support_banp (#403)

* support_banp+tests * removing lint note * fix merge errors * why failed to use generics for duplicated code in egressRuleSelectsPeer and ingressRuleSelectsPeer * banp tests with swapped rules * integrating Tanya's tests with BANP + adding results; results were compared to policy-assistant, all good * pass action is not defined for BANP * more code enhancement, + could not use generics
np-guard · Sep 9, 2024 · 8d2e6a3 · 8d2e6a3
1 parent c90ac47
commit 8d2e6a3
Show file tree

Hide file tree

Showing 255 changed files with 16,173 additions and 340 deletions.
diff --git a/cspell.json b/cspell.json
@@ -4,6 +4,7 @@
     "dictionaryDefinitions": [],
     "dictionaries": [],
     "words": [
+        "banp",
         "connlist",
         "netpol",
         "netpols",

diff --git a/docs/connlist_output.md b/docs/connlist_output.md
@@ -4,6 +4,7 @@ Resource manifests considered for a connectivity analysis:
 - workload resources (such as Kubernetes Pod / Deployment)
 - Kubernetes NetworkPolicy
 - Kubernetes AdminNetworkPolicy
+- Kubernetes BaselineAdminNetworkPolicy 
 - Kubernetes Ingress
 - Openshift Route
 

diff --git a/pkg/internal/netpolerrors/netpol_errors.go b/pkg/internal/netpolerrors/netpol_errors.go
@@ -61,16 +61,21 @@ const (
 	UnmarshalErr            = "cannot unmarshal array into Go value of type unstructured.detector"
 	UnableToDecodeErr       = "unable to decode"
 
-	// errors constants from adminNetworkPolicy
+	// errors constants from adminNetworkPolicy and baselineAdminNetworkPolicy
 	SubjectErrTitle                  = "invalid Subject:"
-	SubjectFieldsErr                 = "Exactly one field must be set"
+	oneFieldSetErr                   = "exactly one field must be set"
+	OneFieldSetRulePeerErr           = oneFieldSetErr + " in a rule peer"
+	OneFieldSetSubjectErr            = oneFieldSetErr + " in a subject"
 	UnknownRuleActionErr             = "unrecognized action"
 	ANPPortsError                    = "exactly one field must be set in an AdminNetworkPolicyPort"
-	ANPIngressRulePeersErr           = "From field must be defined and contain at least one item"
-	ANPEgressRulePeersErr            = "To field must be defined and contain at least one item"
+	ANPIngressRulePeersErr           = "from field must be defined and contain at least one item"
+	ANPEgressRulePeersErr            = "to field must be defined and contain at least one item"
 	ANPMissingNameErr                = "missing name for an AdminNetworkPolicy object"
 	ExposureAnalysisDisabledWithANPs = "exposure analysis is disabled when there are admin-network-policies in the input resources"
 
+	BANPAlreadyExists = "only one baseline admin network policy may be provided in input resources; one already exists"
+	BANPNameAssertion = "only one baseline admin network policy with metadata.name=default can be created in the cluster"
+
 	UnknownCommandErr = "unknown command"
 
 	NilRepresentativePodSelectorsErr = "representative pod might not be generated if it does not have any representative selector"