Пример #1
0
func (ep *Endpoint) SetDefaultOpts(opts *option.BoolOptions) {
	if ep.Opts == nil {
		ep.Opts = option.NewBoolOptions(&EndpointOptionLibrary)
	}
	if ep.Opts.Library == nil {
		ep.Opts.Library = &EndpointOptionLibrary
	}

	if opts != nil {
		for k := range EndpointMutableOptionLibrary {
			ep.Opts.Set(k, opts.IsEnabled(k))
		}
		// Lets keep this here to prevent users to hurt themselves.
		ep.Opts.SetIfUnset(OptionLearnTraffic, false)
	}
}
Пример #2
0
func (ds *DaemonSuite) SetUpTest(c *C) {
	tempLibDir, err := ioutil.TempDir("", "cilium-test")
	c.Assert(err, IsNil)
	tempRunDir, err := ioutil.TempDir("", "cilium-test-run")
	c.Assert(err, IsNil)
	err = os.Mkdir(filepath.Join(tempRunDir, "globals"), 0777)
	c.Assert(err, IsNil)

	nodeAddress, err := addressing.NewNodeAddress("beef:beef:beef:beef:aaaa:aaaa:1111:0", "10.1.0.1", "")
	c.Assert(err, IsNil)

	daemonConf := &Config{
		DryMode: true,
		Opts:    option.NewBoolOptions(&DaemonOptionLibrary),
	}
	daemonConf.LibDir = tempLibDir
	daemonConf.RunDir = tempRunDir
	daemonConf.LXCMap = nil
	daemonConf.NodeAddress = nodeAddress
	daemonConf.DockerEndpoint = "tcp://127.0.0.1"
	daemonConf.K8sEndpoint = "tcp://127.0.0.1"
	daemonConf.ValidLabelPrefixes = nil
	daemonConf.OptsMU.Lock()
	daemonConf.Opts.Set(endpoint.OptionDropNotify, true)
	daemonConf.OptsMU.Unlock()
	daemonConf.Device = "undefined"

	err = daemonConf.SetKVBackend()
	c.Assert(err, IsNil)

	d1 := []byte("#!/usr/bin/env bash\necho \"OK\"\n")
	err = ioutil.WriteFile(filepath.Join(daemonConf.LibDir, "join_ep.sh"), d1, 0755)
	c.Assert(err, IsNil)
	err = ioutil.WriteFile(filepath.Join(daemonConf.LibDir, "init.sh"), d1, 0755)
	c.Assert(err, IsNil)

	d, err := NewDaemon(daemonConf)
	c.Assert(err, Equals, nil)
	ds.d = d
	d.kvClient.DeleteTree(common.OperationalPath)
}
Пример #3
0
func NewConfig() *Config {
	return &Config{
		Opts: option.NewBoolOptions(&DaemonOptionLibrary),
	}
}
Пример #4
0
func (ds *DaemonSuite) TestUpdateConsumerMap(c *C) {
	lblProd := labels.NewLabel("io.cilium.Prod", "", common.CiliumLabelSource)
	lblQA := labels.NewLabel("io.cilium.QA", "", common.CiliumLabelSource)
	lblFoo := labels.NewLabel("io.cilium.foo", "", common.CiliumLabelSource)
	lblBar := labels.NewLabel("io.cilium.bar", "", common.CiliumLabelSource)
	lblJoe := labels.NewLabel("io.cilium.user", "joe", common.CiliumLabelSource)
	lblPete := labels.NewLabel("io.cilium.user", "pete", common.CiliumLabelSource)

	rootNode := policy.Node{
		Name: common.GlobalLabelPrefix,
		Rules: []policy.PolicyRule{
			&policy.PolicyRuleConsumers{
				Coverage: []labels.Label{*lblBar},
				Allow: []policy.AllowRule{
					// always-allow: user=joe
					{Action: policy.ALWAYS_ACCEPT, Label: *lblJoe},
					// allow:  user=pete
					{Action: policy.ACCEPT, Label: *lblPete},
				},
			},
			&policy.PolicyRuleRequires{ // coverage qa, requires qa
				Coverage: []labels.Label{*lblQA},
				Requires: []labels.Label{*lblQA},
			},
			&policy.PolicyRuleRequires{ // coverage prod, requires: prod
				Coverage: []labels.Label{*lblProd},
				Requires: []labels.Label{*lblProd},
			},
		},
		Children: map[string]*policy.Node{
			"foo": {},
			"bar": {
				Rules: []policy.PolicyRule{
					&policy.PolicyRuleConsumers{
						Allow: []policy.AllowRule{
							{ // allow: foo
								Action: policy.ACCEPT,
								Label:  *lblFoo,
							},
							{Action: policy.DENY, Label: *lblJoe},
							{Action: policy.DENY, Label: *lblPete},
						},
					},
				},
			},
		},
	}

	c.Assert(rootNode.ResolveTree(), Equals, nil)

	err := ds.d.PolicyAdd("io.cilium", &rootNode)
	c.Assert(err, Equals, nil)

