func (ep *Endpoint) SetDefaultOpts(opts *option.BoolOptions) { if ep.Opts == nil { ep.Opts = option.NewBoolOptions(&EndpointOptionLibrary) } if ep.Opts.Library == nil { ep.Opts.Library = &EndpointOptionLibrary } if opts != nil { for k := range EndpointMutableOptionLibrary { ep.Opts.Set(k, opts.IsEnabled(k)) } // Lets keep this here to prevent users to hurt themselves. ep.Opts.SetIfUnset(OptionLearnTraffic, false) } }
func (ds *DaemonSuite) SetUpTest(c *C) { tempLibDir, err := ioutil.TempDir("", "cilium-test") c.Assert(err, IsNil) tempRunDir, err := ioutil.TempDir("", "cilium-test-run") c.Assert(err, IsNil) err = os.Mkdir(filepath.Join(tempRunDir, "globals"), 0777) c.Assert(err, IsNil) nodeAddress, err := addressing.NewNodeAddress("beef:beef:beef:beef:aaaa:aaaa:1111:0", "10.1.0.1", "") c.Assert(err, IsNil) daemonConf := &Config{ DryMode: true, Opts: option.NewBoolOptions(&DaemonOptionLibrary), } daemonConf.LibDir = tempLibDir daemonConf.RunDir = tempRunDir daemonConf.LXCMap = nil daemonConf.NodeAddress = nodeAddress daemonConf.DockerEndpoint = "tcp://127.0.0.1" daemonConf.K8sEndpoint = "tcp://127.0.0.1" daemonConf.ValidLabelPrefixes = nil daemonConf.OptsMU.Lock() daemonConf.Opts.Set(endpoint.OptionDropNotify, true) daemonConf.OptsMU.Unlock() daemonConf.Device = "undefined" err = daemonConf.SetKVBackend() c.Assert(err, IsNil) d1 := []byte("#!/usr/bin/env bash\necho \"OK\"\n") err = ioutil.WriteFile(filepath.Join(daemonConf.LibDir, "join_ep.sh"), d1, 0755) c.Assert(err, IsNil) err = ioutil.WriteFile(filepath.Join(daemonConf.LibDir, "init.sh"), d1, 0755) c.Assert(err, IsNil) d, err := NewDaemon(daemonConf) c.Assert(err, Equals, nil) ds.d = d d.kvClient.DeleteTree(common.OperationalPath) }
func NewConfig() *Config { return &Config{ Opts: option.NewBoolOptions(&DaemonOptionLibrary), } }
func (ds *DaemonSuite) TestUpdateConsumerMap(c *C) { lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource) lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource) lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource) lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource) lblJoe := labels.NewLabel("io.cilium.user", "joe", common.CiliumLabelSource) lblPete := labels.NewLabel("io.cilium.user", "pete", common.CiliumLabelSource) rootNode := policy.Node{ Name: common.GlobalLabelPrefix, Rules: []policy.PolicyRule{ &policy.PolicyRuleConsumers{ Coverage: []labels.Label{*lblBar}, Allow: []policy.AllowRule{ // always-allow: user=joe {Action: policy.ALWAYS_ACCEPT, Label: *lblJoe}, // allow: user=pete {Action: policy.ACCEPT, Label: *lblPete}, }, }, &policy.PolicyRuleRequires{ // coverage qa, requires qa Coverage: []labels.Label{*lblQA}, Requires: []labels.Label{*lblQA}, }, &policy.PolicyRuleRequires{ // coverage prod, requires: prod Coverage: []labels.Label{*lblProd}, Requires: []labels.Label{*lblProd}, }, }, Children: map[string]*policy.Node{ "foo": {}, "bar": { Rules: []policy.PolicyRule{ &policy.PolicyRuleConsumers{ Allow: []policy.AllowRule{ { // allow: foo Action: policy.ACCEPT, Label: *lblFoo, }, {Action: policy.DENY, Label: *lblJoe}, {Action: policy.DENY, Label: *lblPete}, }, }, }, }, }, } c.Assert(rootNode.ResolveTree(), Equals, nil) err := ds.d.PolicyAdd("io.cilium", &rootNode) c.Assert(err, Equals, nil) qaBarLbls := labels.Labels{lblBar.Key: lblBar, lblQA.Key: lblQA} qaBarSecLblsCtx, _, err := ds.d.PutLabels(qaBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) prodBarLbls := labels.Labels{lblBar.Key: lblBar, lblProd.Key: lblProd} prodBarSecLblsCtx, _, err := ds.d.PutLabels(prodBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) qaFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblQA.Key: