func (s *CommonSuite) TestTargetCoveredBy(c *C) {
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource)
lblJoe := labels.NewLabel("io.cilium.user", "joe", "kubernetes")
lblAll := labels.NewLabel(labels.ID_NAME_ALL, "", common.ReservedLabelSource)
list1 := []labels.Label{*lblFoo}
list2 := []labels.Label{*lblBar, *lblBaz}
list3 := []labels.Label{*lblFoo, *lblJoe}
list4 := []labels.Label{*lblAll}
// any -> io.cilium.bar
ctx := SearchContext{To: []labels.Label{*lblBar}}
c.Assert(ctx.TargetCoveredBy(list1), Equals, false)
c.Assert(ctx.TargetCoveredBy(list2), Equals, true)
c.Assert(ctx.TargetCoveredBy(list3), Equals, false)
c.Assert(ctx.TargetCoveredBy(list4), Equals, true)
// any -> kubernetes:io.cilium.baz
ctx = SearchContext{To: []labels.Label{*lblBaz}}
c.Assert(ctx.TargetCoveredBy(list1), Equals, false)
c.Assert(ctx.TargetCoveredBy(list2), Equals, true)
c.Assert(ctx.TargetCoveredBy(list3), Equals, false)
c.Assert(ctx.TargetCoveredBy(list4), Equals, true)
// any -> [kubernetes:io.cilium.user=joe, io.cilium.foo]
ctx = SearchContext{To: []labels.Label{*lblJoe, *lblFoo}}
c.Assert(ctx.TargetCoveredBy(list1), Equals, true)
c.Assert(ctx.TargetCoveredBy(list2), Equals, false)
c.Assert(ctx.TargetCoveredBy(list3), Equals, true)
c.Assert(ctx.TargetCoveredBy(list4), Equals, true)
}
func (s *CommonSuite) TestRequires(c *C) {
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource)
// Foo -> Bar
aFooToBar := SearchContext{
From: []labels.Label{*lblFoo},
To: []labels.Label{*lblBar},
}
// Baz -> Bar
aBazToBar := SearchContext{
From: []labels.Label{*lblBaz},
To: []labels.Label{*lblBar},
}
// Bar -> Baz
aBarToBaz := SearchContext{
From: []labels.Label{*lblBar},
To: []labels.Label{*lblBaz},
}
// coverage: bar
// Require: foo
requires := PolicyRuleRequires{
Coverage: []labels.Label{*lblBar},
Requires: []labels.Label{*lblFoo},
}
c.Assert(requires.Allows(&aFooToBar), Equals, UNDECIDED)
c.Assert(requires.Allows(&aBazToBar), Equals, DENY)
c.Assert(requires.Allows(&aBarToBaz), Equals, UNDECIDED)
}
func (s *CommonSuite) TestAllowRule(c *C) {
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource)
lblAll := labels.NewLabel(labels.ID_NAME_ALL, "", common.ReservedLabelSource)
allow := AllowRule{Action: ACCEPT, Label: *lblFoo}
deny := AllowRule{Action: DENY, Label: *lblFoo}
allowAll := AllowRule{Action: ACCEPT, Label: *lblAll}
ctx := SearchContext{
From: []labels.Label{*lblFoo},
To: []labels.Label{*lblBar},
}
ctx2 := SearchContext{
From: []labels.Label{*lblBaz},
To: []labels.Label{*lblBar},
}
c.Assert(allow.Allows(&ctx), Equals, ACCEPT)
c.Assert(deny.Allows(&ctx), Equals, DENY)
c.Assert(allowAll.Allows(&ctx), Equals, ACCEPT)
c.Assert(allow.Allows(&ctx2), Equals, UNDECIDED)
c.Assert(deny.Allows(&ctx2), Equals, UNDECIDED)
c.Assert(allowAll.Allows(&ctx2), Equals, ACCEPT)
}
func (s *DaemonSuite) TestEndpointLabelsGetOK(c *C) {
ep := endpoint.Endpoint{
LXCMAC: HardAddr,
IPv6: IPv6Addr,
IPv4: IPv4Addr,
NodeMAC: HardAddr,
NodeIP: NodeAddr,
IfName: "ifname",
DockerNetworkID: "dockernetwork",
SecLabel: SecLabel,
}
ep.SetID()
epLbls := labels.Labels{
"foo": labels.NewLabel("foo", "bar", "cilium"),
}