	qaBarLbls := labels.Labels{lblBar.Key: lblBar, lblQA.Key: lblQA}
	qaBarSecLblsCtx, _, err := ds.d.PutLabels(qaBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	prodBarLbls := labels.Labels{lblBar.Key: lblBar, lblProd.Key: lblProd}
	prodBarSecLblsCtx, _, err := ds.d.PutLabels(prodBarLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	qaFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblQA.Key: lblQA}
	qaFooSecLblsCtx, _, err := ds.d.PutLabels(qaFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	prodFooLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd}
	prodFooSecLblsCtx, _, err := ds.d.PutLabels(prodFooLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	prodFooJoeLbls := labels.Labels{lblFoo.Key: lblFoo, lblProd.Key: lblProd, lblJoe.Key: lblJoe}
	prodFooJoeSecLblsCtx, _, err := ds.d.PutLabels(prodFooJoeLbls, "cc08ff400e355f736dce1c291a6a4007ab9f2d56d42e1f3630ba87b861d45307")
	c.Assert(err, Equals, nil)

	e := endpoint.Endpoint{
		ID:      1,
		IfName:  "dummy1",
		IPv6:    IPv6Addr,
		IPv4:    IPv4Addr,
		LXCMAC:  HardAddr,
		NodeMAC: HardAddr,
	}
	e.Opts = option.NewBoolOptions(&DaemonOptionLibrary)
	e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false)
	err = os.Mkdir("1", 755)
	c.Assert(err, IsNil)
	defer func() {
		err = os.RemoveAll("1/geneve_opts.cfg")
		err = os.RemoveAll("1/lxc_config.h")
		time.Sleep(1 * time.Second)
		err = os.RemoveAll("1")
		err = os.RemoveAll("1_backup")
	}()
	e.SetSecLabel(qaBarSecLblsCtx)
	err = ds.d.regenerateEndpoint(&e)
	c.Assert(err, Equals, nil)
	c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, true)
	c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true)

	e = endpoint.Endpoint{
		ID:      1,
		IfName:  "dummy1",
		IPv6:    IPv6Addr,
		IPv4:    IPv4Addr,
		LXCMAC:  HardAddr,
		NodeMAC: HardAddr,
	}
	e.Opts = option.NewBoolOptions(&DaemonOptionLibrary)
	e.Opts.SetIfUnset(endpoint.OptionLearnTraffic, false)
	e.SetSecLabel(prodBarSecLblsCtx)
	err = ds.d.regenerateEndpoint(&e)
	c.Assert(err, Equals, nil)
	c.Assert(e.Allows(0), Equals, false)
	c.Assert(e.Allows(qaBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodBarSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(qaFooSecLblsCtx.ID), Equals, false)
	c.Assert(e.Allows(prodFooSecLblsCtx.ID), Equals, true)
	c.Assert(e.Allows(prodFooJoeSecLblsCtx.ID), Equals, true)

	err = ds.d.PolicyDelete("io.cilium")
	c.Assert(err, Equals, nil)
}
Пример #5
0
func (s *EndpointSuite) TestDeepCopy(c *C) {
	ipv4, err := addressing.NewCiliumIPv4("127.0.0.1")
	c.Assert(err, IsNil)
	ipv6, err := addressing.NewCiliumIPv6("::1")
	c.Assert(err, IsNil)
	epWant := &Endpoint{
		ID:               12,
		DockerID:         "123",
		DockerNetworkID:  "1234",
		DockerEndpointID: "12345",
		IfName:           "lxcifname",
		LXCMAC:           mac.MAC{1, 2, 3, 4, 5, 6},
		IPv6:             ipv6,
		IPv4:             ipv4,
		IfIndex:          4,
		NodeMAC:          mac.MAC{1, 2, 3, 4, 5, 6},
		NodeIP:           net.ParseIP("192.168.0.1"),
		PortMap:          make([]PortMap, 2),
		Opts:             option.NewBoolOptions(&EndpointOptionLibrary),
	}
	cpy := epWant.DeepCopy()
	c.Assert(*cpy, DeepEquals, *epWant)
	epWant.SecLabel = &labels.SecCtxLabel{
		ID: 1,
		Labels: labels.Labels{
			"io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"),
		},
		Containers: map[string]time.Time{
			"1234": time.Now(),
		},
	}
	epWant.Consumable = &policy.Consumable{
		ID:        123,
		Iteration: 3,
		Labels:    nil,
		LabelList: []labels.Label{
			*labels.NewLabel("io.cilium.kubernetes", "", "cilium"),
		},
		Maps: map[int]*policymap.PolicyMap{
			0: {},
		},
		Consumers: map[string]*policy.Consumer{
			"foo": policy.NewConsumer(12),
		},
		ReverseRules: map[uint32]*policy.Consumer{
			12: policy.NewConsumer(12),
		},
	}
	epWant.PolicyMap = &policymap.PolicyMap{}
	cpy = epWant.DeepCopy()
	c.Assert(*cpy.SecLabel, DeepEquals, *epWant.SecLabel)
	c.Assert(*cpy.Consumable, DeepEquals, *epWant.Consumable)
	c.Assert(*cpy.PolicyMap, DeepEquals, *epWant.PolicyMap)

	epWant.Consumable.Labels = &labels.SecCtxLabel{
		ID: 1,
		Labels: labels.Labels{
			"io.cilium.kubernetes": labels.NewLabel("io.cilium.kubernetes", "", "cilium"),
		},
		Containers: map[string]time.Time{
			"1234": time.Now(),
		},
	}

	epWant.PolicyMap = &policymap.PolicyMap{}
	cpy = epWant.DeepCopy()

	c.Assert(*cpy.Consumable.Labels, DeepEquals, *epWant.Consumable.Labels)

	cpy.Consumable.Labels.Containers["1234"] = time.Now()
	c.Assert(*cpy.Consumable.Labels, Not(DeepEquals), *epWant.Consumable.Labels)
}