolicy *ebpf.Map `ebpf:"map_of_wl_policy"` + TmpBuf *ebpf.Map `ebpf:"tmp_buf"` + TmpLogBuf *ebpf.Map `ebpf:"tmp_log_buf"` + XdpTailcallMap *ebpf.Map `ebpf:"xdp_tailcall_map"` } func (m *KmeshXDPAuthCompatMaps) Close() error { @@ -168,13 +178,16 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { m.KmeshMap296, m.KmeshMap64, m.KmeshService, + m.KmeshTcArgs, m.MapOfAuth, m.MapOfAuthz, m.MapOfSockStorage, + m.MapOfTailCallProg, m.MapOfTuple, m.MapOfWlPolicy, m.TmpBuf, m.TmpLogBuf, + m.XdpTailcallMap, ) } @@ -182,12 +195,18 @@ func (m *KmeshXDPAuthCompatMaps) Close() error { // // It can be passed to LoadKmeshXDPAuthCompatObjects or ebpf.CollectionSpec.LoadAndAssign. type KmeshXDPAuthCompatPrograms struct { - XdpShutdown *ebpf.Program `ebpf:"xdp_shutdown"` + PolicyCheck *ebpf.Program `ebpf:"policy_check"` + RuleCheck *ebpf.Program `ebpf:"rule_check"` + XdpAuthz *ebpf.Program `ebpf:"xdp_authz"` + XdpShutdownInUserspace *ebpf.Program `ebpf:"xdp_shutdown_in_userspace"` } func (p *KmeshXDPAuthCompatPrograms) Close() error { return _KmeshXDPAuthCompatClose( - p.XdpShutdown, + p.PolicyCheck, + p.RuleCheck, + p.XdpAuthz, + p.XdpShutdownInUserspace, ) } diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go index 825374383..537a4bbd4 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfeb.go @@ -17,9 +17,10 @@ type KmeshCgroupSockBuf struct{ Data [40]int8 } type KmeshCgroupSockClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockLogEvent struct { diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go index 7ab3663b4..e03bab1a1 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsock_bpfel.go @@ -17,9 +17,10 @@ type KmeshCgroupSockBuf struct{ Data [40]int8 } type KmeshCgroupSockClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockLogEvent struct { diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go index 5775ba319..870f48cac 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfeb.go @@ -17,9 +17,10 @@ type KmeshCgroupSockCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockCompatClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockCompatLogEvent struct { diff --git a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go index aebada7a5..dadd56f5a 100644 --- a/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go +++ b/bpf/kmesh/bpf2go/kernelnative/normal/kmeshcgroupsockcompat_bpfel.go @@ -17,9 +17,10 @@ type KmeshCgroupSockCompatBuf struct{ Data [40]int8 } type KmeshCgroupSockCompatClusterSockData struct{ ClusterId uint32 } type KmeshCgroupSockCompatKmeshConfig struct { - BpfLogLevel uint32 - NodeIp [4]uint32 - PodGateway [4]uint32 + BpfLogLevel uint32 + NodeIp [4]uint32 + PodGateway [4]uint32 + AuthzOffload uint32 } type KmeshCgroupSockCompatLogEvent struct { diff --git a/bpf/kmesh/workload/include/authz.h b/bpf/kmesh/workload/include/authz.h index 693793e0c..c16cb7065 100644 --- a/bpf/kmesh/workload/include/authz.h +++ b/bpf/kmesh/workload/include/authz.h @@ -7,6 +7,7 @@ #include "workload_common.h" #include "bpf_log.h" #include "xdp.h" +#include "tail_call.h" #include "workloadapi/security/authorization.pb-c.h" #define AUTH_ALLOW 0 @@ -22,6 +23,26 @@ struct { __uint(max_entries, MAP_SIZE_OF_AUTH_POLICY); } map_of_authz SEC(".maps"); +struct match_context { + __u32 action; + __u8 policy_index; + __u8 n_rules; + wl_policies_v *policies; + void *rulesPtr; +}; + +/* + * This map is used to store the variable that + * xdp_auth needs to pass during the tail call + */ +struct { + __uint(type, BPF_MAP_TYPE_HASH); + __uint(key_size, sizeof(struct bpf_sock_tuple)); + __uint(value_size, sizeof(struct match_context)); + __uint(map_flags, BPF_F_NO_PREALLOC); + __uint(max_entries, MAP_SIZE_OF_AUTH_TAILCALL); +} kmesh_tc_args SEC(".maps"); + static inline Istio__Security__Authorization *map_lookup_authz(__u32 policyKey) { return (Istio__Security__Authorization *)kmesh_map_lookup_elem(&map_of_authz, &policyKey); @@ -32,19 +53,82 @@ static inline wl_policies_v *get_workload_policies_by_uid(__u32 workload_uid) return (wl_policies_v *)kmesh_map_lookup_elem(&map_of_wl_policy, &workload_uid); } -static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static inline int parser_xdp_info(struct xdp_md *ctx, struct xdp_info *info) +{ + void *begin = (void *)(long)(ctx->data); + void *end = (void *)(long)(ctx->data_end); + + // eth header + info->ethh = (struct ethhdr *)begin; + if ((void *)(info->ethh + 1) > end) + return PARSER_FAILED; + + // ip4|ip6 header + begin = info->ethh + 1; + if ((begin + 1) > end) + return PARSER_FAILED; + if (((struct iphdr *)begin)->version == 4) { + info->iph = (struct iphdr *)begin; + if ((void *)(info->iph + 1) > end || (info->iph->protocol != IPPROTO_TCP)) + return PARSER_FAILED; + begin = (info->iph + 1); + } else if (((struct iphdr *)begin)->version == 6) { + info->ip6h = (struct ipv6hdr *)begin; + if ((void *)(info->ip6h + 1) > end || (info->ip6h->nexthdr != IPPROTO_TCP)) + return PARSER_FAILED; + begin = (info->ip6h + 1); + } else + return PARSER_FAILED; + + info->tcph = (struct tcphdr *)begin; + if ((void *)(info->tcph + 1) > end) + return PARSER_FAILED; + return PARSER_SUCC; +} + +static inline void parser_tuple(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +{ + if (info->iph->version == 4) { + tuple_info->ipv4.saddr = info->iph->saddr; + tuple_info->ipv4.daddr = info->iph->daddr; + tuple_info->ipv4.sport = info->tcph->source; + tuple_info->ipv4.dport = info->tcph->dest; + } else { + bpf_memcpy((__u8 *)tuple_info->ipv6.saddr, info->ip6h->saddr.in6_u.u6_addr8, IPV6_ADDR_LEN); + bpf_memcpy((__u8 *)tuple_info->ipv6.daddr, info->ip6h->daddr.in6_u.u6_addr8, IPV6_ADDR_LEN); + tuple_info->ipv6.sport = info->tcph->source; + tuple_info->ipv6.dport = info->tcph->dest; + } +} + +static int construct_tuple_key(struct xdp_md *ctx, struct bpf_sock_tuple *tuple_info, struct xdp_info *info) +{ + int ret = parser_xdp_info(ctx, info); + if (ret != PARSER_SUCC) { + BPF_LOG(ERR, AUTH, "failed to parse xdp_info"); + return PARSER_FAILED; + } + + parser_tuple(info, tuple_info); + + return PARSER_SUCC; +} + +static int match_dst_ports(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { __u32 *notPorts = NULL; __u32 *ports = NULL; __u32 i; if (match->n_destination_ports == 0 && match->n_not_destination_ports == 0) { + BPF_LOG(DEBUG, AUTH, "no ports configured, matching by default"); return MATCHED; } if (match->n_not_destination_ports != 0) { notPorts = KMESH_GET_PTR_VAL(match->not_destination_ports, void *); if (!notPorts) { + BPF_LOG(ERR, AUTH, "failed to retrieve not_destination_ports pointer"); return UNMATCHED; } #pragma unroll @@ -54,10 +138,12 @@ static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info * } if (info->iph->version == 4) { if (bpf_htons(notPorts[i]) == tuple_info->ipv4.dport) { + BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]); return UNMATCHED; } } else { if (bpf_htons(notPorts[i]) == tuple_info->ipv6.dport) { + BPF_LOG(DEBUG, AUTH, "port %u in not_destination_ports, unmatched", notPorts[i]); return UNMATCHED; } } @@ -65,11 +151,13 @@ static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info * } // if not match not_destination_ports && has no destination_ports, return MATCHED if (match->n_destination_ports == 0) { + BPF_LOG(INFO, AUTH, "no destination_ports configured, matching by default"); return MATCHED; } ports = KMESH_GET_PTR_VAL(match->destination_ports, void *); if (!ports) { + BPF_LOG(ERR, AUTH, "failed to retrieve destination_ports pointer"); return UNMATCHED; } #pragma unroll @@ -79,29 +167,31 @@ static inline int matchDstPorts(Istio__Security__Match *match, struct xdp_info * } if (info->iph->version == 4) { if (bpf_htons(ports[i]) == tuple_info->ipv4.dport) { + BPF_LOG(INFO, AUTH, "port %u in destination_ports, matched", ports[i]); return MATCHED; } } else { if (bpf_htons(ports[i]) == tuple_info->ipv6.dport) { + BPF_LOG(INFO, AUTH, "port %u in destination_ports, matched", ports[i]); return MATCHED; } } } + BPF_LOG(DEBUG, AUTH, "no matching ports found, unmatched"); return UNMATCHED; } -static inline int match_check(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static int match_check(Istio__Security__Match *match, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { __u32 matchResult; // if multiple types are set, they are AND-ed, all matched is a match // todo: add other match types - matchResult = matchDstPorts(match, info, tuple_info); + matchResult = match_dst_ports(match, info, tuple_info); return matchResult; } -static inline int -clause_match_check(Istio__Security__Clause *cl, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static int clause_match_check(Istio__Security__Clause *cl, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { void *matchsPtr = NULL; Istio__Security__Match *match = NULL; @@ -132,16 +222,14 @@ clause_match_check(Istio__Security__Clause *cl, struct xdp_info *info, struct bp return UNMATCHED; } -static inline int -rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +static int rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { void *clausesPtr = NULL; Istio__Security__Clause *clause = NULL; __u32 i; if (rule->n_clauses == 0) { - BPF_LOG(ERR, AUTH, "rule has no clauses\n"); - return UNMATCHED; + return MATCHED; } // Clauses are AND-ed. clausesPtr = KMESH_GET_PTR_VAL(rule->clauses, void *); @@ -167,49 +255,146 @@ rule_match_check(Istio__Security__Rule *rule, struct xdp_info *info, struct bpf_ return MATCHED; } -static inline int -do_auth(Istio__Security__Authorization *policy, struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +SEC("xdp_auth") +int policy_check(struct xdp_md *ctx) { - void *rulesPtr = NULL; - Istio__Security__Rule *rule = NULL; - int matchFlag = 0; - __u32 i = 0; + struct match_context *match_ctx; + wl_policies_v *policies; + void *rulesPtr; + __u32 policyId; + Istio__Security__Authorization *policy; + struct bpf_sock_tuple tuple_key = {0}; + struct xdp_info info = {0}; + int ret; + + if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) { + BPF_LOG(ERR, AUTH, "policy_check, Failed to get tuple key"); + return XDP_PASS; + } + + match_ctx = bpf_map_lookup_elem(&kmesh_tc_args, &tuple_key); + if (!match_ctx) { + BPF_LOG(ERR, AUTH, "failed to retrieve tailcall context from kmesh_tc_args"); + return XDP_PASS; + } - if (policy->n_rules == 0) { - BPF_LOG(ERR, AUTH, "auth policy %s has no rules\n", KMESH_GET_PTR_VAL(policy->name, char *)); - return AUTH_ALLOW; + policies = match_ctx->policies; + if (!policies) { + return XDP_PASS; } - // Rules are OR-ed. - rulesPtr = KMESH_GET_PTR_VAL(policy->rules, void *); - if (!rulesPtr) { - BPF_LOG(ERR, AUTH, "failed to get rules from policy %s\n", KMESH_GET_PTR_VAL(policy->name, char *)); - return AUTH_DENY; + // Safely access policyId and check if the policy exists + if (bpf_probe_read_kernel(&policyId, sizeof(policyId), (void *)(policies->policyIds + match_ctx->policy_index)) + != 0) { + BPF_LOG(ERR, AUTH, "failed to read policyId, throw it to user auth"); + goto auth_in_user_space; + } + policy = map_lookup_authz(policyId); + if (!policy) { + // if no policy matches in xdp, throw it to user auth + BPF_LOG(INFO, AUTH, "no more policy, throw it to user auth"); + goto auth_in_user_space; + } else { + rulesPtr = KMESH_GET_PTR_VAL(policy->rules, void *); + if (!rulesPtr) { + BPF_LOG(ERR, AUTH, "failed to get rules from policies\n"); + return XDP_PASS; + } + match_ctx->rulesPtr = rulesPtr; + match_ctx->n_rules = policy->n_rules; + match_ctx->action = policy->action; + ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY); + if (ret < 0) { + BPF_LOG(ERR, AUTH, "failed to update map, error: %d", ret); + return XDP_PASS; + } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_RULE_CHECK); } + return XDP_PASS; +auth_in_user_space: + if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { + BPF_LOG(DEBUG, AUTH, "failed to delete context from map"); + } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + return XDP_PASS; +} + +SEC("xdp_auth") +int rule_check(struct xdp_md *ctx) +{ + struct match_context *match_ctx; + struct bpf_sock_tuple tuple_key = {0}; + struct xdp_info info = {0}; + void *rulesPtr; + __u64 rule_addr; + void *rule; + int ret; + int i; + + if (construct_tuple_key(ctx, &tuple_key, &info) != PARSER_SUCC) { + BPF_LOG(ERR, AUTH, "failed to get tuple key in rule_check"); + return XDP_PASS; + } + + match_ctx = bpf_map_lookup_elem(&kmesh_tc_args, &tuple_key); + if (!match_ctx) { + BPF_LOG(ERR, AUTH, "failed to retrieve match_context from map"); + return XDP_PASS; + } for (i = 0; i < MAX_MEMBER_NUM_PER_POLICY; i++) { - if (i >= policy->n_rules) { + if (i >= match_ctx->n_rules) { + BPF_LOG(DEBUG, AUTH, "rule