ciliumLbls := labels.Labels{
"bar": labels.NewLabel("bar", "foo", "cilium"),
}
wantedLbls := labels.OpLabels{
AllLabels: ciliumLbls,
EndpointLabels: epLbls,
}
s.d.OnEndpointLabelsGet = func(epID uint16) (*labels.OpLabels, error) {
c.Assert(ep.ID, DeepEquals, epID)
return &wantedLbls, nil
}
lbls, err := s.c.EndpointLabelsGet(ep.ID)
c.Assert(err, IsNil)
c.Assert(wantedLbls, DeepEquals, *lbls)
}
func (s *CommonSuite) TestNodeCovers(c *C) {
root := Node{
Name: common.GlobalLabelPrefix,
Children: map[string]*Node{
"foo": {},
"bar": {},
},
}
err := root.ResolveTree()
c.Assert(err, Equals, nil)
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
ctx := SearchContext{To: []labels.Label{*lblFoo}}
c.Assert(root.Covers(&ctx), Equals, true)
c.Assert(root.Children["foo"].Covers(&ctx), Equals, true)
c.Assert(root.Children["bar"].Covers(&ctx), Equals, false)
lblFoo = labels.NewLabel("io.cilium.foo2", "", common.CiliumLabelSource)
ctx = SearchContext{To: []labels.Label{*lblFoo}}
c.Assert(root.Covers(&ctx), Equals, true)
c.Assert(root.Children["foo"].Covers(&ctx), Equals, false)
c.Assert(root.Children["bar"].Covers(&ctx), Equals, false)
lblRoot := labels.NewLabel("io.cilium", "", common.CiliumLabelSource)
ctx = SearchContext{To: []labels.Label{*lblRoot}}
c.Assert(root.Covers(&ctx), Equals, true)
c.Assert(root.Children["foo"].Covers(&ctx), Equals, false)
c.Assert(root.Children["bar"].Covers(&ctx), Equals, false)
}
func K8sNP2CP(np *v1beta1.NetworkPolicy) (string, *policy.Node, error) {
var parentNodeName, policyName string
if np.Annotations[common.K8sAnnotationParentName] == "" {
parentNodeName = common.GlobalLabelPrefix
} else {
parentNodeName = np.Annotations[common.K8sAnnotationParentName]
}
if np.Annotations[common.K8sAnnotationName] == "" {
policyName = np.Name
} else {
policyName = np.Annotations[common.K8sAnnotationName]
}
allowRules := []policy.AllowRule{}
for _, iRule := range np.Spec.Ingress {
if iRule.From != nil {
for _, rule := range iRule.From {
if rule.PodSelector != nil {
for k, v := range rule.PodSelector.MatchLabels {
l := labels.NewLabel(k, v, "")
if l.Source == common.CiliumLabelSource {
l.Source = common.K8sLabelSource
}
ar := policy.AllowRule{
Action: policy.ALWAYS_ACCEPT,
Label: *l,
}
allowRules = append(allowRules, ar)
}
} else if rule.NamespaceSelector != nil {
for k := range rule.NamespaceSelector.MatchLabels {
l := labels.NewLabel(common.K8sPodNamespaceLabel, k, common.K8sLabelSource)
ar := policy.AllowRule{
Action: policy.ALWAYS_ACCEPT,
Label: *l,
}
allowRules = append(allowRules, ar)
}
}
}
}
}
coverageLbls := labels.Map2Labels(np.Spec.PodSelector.MatchLabels, common.K8sLabelSource)
pn := policy.NewNode(policyName, nil)
pn.Rules = []policy.PolicyRule{
&policy.PolicyRuleConsumers{
Coverage: coverageLbls.ToSlice(),
Allow: allowRules,
},
}
return parentNodeName, pn, nil
}
func (s *CommonSuite) TestLabelCompare(c *C) {
a1 := labels.NewLabel("io.cilium", "", "")
a2 := labels.NewLabel("io.cilium", "", "")
b1 := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
c1 := labels.NewLabel("io.cilium.bar", "", "kubernetes")
d1 := labels.NewLabel("", "", "")
c.Assert(a1.Equals(a2), Equals, true)
