func (s *CommonSuite) TestTargetCoveredBy(c *C) { lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource) lblJoe := labels.NewLabel("io.cilium.user", "joe", "kubernetes") lblAll := labels.NewLabel(labels.ID_NAME_ALL, "", common.ReservedLabelSource) list1 := []labels.Label{*lblFoo} list2 := []labels.Label{*lblBar, *lblBaz} list3 := []labels.Label{*lblFoo, *lblJoe} list4 := []labels.Label{*lblAll} // any -> io.cilium.bar ctx := SearchContext{To: []labels.Label{*lblBar}} c.Assert(ctx.TargetCoveredBy(list1), Equals, false) c.Assert(ctx.TargetCoveredBy(list2), Equals, true) c.Assert(ctx.TargetCoveredBy(list3), Equals, false) c.Assert(ctx.TargetCoveredBy(list4), Equals, true) // any -> kubernetes:io.cilium.baz ctx = SearchContext{To: []labels.Label{*lblBaz}} c.Assert(ctx.TargetCoveredBy(list1), Equals, false) c.Assert(ctx.TargetCoveredBy(list2), Equals, true) c.Assert(ctx.TargetCoveredBy(list3), Equals, false) c.Assert(ctx.TargetCoveredBy(list4), Equals, true) // any -> [kubernetes:io.cilium.user=joe, io.cilium.foo] ctx = SearchContext{To: []labels.Label{*lblJoe, *lblFoo}} c.Assert(ctx.TargetCoveredBy(list1), Equals, true) c.Assert(ctx.TargetCoveredBy(list2), Equals, false) c.Assert(ctx.TargetCoveredBy(list3), Equals, true) c.Assert(ctx.TargetCoveredBy(list4), Equals, true) }
func (s *CommonSuite) TestRequires(c *C) { lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource) // Foo -> Bar aFooToBar := SearchContext{ From: []labels.Label{*lblFoo}, To: []labels.Label{*lblBar}, } // Baz -> Bar aBazToBar := SearchContext{ From: []labels.Label{*lblBaz}, To: []labels.Label{*lblBar}, } // Bar -> Baz aBarToBaz := SearchContext{ From: []labels.Label{*lblBar}, To: []labels.Label{*lblBaz}, } // coverage: bar // Require: foo requires := PolicyRuleRequires{ Coverage: []labels.Label{*lblBar}, Requires: []labels.Label{*lblFoo}, } c.Assert(requires.Allows(&aFooToBar), Equals, UNDECIDED) c.Assert(requires.Allows(&aBazToBar), Equals, DENY) c.Assert(requires.Allows(&aBarToBaz), Equals, UNDECIDED) }
func (s *CommonSuite) TestAllowRule(c *C) { lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource) lblAll := labels.NewLabel(labels.ID_NAME_ALL, "", common.ReservedLabelSource) allow := AllowRule{Action: ACCEPT, Label: *lblFoo} deny := AllowRule{Action: DENY, Label: *lblFoo} allowAll := AllowRule{Action: ACCEPT, Label: *lblAll} ctx := SearchContext{ From: []labels.Label{*lblFoo}, To: []labels.Label{*lblBar}, } ctx2 := SearchContext{ From: []labels.Label{*lblBaz}, To: []labels.Label{*lblBar}, } c.Assert(allow.Allows(&ctx), Equals, ACCEPT) c.Assert(deny.Allows(&ctx), Equals, DENY) c.Assert(allowAll.Allows(&ctx), Equals, ACCEPT) c.Assert(allow.Allows(&ctx2), Equals, UNDECIDED) c.Assert(deny.Allows(&ctx2), Equals, UNDECIDED) c.Assert(allowAll.Allows(&ctx2), Equals, ACCEPT) }
func (s *DaemonSuite) TestEndpointLabelsGetOK(c *C) { ep := endpoint.Endpoint{ LXCMAC: HardAddr, IPv6: IPv6Addr, IPv4: IPv4Addr, NodeMAC: HardAddr, NodeIP: NodeAddr, IfName: "ifname", DockerNetworkID: "dockernetwork", SecLabel: SecLabel, } ep.SetID() epLbls := labels.Labels{ "foo": labels.NewLabel("foo", "bar", "cilium"), } ciliumLbls := labels.Labels{ "bar": labels.NewLabel("bar", "foo", "cilium"), } wantedLbls := labels.OpLabels{ AllLabels: ciliumLbls, EndpointLabels: epLbls, } s.d.OnEndpointLabelsGet = func(epID uint16) (*labels.OpLabels, error) { c.Assert(ep.ID, DeepEquals, epID) return &wantedLbls, nil } lbls, err := s.c.EndpointLabelsGet(ep.ID) c.Assert(err, IsNil) c.Assert(wantedLbls, DeepEquals, *lbls) }