lblQA} qaFooSecLblsCtx, _, err := ds.d.PutLabels(qaFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) prodFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd} prodFooSecLblsCtx, _, err := ds.d.PutLabels(prodFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) prodFooJoeLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd, lblJoe.Key: lblJoe} prodFooJoeSecLblsCtx, _, err := ds.d.PutLabels(prodFooJoeLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307") c.Assert(err, Equals, nil) e := endpoint.Endpoint{ ID: 1, IfName: "dummy1", IPv6: IPv6Addr, IPv4: IPv4Addr, LXCMAC: HardAddr, NodeMAC: HardAddr, } e.Opts = option.NewBoolOptions(&DaemonOptionLibrary) e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false) err = os.Mkdir("1", 755) c.Assert(err, IsNil) defer func() { err = os.RemoveAll("1/geneve_opts.cfg") err = os.RemoveAll("1/lxc_config.h") time.Sleep(1 * time.Second) err = os.RemoveAll("1") err = os.RemoveAll("1_backup") }() e.SetSecLabel(qaBarSecLblsCtx) err = ds.d.regenerateEndpoint(&e) c.Assert(err, Equals, nil) c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, true) c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true) e = endpoint.Endpoint{ ID: 1, IfName: "dummy1", IPv6: IPv6Addr, IPv4: IPv4Addr, LXCMAC: HardAddr, NodeMAC: HardAddr, } e.Opts = option.NewBoolOptions(&DaemonOptionLibrary) e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false) e.SetSecLabel(prodBarSecLblsCtx) err = ds.d.regenerateEndpoint(&e) c.Assert(err, Equals, nil) c.Assert(e.Allows(0), Equals, false) c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, false) c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, true) c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true) err = ds.d.PolicyDelete("io.cilium") c.Assert(err, Equals, nil) }
func (s *EndpointSuite) TestDeepCopy(c *C) { ipv4, err := addressing.NewCiliumIPv4("127.0.0.1") c.Assert(err, IsNil) ipv6, err := addressing.NewCiliumIPv6("::1") c.Assert(err, IsNil) epWant := &Endpoint{ ID: 12, DockerID: "123", DockerNetworkID: "1234", DockerEndpointID: "12345", IfName: "lxcifname", LXCMAC: mac.MAC{1, 2, 3, 4, 5, 6}, IPv6: ipv6, IPv4: ipv4, IfIndex: 4, NodeMAC: mac.MAC{1, 2, 3, 4, 5, 6}, NodeIP: net.ParseIP("192.168.0.1"), PortMap: make([]PortMap, 2), Opts: option.NewBoolOptions(&EndpointOptionLibrary), } cpy := epWant.DeepCopy() c.Assert(*cpy, DeepEquals, *epWant) epWant.SecLabel = &labels.SecCtxLabel{ ID: 1, Labels: labels.Labels{ "io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"), }, Containers: map[string]time.Time{ "1234": time.Now(), }, } epWant.Consumable = &policy.Consumable{ ID: 123, Iteration: 3, Labels: nil, LabelList: []labels.Label{ *labels.NewLabel("io.cilium.kubernetes", "", "cilium"), }, Maps: map[int]*policymap.PolicyMap{ 0: {}, }, Consumers: map[string]*policy.Consumer{ "foo": policy.NewConsumer(12), }, ReverseRules: map[uint32]*policy.Consumer{ 12: policy.NewConsumer(12), }, } epWant.PolicyMap = &policymap.PolicyMap{} cpy = epWant.DeepCopy() c.Assert(*cpy.SecLabel, DeepEquals, *epWant.SecLabel) c.Assert(*cpy.Consumable, DeepEquals, *epWant.Consumable) c.Assert(*cpy.PolicyMap, DeepEquals, *epWant.PolicyMap) epWant.Consumable.Labels = &labels.SecCtxLabel{ ID: 1, Labels: labels.Labels{ "io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"), }, Containers: map[string]time.Time{ "1234": time.Now(), }, } epWant.PolicyMap = &policymap.PolicyMap{} cpy = epWant.DeepCopy() c.Assert(*cpy.Consumable.Labels, DeepEquals, *epWant.Consumable.Labels) cpy.Consumable.Labels.Containers["1234"] = time.Now() c.Assert(*cpy.Consumable.Labels, Not(DeepEquals), *epWant.Consumable.Labels) }