c.Assert(a2.Equals(a1), Equals, true)
c.Assert(a1.Equals(b1), Equals, false)
c.Assert(a1.Equals(c1), Equals, false)
c.Assert(a1.Equals(d1), Equals, false)
c.Assert(b1.Equals(c1), Equals, false)
}
func (s *DaemonSuite) TestEndpointLabelsAddOK(c *C) {
ep := endpoint.Endpoint{
LXCMAC: HardAddr,
IPv6: IPv6Addr,
IPv4: IPv4Addr,
NodeMAC: HardAddr,
NodeIP: NodeAddr,
IfName: "ifname",
DockerNetworkID: "dockernetwork",
SecLabel: SecLabel,
}
ep.SetID()
wantedLabels := labels.LabelOp{
labels.AddLabelsOp: labels.Labels{
"foo": labels.NewLabel("foo", "bar", "cilium"),
},
}
s.d.OnEndpointLabelsUpdate = func(epID uint16, lbls labels.LabelOp) error {
c.Assert(ep.ID, DeepEquals, epID)
c.Assert(wantedLabels, DeepEquals, lbls)
return nil
}
err := s.c.EndpointLabelsUpdate(ep.ID, wantedLabels)
c.Assert(err, IsNil)
}
func (s *DaemonSuite) TestEndpointLabelsAddFail(c *C) {
ep := endpoint.Endpoint{
LXCMAC: HardAddr,
IPv6: IPv6Addr,
IPv4: IPv4Addr,
NodeMAC: HardAddr,
NodeIP: NodeAddr,
IfName: "ifname",
DockerNetworkID: "dockernetwork",
SecLabel: SecLabel,
}
ep.SetID()
wantedLabels := labels.LabelOp{
labels.AddLabelsOp: labels.Labels{
"foo": labels.NewLabel("foo", "bar", "cilium"),
},
}
s.d.OnEndpointLabelsUpdate = func(epID uint16, labelOp labels.LabelOp) error {
c.Assert(ep.ID, DeepEquals, epID)
c.Assert(labelOp, DeepEquals, wantedLabels)
return errors.New("invalid endpoint")
}
err := s.c.EndpointLabelsUpdate(ep.ID, wantedLabels)
c.Assert(strings.Contains(err.Error(), "invalid endpoint"), Equals, true)
}
func (d *Daemon) PolicyInit() error {
for k, v := range labels.ResDec {
key := labels.ReservedID(uint32(v)).String()
lbl := labels.NewLabel(
key, "", common.ReservedLabelSource,
)
secLbl := labels.NewSecCtxLabel()
secLbl.ID = uint32(v)
secLbl.AddOrUpdateContainer(lbl.String())
secLbl.Labels[k] = lbl
policyMapPath := fmt.Sprintf("%sreserved_%d", common.PolicyMapPath, uint32(v))
policyMap, _, err := policymap.OpenMap(policyMapPath)
if err != nil {
return fmt.Errorf("Could not create policy BPF map '%s': %s", policyMapPath, err)
}
if c := policy.GetConsumable(uint32(v), secLbl); c == nil {
return fmt.Errorf("Unable to initialize consumable for %v", secLbl)
} else {
d.reservedConsumables = append(d.reservedConsumables, c)
c.AddMap(policyMap)
}
}
return nil
}
func (s *CommonSuite) TestValidateCoverage(c *C) {
rootNode := Node{Name: common.GlobalLabelPrefix}
node := Node{
Name: "foo",
Parent: &rootNode,
}
lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
consumer := PolicyRuleConsumers{Coverage: []labels.Label{*lblBar}}
c.Assert(consumer.Resolve(&node), Not(Equals), nil)
consumer2 := PolicyRuleRequires{Coverage: []labels.Label{*lblBar}}
c.Assert(consumer2.Resolve(&node), Not(Equals), nil)
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
consumer = PolicyRuleConsumers{Coverage: []labels.Label{*lblFoo}}
c.Assert(consumer.Resolve(&node), Equals, nil)
lblFoo = labels.NewLabel("foo", "", common.CiliumLabelSource)
consumer = PolicyRuleConsumers{Coverage: []labels.Label{*lblFoo}}
c.Assert(consumer.Resolve(&node), Equals, nil)
}
// GetLabels returns the SecCtxLabels that belongs to the given id.