index %d exceeds rule count %d, exiting loop", i, match_ctx->n_rules); break; } - rule = (Istio__Security__Rule *)KMESH_GET_PTR_VAL((void *)*((__u64 *)rulesPtr + i), Istio__Security__Rule); + if (!match_ctx) { + BPF_LOG(ERR, AUTH, "failed to retrieve match_ctx from map"); + return XDP_PASS; + } + rulesPtr = match_ctx->rulesPtr; + if (!rulesPtr) { + BPF_LOG(ERR, AUTH, "rulesPtr is null"); + return XDP_PASS; + } + if (bpf_probe_read_kernel(&rule_addr, sizeof(rule_addr), &rulesPtr[i]) != 0) { + BPF_LOG(ERR, AUTH, "failed to read rule address at index %d", i); + continue; + } + + rule = (Istio__Security__Rule *)KMESH_GET_PTR_VAL((void *)rule_addr, Istio__Security__Rule); if (!rule) { continue; } - if (rule_match_check(rule, info, tuple_info) == MATCHED) { - if (policy->action == ISTIO__SECURITY__ACTION__DENY) { - return AUTH_DENY; - } else { - return AUTH_ALLOW; + if (rule_match_check(rule, &info, &tuple_key) == MATCHED) { + BPF_LOG( + INFO, + AUTH, + "rule matched, action: %s", + match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? "DENY" : "ALLOW"); + if (bpf_map_delete_elem(&kmesh_tc_args, &tuple_key) != 0) { + BPF_LOG(INFO, AUTH, "failed to delete tail call context from map"); + } + __u32 auth_result = match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? AUTH_DENY : AUTH_ALLOW; + if (bpf_map_update_elem(&map_of_auth, &tuple_key, &auth_result, BPF_ANY) != 0) { + BPF_LOG(ERR, AUTH, "failed to update auth result in map_of_auth"); } + return match_ctx->action == ISTIO__SECURITY__ACTION__DENY ? XDP_DROP : XDP_PASS; } } - // no match rules - if (policy->action == ISTIO__SECURITY__ACTION__DENY) { - return AUTH_ALLOW; - } else { - return AUTH_DENY; + match_ctx->policy_index++; + if (match_ctx->policy_index >= MAX_MEMBER_NUM_PER_POLICY) { + BPF_LOG(ERR, AUTH, "policy index out of bounds"); + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + } + + ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, match_ctx, BPF_ANY); + if (ret < 0) { + BPF_LOG(ERR, AUTH, "failed to update map, error: %d", ret); + return XDP_PASS; } + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); + return XDP_PASS; } #endif \ No newline at end of file diff --git a/bpf/kmesh/workload/include/backend.h b/bpf/kmesh/workload/include/backend.h index 99037567c..760b9dc55 100644 --- a/bpf/kmesh/workload/include/backend.h +++ b/bpf/kmesh/workload/include/backend.h @@ -8,9 +8,6 @@ #include "encoder.h" #include "tail_call.h" -#define TAIL_CALL_CONNECT4_INDEX 0 -#define TAIL_CALL_CONNECT6_INDEX 1 - static inline backend_value *map_lookup_backend(const backend_key *key) { return kmesh_map_lookup_elem(&map_of_backend, key); diff --git a/bpf/kmesh/workload/include/config.h b/bpf/kmesh/workload/include/config.h index 5015b82dd..539fb80f1 100644 --- a/bpf/kmesh/workload/include/config.h +++ b/bpf/kmesh/workload/include/config.h @@ -5,13 +5,14 @@ #define _KMESH_CONFIG_H_ // map size -#define MAP_SIZE_OF_FRONTEND 105000 -#define MAP_SIZE_OF_SERVICE 5000 -#define MAP_SIZE_OF_ENDPOINT 105000 -#define MAP_SIZE_OF_BACKEND 100000 -#define MAP_SIZE_OF_AUTH 8192 -#define MAP_SIZE_OF_DSTINFO 8192 -#define MAP_SIZE_OF_AUTH_POLICY 512 +#define MAP_SIZE_OF_FRONTEND 105000 +#define MAP_SIZE_OF_SERVICE 5000 +#define MAP_SIZE_OF_ENDPOINT 105000 +#define MAP_SIZE_OF_BACKEND 100000 +#define MAP_SIZE_OF_AUTH 8192 +#define MAP_SIZE_OF_DSTINFO 8192 +#define MAP_SIZE_OF_AUTH_TAILCALL 100000 +#define MAP_SIZE_OF_AUTH_POLICY 512 // map name #define map_of_frontend kmesh_frontend diff --git a/bpf/kmesh/workload/include/tail_call.h b/bpf/kmesh/workload/include/tail_call.h index 0f9e921cb..5ae7cce0b 100644 --- a/bpf/kmesh/workload/include/tail_call.h +++ b/bpf/kmesh/workload/include/tail_call.h @@ -6,7 +6,17 @@ #include "workload_common.h" -#define MAP_SIZE_OF_TAIL_CALL_PROG 4 +#define MAP_SIZE_OF_TAIL_CALL_PROG 8 + +typedef struct bpf_sock_addr ctx_buff_t; + +typedef enum { + TAIL_CALL_CONNECT4_INDEX = 0, + TAIL_CALL_CONNECT6_INDEX, + TAIL_CALL_POLICY_CHECK, + TAIL_CALL_RULE_CHECK, + TAIL_CALL_AUTH_IN_USER_SPACE, +} workload_tail_call_index_t; struct { __uint(type, BPF_MAP_TYPE_PROG_ARRAY); @@ -16,6 +26,14 @@ struct { __uint(map_flags, 0); } map_of_tail_call_prog SEC(".maps"); +struct { + __uint(type, BPF_MAP_TYPE_PROG_ARRAY); + __uint(key_size, sizeof(__u32)); + __uint(value_size, sizeof(__u32)); + __uint(max_entries, MAP_SIZE_OF_TAIL_CALL_PROG); + __uint(map_flags, 0); +} xdp_tailcall_map SEC(".maps"); + static inline void kmesh_workload_tail_call(ctx_buff_t *ctx, const __u32 index) { bpf_tail_call(ctx, &map_of_tail_call_prog, index); diff --git a/bpf/kmesh/workload/xdp.c b/bpf/kmesh/workload/xdp.c index 71f4e5c08..30fa11989 100644 --- a/bpf/kmesh/workload/xdp.c +++ b/bpf/kmesh/workload/xdp.c @@ -15,21 +15,6 @@ #include "authz.h" #include "xdp.h" -static inline void parser_tuple(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) -{ - if (info->iph->version == 4) { - tuple_info->ipv4.saddr = info->iph->saddr; - tuple_info->ipv4.daddr = info->iph->daddr; - tuple_info->ipv4.sport = info->tcph->source; - tuple_info->ipv4.dport = info->tcph->dest; - } else { - bpf_memcpy((__u8 *)tuple_info->ipv6.saddr, info->ip6h->saddr.in6_u.u6_addr8, IPV6_ADDR_LEN); - bpf_memcpy((__u8 *)tuple_info->ipv6.daddr, info->ip6h->daddr.in6_u.u6_addr8, IPV6_ADDR_LEN); - tuple_info->ipv6.sport = info->tcph->source; - tuple_info->ipv6.dport = info->tcph->dest; - } -} - static inline void shutdown_tuple(struct xdp_info *info) { info->tcph->fin = 0; @@ -42,7 +27,7 @@ static inline void shutdown_tuple(struct xdp_info *info) static inline int should_shutdown(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { __u32 *value = bpf_map_lookup_elem(&map_of_auth, tuple_info); - if (value) { + if (value && *value == 1) { if (info->iph->version == 4) BPF_LOG( INFO, @@ -63,39 +48,6 @@ static inline int should_shutdown(struct xdp_info *info, struct bpf_sock_tuple * return AUTH_PASS; } -static inline int parser_xdp_info(struct xdp_md *ctx, struct xdp_info *info) -{ - void *begin = (void *)(long)(ctx->data); - void *end = (void *)(long)(ctx->data_end); - - // eth header - info->ethh = (struct ethhdr *)begin; - if ((void *)(info->ethh + 1) > end) - return PARSER_FAILED; - - // ip4|ip6 header - begin = info->ethh + 1; - if ((begin + 1) > end) - return PARSER_FAILED; - if (((struct iphdr *)begin)->version == 4) { - info->iph = (struct iphdr *)begin; - if ((void *)(info->iph + 1) > end || (info->iph->protocol != IPPROTO_TCP)) - return PARSER_FAILED; - begin = (info->iph + 1); - } else if (((struct iphdr *)begin)->version == 6) { - info->ip6h = (struct ipv6hdr *)begin; - if ((void *)(info->ip6h + 1) > end || (info->ip6h->nexthdr != IPPROTO_TCP)) - return PARSER_FAILED; - begin = (info->ip6h + 1); - } else - return PARSER_FAILED; - - info->tcph = (struct tcphdr *)begin; - if ((void *)(info->tcph + 1) > end) - return PARSER_FAILED; - return PARSER_SUCC; -} - static inline int xdp_deny_packet(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { if (info->iph != NULL && info->iph->version == 4) { @@ -118,6 +70,16 @@ static inline int xdp_deny_packet(struct xdp_info *info, struct bpf_sock_tuple * return XDP_DROP; } +static bool is_authz_offload_enabled() +{ + int kmesh_config_key = 0; + struct kmesh_config *value = {0}; + value = kmesh_map_lookup_elem(&kmesh_config_map, &kmesh_config_key); + if (!value) + return false; + return ((*value).authz_offload == 1); +} + static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) { frontend_key frontend_k = {}; @@ -140,41 +102,51 @@ static inline wl_policies_v *get_workload_policies(struct xdp_info *info, struct return get_workload_policies_by_uid(workload_uid); } -static inline int match_workload_policy(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) +SEC("xdp_auth") +int xdp_authz(struct xdp_md *ctx) { - int ret = 0; + if (!is_authz_offload_enabled()) { + BPF_LOG(INFO, AUTH, "authz is not enabled, tail call to user auth"); + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_AUTH_IN_USER_SPACE); + return XDP_PASS; + } + BPF_LOG(INFO, AUTH, "authz is enabled, processing"); + struct match_context match_ctx; + struct bpf_sock_tuple tuple_key = {0}; + struct xdp_info info = {0}; wl_policies_v *policies; - __u32 policyId; - Istio__Security__Authorization *policy; + int ret; - policies = get_workload_policies(info, tuple_info); - if (!policies) { - return AUTH_ALLOW; - } + if (parser_xdp_info(ctx, &info) == PARSER_FAILED) + return XDP_PASS; + if (info.iph->version != 4 && info.iph->version != 6) + return XDP_PASS; - for (int i = 0; i < MAX_MEMBER_NUM_PER_POLICY; i++) { - policyId = policies->policyIds[i]; - if (policyId != 0) { - policy = map_lookup_authz(policyId); - if (!policy) { - continue; - } - if (do_auth(policy, info, tuple_info) == AUTH_DENY) { - BPF_LOG(ERR, AUTH, "policy %u manage result deny\n", policyId); - return AUTH_DENY; - } + // never failed + parser_tuple(&info, &tuple_key); + int *value = bpf_map_lookup_elem(&map_of_auth, &tuple_key); + if (!value) { + policies = get_workload_policies(&info, &tuple_key); + if (!policies) { + return XDP_PASS; + } + match_ctx.policies = policies; + match_ctx.policy_index = 0; + ret = bpf_map_update_elem(&kmesh_tc_args, &tuple_key, &match_ctx, BPF_ANY); + if (ret < 0) { + BPF_LOG(ERR, AUTH, "Failed to update map, error: %d", ret); + return XDP_PASS; } - } - return AUTH_ALLOW; -} -static inline int xdp_rbac_manage(struct xdp_info *info, struct bpf_sock_tuple *tuple_info) -{ - return match_workload_policy(info, tuple_info); + bpf_tail_call(ctx, &xdp_tailcall_map, TAIL_CALL_POLICY_CHECK); + return XDP_PASS; + } else { + return *value ? XDP_DROP : XDP_PASS; + } } SEC("xdp_auth") -int xdp_shutdown(struct xdp_md *ctx) +int xdp_shutdown_in_userspace(struct xdp_md *ctx) { struct xdp_info info = {0}; struct bpf_sock_tuple tuple_info = {0}; @@ -186,12 +158,6 @@ int xdp_shutdown(struct xdp_md *ctx) // never failed parser_tuple(&info, &tuple_info); - // Before the authentication types supported by eBPF XDP are fully implemented, - // this section only processes AUTH_DENY. If get AUTH_ALLOW, - // it will still depend on the user-space authentication process to match other rule types. - if (xdp_rbac_manage(&info, &tuple_info) == AUTH_DENY) { - return xdp_deny_packet(&info, &tuple_info); - } if (should_shutdown(&info, &tuple_info) == AUTH_FORBID) shutdown_tuple(&info); diff --git a/ctl/authz/authz.go b/ctl/authz/authz.go new file mode 100644 index 000000000..84b5fc2cc --- /dev/null +++ b/ctl/authz/authz.go @@ -0,0 +1,124 @@ +/* + * Copyright The Kmesh Authors. + * + * Licensed under the Apache License, Version 2.0 (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at: + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package authz + +import ( + "context" + "fmt" + "net/http" + "os" + + "github.com/spf13/cobra" + + "kmesh.net/kmesh/ctl/utils" + "kmesh.net/kmesh/pkg/kube" + "kmesh.net/kmesh/pkg/logger" +) + +const ( + patternAuthz = "/authz" +) + +var log = logger.NewLoggerScope("kmeshctl/authz") + +func NewCmd() *cobra.Command { + cmd := &cobra.Command{ + Use: "authz", + Short: "Enable or disable Kmesh's authz", + Example: `# Enable Kmesh's authz: + kmeshctl authz enable + + # Disable Kmesh's authz: + kmeshctl authz authz`, + Args: cobra.MinimumNArgs(1), + Run: func(cmd *cobra.Command, args []string) { + SetAuthz(cmd, args) + }, + } + return cmd +} + +func SetAuthz(cmd *cobra.Command, args []string) { + var info string + authzFlag := args[len(args)-1] + if authzFlag == "enable" { + info = "true" + } else if authzFlag == "disable" { + info = "false" + } else { + log.Errorf("Error: Argument must be 'enable' or 'disable'") + os.Exit(1) + } + + cli, err := utils.CreateKubeClient() + if err != nil { + log.Errorf("failed to create cli client: %v", err) + os.Exit(1) + } + + if len(args) == 1 { + // Perform operations on all kmesh daemons. + podList, err := cli.PodsForSelector(context.TODO(), utils.KmeshNamespace, utils.KmeshLabel) + if err != nil { + log.Errorf("failed to get kmesh podList: %v", err) + os.Exit(1) + } + for _, pod := range podList.Items { + SetAuthzPerKmeshDaemon(cli, pod.GetName(), info) + } + } else { + // Processes authz triggers for specified kmesh daemon. + for _, podname := range args[:len(args)-1] { + SetAuthzPerKmeshDaemon(cli, podname, info) + } + } +} + +func SetAuthzPerKmeshDaemon(cli kube.CLIClient, podName, info string) { + fw, err := utils.CreateKmeshPortForwarder(cli, podName) + if err != nil { + log.Errorf("failed to create port forwarder for Kmesh daemon pod %s: %v", podName, err) + os.Exit(1) + } + if err := fw.Start(); err != nil { + log.Errorf("failed to start