exposure analysis first branch (#294)
* exposure-analysis flag

* initial support of exposure from only namespaceSelectors

* lint gofmt

* wip - defining an interface for exposure-analysis results (#295)

* wip - define an interface for the new returned value (new API)

* Update pkg/netpol/connlist/exposed_pods.go

Co-authored-by: Adi Sosnovich <[email protected]>

* wip - some updates to the interfaces (only)

* Update pkg/netpol/connlist/exposed_pods.go

Co-authored-by: Adi Sosnovich <[email protected]>

* interface doc update

* fixes

* Update pkg/netpol/connlist/exposed_peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* connlist implementing exposure analysis (#296)

* connlist implementing exposure analysis

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fix rep. pod name

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposed_peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposed_peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* add func that updates the protected flag of a pod

* return error values

* avoid fields dups among types

* update func doc

* getConnectionsBetweenPeers update doc + returns the exposureMap

* move connection interface, avoid code dup, and compare conns using ConnectionSet

* make the func an exposureMap func

* fixing issue of same string in podsOwnerMap

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* renaming Connection interface + move PortRange

* struct embedding

* using connectionSet internally + move the refinement to one iter at the end

* Update pkg/netpol/connection/connection.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* rename AllConnections

* verify conversion

* storing the maximum entire cluster connection

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Revert api changes (#298)

* revert Connection, diff AllowedConnectivity, PortRange , ConnectionSet

* revert connlist API changes

* revert eval API changes

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* renaming funcs

* exposing common.Connection as connlist.AllowedSet

* revert exposing common.Connection as connlist.AllowedSet

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Exposure analysis unit tests (#299)

* unit tests for the functionality of connlist/exposure_analysis.go

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* adding getallTCPconnections

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Entire cluster exposure opt (#304)

* optimizing entire cluster exposure

* optimizing performance - compute entire cluster exposure only once

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* multiple fixes

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* using empty connset instead of nil

* add pod exposure data struct

* exporting podExposureInfo

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* pre-processing policy for general conns (#306)

* first commit: pre-processing policy for general conns

* func doc

* fixing to PortSet; instead of PortSet{}, call MakePortSet(false) to ensure initializing empty maps for named ports

* fixing handling connections with namedPort

* fixing lint issued by github - not relevant to PR

* tiny fix

* fixes

* Policy engine with new api func for exposure analysis (#307)

* task1 add new api func to policy-engine; so pre-process runs only for exposure-analysis

* task2 on exposure analysis benefit from the stored data

* eliminate isRuleGeneral; skip general rules in ruleSelectsPeer

* missing func doc

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* todo comment

* revert initiating conns between two peers

* avoid iterating policy if its general conns are all conns

* todo comment

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* adding representativePeer struct (#309)

* adding representativePeer struct

* Update pkg/netpol/eval/internal/k8s/peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* gofmt

* connlist if-else fix

* fixes to exposure_map.go

* fixing connlist includePairOfWorkloads

* fix GetPeerList() - separate GetRepresentativePeersList

* comment how Pod of representative peer is originated

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Optimize representative peers generation  (#314)

* add representative peers for all non-empty rules while policies upsert

* refine pods that have a match in the resources - first commit

* handling returned err from convertPeerToPodPeer

* handle case of namespaceSelector containing name key

* generate unique rep peers and refine while upserting objects

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fixes

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* go fmt

* lint fix

* exposure analysis test (#316)

* exposure analysis test

* exposure data comparison and new test

* using ca calls to compute exposed peers

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* lint fix

* flattening tests dir

* exposure map fixes

* 3 values of protected data

* splitting exposure map into two maps

* fixes

* required changes

* code fixes

* typo fix

* a new test for increasing coverage

* new test

* comment update

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* delete unused file

* textual output with exposure analysis (#331)

* textual output with exposure analysis

* tiny code enhancement

* readme update

* output change + code modify

* fixes

* dot output with exposure results (#333)

* dot output with exposure results

* tiny fix

* new tests

* fixing golangci-lint 1.58.0 errors

* exposure analysis with pod selectors (#343)

* code changes + new tests with pod selectors

* fixes and new test

* running onlineboutique_workloads with exposure

* running k8s_ingress_test_new with exposure

* linter fix - headers

* exposure analysis with focus-workload (#349)

* exposure analysis with focus-workload

* focus-workload fixes

* textual output enhancement (adding [] to strings with multiple words)

* fix

* enhancing dot view (#353)

* don't remove representative peers in any-namespace (#352)

* always keep representative peers which match all-namespaces

* update test output after merge

* examples with rules exposing pod to an existing ns

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* don't refine rep. peers matching any pod in a namespace + changing some tests to keep initial purpose + updating results of existing tests

* adding same test with nil podSelector instead of empty one

* adding test with inaccurate output

* fixing comment syntax

* Update pkg/netpol/connlist/connlist_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* gofmt

* updating comments in yaml

* tiny fix

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* supporting csv, md and json formats (#360)

* supporting csv, md and json formats

* fixing after merge with base branch

* consider real exposure flag

* csv, md, json are consistent with txt - two sections

* dot graphs with exposure edges dashed and with different colors

* merging with master branch

* empty_commit

* handling selectors with matchexpressions (fixed) (#377)

* support match expression operators for generating and selecting representative peers + first examples

* more tests

* more tests

* updating code with label selectors

* merge fixes

* duplicated tests with matching pods

* fixing code + tests with multiple policies

* update comments in exposure.go

* renaming function and updating comments and doc of representative_selectors.go

* move `RepresentativeNsLabelSelector` field from namespace.go to pod.go

* 1. reverting changes to AddPodByNameAndNamespace and resolveSingleMissingNamespace (to original version from main branch)
2. creating a new func for adding representative pods to the policy-engine, without representative namespaces. a representative pod which should not be in a real namespace will have no namespace

* avoid duplicating code of generating the default namespace name map; and some updates to netpol.go

* eliminate representativePeer.PotentialNamespaceLabelSelector as it duplicates Pod.RepresentativeNsLabelSelector

* renaming the func in representative_selectors.go again

* a new test with handling a special case of equiv rules written in a different way

* unit test for representative_selectors.go

* removing redundant code

* updating documentation of new fields in pod.go

* fixes in resources.go

* fix in check.go

* update few comments

Signed-off-by: adisos <[email protected]>

* renaming AddObjects + updating its documentation

* renaming netpol funcs

* renaming connPeers

* fixing representative pods naming and updating relevant funcs

* renaming "GeneralConns" to "ExposedGeneralConns"

* removing PolicyNsFlag

* no need to split namespaces with policies at first

* Revert "no need to split namespaces with policies at first"

This reverts commit 03e384e.

* rename extractLabelsAndRefineRepresentativePeers and refineRepresentativePeersMatchingLabels

* renaming checkIfP2PConnOrExposureConn

* lint fix

* func allAllowedConnectionsBetweenPeers: remove ingressSet, egressSet

* using new terms for general conns: ClusterWideExposure and ExternalExposure

* an example of why namespaces should be split at the beginning with the policies

* eliminate RepresentativePeer struct

* fixing some typos and adding some commonly used words to a cspell file

* more typos fixes

* updating some comments

* updating readme (all formats supported)

* getting netpols before pods for live cluster - so it works well for both exposure-analysis on/off

* Update pkg/netpol/eval/check.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/check.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* rename getSelectorsAndUpdateExposedGeneralConns

* rename ScanPolicyRulesAndUpdateExposedWideConns

* rename updateNetworkPolicyWideExposureConns

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fixing lint

* Update pkg/netpol/eval/internal/k8s/representative_selectors.go

Co-authored-by: Adi Sosnovich <[email protected]>

* lint fix

* Update pkg/netpol/eval/internal/k8s/representative_selectors.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fixing the last commit

* fixing the SelectorsFullMatch doc

* removing unnecessaryDeepCopy calls

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* lint fix

* some renamings in representative_selectors + document why returning full match for rep selector in case of empty rule

* adding line to comment

* split funcs in check.go for readability

* rename hasRepresentativePod

* updating comment

* updating comment of storing the named port

* updating String() func of workloadpeer

* comment update

* updating comment

* new func of selectors match in `netpol.go` to avoid duplicates

* updating comment in pod.go (what the combinations of rep selectors imply)

* renaming str vars

* eliminating addIfMissingNamespace func

* new tests - rep peers when there is a real ns but no real pods matching

* add comment on String() func

* rename handleRequirementWithInOpAndSingleValue

* renaming test dirs and expected output of exposure-analysis tests

* new fixes

---------

Signed-off-by: adisos <[email protected]>
Co-authored-by: adisos <[email protected]>
Co-authored-by: Adi Sosnovich <[email protected]>

---------

Signed-off-by: adisos <[email protected]>
Co-authored-by: Adi Sosnovich <[email protected]>
Co-authored-by: Tanya <[email protected]>
Co-authored-by: adisos <[email protected]>
4 people authored Aug 8, 2024
1 parent 6e07f99 commit 3c602d1
Showing 622 changed files with 24,405 additions and 525 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -70,6 +70,7 @@ Flags:
Global Flags:
-c, --context string Kubernetes context to use when evaluating connections in a live cluster
--dirpath string Resources dir path when evaluating connections from a dir
--exposure Runs also exposure analysis
--fail fail on the first encountered error
--include-json consider JSON manifests (in addition to YAML) when analyzing from dir
-k, --kubeconfig string Path and file to use for kubeconfig when evaluating connections in a live cluster
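Review bot: the `--exposure` description added here ("Runs also exposure analysis") does not match the usage string registered for the same flag in pkg/cli/list.go in this commit ("Turn on exposure analysis and append results to the output"). If this README block is pasted from `--help`, regenerate it so the two stay in sync; either way "Also runs exposure analysis" reads better than "Runs also".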
15 changes: 15 additions & 0 deletions cspell.json
@@ -0,0 +1,15 @@
{
"version": "0.2",
"ignorePaths": [],
"dictionaryDefinitions": [],
"dictionaries": [],
"words": [
"connlist",
"netpol",
"netpols",
"SCTP",
"xgress"
],
"ignoreWords": [],
"import": []
}
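Review bot: `ignorePaths` is left empty, so cspell will scan every file in the repository, including the many expected-output files this commit adds for the exposure-analysis tests. Consider listing the test output directories (and `go.sum`) in `ignorePaths`; otherwise the next run will either fail on generated identifiers or force them into `words`.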
21 changes: 15 additions & 6 deletions pkg/cli/command_test.go
Expand Up @@ -57,7 +57,7 @@ func buildAndExecuteCommand(args []string) (string, error) {
}

// append the optional args of a command if the values are not empty
func addCmdOptionalArgs(format, outputFile, focusWorkload string) []string {
func addCmdOptionalArgs(format, outputFile, focusWorkload string, exposure bool) []string {
res := []string{}
if focusWorkload != "" {
res = append(res, "--focusworkload", focusWorkload)
Expand All @@ -68,6 +68,9 @@ func addCmdOptionalArgs(format, outputFile, focusWorkload string) []string {
if outputFile != "" {
res = append(res, "-f", outputFile)
}
if exposure {
res = append(res, "--exposure")
}
return res
}

Expand All @@ -81,9 +84,10 @@ func determineFileSuffix(format string) string {
}

// gets the test name and name of expected output file for a list command from its args
func getListCmdTestNameAndExpectedOutputFile(dirName, focusWorkload, format string) (testName, expectedOutputFileName string) {
func getListCmdTestNameAndExpectedOutputFile(dirName, focusWorkload, format string, exposureFlag bool) (testName,
expectedOutputFileName string) {
fileSuffix := determineFileSuffix(format)
return testutils.ConnlistTestNameByTestArgs(dirName, focusWorkload, fileSuffix)
return testutils.ConnlistTestNameByTestArgs(dirName, focusWorkload, fileSuffix, exposureFlag)
}

func testInfo(testName string) string {
Expand Down Expand Up @@ -217,6 +221,7 @@ func TestListCommandOutput(t *testing.T) {
focusWorkload string
format string
outputFile string
exposureFlag bool
}{
// when focusWorkload is empty, output should be the connlist of the dir
// when format is empty - output should be in defaultFormat (txt)
Expand Down Expand Up @@ -265,13 +270,17 @@ func TestListCommandOutput(t *testing.T) {
dirName: "onlineboutique",
outputFile: outFileName,
},
{
dirName: "acs-security-demos",
exposureFlag: true,
},
}
for _, tt := range cases {
tt := tt
testName, expectedOutputFileName := getListCmdTestNameAndExpectedOutputFile(tt.dirName, tt.focusWorkload, tt.format)
testName, expectedOutputFileName := getListCmdTestNameAndExpectedOutputFile(tt.dirName, tt.focusWorkload, tt.format, tt.exposureFlag)
t.Run(testName, func(t *testing.T) {
args := []string{"list", "--dirpath", testutils.GetTestDirPath(tt.dirName)}
args = append(args, addCmdOptionalArgs(tt.format, tt.outputFile, tt.focusWorkload)...)
args = append(args, addCmdOptionalArgs(tt.format, tt.outputFile, tt.focusWorkload, tt.exposureFlag)...)
actualOut, err := buildAndExecuteCommand(args)
require.Nil(t, err, "test: %q", testName)
testutils.CheckActualVsExpectedOutputMatch(t, expectedOutputFileName, actualOut, testInfo(testName), currentPkg)
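Review bot: the only exposure case in this table (`acs-security-demos`) runs with the default txt format and no focus workload, while the commit also adds exposure output for csv, md, json and dot and exposure combined with `--focusworkload`. Add at least one case with `exposureFlag: true` and a non-default `format`, and one with a `focusWorkload`, so the CLI path (not only the connlist package tests) covers those combinations.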
Expand Down Expand Up @@ -324,7 +333,7 @@ func TestDiffCommandOutput(t *testing.T) {
t.Run(testName, func(t *testing.T) {
args := []string{"diff", "--dir1", testutils.GetTestDirPath(tt.dir1), "--dir2",
testutils.GetTestDirPath(tt.dir2)}
args = append(args, addCmdOptionalArgs(tt.format, tt.outputFile, "")...)
args = append(args, addCmdOptionalArgs(tt.format, tt.outputFile, "", false)...)
actualOut, err := buildAndExecuteCommand(args)
require.Nil(t, err, "test: %q", testName)
testutils.CheckActualVsExpectedOutputMatch(t, expectedOutputFileName, actualOut, testInfo(testName), currentPkg)
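Review bot: the literal `false` passed as the fourth positional argument of `addCmdOptionalArgs` is opaque at the call site, and `--exposure` is a list-only flag. A small options struct, or a separate helper for the diff command, would prevent a future `true` here from silently producing an invalid `diff` invocation.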
6 changes: 3 additions & 3 deletions pkg/cli/diff.go
Expand Up @@ -34,8 +34,8 @@ func runDiffCommand() error {
var connsDiff diff.ConnectivityDiff
var err error

clogger := logger.NewDefaultLoggerWithVerbosity(detrmineLogVerbosity())
diffAnalyzer := diff.NewDiffAnalyzer(getDiffOptions(clogger)...)
cLogger := logger.NewDefaultLoggerWithVerbosity(determineLogVerbosity())
diffAnalyzer := diff.NewDiffAnalyzer(getDiffOptions(cLogger)...)

connsDiff, err = diffAnalyzer.ConnDiffFromDirPaths(dir1, dir2)
if err != nil {
Expand Down Expand Up @@ -94,7 +94,7 @@ func newCommandDiff() *cobra.Command {
c.Flags().StringVarP(&dir1, dir1Arg, "", "", "Original Resources path to be compared")
c.Flags().StringVarP(&dir2, dir2Arg, "", "", "New Resources path to compare with original resources path")
supportedDiffFormats := strings.Join(diff.ValidDiffFormats, ",")
c.Flags().StringVarP(&outFormat, "output", "o", outconsts.DefaultFormat, getOutputFormatDescription(supportedDiffFormats))
c.Flags().StringVarP(&outFormat, "output", "o", outconsts.DefaultFormat, getRequiredOutputFormatString(supportedDiffFormats))
// out file
c.Flags().StringVarP(&outFile, "file", "f", "", "Write output to specified file")
return c
42 changes: 21 additions & 21 deletions pkg/cli/evaluate.go
Expand Up @@ -50,7 +50,7 @@ func validateEvalFlags() error {
if destinationPod.Name == "" && dstExternalIP == "" {
return errors.New(netpolerrors.NoDestDefinedErr)
} else if destinationPod.Name != "" && dstExternalIP != "" {
return errors.New(netpolerrors.OnlyOneDstFalgErrStr)
return errors.New(netpolerrors.OnlyOneDstFlagErrStr)
}

if srcExternalIP != "" && dstExternalIP == "" {
Expand All @@ -65,22 +65,22 @@ func validateEvalFlags() error {

func updatePolicyEngineObjectsFromDirPath(pe *eval.PolicyEngine, podNames []types.NamespacedName) error {
// get relevant resources from dir path
elogger := logger.NewDefaultLoggerWithVerbosity(detrmineLogVerbosity())
eLogger := logger.NewDefaultLoggerWithVerbosity(determineLogVerbosity())

rList, errs := fsscanner.GetResourceInfosFromDirPath([]string{dirPath}, true, false)
if errs != nil {
// TODO: consider avoid logging this error because it is already printed to log by the builder
if len(rList) == 0 || stopOnFirstError {
err := utilerrors.NewAggregate(errs)
elogger.Errorf(err, netpolerrors.ErrGettingResInfoFromDir)
eLogger.Errorf(err, netpolerrors.ErrGettingResInfoFromDir)
return err // return as fatal error if rList is empty or if stopOnError is on
}
// split err if it's an aggregated error to a list of separate errors
for _, err := range errs {
elogger.Errorf(err, netpolerrors.FailedReadingFileErrorStr) // print to log the error from builder
eLogger.Errorf(err, netpolerrors.FailedReadingFileErrorStr) // print to log the error from builder
}
}
objectsList, processingErrs := parser.ResourceInfoListToK8sObjectsList(rList, elogger, false)
objectsList, processingErrs := parser.ResourceInfoListToK8sObjectsList(rList, eLogger, false)
for _, err := range processingErrs {
if err.IsFatal() || (stopOnFirstError && err.IsSevere()) {
return fmt.Errorf("scan dir path %s had processing errors: %w", dirPath, err.Error())
Expand All @@ -92,11 +92,11 @@ func updatePolicyEngineObjectsFromDirPath(pe *eval.PolicyEngine, podNames []type
for _, obj := range objectsList {
switch obj.Kind {
case parser.Pod:
err = pe.UpsertObject(obj.Pod)
err = pe.InsertObject(obj.Pod)
case parser.Namespace:
err = pe.UpsertObject(obj.Namespace)
case parser.Networkpolicy:
err = pe.UpsertObject(obj.Networkpolicy)
err = pe.InsertObject(obj.Namespace)
case parser.NetworkPolicy:
err = pe.InsertObject(obj.NetworkPolicy)
default:
continue
}
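Review bot: renaming the exported `UpsertObject` to `InsertObject` (and `parser.Networkpolicy` to `parser.NetworkPolicy`) is a breaking change for library consumers of the eval and parser packages; given that an earlier step of this branch ("Revert api changes (#298)") was taken to keep the public API stable, call the rename out in the release notes, and state in the `InsertObject` doc whether inserting an object that already exists is now an error rather than an update.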
Expand All @@ -114,32 +114,32 @@ func updatePolicyEngineObjectsFromLiveCluster(pe *eval.PolicyEngine, podNames []
defer cancel()

for _, name := range nsNames {
ns, apierr := clientset.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
if apierr != nil {
return apierr
ns, apiErr := clientset.CoreV1().Namespaces().Get(ctx, name, metav1.GetOptions{})
if apiErr != nil {
return apiErr
}
if err := pe.UpsertObject(ns); err != nil {
if err := pe.InsertObject(ns); err != nil {
return err
}
}

for _, name := range podNames {
pod, apierr := clientset.CoreV1().Pods(name.Namespace).Get(ctx, name.Name, metav1.GetOptions{})
if apierr != nil {
return apierr
pod, apiErr := clientset.CoreV1().Pods(name.Namespace).Get(ctx, name.Name, metav1.GetOptions{})
if apiErr != nil {
return apiErr
}
if err := pe.UpsertObject(pod); err != nil {
if err := pe.InsertObject(pod); err != nil {
return err
}
}

for _, ns := range nsNames {
npList, apierr := clientset.NetworkingV1().NetworkPolicies(ns).List(ctx, metav1.ListOptions{})
if apierr != nil {
return apierr
npList, apiErr := clientset.NetworkingV1().NetworkPolicies(ns).List(ctx, metav1.ListOptions{})
if apiErr != nil {
return apiErr
}
for i := range npList.Items {
if err := pe.UpsertObject(&npList.Items[i]); err != nil {
if err := pe.InsertObject(&npList.Items[i]); err != nil {
return err
}
}
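Review bot: the live-cluster path still inserts namespaces, then pods, then network policies, while the commit message says netpols are now fetched before pods for live clusters so that insertion works with exposure analysis both on and off. If `InsertObject` for pods only depends on the policies being present when exposure analysis is enabled, add a comment here that the eval command never enables it; otherwise move the NetworkPolicies loop ahead of the pods loop to match.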
21 changes: 14 additions & 7 deletions pkg/cli/list.go
Expand Up @@ -20,21 +20,23 @@ import (
)

var (
focusWorkload string
output string // output format
outFile string // output file
focusWorkload string
exposureAnalysis bool
output string // output format
outFile string // output file
)

func getOutputFormatDescription(validFormats string) string {
// getRequiredOutputFormatString returns the description of required format(s) of the command
func getRequiredOutputFormatString(validFormats string) string {
return fmt.Sprintf("Required output format (%s)", validFormats)
}

func runListCommand() error {
var conns []connlist.Peer2PeerConnection
var err error

clogger := logger.NewDefaultLoggerWithVerbosity(detrmineLogVerbosity())
analyzer := connlist.NewConnlistAnalyzer(getConnlistOptions(clogger)...)
cLogger := logger.NewDefaultLoggerWithVerbosity(determineLogVerbosity())
analyzer := connlist.NewConnlistAnalyzer(getConnlistOptions(cLogger)...)

if dirPath != "" {
conns, _, err = analyzer.ConnlistFromDirPath(dirPath)
Expand Down Expand Up @@ -80,6 +82,9 @@ func getConnlistOptions(l *logger.DefaultLogger) []connlist.ConnlistAnalyzerOpti
if stopOnFirstError {
res = append(res, connlist.WithStopOnError())
}
if exposureAnalysis {
res = append(res, connlist.WithExposureAnalysis())
}
return res
}

Expand Down Expand Up @@ -124,9 +129,11 @@ defined`,
// Use PersistentFlags() for flags inherited by subcommands or Flags() for local flags.
c.Flags().StringVarP(&focusWorkload, "focusworkload", "", "",
"Focus connections of specified workload in the output (<workload-name> or <workload-namespace/workload-name>)")
c.Flags().BoolVarP(&exposureAnalysis, "exposure", "", false, "Turn on exposure analysis and append results to the output")
// output format - default txt
// output format - default txt
supportedFormats := strings.Join(connlist.ValidFormats, ",")
c.Flags().StringVarP(&output, "output", "o", outconsts.DefaultFormat, getOutputFormatDescription(supportedFormats))
c.Flags().StringVarP(&output, "output", "o", outconsts.DefaultFormat, getRequiredOutputFormatString(supportedFormats))
// out file
c.Flags().StringVarP(&outFile, "file", "f", "", "Write output to specified file")
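Review bot: the comment `// output format - default txt` appears on two consecutive lines immediately after the new `--exposure` flag registration; if the second copy is a whitespace-only change keep one of them, otherwise drop the duplicate. The flag itself is registered with no shorthand, consistent with `--focusworkload`, which is fine.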

2 changes: 1 addition & 1 deletion pkg/cli/root.go
Expand Up @@ -32,7 +32,7 @@ var (
)

// returns verbosity level based on the -q and -v switches
func detrmineLogVerbosity() logger.Verbosity {
func determineLogVerbosity() logger.Verbosity {
verbosity := logger.DefaultVerbosity
if quiet {
verbosity = logger.LowVerbosity
23 changes: 16 additions & 7 deletions pkg/internal/netpolerrors/netpol_errors.go
Expand Up @@ -33,22 +33,23 @@ const (
NoAllowedConnsWarning = "Connectivity analysis found no allowed connectivity between pairs from the configured workloads or" +
" external IP-blocks"

ErrGettingResInfoFromDir = "Error getting resourceInfos from dir path"
ErrGettingResInfoFromDir = "Error getting resourceInfos from dir path"
ConversionToConnectionSetErr = "failed conversion from AllowedSet to ConnectionSet"

// eval errors
NoSourceDefinedErr = "no source defined, source pod and namespace or external IP required"
NotFoundNamespace = "could not find peer namespace"
OnlyOneSrcFlagErrStr = "only one of source pod and namespace or external IP can be defined, not both"
NoDestDefinedErr = "no destination defined, destination pod and namespace or external IP required"
OnlyOneDstFalgErrStr = "only one of destination pod and namespace or external IP can be defined, not both"
OnlyOneDstFlagErrStr = "only one of destination pod and namespace or external IP can be defined, not both"
OnlyOneIPPeerErrStr = "only one of source or destination can be defined as external IP, not both"
RequiredDstPortFlagErr = "destination port name or value is required"

// diff command errors
RequiredFlagsErr = "both directory paths dir1 and dir2 are required"
FlagMisUseErr = "dirpath flag is not used with diff command"

// errors consts from `orig errors` that are raised by external libraries
// errors constants from `orig errors` that are raised by external libraries
InvalidCIDRAddr = "invalid CIDR address"
InvalidKeyVal = "key: Invalid value"
UnrecognizedValType = "unrecognized type"
Expand All @@ -61,6 +62,10 @@ const (
UnableToDecodeErr = "unable to decode"

UnknownCommandErr = "unknown command"

NilRepresentativePodSelectorsErr = "representative pod might not be generated if it does not have any representative selector"
NilNamespaceAndNilNsSelectorErr = "representative pod might not be generated from nil namespace-selector and nil namespace;" +
"at least one should not be nil"
)

// NotSupportedPodResourcesErrorStr returns error string of not supported pods with same ownerRef but different labels
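Review bot: `NilNamespaceAndNilNsSelectorErr` is built from two literals joined with `+`, the first ending in `;` and the second starting with `at`, so the rendered message reads `nil namespace;at least one should not be nil`; add a space after the semicolon. Also, both new constants say a representative pod "might not be generated" although they describe a hard error; "cannot be generated" states the condition precisely.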
Expand All @@ -69,7 +74,7 @@ func NotSupportedPodResourcesErrorStr(ownerRefName string) string {
ownerRefName + " but with different set of labels."
}

// WorkloadDoesNotExistErrStr returns error string of missing workload for connlist with focusworkload
// WorkloadDoesNotExistErrStr returns error string of missing workload for connlist with focus-workload
func WorkloadDoesNotExistErrStr(workload string) string {
return "Workload " + workload + " does not exist in the input resources." + EmptyConnListErrStr
}
Expand Down Expand Up @@ -97,13 +102,17 @@ func BlockedIngressWarning(objKind, objName, peerStr string) string {
}

// MissingNamespaceErrStr returns error string of a missing namespace of a peer
func MissingNamespaceErrStr(peerStr string) string {
return "error: namespace of pod " + peerStr + " is missing"
func MissingNamespaceErrStr(nsName, peerName string) string {
return "error: namespace " + nsName + " of pod " + peerName + " is missing"
}

// NotPeerErrStr returns error string of a peer that is not workload peer
func NotPeerErrStr(peerStr string) string {
return "peer: " + peerStr + ",is not a WorkloadPeer"
return "peer: " + peerStr + ", is not a WorkloadPeer"
}

func NotRepresentativePeerErrStr(peerStr string) string {
return peerStr + ", is not a Representative peer"
}

// BothSrcAndDstIPsErrStr returns error string that conn from ip to ip is not supported
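Review bot: `NotRepresentativePeerErrStr` has no doc comment while every neighbouring exported helper in this file has one, and its message starts with the peer string followed by `, is not a Representative peer`, unlike `NotPeerErrStr`, which prefixes `peer: `. Add the comment and align the two formats.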
9 changes: 7 additions & 2 deletions pkg/internal/testutils/testutils.go
Expand Up @@ -26,6 +26,7 @@ var update = flag.Bool("update", false, "write or override golden files")

const (
connlistExpectedOutputFilePartialName = "connlist_output."
exposureExpectedOutputFilePartialName = "exposure_output."
underscore = "_"
dotSign = "."
formatStr = "_format_"
Expand All @@ -41,13 +42,17 @@ func GetTestDirPath(dirName string) string {
}

// ConnlistTestNameByTestArgs returns connlist test name and test's expected output file from some tests args
func ConnlistTestNameByTestArgs(dirName, focusWorkload, format string) (testName, expectedOutputFileName string) {
func ConnlistTestNameByTestArgs(dirName, focusWorkload, format string, exposureFlag bool) (testName, expectedOutputFileName string) {
namePrefix := dirName
if focusWorkload != "" {
namePrefix += focusWlAnnotation + strings.Replace(focusWorkload, "/", underscore, 1)
}
testName = namePrefix + formatStr + format
expectedOutputFileName = namePrefix + underscore + connlistExpectedOutputFilePartialName + format
outputPartialName := connlistExpectedOutputFilePartialName
if exposureFlag {
outputPartialName = exposureExpectedOutputFilePartialName
}
expectedOutputFileName = namePrefix + underscore + outputPartialName + format
return testName, expectedOutputFileName
}
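Review bot: `exposureFlag` changes only `expectedOutputFileName`; `testName` is still `namePrefix + formatStr + format`, so a test table containing both an exposure and a non-exposure case for the same dir, focus workload and format yields two subtests with the same name (Go's `t.Run` disambiguates with a `#01` suffix) whose failure messages cannot be told apart. Append an exposure marker to `testName` when the flag is set.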