func (d *Daemon) GetLabels(id uint32) (*labels.SecCtxLabel, error) {
if id > 0 && id < common.FirstFreeLabelID {
key := labels.ReservedID(id).String()
if key == "" {
return nil, nil
}
lbl := labels.NewLabel(
key, "", common.ReservedLabelSource,
)
secLbl := labels.NewSecCtxLabel()
secLbl.AddOrUpdateContainer(lbl.String())
secLbl.ID = id
secLbl.Labels = labels.Labels{
common.ReservedLabelSource: lbl,
}
return secLbl, nil
}
strID := strconv.FormatUint(uint64(id), 10)
rmsg, err := d.kvClient.GetValue(path.Join(common.LabelIDKeyPath, strID))
if err != nil {
return nil, err
}
if rmsg == nil {
return nil, nil
}
var secCtxLabels labels.SecCtxLabel
if err := json.Unmarshal(rmsg, &secCtxLabels); err != nil {
return nil, err
}
if secCtxLabels.RefCount() == 0 {
return nil, nil
}
return &secCtxLabels, nil
}
func (s *CommonSuite) TestNodeMerge(c *C) {
// Name mismatch
aNode := Node{Name: "a"}
bNode := Node{Name: "b"}
err := aNode.Merge(&bNode)
c.Assert(err, Not(Equals), nil)
// Empty nodes
aOrig := Node{Name: "a"}
aNode = Node{Name: "a"}
bNode = Node{Name: "a"}
err = aNode.Merge(&bNode)
c.Assert(err, Equals, nil)
c.Assert(aNode, DeepEquals, aOrig)
lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource)
lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource)
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
lblJoe := labels.NewLabel("io.cilium.user", "joe", "kubernetes")
lblPete := labels.NewLabel("io.cilium.user", "pete", "kubernetes")
aNode = Node{
Name: common.GlobalLabelPrefix,
Rules: []PolicyRule{
&PolicyRuleRequires{ // coverage qa, requires qa
Coverage: []labels.Label{*lblQA},
Requires: []labels.Label{*lblQA},
},
},
Children: map[string]*Node{
"bar": {
Name: "bar",
path: common.GlobalLabelPrefix + ".bar",
Rules: []PolicyRule{
&PolicyRuleConsumers{
Allow: []AllowRule{
{Action: DENY, Label: *lblJoe},
{Action: DENY, Label: *lblPete},
},
},
},
},
},
}
bNode = Node{
Name: common.GlobalLabelPrefix,
Rules: []PolicyRule{
&PolicyRuleRequires{ // coverage prod, requires: prod
Coverage: []labels.Label{*lblProd},
Requires: []labels.Label{*lblProd},
},
},
Children: map[string]*Node{
"foo": {
Name: "foo",
path: common.GlobalLabelPrefix + ".foo",
},
"bar": {
Name: "bar",
path: common.GlobalLabelPrefix + ".bar",
Rules: []PolicyRule{
&PolicyRuleConsumers{
Allow: []AllowRule{
{ // allow: foo
Action: ACCEPT,
Label: *lblFoo,
},
},
},
},
},
},
}
aNode.Path()
bNode.Path()
err = aNode.Merge(&bNode)
c.Assert(err, Equals, nil)
}
func (ds *DaemonSuite) TestUpdateConsumerMap(c *C) {
lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource)
lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource)
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
lblJoe := labels.NewLabel("io.cilium.user", "joe", common.CiliumLabelSource)
lblPete := labels.NewLabel("io.cilium.user", "pete", common.CiliumLabelSource)
rootNode := policy.Node{
Name: common.GlobalLabelPrefix,
Rules: []policy.PolicyRule{
&policy.PolicyRuleConsumers{
Coverage: []labels.Label{*lblBar},
Allow: []policy.AllowRule{
