# Calico API

Calico API is the authoritative source of Project Calico's API definitions. It provides a standardized set of type definitions and client tooling for Kubernetes container networking and security policy, so that developers can build, manage and automate Calico network and security policy.

## Features

- Rich API types: core resource types such as BGPConfiguration, BGPFilter, BGPPeer, GlobalNetworkPolicy, NetworkPolicy, IPPool, IPReservation and Tier, covering network configuration, security policy and IP address management.
- Generated clients: an auto-generated Go clientset with listers and informers, supporting Kubernetes-style operations (Create, Update, Delete, Get, List, Watch, Patch) and event handling.
- Multi-architecture builds: the build system cross-compiles for platforms such as amd64, arm64 and s390x, producing binaries and Docker images for each CPU architecture.
- Developer friendly: a complete developer guide describes how to set up a development environment, build the code, run the tests and contribute changes.
- Security policy support: fine-grained policy rules (Rule) control traffic by label selector, namespace, service account, CIDR, port and protocol.
- BGP integration: a complete BGP configuration API covering node peering, route filtering and BGP policy management, for integration with existing network infrastructure.
- Staged policy: StagedGlobalNetworkPolicy and StagedNetworkPolicy resources let policies be rolled out and validated in stages, reducing the risk of a change.
- Tiered security model: the Tier resource groups policies into layers so that administrators can define the order in which policies are applied and the default behaviour.

## Installation

### Prerequisites

- Linux build environment
- Docker
- Git
- Make

### Building Calico API

Clone the repository:

```bash
git clone https://github.com/projectcalico/api.git
cd api
```

Build all components:

```bash
make image
```

This command produces several container images. For a clean build, use:

```bash
make clean image
```

Build for a specific architecture:

```bash
make image ARCH=arm64
```

Regenerate code after adding new API types:

```bash
make build
```

This command regenerates the clientset, listers, informers and related code.

## Usage

### Importing the client

You can import the generated client library directly to operate on Calico API resources.

```go
package main

import (
	"context"
	"fmt"

	calicoclientset "github.com/projectcalico/api/pkg/client/clientset_generated/clientset"
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	// Load the kubeconfig
	config, err := clientcmd.BuildConfigFromFlags("", "/path/to/kubeconfig")
	if err != nil {
		panic(err)
	}

	// Create the Calico clientset
	clientset, err := calicoclientset.NewForConfig(config)
	if err != nil {
		panic(err)
	}

	// Example: list all GlobalNetworkPolicies
	policies, err := clientset.ProjectcalicoV3().GlobalNetworkPolicies().List(context.TODO(), metav1.ListOptions{})
	if err != nil {
		panic(err)
	}
	for _, policy := range policies.Items {
		fmt.Printf("Policy: %s\n", policy.Name)
	}
}
```

### Defining a custom resource

The following GlobalNetworkPolicy YAML defines an ingress rule that allows traffic between Pods in a particular namespace.

```yaml
apiVersion: projectcalico.org/v3
kind: GlobalNetworkPolicy
metadata:
  name: allow-frontend-to-backend
spec:
  tier: default
  order: 100
  selector: app == 'backend'
  ingress:
    - action: Allow
      source:
        selector: app == 'frontend'
        namespaceSelector: name == 'production'
      protocol: TCP
      destination:
        ports: [6379]
  egress:
    - action: Allow
```

### Watching resource changes with informers

```go
package main

import (
	"fmt"
	"time"

	v3 "github.com/projectcalico/api/pkg/apis/projectcalico/v3"
	calicoclientset "github.com/projectcalico/api/pkg/client/clientset_generated/clientset"
	informers "github.com/projectcalico/api/pkg/client/informers_generated/externalversions"
	"k8s.io/apimachinery/pkg/util/wait"
	"k8s.io/client-go/tools/cache"
	"k8s.io/client-go/tools/clientcmd"
)

func main() {
	// Create the clientset as in the previous example
	config, err := clientcmd.BuildConfigFromFlags("", "/path/to/kubeconfig")
	if err != nil {
		panic(err)
	}
	clientset, err := calicoclientset.NewForConfig(config)
	if err != nil {
		panic(err)
	}

	// Create a SharedInformerFactory with a 5 minute resync period
	factory := informers.NewSharedInformerFactory(clientset, time.Minute*5)

	// Get the informer for a particular resource
	policyInformer := factory.Projectcalico().V3().GlobalNetworkPolicies().Informer()

	// Register event handlers
	policyInformer.AddEventHandler(cache.ResourceEventHandlerFuncs{
		AddFunc: func(obj interface{}) {
			fmt.Printf("Policy added: %s\n", obj.(*v3.GlobalNetworkPolicy).Name)
		},
		UpdateFunc: func(oldObj, newObj interface{}) {
			fmt.Printf("Policy updated: %s\n", newObj.(*v3.GlobalNetworkPolicy).Name)
		},
		DeleteFunc: func(obj interface{}) {
			// After a missed delete the informer delivers a cache.DeletedFinalStateUnknown
			// tombstone instead of the object, so guard the type assertion rather than panic.
			if policy, ok := obj.(*v3.GlobalNetworkPolicy); ok {
				fmt.Printf("Policy deleted: %s\n", policy.Name)
			}
		},
	})

	// Start the informers and wait for the caches to sync
	factory.Start(wait.NeverStop)
	factory.WaitForCacheSync(wait.NeverStop)

	// Keep the program running
	select {}
}
```

## Core code

### 1. BGPConfiguration API definition (pkg/apis/projectcalico/v3/bgpconfiguration.go)

This file defines the BGP configuration resource, which holds global BGP settings.

```go
// Copyright (c) 2020-2021 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0

package v3

import (
	"github.com/projectcalico/api/pkg/lib/numorstring" // used by the fields elided below
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const (
	KindBGPConfiguration     = "BGPConfiguration"
	KindBGPConfigurationList = "BGPConfigurationList"
)

type BindMode string

const (
	BindModeNone   BindMode = "None"
	BindModeNodeIP BindMode = "NodeIP"
)

// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// BGPConfigurationList is a list of BGPConfiguration resources.
type BGPConfigurationList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items           []BGPConfiguration `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +genclient:nonNamespaced
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// BGPConfiguration contains the global BGP configuration.
type BGPConfiguration struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              BGPConfigurationSpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

// BGPConfigurationSpec contains the values of the BGP configuration.
type BGPConfigurationSpec struct {
	// LogSeverityScreen is the log severity above which logs are sent to stdout. [Default: INFO]
	LogSeverityScreen string `json:"logSeverityScreen,omitempty" validate:"omitempty,logLevel"`
	// Other fields...
}
```

### 2. NetworkPolicy API definition (pkg/apis/projectcalico/v3/networkpolicy.go)

This file defines the namespace-scoped network policy resource.

```go
// Copyright (c) 2017-2024 Tigera, Inc. All rights reserved.
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//     http://www.apache.org/licenses/LICENSE-2.0

package v3

import (
	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
)

const (
	KindNetworkPolicy     = "NetworkPolicy"
	KindNetworkPolicyList = "NetworkPolicyList"
)

// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// NetworkPolicyList is a list of Policy objects.
type NetworkPolicyList struct {
	metav1.TypeMeta `json:",inline"`
	metav1.ListMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Items           []NetworkPolicy `json:"items" protobuf:"bytes,2,rep,name=items"`
}

// +genclient
// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object

// NetworkPolicy defines a namespace-scoped network security policy.
type NetworkPolicy struct {
	metav1.TypeMeta   `json:",inline"`
	metav1.ObjectMeta `json:"metadata,omitempty" protobuf:"bytes,1,opt,name=metadata"`
	Spec              NetworkPolicySpec `json:"spec,omitempty" protobuf:"bytes,2,opt,name=spec"`
}

// NetworkPolicySpec contains the specification of a network policy.
type NetworkPolicySpec struct {
	// Tier is the name of the tier this policy belongs to. If omitted, the default tier
	// (named "default") is assumed.
	Tier string `json:"tier,omitempty" validate:"omitempty,name"`
	// Order is an optional field that specifies the order in which policies within the
	// same tier are applied.
	Order *float64 `json:"order,omitempty"`
	// Selector selects the workload endpoints this policy applies to.
	Selector string `json:"selector" validate:"selector"`
	// Ingress is the ordered set of rules for inbound traffic.
	Ingress []Rule `json:"ingress,omitempty" validate:"omitempty,dive"`
	// Egress is the ordered set of rules for outbound traffic.
	Egress []Rule `json:"egress,omitempty" validate:"omitempty,dive"`
	// Types specifies the traffic directions this policy applies to: Ingress, Egress, or both.
	Types []PolicyType `json:"types,omitempty" validate:"omitempty,dive,policyType"`
}
```

### 3. Client generation script (hack/update-codegen.sh)

This script generates the clientset, lister and informer code.

```bash
#!/bin/bash
# Copyright 2015 The Kubernetes Authors.
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0

set -o errexit
set -o nounset
set -o pipefail

REPO_ROOT=$(realpath "$(dirname "${BASH_SOURCE}")/..")
BINDIR=${REPO_ROOT}/bin

# Generate the versioned clientset (pkg/client/clientset_generated/clientset)
client-gen "$@" \
  --go-header-file "${REPO_ROOT}/hack/boilerplate/boilerplate.go.txt" \
  --input-base github.com/projectcalico/api/pkg/apis/ \
  --input projectcalico/v3 \
  --output-dir "${REPO_ROOT}/pkg/client/clientset_generated" \
  --clientset-path github.com/projectcalico/api/pkg/client/clientset_generated/ \
  --clientset-name clientset

# Generate the listers
lister-gen "$@" \
  --go-header-file "${REPO_ROOT}/hack/boilerplate/boilerplate.go.txt" \
  --output-dir "${REPO_ROOT}/pkg/client/listers_generated" \
  --output-pkg github.com/projectcalico/api/pkg/client/listers_generated \
  github.com/projectcalico/api/pkg/apis/projectcalico/v3

# Generate the informers
informer-gen "$@" \
  --go-header-file "${REPO_ROOT}/hack/boilerplate/boilerplate.go.txt" \
  --versioned-clientset-package github.com/projectcalico/api/pkg/client/clientset_generated/clientset \
  --listers-package github.com/projectcalico/api/pkg/client/listers_generated \
  --output-dir "${REPO_ROOT}/pkg/client/informers_generated" \
  --output-pkg github.com/projectcalico/api/pkg/client/informers_generated \
  github.com/projectcalico/api/pkg/apis/projectcalico/v3
```

These core files show the main structure of the Calico API library: the API type definitions, the client code generation and the key parts of the build system. With these APIs, developers can build network and security automation tooling that takes full advantage of Calico's advanced networking features in Kubernetes environments.
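The GlobalNetworkPolicy YAML above and the NetworkPolicySpec fields (Tier, Order, Selector, Ingress rules with an action, a source selector, a protocol and ports) describe how a connection is matched against tiered policy. The following stand-alone Go program is an added example, not code from the projectcalico/api repository: it uses only the standard library because the generated clientset needs a running cluster, and it models the semantics with deliberate simplifications that are assumptions of this example rather than statements about Calico internals: a label-map Selector replaces Calico's selector expression language, tiers are passed already in evaluation order, a tier in which some policy selects the endpoint but no rule matches ends in an implicit Deny, a Pass rule hands the decision to the next tier, and a defaultAction parameter stands in for the endpoint profile. EvaluateIngress, ExamplePolicies and the "block-untrusted" policy are hypothetical names; the sample policies are constructed, with the namespace folded into a "namespace" label.

```go
package main

import (
	"fmt"
	"sort"
)

// Action is a rule action; Pass hands the decision to the next tier.
type Action string

const Allow, Deny, Pass Action = "Allow", "Deny", "Pass"

// Selector stands in for Calico selector expressions such as app == 'backend':
// every pair must be present on the endpoint, and an empty Selector matches all.
type Selector map[string]string

func (s Selector) Matches(labels map[string]string) bool {
	for k, v := range s {
		if labels[k] != v {
			return false
		}
	}
	return true
}

// Rule is a simplified ingress rule; empty Source, Protocol or Ports mean "any".
type Rule struct {
	Action   Action
	Source   Selector
	Protocol string
	Ports    []int
}

func (r Rule) matches(src map[string]string, proto string, port int) bool {
	if !r.Source.Matches(src) || (r.Protocol != "" && r.Protocol != proto) {
		return false
	}
	for _, p := range r.Ports {
		if p == port {
			return true
		}
	}
	return len(r.Ports) == 0 // no ports listed means any port
}

// Policy carries the NetworkPolicySpec fields shown above (hypothetical model).
type Policy struct {
	Name, Tier string
	Order      float64
	Selector   Selector
	Ingress    []Rule
}

// EvaluateIngress takes tiers in evaluation order and walks each tier's policies
// by Order, returning the first matching Allow/Deny and the deciding policy.
// A tier in which no policy selects dst is skipped; one in which a policy selects
// dst but no rule matches ends in an implicit Deny (assumption of this model);
// Pass moves to the next tier; defaultAction applies when no tier decides.
func EvaluateIngress(tiers []string, policies []Policy, dst, src map[string]string, proto string, port int, defaultAction Action) (Action, string) {
nextTier:
	for _, tier := range tiers {
		var selected []Policy
		for _, p := range policies {
			if p.Tier == tier && p.Selector.Matches(dst) {
				selected = append(selected, p)
			}
		}
		if len(selected) == 0 {
			continue // nothing in this tier applies to the endpoint
		}
		sort.SliceStable(selected, func(i, j int) bool { return selected[i].Order < selected[j].Order })
		for _, p := range selected {
			for _, r := range p.Ingress {
				if !r.matches(src, proto, port) {
					continue
				}
				if r.Action == Pass {
					continue nextTier
				}
				return r.Action, p.Name
			}
		}
		return Deny, "implicit deny at end of tier " + tier
	}
	return defaultAction, "no tier decided"
}

// ExamplePolicies is constructed sample data: the page's allow-frontend-to-backend
// policy (namespace folded into a label) plus a hypothetical "security" tier policy.
func ExamplePolicies() []Policy {
	return []Policy{
		{Name: "allow-frontend-to-backend", Tier: "default", Order: 100, Selector: Selector{"app": "backend"},
			Ingress: []Rule{{Action: Allow, Source: Selector{"app": "frontend", "namespace": "production"}, Protocol: "TCP", Ports: []int{6379}}}},
		{Name: "block-untrusted", Tier: "security", Order: 10, Selector: Selector{}, // empty selector: every endpoint
			Ingress: []Rule{{Action: Deny, Source: Selector{"app": "untrusted"}}, {Action: Pass}}},
	}
}

func main() {
	frontend := map[string]string{"app": "frontend", "namespace": "production"}
	fmt.Println(EvaluateIngress([]string{"security", "default"}, ExamplePolicies(),
		map[string]string{"app": "backend"}, frontend, "TCP", 6379, Allow))
}
```

The two cases worth checking by hand are the ones the YAML alone does not make obvious: a frontend Pod from a namespace other than production reaches the default tier, is selected by allow-frontend-to-backend, matches none of its rules and is therefore denied at the end of that tier, while an endpoint that no default-tier policy selects falls through to defaultAction. The empty selector on the "security" tier policy is what makes it apply everywhere, which is exactly the kind of spec a reviewer should look at twice.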