func (s *CommonSuite) TestNodeCovers(c *C) { root := Node{ Name: common.GlobalLabelPrefix, Children: map[string]*Node{ "foo": {}, "bar": {}, }, } err := root.ResolveTree() c.Assert(err, Equals, nil) lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) ctx := SearchContext{To: []labels.Label{*lblFoo}} c.Assert(root.Covers(&ctx), Equals, true) c.Assert(root.Children["foo"].Covers(&ctx), Equals, true) c.Assert(root.Children["bar"].Covers(&ctx), Equals, false) lblFoo = labels.NewLabel("io.cilium.foo2", "", common.CiliumLabelSource) ctx = SearchContext{To: []labels.Label{*lblFoo}} c.Assert(root.Covers(&ctx), Equals, true) c.Assert(root.Children["foo"].Covers(&ctx), Equals, false) c.Assert(root.Children["bar"].Covers(&ctx), Equals, false) lblRoot := labels.NewLabel("io.cilium", "", common.CiliumLabelSource) ctx = SearchContext{To: []labels.Label{*lblRoot}} c.Assert(root.Covers(&ctx), Equals, true) c.Assert(root.Children["foo"].Covers(&ctx), Equals, false) c.Assert(root.Children["bar"].Covers(&ctx), Equals, false) }
func K8sNP2CP(np *v1beta1.NetworkPolicy) (string, *policy.Node, error) { var parentNodeName, policyName string if np.Annotations[common.K8sAnnotationParentName] == "" { parentNodeName = common.GlobalLabelPrefix } else { parentNodeName = np.Annotations[common.K8sAnnotationParentName] } if np.Annotations[common.K8sAnnotationName] == "" { policyName = np.Name } else { policyName = np.Annotations[common.K8sAnnotationName] } allowRules := []policy.AllowRule{} for _, iRule := range np.Spec.Ingress { if iRule.From != nil { for _, rule := range iRule.From { if rule.PodSelector != nil { for k, v := range rule.PodSelector.MatchLabels { l := labels.NewLabel(k, v, "") if l.Source == common.CiliumLabelSource { l.Source = common.K8sLabelSource } ar := policy.AllowRule{ Action: policy.ALWAYS_ACCEPT, Label: *l, } allowRules = append(allowRules, ar) } } else if rule.NamespaceSelector != nil { for k := range rule.NamespaceSelector.MatchLabels { l := labels.NewLabel(common.K8sPodNamespaceLabel, k, common.K8sLabelSource) ar := policy.AllowRule{ Action: policy.ALWAYS_ACCEPT, Label: *l, } allowRules = append(allowRules, ar) } } } } } coverageLbls := labels.Map2Labels(np.Spec.PodSelector.MatchLabels, common.K8sLabelSource) pn := policy.NewNode(policyName, nil) pn.Rules = []policy.PolicyRule{ &policy.PolicyRuleConsumers{ Coverage: coverageLbls.ToSlice(), Allow: allowRules, }, } return parentNodeName, pn, nil }
func (s *CommonSuite) TestLabelCompare(c *C) { a1 := labels.NewLabel("io.cilium", "", "") a2 := labels.NewLabel("io.cilium", "", "") b1 := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) c1 := labels.NewLabel("io.cilium.bar", "", "kubernetes") d1 := labels.NewLabel("", "", "") c.Assert(a1.Equals(a2), Equals, true) c.Assert(a2.Equals(a1), Equals, true) c.Assert(a1.Equals(b1), Equals, false) c.Assert(a1.Equals(c1), Equals, false) c.Assert(a1.Equals(d1), Equals, false) c.Assert(b1.Equals(c1), Equals, false) }
func (s *DaemonSuite) TestEndpointLabelsAddOK(c *C) { ep := endpoint.Endpoint{ LXCMAC: HardAddr, IPv6: IPv6Addr, IPv4: IPv4Addr, NodeMAC: HardAddr, NodeIP: NodeAddr, IfName: "ifname", DockerNetworkID: "dockernetwork", SecLabel: SecLabel, } ep.SetID() wantedLabels := labels.LabelOp{ labels.AddLabelsOp: labels.Labels{ "foo": labels.NewLabel("foo", "bar", "cilium"), }, } s.d.OnEndpointLabelsUpdate = func(epID uint16, lbls labels.LabelOp) error { c.Assert(ep.ID, DeepEquals, epID) c.Assert(wantedLabels, DeepEquals, lbls) return nil } err := s.c.EndpointLabelsUpdate(ep.ID, wantedLabels) c.Assert(err, IsNil) }