// always-allow: user=joe
{Action: policy.ALWAYS_ACCEPT, Label: *lblJoe},
// allow: user=pete
{Action: policy.ACCEPT, Label: *lblPete},
},
},
&policy.PolicyRuleRequires{ // coverage qa, requires qa
Coverage: []labels.Label{*lblQA},
Requires: []labels.Label{*lblQA},
},
&policy.PolicyRuleRequires{ // coverage prod, requires: prod
Coverage: []labels.Label{*lblProd},
Requires: []labels.Label{*lblProd},
},
},
Children: map[string]*policy.Node{
"foo": {},
"bar": {
Rules: []policy.PolicyRule{
&policy.PolicyRuleConsumers{
Allow: []policy.AllowRule{
{ // allow: foo
Action: policy.ACCEPT,
Label: *lblFoo,
},
{Action: policy.DENY, Label: *lblJoe},
{Action: policy.DENY, Label: *lblPete},
},
},
},
},
},
}
c.Assert(rootNode.ResolveTree(), Equals, nil)
err := ds.d.PolicyAdd("io.cilium", &rootNode)
c.Assert(err, Equals, nil)
qaBarLbls := labels.Labels{lblBar.Key: lblBar, lblQA.Key: lblQA}
qaBarSecLblsCtx, _, err := ds.d.PutLabels(qaBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
c.Assert(err, Equals, nil)
prodBarLbls := labels.Labels{lblBar.Key: lblBar, lblProd.Key: lblProd}
prodBarSecLblsCtx, _, err := ds.d.PutLabels(prodBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
c.Assert(err, Equals, nil)
qaFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblQA.Key: lblQA}
qaFooSecLblsCtx, _, err := ds.d.PutLabels(qaFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
c.Assert(err, Equals, nil)
prodFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd}
prodFooSecLblsCtx, _, err := ds.d.PutLabels(prodFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
c.Assert(err, Equals, nil)
prodFooJoeLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd, lblJoe.Key: lblJoe}
prodFooJoeSecLblsCtx, _, err := ds.d.PutLabels(prodFooJoeLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
c.Assert(err, Equals, nil)
e := endpoint.Endpoint{
ID: 1,
IfName: "dummy1",
IPv6: IPv6Addr,
IPv4: IPv4Addr,
LXCMAC: HardAddr,
NodeMAC: HardAddr,
}
e.Opts = option.NewBoolOptions(&DaemonOptionLibrary)
e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false)
err = os.Mkdir("1", 755)
c.Assert(err, IsNil)
defer func() {
err = os.RemoveAll("1/geneve_opts.cfg")
err = os.RemoveAll("1/lxc_config.h")
time.Sleep(1 * time.Second)
err = os.RemoveAll("1")
err = os.RemoveAll("1_backup")
}()
e.SetSecLabel(qaBarSecLblsCtx)
err = ds.d.regenerateEndpoint(&e)
c.Assert(err, Equals, nil)
c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false)
c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false)
c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, true)
c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, false)
c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true)
e = endpoint.Endpoint{
ID: 1,
IfName: "dummy1",
IPv6: IPv6Addr,
IPv4: IPv4Addr,
LXCMAC: HardAddr,
NodeMAC: HardAddr,
}
e.Opts = option.NewBoolOptions(&DaemonOptionLibrary)
e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false)
e.SetSecLabel(prodBarSecLblsCtx)
err = ds.d.regenerateEndpoint(&e)
c.Assert(err, Equals, nil)
c.Assert(e.Allows(0), Equals, false)
