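// SPDX-License-Identifier: Apache-2.0
// Copyright Authors of Cilium

package directory

import (
	"context"

	"github.com/cilium/hive/cell"
	"github.com/sirupsen/logrus"
	"github.com/spf13/pflag"

	cilium_v2 "github.com/cilium/cilium/pkg/k8s/apis/cilium.io/v2"
	"github.com/cilium/cilium/pkg/labels"
	"github.com/cilium/cilium/pkg/policy"
	"github.com/cilium/cilium/pkg/policy/api"
)

// Cell provides the Directory policy watcher. The Directory policy watcher watches
// CiliumNetworkPolicy and CiliumClusterwideNetworkPolicy files created/deleted under
// a directory specified through the cilium config. It reads and translates them to
// Cilium's own policy representation (api.Rules) and updates the policy repository
// (via PolicyManager) accordingly.
var Cell = cell.Module(
	"policy-directory-watcher",
	"Watches Directory for cilium network policy file updates",
	cell.Config(defaultConfig),
	cell.Provide(
		newDirectoryPolicyResourcesWatcher,
		// The read-status channel is provided as its own value so that other
		// cells can wait on it without depending on the watcher itself.
		func() DirectoryWatcherReadStatus {
			return make(DirectoryWatcherReadStatus)
		},
	),
)

// PolicyManager is the subset of the policy repository that the directory
// watcher needs: adding translated rules and deleting them by label.
// It is implemented by the Daemon (see newPolicyWatcher for why that matters).
type PolicyManager interface {
	PolicyAdd(rules api.Rules, opts *policy.AddOptions) (newRev uint64, err error)
	PolicyDelete(labels labels.LabelArray, opts *policy.DeleteOptions) (newRev uint64, err error)
}

// DirectoryWatcherReadStatus is a signalling channel: it is closed, never sent on.
// newDirectoryPolicyResourcesWatcher closes it immediately when no directory is
// configured; otherwise it is handed to the policy watcher, which presumably
// closes it once the pre-existing policy files have been loaded (see
// watchDirectory in this package — confirm there).
type DirectoryWatcherReadStatus chan struct{}

// PolicyWatcherParams are the Hive-injected dependencies of the watcher.
type PolicyWatcherParams struct {
	cell.In

	ReadStatus DirectoryWatcherReadStatus
	Lifecycle  cell.Lifecycle
	Logger     logrus.FieldLogger
}

// PolicyResourcesWatcher bundles the injected parameters and the resolved
// configuration; the actual watching happens in the unexported policyWatcher
// created by WatchDirectoryPolicyResources.
type PolicyResourcesWatcher struct {
	params PolicyWatcherParams
	cfg    Config
}

// Config holds the directory watcher's configuration.
type Config struct {
	// StaticCNPPath is the directory whose CiliumNetworkPolicy /
	// CiliumClusterwideNetworkPolicy YAML files are loaded and watched.
	// Files placed here end up in the policy repository with the same
	// authority as policies received through the API, so write access to the
	// directory should be limited to principals allowed to set policy.
	// NOTE(review): nothing in this file enforces that; confirm it is handled
	// at deployment time.
	StaticCNPPath string
}

const (
	// staticCNPPath is the name of the flag that sets Config.StaticCNPPath.
	staticCNPPath = "static-cnp-path"
)

// defaultConfig leaves StaticCNPPath empty, which disables the watcher.
var defaultConfig = Config{}

// Flags registers the directory watcher's command-line flags.
func (cfg Config) Flags(flags *pflag.FlagSet) {
	flags.String(staticCNPPath, defaultConfig.StaticCNPPath, "Directory path to watch and load static cilium network policy yaml files.")
}

// newDirectoryPolicyResourcesWatcher constructs the watcher from its Hive
// dependencies. When no directory is configured it returns nil and closes
// p.ReadStatus right away so that anyone waiting for the initial read is
// released; callers must therefore tolerate a nil result.
func newDirectoryPolicyResourcesWatcher(p PolicyWatcherParams, cfg Config) *PolicyResourcesWatcher {
	if cfg.StaticCNPPath == "" {
		// Nothing will ever be read, so signal "done" immediately.
		close(p.ReadStatus)
		return nil
	}

	return &PolicyResourcesWatcher{
		params: p,
		cfg:    cfg,
	}
}

// WatchDirectoryPolicyResources starts watching Cilium Network policy files created under a directory.
// It is a no-op on a nil receiver, which is what newDirectoryPolicyResourcesWatcher
// returns when no directory is configured (ReadStatus is already closed in that case).
func (p *PolicyResourcesWatcher) WatchDirectoryPolicyResources(ctx context.Context, policyManager PolicyManager) {
	// Guard the nil-constructor case instead of dereferencing p.params below.
	if p == nil {
		return
	}
	newPolicyWatcher(ctx, policyManager, p).watchDirectory(ctx)
}

// newPolicyWatcher constructs a new policy watcher.
// This constructor unfortunately cannot be started via the Hive lifecycle as
// there exists a circular dependency between this watcher and the Daemon:
// The constructor newDaemon cannot complete before all pre-existing
// Cilium Network Policy defined as yaml under specific directory have been added via the PolicyManager
// (i.e. watchDirectory has observed the CNP file addition).
// Because the PolicyManager interface itself is implemented by the Daemon
// struct, we have a circular dependency.
//
// p must be non-nil; WatchDirectoryPolicyResources is the only caller in this
// file and checks that before calling.
func newPolicyWatcher(ctx context.Context, policyManager PolicyManager, p *PolicyResourcesWatcher) *policyWatcher {
	return &policyWatcher{
		log:           p.params.Logger,
		policyManager: policyManager,
		readStatus:    p.params.ReadStatus,
		config:        p.cfg,
		// Keyed by file name so that a later delete of the same file can be
		// mapped back to the policy that was loaded from it.
		fileNameToCnpCache: make(map[string]*cilium_v2.CiliumNetworkPolicy),
	}
}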