port forwarder for Kmesh daemon pod %s: %v", podName, err) + os.Exit(1) + } + defer fw.Close() + + url := fmt.Sprintf("http://%s%s?enable=%s", fw.Address(), patternAuthz, info) + + req, err := http.NewRequest(http.MethodPost, url, nil) + if err != nil { + log.Errorf("Error creating request: %v", err) + return + } + + req.Header.Set("Content-Type", "application/json") + client := &http.Client{} + resp, err := client.Do(req) + if err != nil { + log.Errorf("failed to make HTTP request: %v", err) + return + } + defer resp.Body.Close() + + if resp.StatusCode != http.StatusOK { + log.Errorf("Error: received status code %d", resp.StatusCode) + return + } +} diff --git a/ctl/common/common.go b/ctl/common/common.go index ffb335b63..271f6e7eb 100644 --- a/ctl/common/common.go +++ b/ctl/common/common.go @@ -20,6 +20,7 @@ import ( "github.com/spf13/cobra" "kmesh.net/kmesh/ctl/accesslog" + "kmesh.net/kmesh/ctl/authz" "kmesh.net/kmesh/ctl/dump" logcmd "kmesh.net/kmesh/ctl/log" "kmesh.net/kmesh/ctl/version" @@ -41,6 +42,7 @@ func GetRootCommand() *cobra.Command { rootCmd.AddCommand(waypoint.NewCmd()) rootCmd.AddCommand(version.NewCmd()) rootCmd.AddCommand(accesslog.NewCmd()) + rootCmd.AddCommand(authz.NewCmd()) return rootCmd } diff --git a/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml b/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml index 1df85c3a6..dbc575371 100644 --- a/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml +++ b/deploy/charts/kmesh-helm/templates/kmesh-rbac.yaml @@ -13,6 +13,7 @@ rules: - pods - services - namespaces + - nodes verbs: - get - update diff --git a/docs/ctl/kmeshctl.md b/docs/ctl/kmeshctl.md index be12de5f2..bccfdc0ab 100644 --- a/docs/ctl/kmeshctl.md +++ b/docs/ctl/kmeshctl.md @@ -11,6 +11,7 @@ Kmesh command line tools to operate and debug Kmesh ### SEE ALSO * [kmeshctl accesslog](kmeshctl_accesslog.md) - Enable or disable Kmesh's accesslog +* [kmeshctl authz](kmeshctl_authz.md) - Enable or disable Kmesh's authz * [kmeshctl dump](kmeshctl_dump.md) - Dump config of kernel-native or dual-engine mode * [kmeshctl log](kmeshctl_log.md) - Get or set kmesh-daemon's logger level * [kmeshctl version](kmeshctl_version.md) - Prints out build version info diff --git a/docs/ctl/kmeshctl_authz.md b/docs/ctl/kmeshctl_authz.md new file mode 100644 index 000000000..b64dadafd --- /dev/null +++ b/docs/ctl/kmeshctl_authz.md @@ -0,0 +1,28 @@ +## kmeshctl authz + +Enable or disable Kmesh's authz + +``` +kmeshctl authz [flags] +``` + +### Examples + +``` +# Enable Kmesh's authz: + kmeshctl authz enable + + # Disable Kmesh's authz: + kmeshctl authz authz +``` + +### Options + +``` + -h, --help help for authz +``` + +### SEE ALSO + +* [kmeshctl](kmeshctl.md) - Kmesh command line tools to operate and debug Kmesh + diff --git a/pkg/bpf/bpf.go b/pkg/bpf/bpf.go index ba810c90a..8bc7c80d8 100644 --- a/pkg/bpf/bpf.go +++ b/pkg/bpf/bpf.go @@ -60,9 +60,10 @@ type BpfLoader struct { } type KmeshBpfConfig struct { - BpfLogLevel uint32 - NodeIP [16]byte - PodGateway [16]byte + BpfLogLevel uint32 + NodeIP [16]byte + PodGateway [16]byte + AuthzOffload uint32 } func NewBpfLoader(config *options.BpfConfig) *BpfLoader { @@ -305,9 +306,10 @@ func (l *BpfLoader) setBpfProgOptions() { keyOfKmeshBpfConfig := uint32(0) ValueOfKmeshBpfConfig := KmeshBpfConfig{ // Write this map only when the kmesh daemon starts, so set bpfloglevel to the default value. - BpfLogLevel: constants.BPF_LOG_INFO, - NodeIP: nodeIP, - PodGateway: gateway, + BpfLogLevel: constants.BPF_LOG_INFO, + NodeIP: nodeIP, + PodGateway: gateway, + AuthzOffload: uint32(0), } if l.kmeshConfig != nil { diff --git a/pkg/bpf/workload/xdp.go b/pkg/bpf/workload/xdp.go index ad885c687..fe9e32c19 100644 --- a/pkg/bpf/workload/xdp.go +++ b/pkg/bpf/workload/xdp.go @@ -96,6 +96,27 @@ func (xa *BpfXdpAuthWorkload) LoadXdpAuth() error { xa.Info.Type = prog.Type xa.Info.AttachType = prog.AttachType + if err = xa.XdpTailcallMap.Update( + uint32(constants.TailCallPolicyCheck), + uint32(xa.PolicyCheck.FD()), + ebpf.UpdateAny); err != nil { + return err + } + + if err = xa.XdpTailcallMap.Update( + uint32(constants.TailCallRuleCheck), + uint32(xa.RuleCheck.FD()), + ebpf.UpdateAny); err != nil { + return err + } + + if err = xa.XdpTailcallMap.Update( + uint32(constants.TailCallAuthInUserSpace), + uint32(xa.XdpShutdownInUserspace.FD()), + ebpf.UpdateAny); err != nil { + return err + } + return nil } diff --git a/pkg/constants/constants.go b/pkg/constants/constants.go index ac8568196..44aae9ef9 100644 --- a/pkg/constants/constants.go +++ b/pkg/constants/constants.go @@ -27,7 +27,9 @@ const ( // This annotation is used to indicate traffic redirection settings specific to Kmesh KmeshRedirectionAnnotation = "kmesh.net/redirection" - XDP_PROG_NAME = "xdp_shutdown" + XDP_PROG_NAME = "xdp_authz" + XDP_AUTHZ_ENABLED = 1 + XDP_AUTHZ_DISABLED = 0 RootCertPath = "/var/run/secrets/istio/root-cert.pem" TrustDomain = "cluster.local" @@ -49,8 +51,11 @@ const ( OperDisableControl = 930 // tail call index in tail call prog map - TailCallConnect4Index = 0 - TailCallConnect6Index = 1 + TailCallConnect4Index = 0 + TailCallConnect6Index = 1 + TailCallPolicyCheck = 2 + TailCallRuleCheck = 3 + TailCallAuthInUserSpace = 4 INBOUND = uint32(1) OUTBOUND = uint32(2) diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go index 1f2da7eee..8a68a266b 100644 --- a/pkg/controller/controller.go +++ b/pkg/controller/controller.go @@ -76,7 +76,7 @@ func (c *Controller) Start(stopCh <-chan struct{}) error { } go secertManager.Run(stopCh) } - kmeshManageController, err = manage.NewKmeshManageController(clientset, secertManager, c.bpfWorkloadObj.XdpAuth.XdpShutdown.FD(), c.mode) + kmeshManageController, err = manage.NewKmeshManageController(clientset, secertManager, c.bpfWorkloadObj.XdpAuth.XdpAuthz.FD(), c.mode) } else { kmeshManageController, err = manage.NewKmeshManageController(clientset, nil, -1, c.mode) } diff --git a/pkg/status/status_server.go b/pkg/status/status_server.go index 9b650c8df..39c6a8704 100644 --- a/pkg/status/status_server.go +++ b/pkg/status/status_server.go @@ -60,6 +60,7 @@ const ( patternReadyProbe = "/debug/ready" patternLoggers = "/debug/loggers" patternAccesslog = "/accesslog" + patternAuthz = "/authz" bpfLoggerName = "bpf" @@ -99,6 +100,7 @@ func NewServer(c *controller.XdsClient, configs *options.BootstrapConfigs, confi s.mux.HandleFunc(patternConfigDumpWorkload, s.configDumpWorkload) s.mux.HandleFunc(patternLoggers, s.loggersHandler) s.mux.HandleFunc(patternAccesslog, s.accesslogHandler) + s.mux.HandleFunc(patternAuthz, s.authzHandler) // TODO: add dump certificate, authorizationPolicies and services s.mux.HandleFunc(patternReadyProbe, s.readyProbe) @@ -264,6 +266,43 @@ func (s *Server) accesslogHandler(w http.ResponseWriter, r *http.Request) { } } +func (s *Server) authzHandler(w http.ResponseWriter, r *http.Request) { + if r.Method != http.MethodPost { + http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed) + return + } + + authzInfo := r.URL.Query().Get("enable") + enabled, err := strconv.ParseBool(authzInfo) + if err != nil { + w.WriteHeader(http.StatusBadRequest) + _, _ = w.Write([]byte(fmt.Sprintf("invalid authz enable=%s", authzInfo))) + return + } + + key := uint32(0) + value := bpf.KmeshBpfConfig{} + if s.kmeshConfigMap == nil { + http.Error(w, fmt.Sprintf("update authz error: %v", "kmeshConfigMap is nil"), http.StatusBadRequest) + return + } + if err = s.kmeshConfigMap.Lookup(&key, &value); err != nil { + http.Error(w, fmt.Sprintf("get kmesh config error: %v", err), http.StatusBadRequest) + return + } + if enabled { + value.AuthzOffload = constants.XDP_AUTHZ_ENABLED + } else { + value.AuthzOffload = constants.XDP_AUTHZ_DISABLED + } + if err = s.kmeshConfigMap.Update(&key, &value, ebpf.UpdateAny); err != nil { + http.Error(w, fmt.Sprintf("update authz error: %v", err), http.StatusBadRequest) + return + } + + w.WriteHeader(http.StatusOK) +} + func (s *Server) getLoggerNames(w http.ResponseWriter) { loggerNames := append(logger.GetLoggerNames(), bpfLoggerName) data, err := json.MarshalIndent(&loggerNames, "", " ") @@ -423,7 +462,7 @@ func (s *Server) getBpfLogLevel() (*LoggerInfo, error) { loggerLevel, exists := logLevelMap[int(logLevel)] if !exists { - return nil, fmt.Errorf("unexpected invalid log level: %d", value) + return nil, fmt.Errorf("unexpected invalid log level: %d", value.BpfLogLevel) } return &LoggerInfo{