c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false)
c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false)
c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, false)
c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, true)
c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true)
err = ds.d.PolicyDelete("io.cilium")
c.Assert(err, Equals, nil)
}
func (s *CommonSuite) TestpolicyAllows(c *C) {
lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource)
lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource)
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource)
lblJoe := labels.NewLabel("io.cilium.user", "joe", "kubernetes")
lblPete := labels.NewLabel("io.cilium.user", "pete", "kubernetes")
// [Foo,QA] -> [Bar,QA]
qaFooToQaBar := SearchContext{
From: []labels.Label{*lblQA, *lblFoo},
To: []labels.Label{*lblQA, *lblBar},
}
// [Foo, Prod] -> [Bar,Prod]
prodFooToProdBar := SearchContext{
From: []labels.Label{*lblProd, *lblFoo},
To: []labels.Label{*lblBar},
}
// [Foo,QA] -> [Bar,Prod]
qaFooToProdBar := SearchContext{
From: []labels.Label{*lblQA, *lblFoo},
To: []labels.Label{*lblBar, *lblProd},
}
// [Foo,QA, Joe] -> [Bar,prod]
qaJoeFooToProdBar := SearchContext{
From: []labels.Label{*lblQA, *lblFoo, *lblJoe},
To: []labels.Label{*lblBar, *lblProd},
}
// [Foo,QA, Pete] -> [Bar,Prod]
qaPeteFooToProdBar := SearchContext{
From: []labels.Label{*lblQA, *lblFoo, *lblPete},
To: []labels.Label{*lblBar, *lblProd},
}
// [Baz, QA] -> Bar
qaBazToQaBar := SearchContext{
From: []labels.Label{*lblQA, *lblBaz},
To: []labels.Label{*lblQA, *lblBar},
}
rootNode := Node{
Name: common.GlobalLabelPrefix,
Rules: []PolicyRule{
&PolicyRuleConsumers{
Coverage: []labels.Label{*lblBar},
Allow: []AllowRule{
// always-allow: user=joe
{Action: ALWAYS_ACCEPT, Label: *lblJoe},
// allow: user=pete
{Action: ACCEPT, Label: *lblPete},
},
},
&PolicyRuleRequires{ // coverage qa, requires qa
Coverage: []labels.Label{*lblQA},
Requires: []labels.Label{*lblQA},
},
&PolicyRuleRequires{ // coverage prod, requires: prod
Coverage: []labels.Label{*lblProd},
Requires: []labels.Label{*lblProd},
},
},
Children: map[string]*Node{
"foo": {},
"bar": {
Rules: []PolicyRule{
&PolicyRuleConsumers{
Allow: []AllowRule{
{ // allow: foo
Action: ACCEPT,
Label: *lblFoo,
},
{Action: DENY, Label: *lblJoe},
{Action: DENY, Label: *lblPete},
},
},
},
},
},
}
c.Assert(rootNode.ResolveTree(), Equals, nil)
root := Tree{&rootNode}
c.Assert(root.Allows(&qaFooToQaBar), Equals, ACCEPT)
c.Assert(root.Allows(&prodFooToProdBar), Equals, ACCEPT)
c.Assert(root.Allows(&qaFooToProdBar), Equals, DENY)
c.Assert(root.Allows(&qaJoeFooToProdBar), Equals, ACCEPT)
c.Assert(root.Allows(&qaPeteFooToProdBar), Equals, DENY)
c.Assert(root.Allows(&qaBazToQaBar), Equals, DENY)
_, err := json.MarshalIndent(rootNode, "", " ")
c.Assert(err, Equals, nil)
}
func (s *CommonSuite) TestAllowConsumer(c *C) {
lblTeamA := labels.NewLabel("io.cilium.teamA", "", common.CiliumLabelSource)
lblTeamB := labels.NewLabel("io.cilium.teamB", "", common.CiliumLabelSource)
lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
lblBaz := labels.NewLabel("io.cilium.baz", "", common.CiliumLabelSource)
// [Foo,TeamA] -> Bar
aFooToBar := SearchContext{
From: []labels.Label{*lblTeamA, *lblFoo},
To: []labels.Label{*lblBar},
}
// [Baz, TeamA] -> Bar
aBazToBar := SearchContext{
From: []labels.Label{*lblTeamA, *lblBaz},
To: []labels.Label{*lblBar},
}
// [Foo,TeamB] -> Bar
bFooToBar := SearchContext{
From: []labels.Label{*lblTeamB, *lblFoo},
To: []labels.Label{*lblBar},
}
// [Baz, TeamB] -> Bar
bBazToBar := SearchContext{
From: []labels.Label{*lblTeamB, *lblBaz},
To: []labels.Label{*lblBar},
}
allowFoo := AllowRule{Action: ACCEPT, Label: *lblFoo}
dontAllowFoo := AllowRule{Action: DENY, Label: *lblFoo}
allowTeamA := AllowRule{Action: ACCEPT, Label: *lblTeamA}
dontAllowBaz := AllowRule{Action: DENY, Label: *lblBaz}
alwaysAllowFoo := AllowRule{Action: ALWAYS_ACCEPT, Label: *lblFoo}
// Allow: foo, !foo
consumers := PolicyRuleConsumers{
Coverage: []labels.Label{*lblBar},
Allow: []AllowRule{allowFoo, dontAllowFoo},
}
// NOTE: We are testing on single consumer rule leve, there is
// no default deny policy enforced. No match equals UNDECIDED
c.Assert(consumers.Allows(&aFooToBar), Equals, DENY)
c.Assert(consumers.Allows(&bFooToBar), Equals, DENY)
c.Assert(consumers.Allows(&aBazToBar), Equals, UNDECIDED)
c.Assert(consumers.Allows(&bBazToBar), Equals, UNDECIDED)
// Always-Allow: foo, !foo
consumers = PolicyRuleConsumers{
Coverage: []labels.Label{*lblBar},
Allow: []AllowRule{alwaysAllowFoo, dontAllowFoo},
}
c.Assert(consumers.Allows(&aFooToBar), Equals, ALWAYS_ACCEPT)
c.Assert(consumers.Allows(&bFooToBar), Equals, ALWAYS_ACCEPT)
c.Assert(consumers.Allows(&aBazToBar), Equals, UNDECIDED)
c.Assert(consumers.Allows(&bBazToBar), Equals, UNDECIDED)
// Allow: TeamA, !baz
consumers = PolicyRuleConsumers{
Coverage: []labels.Label{*lblBar},
Allow: []AllowRule{allowTeamA, dontAllowBaz},
}
c.Assert(consumers.Allows(&aFooToBar), Equals, ACCEPT)
c.Assert(consumers.Allows(&aBazToBar), Equals, DENY)
c.Assert(consumers.Allows(&bFooToBar), Equals, UNDECIDED)
c.Assert(consumers.Allows(&bBazToBar), Equals, DENY)
// Allow: TeamA, !baz
consumers = PolicyRuleConsumers{
Coverage: []labels.Label{*lblFoo},
Allow: []AllowRule{allowTeamA, dontAllowBaz},
}
c.Assert(consumers.Allows(&aFooToBar), Equals, UNDECIDED)
c.Assert(consumers.Allows(&aBazToBar), Equals, UNDECIDED)
c.Assert(consumers.Allows(&bFooToBar), Equals, UNDECIDED)
c.Assert(consumers.Allows(&bBazToBar), Equals, UNDECIDED)
}
"github.com/cilium/cilium/pkg/endpoint"
"github.com/cilium/cilium/pkg/labels"
"github.com/cilium/cilium/pkg/mac"
"github.com/cilium/cilium/pkg/option"
. "gopkg.in/check.v1"
)
var (
IPv6Addr, _ = addressing.NewCiliumIPv6("beef:beef:beef:beef:aaaa:aaaa:1111:1112")
IPv4Addr, _ = addressing.NewCiliumIPv4("10.11.12.13")
NodeAddr = net.IP{0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xbe, 0xef, 0xaa, 0xaa, 0xaa, 0xaa, 0x11, 0x11, 0, 0}
HardAddr = mac.MAC{0x01, 0x02, 0x03, 0x04, 0x05, 0x06}