func (s *DaemonSuite) TestEndpointLabelsAddFail(c *C) { ep := endpoint.Endpoint{ LXCMAC: HardAddr, IPv6: IPv6Addr, IPv4: IPv4Addr, NodeMAC: HardAddr, NodeIP: NodeAddr, IfName: "ifname", DockerNetworkID: "dockernetwork", SecLabel: SecLabel, } ep.SetID() wantedLabels := labels.LabelOp{ labels.AddLabelsOp: labels.Labels{ "foo": labels.NewLabel("foo", "bar", "cilium"), }, } s.d.OnEndpointLabelsUpdate = func(epID uint16, labelOp labels.LabelOp) error { c.Assert(ep.ID, DeepEquals, epID) c.Assert(labelOp, DeepEquals, wantedLabels) return errors.New("invalid endpoint") } err := s.c.EndpointLabelsUpdate(ep.ID, wantedLabels) c.Assert(strings.Contains(err.Error(), "invalid endpoint"), Equals, true) }
func (d *Daemon) PolicyInit() error { for k, v := range labels.ResDec { key := labels.ReservedID(uint32(v)).String() lbl := labels.NewLabel( key, "", common.ReservedLabelSource, ) secLbl := labels.NewSecCtxLabel() secLbl.ID = uint32(v) secLbl.AddOrUpdateContainer(lbl.String()) secLbl.Labels[k] = lbl policyMapPath := fmt.Sprintf("%sreserved_%d", common.PolicyMapPath, uint32(v)) policyMap, _, err := policymap.OpenMap(policyMapPath) if err != nil { return fmt.Errorf("Could not create policy BPF map '%s': %s", policyMapPath, err) } if c := policy.GetConsumable(uint32(v), secLbl); c == nil { return fmt.Errorf("Unable to initialize consumable for %v", secLbl) } else { d.reservedConsumables = append(d.reservedConsumables, c) c.AddMap(policyMap) } } return nil }
func (s *CommonSuite) TestValidateCoverage(c *C) { rootNode := Node{Name: common.GlobalLabelPrefix} node := Node{ Name: "foo", Parent: &rootNode, } lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) consumer := PolicyRuleConsumers{Coverage: []labels.Label{*lblBar}} c.Assert(consumer.Resolve(&node), Not(Equals), nil) consumer2 := PolicyRuleRequires{Coverage: []labels.Label{*lblBar}} c.Assert(consumer2.Resolve(&node), Not(Equals), nil) lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) consumer = PolicyRuleConsumers{Coverage: []labels.Label{*lblFoo}} c.Assert(consumer.Resolve(&node), Equals, nil) lblFoo = labels.NewLabel("foo", "", common.CiliumLabelSource) consumer = PolicyRuleConsumers{Coverage: []labels.Label{*lblFoo}} c.Assert(consumer.Resolve(&node), Equals, nil) }
// GetLabels returns the SecCtxLabels that belongs to the given id. func (d *Daemon) GetLabels(id uint32) (*labels.SecCtxLabel, error) { if id > 0 && id < common.FirstFreeLabelID { key := labels.ReservedID(id).String() if key == "" { return nil, nil } lbl := labels.NewLabel( key, "", common.ReservedLabelSource, ) secLbl := labels.NewSecCtxLabel() secLbl.AddOrUpdateContainer(lbl.String()) secLbl.ID = id secLbl.Labels = labels.Labels{ common.ReservedLabelSource: lbl, } return secLbl, nil } strID := strconv.FormatUint(uint64(id), 10) rmsg, err := d.kvClient.GetValue(path.Join(common.LabelIDKeyPath, strID)) if err != nil { return nil, err } if rmsg == nil { return nil, nil } var secCtxLabels labels.SecCtxLabel if err := json.Unmarshal(rmsg, &secCtxLabels); err != nil { return nil, err } if secCtxLabels.RefCount() == 0 { return nil, nil } return &secCtxLabels, nil }
