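// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package api

import (
	k8sapi "github.com/cilium/cilium/pkg/k8s/apis/cilium.io"
	"github.com/cilium/cilium/pkg/labels"
)

// Entity specifies the class of receiver/sender endpoints that do not have
// individual identities. Entities are used to describe "outside of cluster",
// "host", etc.
//
// +kubebuilder:validation:Enum=all;world;cluster;host;init;ingress;unmanaged;remote-node;health;none;kube-apiserver
type Entity string

const (
	// EntityAll is an entity that represents all traffic
	EntityAll Entity = "all"

	// EntityWorld is an entity that represents traffic external to
	// endpoint's cluster
	EntityWorld Entity = "world"

	// EntityWorldIPv4 is an entity that represents traffic external to
	// endpoint's cluster, specifically an IPv4 endpoint, to distinguish
	// it from IPv6 in dual-stack mode.
	EntityWorldIPv4 Entity = "world-ipv4"

	// EntityWorldIPv6 is an entity that represents traffic external to
	// endpoint's cluster, specifically an IPv6 endpoint, to distinguish
	// it from IPv4 in dual-stack mode.
	EntityWorldIPv6 Entity = "world-ipv6"

	// EntityCluster is an entity that represents traffic within the
	// endpoint's cluster, to endpoints not managed by cilium
	EntityCluster Entity = "cluster"

	// EntityHost is an entity that represents traffic within endpoint host
	EntityHost Entity = "host"

	// EntityInit is an entity that represents an initializing endpoint
	EntityInit Entity = "init"

	// EntityIngress is an entity that represents envoy proxy
	EntityIngress Entity = "ingress"

	// EntityUnmanaged is an entity that represents unmanaged endpoints.
	EntityUnmanaged Entity = "unmanaged"

	// EntityRemoteNode is an entity that represents all remote nodes
	EntityRemoteNode Entity = "remote-node"

	// EntityHealth is an entity that represents all health endpoints.
	EntityHealth Entity = "health"

	// EntityNone is an entity that can be selected but never exist
	EntityNone Entity = "none"

	// EntityKubeAPIServer is an entity that represents the kube-apiserver.
	EntityKubeAPIServer Entity = "kube-apiserver"
)

var (
	// The selectors below are each built from a single reserved label so
	// that an entity name in a policy resolves to the matching reserved
	// identity. Only EndpointSelectorNone is exported.
	endpointSelectorWorld = NewESFromLabels(labels.NewLabel(labels.IDNameWorld, "", labels.LabelSourceReserved))

	endpointSelectorWorldIPv4 = NewESFromLabels(labels.NewLabel(labels.IDNameWorldIPv4, "", labels.LabelSourceReserved))

	endpointSelectorWorldIPv6 = NewESFromLabels(labels.NewLabel(labels.IDNameWorldIPv6, "", labels.LabelSourceReserved))

	endpointSelectorHost = NewESFromLabels(labels.NewLabel(labels.IDNameHost, "", labels.LabelSourceReserved))

	endpointSelectorInit = NewESFromLabels(labels.NewLabel(labels.IDNameInit, "", labels.LabelSourceReserved))

	endpointSelectorIngress = NewESFromLabels(labels.NewLabel(labels.IDNameIngress, "", labels.LabelSourceReserved))

	endpointSelectorRemoteNode = NewESFromLabels(labels.NewLabel(labels.IDNameRemoteNode, "", labels.LabelSourceReserved))

	endpointSelectorHealth = NewESFromLabels(labels.NewLabel(labels.IDNameHealth, "", labels.LabelSourceReserved))

	// EndpointSelectorNone is the selector backing EntityNone. It is built
	// from the reserved IDNameNone label.
	EndpointSelectorNone = NewESFromLabels(labels.NewLabel(labels.IDNameNone, "", labels.LabelSourceReserved))

	endpointSelectorUnmanaged = NewESFromLabels(labels.NewLabel(labels.IDNameUnmanaged, "", labels.LabelSourceReserved))

	endpointSelectorKubeAPIServer = NewESFromLabels(labels.LabelKubeAPIServer[labels.IDNameKubeAPIServer])

	// EntitySelectorMapping maps special entity names that come in
	// policies to selectors.
	//
	// If you add an entry here, you must also update the CRD
	// validation above.
	//
	// NOTE(review): EntityWorldIPv4 and EntityWorldIPv6 have entries here
	// but "world-ipv4"/"world-ipv6" are not in the kubebuilder enum on
	// Entity — confirm whether the CRD validation is meant to reject them.
	//
	// EntityWorld deliberately expands to the generic world selector plus
	// both address-family specific ones, so a policy naming "world" covers
	// dual-stack traffic without listing the IPv4/IPv6 variants.
	EntitySelectorMapping = map[Entity]EndpointSelectorSlice{
		EntityAll:           {WildcardEndpointSelector},
		EntityWorld:         {endpointSelectorWorld, endpointSelectorWorldIPv4, endpointSelectorWorldIPv6},
		EntityWorldIPv4:     {endpointSelectorWorldIPv4},
		EntityWorldIPv6:     {endpointSelectorWorldIPv6},
		EntityHost:          {endpointSelectorHost},
		EntityInit:          {endpointSelectorInit},
		EntityIngress:       {endpointSelectorIngress},
		EntityRemoteNode:    {endpointSelectorRemoteNode},
		EntityHealth:        {endpointSelectorHealth},
		EntityUnmanaged:     {endpointSelectorUnmanaged},
		EntityNone:          {EndpointSelectorNone},
		EntityKubeAPIServer: {endpointSelectorKubeAPIServer},

		// EntityCluster is populated with an empty entry to allow the
		// cilium client importing this package to perform basic rule
		// validation. The basic rule validation only enforces
		// awareness of individual entity names and does not require
		// understanding of the individual endpoint selectors. The
		// endpoint selector for the cluster entity can only be
		// initialized at runtime as it depends on user configuration
		// such as the cluster name. See InitEntities() below.
		//
		// Until InitEntities runs, a rule referencing EntityCluster
		// therefore contributes no selectors at all.
		EntityCluster: {},
	}
)

// EntitySlice is a slice of entities
type EntitySlice []Entity

// GetAsEndpointSelectors returns the provided entity slice as a slice of
// endpoint selectors.
//
// Entities with no entry in EntitySelectorMapping are silently skipped, and
// EntityCluster adds nothing until InitEntities has run. The returned slice
// is never nil, even for an empty receiver.
func (s EntitySlice) GetAsEndpointSelectors() EndpointSelectorSlice {
	// Most entities map to exactly one selector, so len(s) is a cheap lower
	// bound for the capacity and avoids regrowth in the common case.
	slice := make(EndpointSelectorSlice, 0, len(s))
	for _, e := range s {
		if selectors, ok := EntitySelectorMapping[e]; ok {
			slice = append(slice, selectors...)
		}
	}

	return slice
}

// InitEntities is called to initialize the policy API layer. It fills in
// the EntityCluster entry of EntitySelectorMapping, which cannot be built at
// package init time because it depends on the configured cluster name.
//
// NOTE(review): this writes to the package-level EntitySelectorMapping map
// without synchronisation, so it is presumably expected to run before any
// concurrent reader such as GetAsEndpointSelectors — confirm against callers.
func InitEntities(clusterName string) {
	EntitySelectorMapping[EntityCluster] = EndpointSelectorSlice{
		endpointSelectorHost,
		endpointSelectorRemoteNode,
		endpointSelectorInit,
		endpointSelectorIngress,
		endpointSelectorHealth,
		endpointSelectorUnmanaged,
		endpointSelectorKubeAPIServer,
		// Matches endpoints carrying the k8s cluster label for clusterName
		// (presumably the cilium-managed endpoints of this cluster — confirm).
		NewESFromLabels(labels.NewLabel(k8sapi.PolicyLabelCluster, clusterName, labels.LabelSourceK8s)),
	}
}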