SecLabel = &labels.SecCtxLabel{
Labels: labels.Labels{
"foo": labels.NewLabel("foo", "", ""),
},
Containers: map[string]time.Time{
"cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307": time.Now(),
},
ID: 0x100,
}
)
func (s *DaemonSuite) TestEndpointJoinOK(c *C) {
ep := endpoint.Endpoint{
LXCMAC: HardAddr,
IPv6: IPv6Addr,
IPv4: IPv4Addr,
NodeMAC: HardAddr,
NodeIP: NodeAddr,
package server
import (
"errors"
"strings"
"time"
"github.com/cilium/cilium/common"
"github.com/cilium/cilium/pkg/labels"
. "gopkg.in/check.v1"
)
var (
lbls = labels.Labels{
"foo": labels.NewLabel("foo", "bar", common.CiliumLabelSource),
"foo2": labels.NewLabel("foo2", "=bar2", common.CiliumLabelSource),
"key": labels.NewLabel("key", "", common.CiliumLabelSource),
"foo==": labels.NewLabel("foo==", "==", common.CiliumLabelSource),
`foo\\=`: labels.NewLabel(`foo\\=`, `\=`, common.CiliumLabelSource),
`//=/`: labels.NewLabel(`//=/`, "", common.CiliumLabelSource),
`%`: labels.NewLabel(`%`, `%ed`, common.CiliumLabelSource),
}
wantSecCtxLbls = labels.SecCtxLabel{
ID: 123,
Containers: map[string]time.Time{
"cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307": time.Now(),
},
Labels: lbls,
}
func (s *EndpointSuite) TestDeepCopy(c *C) {
ipv4, err := addressing.NewCiliumIPv4("127.0.0.1")
c.Assert(err, IsNil)
ipv6, err := addressing.NewCiliumIPv6("::1")
c.Assert(err, IsNil)
epWant := &Endpoint{
ID: 12,
DockerID: "123",
DockerNetworkID: "1234",
DockerEndpointID: "12345",
IfName: "lxcifname",
LXCMAC: mac.MAC{1, 2, 3, 4, 5, 6},
IPv6: ipv6,
IPv4: ipv4,
IfIndex: 4,
NodeMAC: mac.MAC{1, 2, 3, 4, 5, 6},
NodeIP: net.ParseIP("192.168.0.1"),
PortMap: make([]PortMap, 2),
Opts: option.NewBoolOptions(&EndpointOptionLibrary),
}
cpy := epWant.DeepCopy()
c.Assert(*cpy, DeepEquals, *epWant)
epWant.SecLabel = &labels.SecCtxLabel{
ID: 1,
Labels: labels.Labels{
"io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"),
},
Containers: map[string]time.Time{
"1234": time.Now(),
},
}
epWant.Consumable = &policy.Consumable{
ID: 123,
Iteration: 3,
Labels: nil,
LabelList: []labels.Label{
*labels.NewLabel("io.cilium.kubernetes", "", "cilium"),
},
Maps: map[int]*policymap.PolicyMap{
0: {},
},
Consumers: map[string]*policy.Consumer{
"foo": policy.NewConsumer(12),
},
ReverseRules: map[uint32]*policy.Consumer{
12: policy.NewConsumer(12),
},
}
epWant.PolicyMap = &policymap.PolicyMap{}
cpy = epWant.DeepCopy()
c.Assert(*cpy.SecLabel, DeepEquals, *epWant.SecLabel)
c.Assert(*cpy.Consumable, DeepEquals, *epWant.Consumable)
c.Assert(*cpy.PolicyMap, DeepEquals, *epWant.PolicyMap)
epWant.Consumable.Labels = &labels.SecCtxLabel{
ID: 1,
Labels: labels.Labels{
"io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"),
},
Containers: map[string]time.Time{
"1234": time.Now(),
},
}
epWant.PolicyMap = &policymap.PolicyMap{}
cpy = epWant.DeepCopy()
c.Assert(*cpy.Consumable.Labels, DeepEquals, *epWant.Consumable.Labels)
cpy.Consumable.Labels.Containers["1234"] = time.Now()
c.Assert(*cpy.Consumable.Labels, Not(DeepEquals), *epWant.Consumable.Labels)
}