func (s *CommonSuite) TestNodeMerge(c *C) { // Name mismatch aNode := Node{Name: "a"} bNode := Node{Name: "b"} err := aNode.Merge(&bNode) c.Assert(err, Not(Equals), nil) // Empty nodes aOrig := Node{Name: "a"} aNode = Node{Name: "a"} bNode = Node{Name: "a"} err = aNode.Merge(&bNode) c.Assert(err, Equals, nil) c.Assert(aNode, DeepEquals, aOrig) lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource) lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource) lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblJoe := labels.NewLabel("io.cilium.user", "joe", "kubernetes") lblPete := labels.NewLabel("io.cilium.user", "pete", "kubernetes") aNode = Node{ Name: common.GlobalLabelPrefix, Rules: []PolicyRule{ &PolicyRuleRequires{ // coverage qa, requires qa Coverage: []labels.Label{*lblQA}, Requires: []labels.Label{*lblQA}, }, }, Children: map[string]*Node{ "bar": { Name: "bar", path: common.GlobalLabelPrefix + ".bar", Rules: []PolicyRule{ &PolicyRuleConsumers{ Allow: []AllowRule{ {Action: DENY, Label: *lblJoe}, {Action: DENY, Label: *lblPete}, }, }, }, }, }, } bNode = Node{ Name: common.GlobalLabelPrefix, Rules: []PolicyRule{ &PolicyRuleRequires{ // coverage prod, requires: prod Coverage: []labels.Label{*lblProd}, Requires: []labels.Label{*lblProd}, }, }, Children: map[string]*Node{ "foo": { Name: "foo", path: common.GlobalLabelPrefix + ".foo", }, "bar": { Name: "bar", path: common.GlobalLabelPrefix + ".bar", Rules: []PolicyRule{ &PolicyRuleConsumers{ Allow: []AllowRule{ { // allow: foo Action: ACCEPT, Label: *lblFoo, }, }, }, }, }, }, } aNode.Path() bNode.Path() err = aNode.Merge(&bNode) c.Assert(err, Equals, nil) }
func (ds *DaemonSuite) TestUpdateConsumerMap(c *C) { lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource) lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource) lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) lblJoe := labels.NewLabel("io.cilium.user", "joe", common.CiliumLabelSource) lblPete := labels.NewLabel("io.cilium.user", "pete", common.CiliumLabelSource) rootNode := policy.Node{ Name: common.GlobalLabelPrefix, Rules: []policy.PolicyRule{ &policy.PolicyRuleConsumers{ Coverage: []labels.Label{*lblBar}, Allow: []policy.AllowRule{ // always-allow: user=joe {Action: policy.ALWAYS_ACCEPT, Label: *lblJoe}, // allow: user=pete {Action: policy.ACCEPT, Label: *lblPete}, }, }, &policy.PolicyRuleRequires{ // coverage qa, requires qa Coverage: []labels.Label{*lblQA}, Requires: []labels.Label{*lblQA}, }, &policy.PolicyRuleRequires{ // coverage prod, requires: prod Coverage: []labels.Label{*lblProd}, Requires: []labels.Label{*lblProd}, }, }, Children: map[string]*policy.Node{ "foo": {}, "bar": { Rules: []policy.PolicyRule{ &policy.PolicyRuleConsumers{ Allow: []policy.AllowRule{ { // allow: foo Action: policy.ACCEPT, Label: *lblFoo, }, {Action: policy.DENY, Label: *lblJoe}, {Action: policy.DENY, Label: *lblPete}, }, }, }, }, }, } c.Assert(rootNode.ResolveTree(), Equals, nil) err := ds.d.PolicyAdd("io.cilium", &rootNode) c.Assert(err, Equals, nil) qaBarLbls := labels.Labels{lblBar.Key: lblBar, lblQA.Key: lblQA} qaBarSecLblsCtx, _, err := ds.d.PutLabels(qaBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) prodBarLbls := labels.Labels{lblBar.Key: lblBar, lblProd.Key: lblProd} prodBarSecLblsCtx, _, err := ds.d.PutLabels(prodBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) qaFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblQA.Key: lblQA} qaFooSecLblsCtx, _, err := ds.d.PutLabels(qaFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) prodFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd} prodFooSecLblsCtx, _, err := ds.d.PutLabels(prodFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) prodFooJoeLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd, lblJoe.Key: lblJoe} prodFooJoeSecLblsCtx, _, err := ds.d.PutLabels(prodFooJoeLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) e := endpoint.Endpoint{ ID: 1, IfName: "dummy1", IPv6: IPv6Addr, IPv4: IPv4Addr, LXCMAC: HardAddr, NodeMAC: HardAddr, } e.Opts = option.NewBoolOptions(&DaemonOptionLibrary) e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false) err = os.Mkdir("1", 755) c.Assert(err, IsNil) defer func() { err = os.RemoveAll("1/geneve_opts.cfg") err = os.RemoveAll("1/lxc_config.h") time.Sleep(1 * time.Second) err = os.RemoveAll("1") err = os.RemoveAll("1_backup") }() e.SetSecLabel(qaBarSecLblsCtx) err = ds.d.regenerateEndpoint(&e) c.Assert(err, Equals, nil) c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, true) c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true) e = endpoint.Endpoint{ ID: 1, IfName: "dummy1", IPv6: IPv6Addr, IPv4: IPv4Addr, LXCMAC: HardAddr, NodeMAC: HardAddr, } e.Opts = option.NewBoolOptions(&DaemonOptionLibrary) e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false) e.SetSecLabel(prodBarSecLblsCtx) err = ds.d.regenerateEndpoint(&e) c.Assert(err, Equals, nil) c.Assert(e.Allows(0), Equals, false) c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, true) c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true) err = ds.d.PolicyDelete("io.cilium") c.Assert(err, Equals, nil) }
func (s *CommonSuite) TestpolicyAllows(c *C) { lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource) lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource) lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource) lblJoe := labels.NewLabel("io.cilium.user", "joe", "kubernetes") lblPete := labels.NewLabel("io.cilium.user", "pete", "kubernetes") // [Foo,QA] -> [Bar,QA] qaFooToQaBar := SearchContext{ From: []labels.Label{*lblQA, *lblFoo}, To: []labels.Label{*lblQA, *lblBar}, } // [Foo, Prod] -> [Bar,Prod] prodFooToProdBar := SearchContext{ From: []labels.Label{*lblProd, *lblFoo}, To: []labels.Label{*lblBar}, } // [Foo,QA] -> [Bar,Prod] qaFooToProdBar := SearchContext{ From: []labels.Label{*lblQA, *lblFoo}, To: []labels.Label{*lblBar, *lblProd}, } // [Foo,QA, Joe] -> [Bar,prod] qaJoeFooToProdBar := SearchContext{ From: []labels.Label{*lblQA, *lblFoo, *lblJoe}, To: []labels.Label{*lblBar, *lblProd}, } // [Foo,QA, Pete] -> [Bar,Prod] qaPeteFooToProdBar := SearchContext{ From: []labels.Label{*lblQA, *lblFoo, *lblPete}, To: []labels.Label{*lblBar, *lblProd}, } // [Baz, QA] -> Bar qaBazToQaBar := SearchContext{ From: []labels.Label{*lblQA, *lblBaz}, To: []labels.Label{*lblQA, *lblBar}, } rootNode := Node{ Name: common.GlobalLabelPrefix, Rules: []PolicyRule{ &PolicyRuleConsumers{ Coverage: []labels.Label{*lblBar}, Allow: []AllowRule{ // always-allow: user=joe {Action: ALWAYS_ACCEPT, Label: *lblJoe}, // allow: user=pete {Action: ACCEPT, Label: *lblPete}, }, }, &PolicyRuleRequires{ // coverage qa, requires qa Coverage: []labels.Label{*lblQA}, Requires: []labels.Label{*lblQA}, }, &PolicyRuleRequires{ // coverage prod, requires: prod Coverage: []labels.Label{*lblProd}, Requires: []labels.Label{*lblProd}, }, }, Children: map[string]*Node{ "foo": {}, "bar": { Rules: []PolicyRule{ &PolicyRuleConsumers{ Allow: []AllowRule{ { // allow: foo Action: ACCEPT, Label: *lblFoo, }, {Action: DENY, Label: *lblJoe}, {Action: DENY, Label: *lblPete}, }, }, }, }, }, } c.Assert(rootNode.ResolveTree(), Equals, nil) root := Tree{&rootNode} c.Assert(root.Allows(&qaFooToQaBar), Equals, ACCEPT) c.Assert(root.Allows(&prodFooToProdBar), Equals, ACCEPT) c.Assert(root.Allows(&qaFooToProdBar), Equals, DENY) c.Assert(root.Allows(&qaJoeFooToProdBar), Equals, ACCEPT) c.Assert(root.Allows(&qaPeteFooToProdBar), Equals, DENY) c.Assert(root.Allows(&qaBazToQaBar), Equals, DENY) _, err := json.MarshalIndent(rootNode, "", " ") c.Assert(err, Equals, nil) }
func (s *CommonSuite) TestAllowConsumer(c *C) { lblTeamA := labels.NewLabel("io.cilium.teamA", "", common.CiliumLabelSource) lblTeamB := labels.NewLabel("io.cilium.teamB", "", common.CiliumLabelSource) lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource) // [Foo,TeamA] -> Bar aFooToBar := SearchContext{ From: []labels.Label{*lblTeamA, *lblFoo}, To: []labels.Label{*lblBar}, } // [Baz, TeamA] -> Bar aBazToBar := SearchContext{ From: []labels.Label{*lblTeamA, *lblBaz}, To: []labels.Label{*lblBar}, } // [Foo,TeamB] -> Bar bFooToBar := SearchContext{ From: []labels.Label{*lblTeamB, *lblFoo}, To: []labels.Label{*lblBar}, } // [Baz, TeamB] -> Bar bBazToBar := SearchContext{ From: []labels.Label{*lblTeamB, *lblBaz}, To: []labels.Label{*lblBar}, } allowFoo := AllowRule{Action: ACCEPT, Label: *lblFoo} dontAllowFoo := AllowRule{Action: DENY, Label: *lblFoo} allowTeamA := AllowRule{Action: ACCEPT, Label: *lblTeamA} dontAllowBaz := AllowRule{Action: DENY, Label: *lblBaz} alwaysAllowFoo := AllowRule{Action: ALWAYS_ACCEPT, Label: *lblFoo} // Allow: foo, !foo consumers := PolicyRuleConsumers{ Coverage: []labels.Label{*lblBar}, Allow: []AllowRule{allowFoo, dontAllowFoo}, } // NOTE: We are testing on single consumer rule leve, there is // no default deny policy enforced. No match equals UNDECIDED c.Assert(consumers.Allows(&aFooToBar), Equals, DENY) c.Assert(consumers.Allows(&bFooToBar), Equals, DENY) c.Assert(consumers.Allows(&aBazToBar), Equals, UNDECIDED) c.Assert(consumers.Allows(&bBazToBar), Equals, UNDECIDED) // Always-Allow: foo, !foo consumers = PolicyRuleConsumers{ Coverage: []labels.Label{*lblBar}, Allow: []AllowRule{alwaysAllowFoo, dontAllowFoo}, } c.Assert(consumers.Allows(&aFooToBar), Equals, ALWAYS_ACCEPT) c.Assert(consumers.Allows(&bFooToBar), Equals, ALWAYS_ACCEPT) c.Assert(consumers.Allows(&aBazToBar), Equals, UNDECIDED) c.Assert(consumers.Allows(&bBazToBar), Equals, UNDECIDED) // Allow: TeamA, !baz consumers = PolicyRuleConsumers{ Coverage: []labels.Label{*lblBar}, Allow: []AllowRule{allowTeamA, dontAllowBaz}, } c.Assert(consumers.Allows(&aFooToBar), Equals, ACCEPT) c.Assert(consumers.Allows(&aBazToBar), Equals, DENY) c.Assert(consumers.Allows(&bFooToBar), Equals, UNDECIDED) c.Assert(consumers.Allows(&bBazToBar), Equals, DENY) // Allow: TeamA, !baz consumers = PolicyRuleConsumers{ Coverage: []labels.Label{*lblFoo}, Allow: []AllowRule{allowTeamA, dontAllowBaz}, } c.Assert(consumers.Allows(&aFooToBar), Equals, UNDECIDED) c.Assert(consumers.Allows(&aBazToBar), Equals, UNDECIDED) c.Assert(consumers.Allows(&bFooToBar), Equals, UNDECIDED) c.Assert(consumers.Allows(&bBazToBar), Equals, UNDECIDED) }
