Merge branch 'main' into support_admin_netpolicy
shireenf-ibm authored Oct 30, 2024
2 parents fceda09 + 8662620 commit 102fece
Showing 12 changed files with 43 additions and 43 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/codeql-analysis.yml
Expand Up @@ -41,7 +41,7 @@ jobs:

steps:
- name: Checkout repository
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
2 changes: 1 addition & 1 deletion .github/workflows/go-build.yml
Expand Up @@ -13,7 +13,7 @@ jobs:
build-and-test:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
4 changes: 2 additions & 2 deletions .github/workflows/golangci-lint.yml
Expand Up @@ -11,11 +11,11 @@ jobs:
name: golangci-lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
with:
go-version-file: ./go.mod
cache: false
- uses: golangci/golangci-lint-action@aaa42aa0628b4ae2578232a66b541047968fac86
- uses: golangci/golangci-lint-action@971e284b6050e8a5849b72094c50ab08da042db8
with:
version: latest
2 changes: 1 addition & 1 deletion .github/workflows/make-release.yaml
Expand Up @@ -14,7 +14,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out the repo
uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683

- name: Set up Go
uses: actions/setup-go@0a12ed9d6a96ab950c8f026ed9f722fe0da7ef32
4 changes: 2 additions & 2 deletions go.mod
@@ -1,10 +1,10 @@
module github.com/np-guard/netpol-analyzer

go 1.21
go 1.22

require (
github.com/hashicorp/golang-lru/v2 v2.0.7
github.com/np-guard/models v0.3.4
github.com/np-guard/models v0.5.2
github.com/openshift/api v0.0.0-20230502160752-c71432710382
github.com/spf13/cobra v1.8.1
github.com/stretchr/testify v1.9.0
4 changes: 2 additions & 2 deletions go.sum
Expand Up @@ -96,8 +96,8 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/
github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
github.com/np-guard/models v0.3.4 h1:HOhVi6wyGvo+KmYBnQ5Km5HYCF+/PQlDs1v7mL1v05g=
github.com/np-guard/models v0.3.4/go.mod h1:mqE2Irf8r+7HWh8fII0fWbWyQRMHGEo2SgSLN/6VKs8=
github.com/np-guard/models v0.5.2 h1:lty+shExffJpMQyu36a/NBYEky/rjEddQid4GOVHnhs=
github.com/np-guard/models v0.5.2/go.mod h1:dqRdt5EQID1GmHuYsMOJzg4sS104om6NwEZ6sVO55z8=
github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=
8 changes: 4 additions & 4 deletions pkg/netpol/eval/check.go
Expand Up @@ -15,7 +15,7 @@ import (
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"k8s.io/apimachinery/pkg/types"

"github.com/np-guard/models/pkg/ipblock"
"github.com/np-guard/models/pkg/netset"

"github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors"
"github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s"
Expand Down Expand Up @@ -254,7 +254,7 @@ func (pe *PolicyEngine) allowedXgressConnection(src, dst k8s.Peer, isIngress boo
// isPeerNodeIP returns true if peer1 is an IP address of a node and peer2 is a pod on that node
func isPeerNodeIP(peer1, peer2 k8s.Peer) bool {
if peer2.PeerType() == k8s.PodType && peer1.PeerType() == k8s.IPBlockType {
ip2, err := ipblock.FromIPAddress(peer2.GetPeerPod().HostIP)
ip2, err := netset.IPBlockFromIPAddress(peer2.GetPeerPod().HostIP)
if err != nil {
return peer1.GetPeerIPBlock().Equal(ip2)
}
Expand All @@ -277,15 +277,15 @@ func isPodToItself(peer1, peer2 k8s.Peer) bool {
func (pe *PolicyEngine) getPeer(p string) (k8s.Peer, error) {
// check if input peer is cidr
if _, _, err := net.ParseCIDR(p); err == nil {
peerIPBlock, err := ipblock.FromCidr(p)
peerIPBlock, err := netset.IPBlockFromCidr(p)
if err != nil {
return nil, err
}
return &k8s.IPBlockPeer{IPBlock: peerIPBlock}, nil
}
// check if input peer is an ip address
if net.ParseIP(p) != nil {
peerIPBlock, err := ipblock.FromIPAddress(p)
peerIPBlock, err := netset.IPBlockFromIPAddress(p)
if err != nil {
return nil, err
}
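Review bot: In isPeerNodeIP, the `if err != nil` guard right after the new `netset.IPBlockFromIPAddress(peer2.GetPeerPod().HostIP)` call looks inverted: a HostIP that fails to parse is the case that reaches `peer1.GetPeerIPBlock().Equal(ip2)`, while a successfully parsed one skips the comparison and falls through to whatever the function returns below the hunk. If ip2 is nil on the error path, Equal may also be called with a nil argument. The guard I would expect is `if err == nil { return peer1.GetPeerIPBlock().Equal(ip2) }`. This logic predates the migration and the rest of isPeerNodeIP is outside the hunk, so it should be confirmed against the full function; since the result feeds the node-IP-to-pod case of policy evaluation, a wrong answer here changes which connections the analyzer reports as allowed.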
16 changes: 8 additions & 8 deletions pkg/netpol/eval/internal/k8s/netpol.go
Expand Up @@ -18,7 +18,7 @@ import (
"k8s.io/apimachinery/pkg/types"
"k8s.io/apimachinery/pkg/util/intstr"

"github.com/np-guard/models/pkg/ipblock"
"github.com/np-guard/models/pkg/netset"

"github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors"
"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
Expand Down Expand Up @@ -263,7 +263,7 @@ func (np *NetworkPolicy) ruleSelectsPeer(rulePeers []netv1.NetworkPolicyPeer, pe
}

peerIPBlock := peer.GetPeerIPBlock()
res := peerIPBlock.ContainedIn(ruleIPBlock)
res := peerIPBlock.IsSubset(ruleIPBlock)
if res {
return true, nil
}
Expand Down Expand Up @@ -397,8 +397,8 @@ func (np *NetworkPolicy) netpolErr(title, description string) error {
return fmt.Errorf("network policy %s %s: %s", np.fullName(), title, description)
}

func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*ipblock.IPBlock, error) {
ipb, err := ipblock.FromCidr(cidr)
func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*netset.IPBlock, error) {
ipb, err := netset.IPBlockFromCidr(cidr)
if err != nil {
return nil, np.netpolErr(netpolerrors.CidrErrTitle, err.Error())
}
Expand All @@ -417,8 +417,8 @@ func (np *NetworkPolicy) parseNetpolLabelSelector(selector *metav1.LabelSelector
return selectorRes, nil
}

func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPolicyPeer) ([]*ipblock.IPBlock, error) {
res := []*ipblock.IPBlock{}
func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPolicyPeer) ([]*netset.IPBlock, error) {
res := []*netset.IPBlock{}
for _, peerObj := range rulePeers {
if peerObj.IPBlock != nil {
ipb, err := np.parseNetpolCIDR(peerObj.IPBlock.CIDR, peerObj.IPBlock.Except)
Expand All @@ -432,8 +432,8 @@ func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPo
}

// GetReferencedIPBlocks: return list of IPBlock objects referenced in the current network policy
func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*ipblock.IPBlock, error) {
res := []*ipblock.IPBlock{}
func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*netset.IPBlock, error) {
res := []*netset.IPBlock{}
for _, rule := range np.Spec.Ingress {
ruleRes, err := np.rulePeersReferencedIPBlocks(rule.From)
if err != nil {
10 changes: 5 additions & 5 deletions pkg/netpol/eval/internal/k8s/peer.go
Expand Up @@ -9,7 +9,7 @@ package k8s
import (
"k8s.io/apimachinery/pkg/types"

"github.com/np-guard/models/pkg/ipblock"
"github.com/np-guard/models/pkg/netset"
)

// PeerType is a type to indicate the type of a Peer object (Pod or IP address)
Expand All @@ -32,7 +32,7 @@ type Peer interface {
// else returns nil
GetPeerNamespace() *Namespace
// GetPeerIPBlock returns a reference to IPBlock if the peer is IP address, else returns nil
GetPeerIPBlock() *ipblock.IPBlock
GetPeerIPBlock() *netset.IPBlock
}

// PodPeer implements k8s.Peer interface and eval.Peer interface
Expand All @@ -43,7 +43,7 @@ type PodPeer struct {

// IPBlockPeer implements k8s.Peer interface and eval.Peer interface
type IPBlockPeer struct {
IPBlock *ipblock.IPBlock
IPBlock *netset.IPBlock
}

// WorkloadPeer implements eval.Peer interface
Expand Down Expand Up @@ -118,7 +118,7 @@ func (p *PodPeer) GetPeerNamespace() *Namespace {
return p.NamespaceObject
}

func (p *PodPeer) GetPeerIPBlock() *ipblock.IPBlock {
func (p *PodPeer) GetPeerIPBlock() *netset.IPBlock {
return nil
}

Expand Down Expand Up @@ -160,7 +160,7 @@ func (p *IPBlockPeer) GetPeerNamespace() *Namespace {
return nil
}

func (p *IPBlockPeer) GetPeerIPBlock() *ipblock.IPBlock {
func (p *IPBlockPeer) GetPeerIPBlock() *netset.IPBlock {
return p.IPBlock
}

22 changes: 11 additions & 11 deletions pkg/netpol/eval/peer.go
Expand Up @@ -9,7 +9,7 @@ package eval
import (
"fmt"

"github.com/np-guard/models/pkg/ipblock"
"github.com/np-guard/models/pkg/netset"

"github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s"
)
Expand All @@ -35,15 +35,15 @@ type Peer interface {
// then in the result map there would be entries for (str(A), str(A1), A1) and for (str(A), str(A2), A2)
func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error) {
res := map[string]map[string]Peer{}
var ipSet1, ipSet2 []*ipblock.IPBlock
var ipSet1, ipSet2 []*netset.IPBlock
var err error
if ipSet1, err = peerIPSetToIPBlockSet(set1); err != nil {
return nil, err
}
if ipSet2, err = peerIPSetToIPBlockSet(set2); err != nil {
return nil, err
}
disjointIPset := ipblock.DisjointIPBlocks(ipSet1, ipSet2)
disjointIPset := netset.DisjointIPBlocks(ipSet1, ipSet2)

for _, ipb := range disjointIPset {
addDisjointIPBlockToMap(ipSet1, ipb, res)
Expand All @@ -54,9 +54,9 @@ func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error) {
}

// addDisjointIPBlockToMap updates input map (from peer-str to its disjoint peers) by adding a new disjoint ip
func addDisjointIPBlockToMap(ipSet []*ipblock.IPBlock, disjointIP *ipblock.IPBlock, m map[string]map[string]Peer) {
func addDisjointIPBlockToMap(ipSet []*netset.IPBlock, disjointIP *netset.IPBlock, m map[string]map[string]Peer) {
for _, ipb1 := range ipSet {
if disjointIP.ContainedIn(ipb1) {
if disjointIP.IsSubset(ipb1) {
updatePeerIPMap(m, ipb1, disjointIP)
break
}
Expand All @@ -65,7 +65,7 @@ func addDisjointIPBlockToMap(ipSet []*ipblock.IPBlock, disjointIP *ipblock.IPBlo

// updatePeerIPMap updates input map (from peer-str to its disjoint peers), given a new disjoint ip (ipb), and its
// associated original ip-range key from the map (ipb1)
func updatePeerIPMap(m map[string]map[string]Peer, ipb1, ipb *ipblock.IPBlock) {
func updatePeerIPMap(m map[string]map[string]Peer, ipb1, ipb *netset.IPBlock) {
ipb1Str := ipb1.ToIPRanges()
if _, ok := m[ipb1Str]; !ok {
m[ipb1Str] = map[string]Peer{}
Expand All @@ -74,8 +74,8 @@ func updatePeerIPMap(m map[string]map[string]Peer, ipb1, ipb *ipblock.IPBlock) {
}

// peerIPSetToIPBlockSet is given as input a list of peers of type ip-block, and returns a list matching IPBlock objects
func peerIPSetToIPBlockSet(peerSet []Peer) ([]*ipblock.IPBlock, error) {
res := make([]*ipblock.IPBlock, len(peerSet))
func peerIPSetToIPBlockSet(peerSet []Peer) ([]*netset.IPBlock, error) {
res := make([]*netset.IPBlock, len(peerSet))
for i, p := range peerSet {
ipBlock, err := peerIPToIPBlock(p)
if err != nil {
Expand All @@ -87,17 +87,17 @@ func peerIPSetToIPBlockSet(peerSet []Peer) ([]*ipblock.IPBlock, error) {
}

// peerIPToIPBlock returns an IPBlock object from a Peer object of IP type
func peerIPToIPBlock(p Peer) (*ipblock.IPBlock, error) {
func peerIPToIPBlock(p Peer) (*netset.IPBlock, error) {
peerIP, ok := p.(*k8s.IPBlockPeer)
if !ok {
return nil, fmt.Errorf("input peer not IP block: %s", p.String())
}
return peerIP.IPBlock, nil
}

func mergeIPBlocksList(inputList []*ipblock.IPBlock) []*ipblock.IPBlock {
func mergeIPBlocksList(inputList []*netset.IPBlock) []*netset.IPBlock {
if len(inputList) == 0 {
return []*ipblock.IPBlock{}
return []*netset.IPBlock{}
}
union := inputList[0].Copy()
for i := 1; i < len(inputList); i++ {
10 changes: 5 additions & 5 deletions pkg/netpol/eval/resources.go
Expand Up @@ -21,7 +21,7 @@ import (
"k8s.io/apimachinery/pkg/types"
apisv1a "sigs.k8s.io/network-policy-api/apis/v1alpha1"

"github.com/np-guard/models/pkg/ipblock"
"github.com/np-guard/models/pkg/netset"

"github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors"
"github.com/np-guard/netpol-analyzer/pkg/manifests/parser"
Expand Down Expand Up @@ -652,8 +652,8 @@ func (pe *PolicyEngine) GetRepresentativePeersList() []Peer {
}

// getDisjointIPBlocks returns a slice of disjoint ip-blocks from all netpols resources
func (pe *PolicyEngine) getDisjointIPBlocks() ([]*ipblock.IPBlock, error) {
var ipbList []*ipblock.IPBlock
func (pe *PolicyEngine) getDisjointIPBlocks() ([]*netset.IPBlock, error) {
var ipbList []*netset.IPBlock
for _, nsMap := range pe.netpolsMap {
for _, policy := range nsMap {
policyIPBlocksList, err := policy.GetReferencedIPBlocks()
Expand All @@ -663,8 +663,8 @@ func (pe *PolicyEngine) getDisjointIPBlocks() ([]*ipblock.IPBlock, error) {
ipbList = append(ipbList, policyIPBlocksList...)
}
}
newAll := ipblock.GetCidrAll()
disjointRes := ipblock.DisjointIPBlocks(ipbList, []*ipblock.IPBlock{newAll})
newAll := netset.GetCidrAll()
disjointRes := netset.DisjointIPBlocks(ipbList, []*netset.IPBlock{newAll})
return disjointRes, nil
}

2 changes: 1 addition & 1 deletion pkg/netpol/internal/common/portset.go
Expand Up @@ -110,7 +110,7 @@ func (p *PortSet) Union(other *PortSet) {

// ContainedIn: return true if current PortSet object is contained in input PortSet object
func (p *PortSet) ContainedIn(other *PortSet) bool {
return p.Ports.ContainedIn(other.Ports)
return p.Ports.IsSubset(other.Ports)
}

// Intersection: update current PortSet object as intersection with input PortSet object