"github.com/cilium/cilium/pkg/endpoint" "github.com/cilium/cilium/pkg/labels" "github.com/cilium/cilium/pkg/mac" "github.com/cilium/cilium/pkg/option" . "gopkg.in/check.v1" ) var ( IPv6Addr, _ = addressing.NewCiliumIPv6("beef:beef:beef:beef:aaaa:aaaa:1111:1112") IPv4Addr, _ = addressing.NewCiliumIPv4("10.11.12.13") NodeAddr = net.IP{0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xaa, 0xaa, 0xaa, 0xaa, 0x11, 0x11, 0, 0} HardAddr = mac.MAC{0x01, 0x02, 0x03, 0x04, 0x05, 0x06} SecLabel = &labels.SecCtxLabel{ Labels: labels.Labels{ "foo": labels.NewLabel("foo", "", ""), }, Containers: map[string]time.Time{ "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307": time.Now(), }, ID: 0x100, } ) func (s *DaemonSuite) TestEndpointJoinOK(c *C) { ep := endpoint.Endpoint{ LXCMAC: HardAddr, IPv6: IPv6Addr, IPv4: IPv4Addr, NodeMAC: HardAddr, NodeIP: NodeAddr,
package server import ( "errors" "strings" "time" "github.com/cilium/cilium/common" "github.com/cilium/cilium/pkg/labels" . "gopkg.in/check.v1" ) var ( lbls = labels.Labels{ "foo": labels.NewLabel("foo", "bar", common.CiliumLabelSource), "foo2": labels.NewLabel("foo2", "=bar2", common.CiliumLabelSource), "key": labels.NewLabel("key", "", common.CiliumLabelSource), "foo==": labels.NewLabel("foo==", "==", common.CiliumLabelSource), `foo\\=`: labels.NewLabel(`foo\\=`, `\=`, common.CiliumLabelSource), `//=/`: labels.NewLabel(`//=/`, "", common.CiliumLabelSource), `%`: labels.NewLabel(`%`, `%ed`, common.CiliumLabelSource), } wantSecCtxLbls = labels.SecCtxLabel{ ID: 123, Containers: map[string]time.Time{ "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307": time.Now(), }, Labels: lbls, }
func (s *EndpointSuite) TestDeepCopy(c *C) { ipv4, err := addressing.NewCiliumIPv4("127.0.0.1") c.Assert(err, IsNil) ipv6, err := addressing.NewCiliumIPv6("::1") c.Assert(err, IsNil) epWant := &Endpoint{ ID: 12, DockerID: "123", DockerNetworkID: "1234", DockerEndpointID: "12345", IfName: "lxcifname", LXCMAC: mac.MAC{1, 2, 3, 4, 5, 6}, IPv6: ipv6, IPv4: ipv4, IfIndex: 4, NodeMAC: mac.MAC{1, 2, 3, 4, 5, 6}, NodeIP: net.ParseIP("192.168.0.1"), PortMap: make([]PortMap, 2), Opts: option.NewBoolOptions(&EndpointOptionLibrary), } cpy := epWant.DeepCopy() c.Assert(*cpy, DeepEquals, *epWant) epWant.SecLabel = &labels.SecCtxLabel{ ID: 1, Labels: labels.Labels{ "io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"), }, Containers: map[string]time.Time{ "1234": time.Now(), }, } epWant.Consumable = &policy.Consumable{ ID: 123, Iteration: 3, Labels: nil, LabelList: []labels.Label{ *labels.NewLabel("io.cilium.kubernetes", "", "cilium"), }, Maps: map[int]*policymap.PolicyMap{ 0: {}, }, Consumers: map[string]*policy.Consumer{ "foo": policy.NewConsumer(12), }, ReverseRules: map[uint32]*policy.Consumer{ 12: policy.NewConsumer(12), }, } epWant.PolicyMap = &policymap.PolicyMap{} cpy = epWant.DeepCopy() c.Assert(*cpy.SecLabel, DeepEquals, *epWant.SecLabel) c.Assert(*cpy.Consumable, DeepEquals, *epWant.Consumable) c.Assert(*cpy.PolicyMap, DeepEquals, *epWant.PolicyMap) epWant.Consumable.Labels = &labels.SecCtxLabel{ ID: 1, Labels: labels.Labels{ "io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"), }, Containers: map[string]time.Time{ "1234": time.Now(), }, } epWant.PolicyMap = &policymap.PolicyMap{} cpy = epWant.DeepCopy() c.Assert(*cpy.Consumable.Labels, DeepEquals, *epWant.Consumable.Labels) cpy.Consumable.Labels.Containers["1234"] = time.Now() c.Assert(*cpy.Consumable.Labels, Not(DeepEquals), *epWant.Consumable.Labels) }