diff --git a/pkg/internal/testutils/parsed_resources_tests.go b/pkg/internal/testutils/parsed_resources_tests.go index 881ae294..de67ade6 100644 --- a/pkg/internal/testutils/parsed_resources_tests.go +++ b/pkg/internal/testutils/parsed_resources_tests.go @@ -32,9 +32,9 @@ const ( connUDP80 = "UDP 80" allButUDP80 = "SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535" allButTCP80A81UDP80A81 = "SCTP 1-65535,TCP 1-79,82-65535,UDP 1-79,82-65535" - allButTCP80UDP80 = "SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535" noConns = "No Connections" connTCP80A81UDP80A81 = "TCP 80-81,UDP 80-81" + connTCP80A81 = "TCP 80-81" priority100 = 100 ) @@ -148,7 +148,7 @@ func initBanp(banp *v1alpha1.BaselineAdminNetworkPolicy) *v1alpha1.BaselineAdmin return banp } -func (test *ParsedResourcesTest) Getk8sObjects() []parser.K8sObject { +func (test *ParsedResourcesTest) GetK8sObjects() []parser.K8sObject { res := []parser.K8sObject{} test.TestInfo = fmt.Sprintf("test: %q, output format: %q", test.Name, test.OutputFormat) for _, ns := range test.Resources.NsList { @@ -296,6 +296,16 @@ var ( allNamespacesSubject = v1alpha1.AdminNetworkPolicySubject{ Namespaces: &metav1.LabelSelector{}, } + subjectNsY = v1alpha1.AdminNetworkPolicySubject{ + Namespaces: &metav1.LabelSelector{ + MatchLabels: map[string]string{"ns": "y"}, + }, + } + subjectNsX = v1alpha1.AdminNetworkPolicySubject{ + Namespaces: &metav1.LabelSelector{ + MatchLabels: map[string]string{"ns": "x"}, + }, + } toXPeer = []v1alpha1.AdminNetworkPolicyEgressPeer{ { Namespaces: &metav1.LabelSelector{ @@ -310,6 +320,13 @@ var ( }, }, } + fromXPeer = []v1alpha1.AdminNetworkPolicyIngressPeer{ + { + Namespaces: &metav1.LabelSelector{ + MatchLabels: map[string]string{"ns": "x"}, + }, + }, + } egressRuleDenyPorts80 = []v1alpha1.AdminNetworkPolicyEgressRule{ { Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, 
@@ -337,6 +354,11 @@ var ( To: toXPeer, Ports: ports80, } + egressRuleAllowToXTCP8081 = v1alpha1.AdminNetworkPolicyEgressRule{ + Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, + To: toXPeer, + Ports: portsTCP8081, + } egressRuleDenyAllToX = v1alpha1.AdminNetworkPolicyEgressRule{ Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, To: toXPeer, @@ -366,6 +388,10 @@ var ( To: toXPeer, Ports: ports80, } + egressRulePassAllToX = v1alpha1.AdminNetworkPolicyEgressRule{ + Action: v1alpha1.AdminNetworkPolicyRuleActionPass, + To: toXPeer, + } egressRuleDenyToXUDP80 = v1alpha1.AdminNetworkPolicyEgressRule{ Action: v1alpha1.AdminNetworkPolicyRuleActionDeny, To: toXPeer, @@ -390,6 +416,10 @@ var ( From: fromYPeer, Ports: portsUDP80, } + ingressRuleAllowAllFromX = v1alpha1.AdminNetworkPolicyIngressRule{ + Action: v1alpha1.AdminNetworkPolicyRuleActionAllow, + From: fromXPeer, + } anp1 = v1alpha1.AdminNetworkPolicySpec{ Priority: priority100, Subject: allNamespacesSubject, @@ -427,6 +457,18 @@ var ( }, }, }) + banpDenyAllToX = initBanp(&v1alpha1.BaselineAdminNetworkPolicy{ + Spec: v1alpha1.BaselineAdminNetworkPolicySpec{ + Subject: subjectNsY, + Egress: []v1alpha1.BaselineAdminNetworkPolicyEgressRule{ + { + Action: v1alpha1.BaselineAdminNetworkPolicyRuleActionDeny, + To: toXPeer, + }, + }, + }, + }) + ANPConnectivityFromParsedResourcesTest = []ParsedResourcesTest{ { Name: "egress port number protocol unspecified", 
@@ -973,6 +1015,65 @@ var ( }, }), }, + { + Name: "ANP with unmatched ingress and egress connection #7", + // ANP 1: + // - subject ns : y + // - priority : 15 + // - egress rule to x : + // - allow TCP 80-81 + // - deny others + // ANP 2: + // - subject ns : x + // - priority : 4 + // - ingress rule from y: + // - allow UDP 80 + // what happens from y->x: + // actual table from policy-assistant: + // +--------+---------+---------+---------+---------+ + // | TCP/80 | X/A | X/B | Y/A | Y/B | + // | TCP/81 | | | | | + // | UDP/80 | | | | | + // | UDP/81 | | | | | + // +--------+---------+---------+---------+---------+ + // | x/a | # # # # | . . . . | . . . . | . . . . | + // +--------+---------+---------+---------+---------+ + // | x/b | . . . . | # # # # | . . . . | . . . . | + // +--------+---------+---------+---------+---------+ + // | y/a | . . X X | . . X X | # # # # | . . . . | + // +--------+---------+---------+---------+---------+ + // | y/b | . . X X | . . X X | . . . . | # # # # | + // +--------+---------+---------+---------+---------+ + OutputFormat: output.TextFormat, + ExpectedOutputFileName: "test7_anp_unmatched_ingress_egress_from_parsed_res.txt", + EvalTests: []EvalAllowedConnTest{ + { + Src: "x/a", Dst: "y/b", + ExpResult: allConnsStr, + }, + { + Src: "y/a", Dst: "x/b", + ExpResult: connTCP80A81, + }, + }, + Resources: initResources(podInfo1), + AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ + { + Spec: v1alpha1.AdminNetworkPolicySpec{ + Priority: 15, + Subject: subjectNsY, + Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleAllowToXTCP8081, egressRuleDenyAllToX}, + }, + }, + { + Spec: v1alpha1.AdminNetworkPolicySpec{ + Priority: 4, + Subject: subjectNsX, + Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleAllowFromYUDP80}, + }, + }, + }), + }, { Name: "ANP with unmatched ingress and egress connection #13", // ANP: 
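Review bot: The case comment for #7 stops at `what happens from y->x:` without stating the outcome or the reason, and the same dangling line appears in case #8 (hunk at -1289). These cases pin down that an ingress allow cannot widen what egress permits, so the reasoning belongs next to the table, e.g. `// y->x: TCP 80-81 only; ANP 2's ingress allow of UDP 80 does not override ANP 1's egress deny (egress and ingress results are intersected)`. For #8 the equivalent would be `// x->y: nothing; the ANP ingress allow does not override the NetworkPolicy's egress isolation of x`.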
@@ -1289,6 +1390,66 @@ var ( }, }), }, + { + Name: "ANP with unmatched ingress and egress connection #8", + // ANP : + // - subject ns : y + // - priority : 15 + // - ingress rule allow all from x + // NP: + // - ns : x + // - empty egress (deny all egress) + // what happens from x->y: + // actual table from policy-assistant: + // +--------+---------+---------+---------+---------+ + // | TCP/80 | X/A | X/B | Y/A | Y/B | + // | TCP/81 | | | | | + // | UDP/80 | | | | | + // | UDP/81 | | | | | + // +--------+---------+---------+---------+---------+ + // | x/a | # # # # | X X X X | X X X X | X X X X | + // +--------+---------+---------+---------+---------+ + // | x/b | X X X X | # # # # | X X X X | X X X X | + // +--------+---------+---------+---------+---------+ + // | y/a | . . . . | . . . . | # # # # | . . . . | + // +--------+---------+---------+---------+---------+ + // | y/b | . . . . | . . . . | . . . . | # # # # | + // +--------+---------+---------+---------+---------+ + OutputFormat: output.TextFormat, + ExpectedOutputFileName: "test8_anp_np_unmatched_ingress_egress_from_parsed_res.txt", + EvalTests: []EvalAllowedConnTest{ + { + Src: "x/b", Dst: "y/a", + ExpResult: noConns, + }, + { + Src: "y/b", Dst: "x/a", + ExpResult: allConnsStr, + }, + }, + Resources: initResources(podInfo1), + NpList: initNpList([]*netv1.NetworkPolicy{ + { + ObjectMeta: metav1.ObjectMeta{ + Namespace: "x", + Name: "base", + }, + Spec: netv1.NetworkPolicySpec{ + PodSelector: metav1.LabelSelector{}, + PolicyTypes: []netv1.PolicyType{netv1.PolicyTypeEgress}, + }, + }, + }), + AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ + { + Spec: v1alpha1.AdminNetworkPolicySpec{ + Priority: 15, + Subject: subjectNsY, + Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRuleAllowAllFromX}, + }, + }, + }), + }, } BANPWithNetPolV1FromParsedResourcesTest = []ParsedResourcesTest{ 
@@ -1505,7 +1666,6 @@ var ( // | y/b | X X . X | X X . X | X X . X | # # # # | // +--------+---------+---------+---------+---------+ - // @TBD: Note that expected output is different from the actual output generated by policy-assistant OutputFormat: output.TextFormat, ExpectedOutputFileName: "test3_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ @@ -1515,7 +1675,7 @@ var ( }, { Src: "y/a", Dst: "x/b", - ExpResult: noConns, // policy-assistant expects UDP80 + ExpResult: connUDP80, }, }, Resources: initResources(podInfo1), 
@@ -1531,6 +1691,56 @@ var ( }), Banp: banpDenyAllFromY, }, + { + Name: "ANP with unmatched ingress and egress connection #5", + // ANP: + // - subject is all namespaces (x,y) + // - ingress rule from y : Pass UDP80 + // - egress rule to x : Allow UDP 80 + // BANP: + // - subject : all namespaces + // - ingress rule : deny all from y + // what happens from y->x: + // actual table from policy-assistant: (y->x all conns are denied) + // +--------+---------+---------+---------+---------+ + // | TCP/80 | X/A | X/B | Y/A | Y/B | + // | TCP/81 | | | | | + // | UDP/80 | | | | | + // | UDP/81 | | | | | + // +--------+---------+---------+---------+---------+ + // | x/a | # # # # | . . . . | . . . . | . . . . | + // +--------+---------+---------+---------+---------+ + // | x/b | . . . . | # # # # | . . . . | . . . . | + // +--------+---------+---------+---------+---------+ + // | y/a | X X X X | X X X X | # # # # | X X X X | + // +--------+---------+---------+---------+---------+ + // | y/b | X X X X | X X X X | X X X X | # # # # | + // +--------+---------+---------+---------+---------+ + OutputFormat: output.TextFormat, + ExpectedOutputFileName: "test5_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", + EvalTests: []EvalAllowedConnTest{ + { + Src: "x/a", Dst: "y/b", + ExpResult: allConnsStr, + }, + { + Src: "y/a", Dst: "x/b", + ExpResult: noConns, + }, + }, + Resources: initResources(podInfo1), + AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ + { + Spec: v1alpha1.AdminNetworkPolicySpec{ + Priority: priority100, + Subject: allNamespacesSubject, + Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRuleAllowToXUDP80}, + Ingress: []v1alpha1.AdminNetworkPolicyIngressRule{ingressRulePassFromYUDP80}, + }, + }, + }), + Banp: banpDenyAllFromY, + }, { Name: "ANP with unmatched ingress and egress connection #11", // ANP: 
@@ -1660,8 +1870,6 @@ var ( // +--------+---------+---------+---------+---------+ // | y/b | . . X . | . . X . | . . X . | # # # # | // +--------+---------+---------+---------+---------+ - - // @TBD: Note that expected output is different from the actual output generated by policy-assistant OutputFormat: output.TextFormat, ExpectedOutputFileName: "test14_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", EvalTests: []EvalAllowedConnTest{ @@ -1671,7 +1879,7 @@ var ( }, { Src: "y/a", Dst: "x/b", - ExpResult: allButTCP80UDP80, // policy-assistant expects allButUDP80 only + ExpResult: allButUDP80, }, }, Resources: initResources(podInfo1), 
@@ -1687,5 +1895,52 @@ var ( }), Banp: banpDenyAllFromY, }, + { + Name: "ANP with unmatched ingress and egress connection #9", + // ANP: + // - subject is ns:y + // - egress rule pass all to x + // BANP: + // - subject : ns:y + // - egress rule deny all to x + // actual table form policy-assistant: + // +--------+---------+---------+---------+---------+ + // | TCP/80 | X/A | X/B | Y/A | Y/B | + // | TCP/81 | | | | | + // | UDP/80 | | | | | + // | UDP/81 | | | | | + // +--------+---------+---------+---------+---------+ + // | x/a | # # # # | . . . . | . . . . | . . . . | + // +--------+---------+---------+---------+---------+ + // | x/b | . . . . | # # # # | . . . . | . . . . | + // +--------+---------+---------+---------+---------+ + // | y/a | X X X X | X X X X | # # # # | . . . . | + // +--------+---------+---------+---------+---------+ + // | y/b | X X X X | X X X X | . . . . | # # # # | + // +--------+---------+---------+---------+---------+ + OutputFormat: output.TextFormat, + ExpectedOutputFileName: "test9_anp_banp_unmatched_ingress_egress_from_parsed_res.txt", + EvalTests: []EvalAllowedConnTest{ + { + Src: "x/a", Dst: "y/b", + ExpResult: allConnsStr, + }, + { + Src: "y/a", Dst: "x/b", + ExpResult: noConns, + }, + }, + Resources: initResources(podInfo1), + AnpList: initAnpList([]*v1alpha1.AdminNetworkPolicy{ + { + Spec: v1alpha1.AdminNetworkPolicySpec{ + Priority: priority100, + Subject: subjectNsY, + Egress: []v1alpha1.AdminNetworkPolicyEgressRule{egressRulePassAllToX}, + }, + }, + }), + Banp: banpDenyAllToX, + }, } ) diff --git a/pkg/netpol/connlist/connlist_test.go b/pkg/netpol/connlist/connlist_test.go index c403e6b0..fe23a403 100644 --- a/pkg/netpol/connlist/connlist_test.go +++ b/pkg/netpol/connlist/connlist_test.go 
@@ -1348,7 +1348,7 @@ func runParsedResourcesConnlistTests(t *testing.T, testList []testutils.ParsedRe t.Run(test.Name, func(t *testing.T) { t.Parallel() analyzer := NewConnlistAnalyzer(WithOutputFormat(test.OutputFormat)) - res, _, err := analyzer.connsListFromParsedResources(test.Getk8sObjects()) + res, _, err := analyzer.connsListFromParsedResources(test.GetK8sObjects()) require.Nil(t, err, test.TestInfo) out, err := analyzer.ConnectionsListToString(res) require.Nil(t, err, test.TestInfo) diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go index 8fd9ec94..c924f034 100644 --- a/pkg/netpol/eval/check.go +++ b/pkg/netpol/eval/check.go 
@@ -143,81 +143,36 @@ func (pe *PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPe // allAllowedConnectionsBetweenPeers: returns the allowed connections from srcPeer to dstPeer // expecting that srcPeer and dstPeer are in level of pods (PodPeer) -// allowed conns are computed considering all policy resources available, admin-network-policies and network-policies -// -//gocyclo:ignore +// allowed conns are computed considering all the available resources of k8s network policy api: +// admin-network-policies, network-policies and baseline-admin-network-policies func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) (*common.ConnectionSet, error) { srcK8sPeer := srcPeer.(k8s.Peer) dstK8sPeer := dstPeer.(k8s.Peer) + var res *common.ConnectionSet var err error // cases where any connection is always allowed if isPodToItself(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(dstK8sPeer, srcK8sPeer) { return common.MakeConnectionSet(true), nil } - - // first: get conns between src and dst from AdminNetworkPolicies; - // note that: - // - anpConns may contain allowed, denied or/and passed connections - // - anpCaptured is true iff there is at least one rule in the input ANPs that captures both src and dst; - // because anp rules are read as is and don't contain any implicit isolation effects for the Pods selected by the AdminNetworkPolicy. - anpConns, anpCaptured, err := pe.getAllConnsFromAdminNetpols(srcK8sPeer, dstK8sPeer) - if err != nil { - return nil, err - } - - // second: get conns between src and dst from networkPolicies: - // note that : - // - npConns contains only allowed connections - // - npCaptured is true iff there are policies selecting either src or dst - since network-policies' rules contain - // implicit deny on Pods selected by them. 
- npConns, npCaptured, err := pe.getAllAllowedConnsFromNetpols(srcK8sPeer, dstK8sPeer) + // egress: get egress allowed connections between the src and dst by + // walking through all k8s egress policies capturing the src; + // evaluating first ANPs then NPs and finally the BANP + res, err = pe.allAllowedXgressConnections(srcK8sPeer, dstK8sPeer, false) if err != nil { return nil, err } - - if anpCaptured && npCaptured { - // if conns between src and dst were captured by the admin-network-policies and by network-policies - // collect conns: - // - traffic that has no match in ANPs but allowed by NPs is added to allowed conns - // - pass conns from ANPs, are determined by NPs conns, note that allowed conns by NPs, imply deny on other traffic; - // so ANPs.pass conns which intersect with NPs.allowed are added to allowed conns result; - // other pass conns (which don't intersect with NPs allowed conns) are not allowed implicitly. - anpConns.CollectConnsFromLowerPolicyType(npConns) - return anpConns.AllowedConns, nil - } - if !anpCaptured && npCaptured { - // only NPs capture the peers, return allowed conns from netpols - return npConns.AllowedConns, nil + if res.IsEmpty() { + return res, nil } - // otherwise, network-policies don't capture the traffic between src and dst: - // get default connection between src and dst: - // note that : - // - if there is no banp in the input resources, then default conns is system-default which is allow-all - // - defaultConns may contain allowed and denied conns - defaultConns, err := pe.getDefaultConns(srcK8sPeer, dstK8sPeer) + // ingress: get ingress allowed connections between the src and dst by + // walking through all k8s ingress policies capturing the dst; + // evaluating first ANPs then NPs and finally the BANP + ingressRes, err := pe.allAllowedXgressConnections(srcK8sPeer, dstK8sPeer, true) if err != nil { return nil, err } - if !anpCaptured && !npCaptured { - // if no ANPs nor NPs capturing the peers, return the default 
allowed conns (from BANP or system-default) - // note that if conns are not captured by an ANP/NP but captured only by BANP, then: - // if BANP denies some conns but has no allow rule then, allowed conns are all but the denied conns: - if defaultConns.AllowedConns.IsEmpty() && !defaultConns.DeniedConns.IsEmpty() { - allowedConns := common.MakeConnectionSet(true) - allowedConns.Subtract(defaultConns.DeniedConns) - return allowedConns, nil - } // else return the allowed conns by BANP - return defaultConns.AllowedConns, nil - } - // else - // ANPs capture the peers, netpols don't , return the allowed conns from ANPs considering default conns - // this determines what happens on traffic (ports) which are not mentioned in the ANPs; since ANP rules are read as is only - anpConns.CollectConnsFromLowerPolicyType(defaultConns) - // note that : BANP rules may not match all ANPs.Pass conns, remaining pass conns will be allowed as system-default - if !anpConns.PassConns.IsEmpty() { - anpConns.AllowedConns.Union(anpConns.PassConns) - } - return anpConns.AllowedConns, nil + res.Intersection(ingressRes) + return res, nil } // getPod: returns a Pod object corresponding to the input pod name @@ -369,7 +324,7 @@ func (pe *PolicyEngine) checkIfAllowedNew(src, dst, protocol, port string) (bool } // allAllowedConnections: returns allowed connection between input strings of src and dst -// currently used only for testing (computations based on all policy resources (e.g. ANP, NP)) +// currently used only for testing (computations based on all policy resources (e.g. ANP, NP & BANP)) func (pe *PolicyEngine) allAllowedConnections(src, dst string) (*common.ConnectionSet, error) { srcPeer, err := pe.getPeer(src) if err != nil { 
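Review bot: The early `return res, nil` on an empty egress result skips the ingress walk altogether, and the comment on getAllAllowedXgressConnsFromNetpols in this file says that walk also updates whether dst is exposed cluster-wide on ingress. The removed getAllAllowedConnsFromNetpols short-circuited only when NetworkPolicies themselves emptied egress; here an ANP or BANP egress deny triggers it as well, so dst's ingress exposure may go unrecorded for those pairs if exposure analysis depends on this path. If that is intended, say so at the return, e.g. `// egress allows nothing: ingress is not evaluated, so dst's ingress exposure is not updated for this pair`.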
@@ -397,45 +352,89 @@ func GetPeerExposedTCPConnections(peer Peer) *common.ConnectionSet { } } -// analyzing network-policies for conns between peers (object kind == NetworkPolicy): - -// getAllAllowedConnsFromNetpols: returns connections between src and dst by analyzing the network-policies rules; -// and whether the connection between the src and dst was captured by network-policies' rules. -// note that network-policies connections represent only allowed conns. -// note that: if there are policies selecting either src or dst, then the connection is captured; -// since NetworkPolicy rules implicitly deny unmentioned connections. -func (pe *PolicyEngine) getAllAllowedConnsFromNetpols(src, dst k8s.Peer) (policyConns *k8s.PolicyConnections, npCaptured bool, err error) { - policyConns = k8s.InitEmptyPolicyConnections() - // egress - res, egressCaptured, err := pe.getAllAllowedXgressConnsFromNetpols(src, dst, false) +// allAllowedConnectionsBetweenPeers: returns the allowed connections from srcPeer to dstPeer on the +// given direction (ingress/egress) +// allowed conns are computed by walking through all the available resources of k8s network policy api: +// admin-network-policies, network-policies and baseline-admin-network-policies; +// considering the precedence of each policy +func (pe *PolicyEngine) allAllowedXgressConnections(src, dst k8s.Peer, isIngress bool) (allowedConns *common.ConnectionSet, err error) { + // first get allowed xgress conn between the src and dst from the ANPs + // note that: + // - anpConns may contain allowed, denied or/and passed connections + // - anpCaptured is true iff there is at least one rule in the input ANPs that captures both src and dst; + // because anp rules are read as is and don't contain any implicit isolation effects for the Pods selected by the AdminNetworkPolicy. 
+ anpConns, anpCaptured, err := pe.getAllAllowedXgressConnectionsFromANPs(src, dst, isIngress) if err != nil { - return nil, false, err + return nil, err } - if egressCaptured && res.IsEmpty() { - // connections are not allowed from src to dst by policies selecting "src", return - policyConns.AllowedConns = res - return policyConns, egressCaptured, nil + // second get the allowed xgress conns between the src and dst from the netpols + // note that : + // - npConns contains only allowed connections + // - npCaptured is true iff there are policies selecting either src or dst - since network-policies' rules contain + // implicit deny on Pods selected by them. + npConns, npCaptured, err := pe.getAllAllowedXgressConnsFromNetpols(src, dst, isIngress) + if err != nil { + return nil, err } - // ingress - ingressRes, ingressCaptured, err := pe.getAllAllowedXgressConnsFromNetpols(src, dst, true) + + // compute the allowed connections on the given direction considering the which policies captured the xgress connection + // and precedence of each policy type: + if anpCaptured && npCaptured { + // if conns between src and dst were captured by both the admin-network-policies and by network-policies + // collect conns: + // - traffic that was allowed or denied by ANPs will not be affected by the netpol conns. + // - traffic that has no match in ANPs but allowed by NPs is added to allowed conns. + // - pass conns from ANPs, are determined by NPs conns; + // note that allowed conns by netpols, imply deny on other traffic; + // so ANPs.pass conns which intersect with NPs.allowed are added to allowed conns result; + // other pass conns (which don't intersect with NPs allowed conns) are not allowed implicitly. 
+ anpConns.CollectConnsFromLowerPrecedencePolicyType(npConns) + return anpConns.AllowedConns, nil + } + if !anpCaptured && npCaptured { + // only NPs capture the peers, return allowed conns from netpols + return npConns.AllowedConns, nil + } + // otherwise,n getting here means network-policies don't capture the xgress direction traffic between src and dst. + // get default xgress connection between src and dst from the BANP/ system-default; + // note that : + // - if there is no banp in the input resources, then default conns is system-default which is allow-all + // - if the banp captures the xgress between src and dst; then defaultConns may contain allowed and denied conns + defaultConns, err := pe.getXgressDefaultConns(src, dst, isIngress) if err != nil { - return nil, false, err + return nil, err } - if !egressCaptured { // result is determined by ingress conns only (policies selecting dst)/ none - policyConns.AllowedConns = ingressRes - return policyConns, ingressCaptured, nil + if !anpCaptured && !npCaptured { // only BANP captures the xgress between src -> dst (or not captured at all) + // if no ANPs nor NPs capturing the xgress connection, return the default allowed conns (from BANP or system-default). 
+ // note that: if conns are not captured by an ANP/NP but captured only by BANP, then: + // if BANP denies some conns but has no allow rule then, allowed conns are all but the denied conns: + if defaultConns.AllowedConns.IsEmpty() && !defaultConns.DeniedConns.IsEmpty() { + allowedConns := common.MakeConnectionSet(true) + allowedConns.Subtract(defaultConns.DeniedConns) + return allowedConns, nil + } // else return the allowed conns by BANP + return defaultConns.AllowedConns, nil } - if ingressCaptured && egressCaptured { // allowed conns is intersection between egress and ingress conns - res.Intersection(ingressRes) + // else ( anpCaptured && !npCaptured) + // ANPs capture the peers, netpols don't , return the allowed conns from ANPs considering default conns + // this determines what happens on traffic (ports) which are not mentioned in the ANPs; since ANP rules are read as is only + anpConns.CollectConnsFromLowerPrecedencePolicyType(defaultConns) + // note that : BANP rules may not match all ANPs.Pass conns, remaining pass conns will be allowed as system-default + if !anpConns.PassConns.IsEmpty() { + anpConns.AllowedConns.Union(anpConns.PassConns) } - policyConns.AllowedConns = res - return policyConns, ingressCaptured || egressCaptured, nil + return anpConns.AllowedConns, nil } +// analyzing network-policies for conns between peers (object kind == NetworkPolicy): + // getAllAllowedXgressConnsFromNetpols returns if connections from src to dst are captured by network policies on given direction, // if yes, returns also the set of allowed connections from src to dst on given direction(ingress/egress), by network policies rules. // also checks and updates if a src is exposed to all namespaces on egress or dst is exposed to all namespaces cluster on ingress -func (pe *PolicyEngine) getAllAllowedXgressConnsFromNetpols(src, dst k8s.Peer, isIngress bool) (allowedConns *common.ConnectionSet, +// note that network-policies connections represent only allowed conns. 
+// note that: if there are policies selecting src (on egress) or dst (on ingress), then the xgress connection is captured; +// since NetworkPolicy rules implicitly deny unmentioned connections. +func (pe *PolicyEngine) getAllAllowedXgressConnsFromNetpols(src, dst k8s.Peer, isIngress bool) (policiesConns *k8s.PolicyConnections, captured bool, err error) { // relevant policies: policies that capture dst if isIngress, else policies that capture src var netpols []*k8s.NetworkPolicy @@ -444,7 +443,7 @@ func (pe *PolicyEngine) getAllAllowedXgressConnsFromNetpols(src, dst k8s.Peer, i // since netpols may not select IPs; and then the connection will be determined as system-default // allow-all in a later check // i.e. the if dst.PeerType() == k8s.IPBlockType is deprecated - // so this connection is determined by system-default (which is allow all) + // so this connection is determined later by system-default (which is allow all) netpols, err = pe.getPoliciesSelectingPod(dst, netv1.PolicyTypeIngress) } else { // note that if src is an IPBlock Peer, then "getPoliciesSelectingPod" will return 0 netpols; @@ -456,12 +455,12 @@ func (pe *PolicyEngine) getAllAllowedXgressConnsFromNetpols(src, dst k8s.Peer, i } if len(netpols) == 0 { - // if both directions not capturing the connection between src and dst, - // this will be ignored and skipped so allowed conns will be determined by BANP, or default (allow-all) + // if the given direction is not capturing the connection between src and dst, + // this will be ignored and skipped so allowed conns will be determined later by BANP, or default (allow-all) return nil, false, nil } // connections between src and dst are captured by network-policies - allowedConns = common.MakeConnectionSet(false) + allowedConns := common.MakeConnectionSet(false) // iterate relevant network policies (that capture the required pod) for _, policy := range netpols { 
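Review bot: The doc comment added for `allAllowedXgressConnections` opens with `allAllowedConnectionsBetweenPeers:`, which is the name of its caller, so it should start `// allAllowedXgressConnections: returns the allowed connections from src to dst on the given direction (ingress/egress)`. In the BANP-only branch `allowedConns := common.MakeConnectionSet(true)` shadows the named result `allowedConns`; every return is explicit so behaviour is unaffected, but renaming the local or dropping the result names avoids the shadow. getAllAllowedXgressConnsFromNetpols now returns a nil `*k8s.PolicyConnections` when no policy selects the peer, which is safe here only because `npConns` is dereferenced after `npCaptured` is checked; a one-line comment at that check would keep later edits from breaking it. The typo `otherwise,n getting here` can be fixed in the same pass.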
@@ -479,7 +478,10 @@ func (pe *PolicyEngine) getAllAllowedXgressConnsFromNetpols(src, dst k8s.Peer, i } allowedConns.Union(policyAllowedConnectionsPerDirection) } - return allowedConns, true, nil + // putting the result in policiesConns object to be compared with conns allowed by ANP/BANP later + policiesConns = k8s.InitEmptyPolicyConnections() + policiesConns.AllowedConns = allowedConns + return policiesConns, true, nil } // determineAllowedConnsPerDirection returns the policy's allowed connections between the 
@@ -524,54 +526,50 @@ func updatePeerXgressClusterWideExposure(policy *k8s.NetworkPolicy, src, dst k8s // analyzing admin-network-policies for conns between peers (object kind == AdminNetworkPolicy): -// getAllConnsFromAdminNetpols returns the connections from src to dst by analyzing admin network policies rules; +// getAllAllowedXgressConnectionsFromANPs returns the connections from src to dst on give direction (ingress/egress) +// by analyzing admin network policies rules; // and whether the connection between the src and dst was captured by admin-network-policies' rules. // note that: // - ANP connections may be allowed, passed and denied -// - a connection between src and dst is captured by an ANP iff there is a rule capturing both peers, since +// - a connection between src and dst is captured by an ANP iff there is an xgress rule capturing both peers, since // AdminNetworkPolicy rules should be read as-is, i.e. there will not be any implicit isolation effects for // the Pods selected by the AdminNetworkPolicy, as opposed to implicit deny NetworkPolicy rules imply. -func (pe *PolicyEngine) getAllConnsFromAdminNetpols(src, dst k8s.Peer) (policiesConns *k8s.PolicyConnections, +func (pe *PolicyEngine) getAllAllowedXgressConnectionsFromANPs(src, dst k8s.Peer, isIngress bool) (policiesConns *k8s.PolicyConnections, captured bool, err error) { policiesConns = k8s.InitEmptyPolicyConnections() - // iterate the sorted admin network policies in order to compute the allowed, pass, and denied connections between the peers - // from the admin netpols capturing the src / dst / both. + // iterate the sorted admin network policies in order to compute the allowed, pass, and denied xgress connections between the peers + // from the admin netpols capturing the src (if !isIngress)/ capturing the dst (if isIngress true). 
// connections are computed considering ANPs priorities (rules of an ANP with lower priority take precedence on other ANPs rules) // and rules ordering in single ANP (coming first takes precedence). for _, anp := range pe.sortedAdminNetpols { singleANPConns := k8s.InitEmptyPolicyConnections() // collect the allowed, pass, and denied connectivity from the relevant rules into policiesConns - // note that anp may capture both the src and dst (by namespaces field), so both ingress and egress sections might be helpful - - // if the anp captures the src, get the relevant egress conns between src and dst - selectsSrc, err := anp.Selects(src, false) - if err != nil { - return nil, false, err - } - if selectsSrc { - singleANPConns, err = anp.GetEgressPolicyConns(dst) + if !isIngress { // egress + selectsSrc, err := anp.Selects(src, false) if err != nil { return nil, false, err } - } - // if the anp captures the dst, get the relevant ingress conns (from src to dst) - selectsDst, err := anp.Selects(dst, true) - if err != nil { - return nil, false, err - } - if selectsDst { - ingressConns, err := anp.GetIngressPolicyConns(src, dst) + // if the anp captures the src, get the relevant egress conns between src and dst + if selectsSrc { + singleANPConns, err = anp.GetEgressPolicyConns(dst) + if err != nil { + return nil, false, err + } + } + } else { // ingress + selectsDst, err := anp.Selects(dst, true) if err != nil { return nil, false, err } - // get the intersection of ingress and egress sections if also the src was captured - if selectsSrc { - singleANPConns = getAdminPolicyConnFromEgressIngressConns(singleANPConns, ingressConns) - } else { // only dst is captured by anp - singleANPConns = ingressConns + // if the anp captures the dst, get the relevant ingress conns (from src to dst) + if selectsDst { + singleANPConns, err = anp.GetIngressPolicyConns(src, dst) + if err != nil { + return nil, false, err + } } } - if !singleANPConns.IsEmpty() { // the anp is relevant (captured 
at least one of the peers) + if !singleANPConns.IsEmpty() { // the anp is relevant (the xgress connection is captured) policiesConns.CollectANPConns(singleANPConns) } } 
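Review bot: `getAllAllowedXgressConnectionsFromANPs` returns a PolicyConnections that carries allowed, pass and denied sets (its own comment says so), so `AllAllowed` in the name misdescribes the result and invites a caller to treat the whole object as permitted traffic; a name such as `getXgressConnsFromAdminNetpols` would match what it returns. The doc comment also has `on give direction` for `on the given direction`. Inside both direction branches `selectsSrc, err :=` and `selectsDst, err :=` declare a new `err` that shadows the named result; this is harmless with the explicit returns, but a single `var selects bool` assigned with `=` would avoid it. The function's closing lines fall in the next hunk.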
@@ -583,76 +581,47 @@ func (pe *PolicyEngine) getAllConnsFromAdminNetpols(src, dst k8s.Peer) (policies return policiesConns, true, nil } -// getDefaultConns returns the default connections between src and dst; considering the existence of a baseline-admin-network-policy -// if there is a BANP in the input resources, it is analyzed; if it captures conns between src and dst, +// analyzing baseline-admin-network-policies for conns between peers (object kind == BaselineAdminNetworkPolicy): + +// getXgressDefaultConns returns the default connections between src and dst on the given direction (ingress/egress); +// considering the existence of a baseline-admin-network-policy +// if there is a BANP in the input resources, it is analyzed; if it captures xgress conns between src and dst, // then the captured conns are returned. // if there is no BANP or if the BANP does not capture connections between src and dst, then default allow-all connections is returned. // - note that the result may contain allowed / denied connections. 
-func (pe *PolicyEngine) getDefaultConns(src, dst k8s.Peer) (*k8s.PolicyConnections, error) { +func (pe *PolicyEngine) getXgressDefaultConns(src, dst k8s.Peer, isIngress bool) (*k8s.PolicyConnections, error) { res := k8s.InitEmptyPolicyConnections() if pe.baselineAdminNetpol == nil { res.AllowedConns = common.MakeConnectionSet(true) return res, nil } - // else : - // if the banp selects the src on egress, get egress conns - egressCaptured, err := pe.baselineAdminNetpol.Selects(src, false) - if err != nil { - return nil, err - } - if egressCaptured { - res, err = pe.baselineAdminNetpol.GetEgressPolicyConns(dst) + if isIngress { // ingress + selectsDst, err := pe.baselineAdminNetpol.Selects(dst, true) if err != nil { return nil, err } - } - // if the banp selects the dst on ingress, get ingress conns - ingressCaptured, err := pe.baselineAdminNetpol.Selects(dst, true) - if err != nil { - return nil, err - } - if ingressCaptured { - ingressRes, err := pe.baselineAdminNetpol.GetIngressPolicyConns(src, dst) - if err != nil { - return nil, err - } - if egressCaptured { // both ingress and egress captured - compute conns intersections - res = getAdminPolicyConnFromEgressIngressConns(res, ingressRes) - } else { // only ingress captured - res = ingressRes + // if the banp selects the dst on ingress, get ingress conns + if selectsDst { + res, err = pe.baselineAdminNetpol.GetIngressPolicyConns(src, dst) + if err != nil { + return nil, err + } + } else { // egress (!isIngress) + selectsSrc, err := pe.baselineAdminNetpol.Selects(src, false) + if err != nil { + return nil, err + } + // if the banp selects the src on egress, get egress conns + if selectsSrc { + res, err = pe.baselineAdminNetpol.GetEgressPolicyConns(dst) + if err != nil { + return nil, err + } + } } } - if res.IsEmpty() { // banp rules didn't capture src and dst, return system-default: allow-all + if res.IsEmpty() { // banp rules didn't capture xgress conn between src and dst, return system-default: allow-all 
res.AllowedConns = common.MakeConnectionSet(true) } return res, nil } - -// getAdminPolicyConnFromEgressIngressConns gets egress and ingress connections between pair of peers from a single (b)anp, -// and returns the final connections between the peers from this policy's egress and ingress sections -// the main principle of this func is that: a connection is allowed iff both ingress and egress allow it (either implicitly or explicitly) -func getAdminPolicyConnFromEgressIngressConns(egressConns, ingressConns *k8s.PolicyConnections) *k8s.PolicyConnections { - // by default any connection that is not captured by rules is allowed by the section - // so allowed conns are "all conns" minus (denied + passed conns) - egressNonCapturedAllowedConns := common.MakeConnectionSet(true) - egressNonCapturedAllowedConns.Subtract(egressConns.DeniedConns) - egressNonCapturedAllowedConns.Subtract(egressConns.PassConns) // egressNonCapturedAllowedConns contains all - // allowed conns by egress (captured + non-captured) - ingressNonCapturedAllowedConns := common.MakeConnectionSet(true) - ingressNonCapturedAllowedConns.Subtract(ingressConns.PassConns) - ingressNonCapturedAllowedConns.Subtract(ingressConns.DeniedConns) // ingressNonCapturedAllowedConns contains all the - // allowed connections by ingress (captured + non-captured) - - // captured allowed conns by policy is intersection of captured allowed and non-captured allowed between the two directions - // egress captured allowed is: - (egressConns.AllowedConns).Intersection(ingressNonCapturedAllowedConns) - // ingress captured is : - (ingressConns.AllowedConns).Intersection(egressNonCapturedAllowedConns) - // final result - storing it in egressConns : - egressConns.AllowedConns.Union(ingressConns.AllowedConns) - egressConns.DeniedConns.Union(ingressConns.DeniedConns) - egressConns.PassConns.Union(ingressConns.PassConns) - // remove denied conns from pass (if a connection is denied it can not be passed forward) - 
egressConns.PassConns.Subtract(egressConns.DeniedConns) - return egressConns // stored final result in egressConns -} diff --git a/pkg/netpol/eval/eval_test.go b/pkg/netpol/eval/eval_test.go index ea27e080..05ca2430 100644 --- a/pkg/netpol/eval/eval_test.go +++ b/pkg/netpol/eval/eval_test.go @@ -1828,7 +1828,7 @@ func runParsedResourcesEvalTests(t *testing.T, testList []testutils.ParsedResour test := &testList[i] t.Run(test.Name, func(t *testing.T) { t.Parallel() - pe, err := NewPolicyEngineWithObjects(test.Getk8sObjects()) + pe, err := NewPolicyEngineWithObjects(test.GetK8sObjects()) require.Nil(t, err, test.TestInfo) for _, evalTest := range test.EvalTests { src := evalTest.Src diff --git a/pkg/netpol/eval/internal/k8s/policy_connections.go b/pkg/netpol/eval/internal/k8s/policy_connections.go index 6e2aab63..455789f0 100644 --- a/pkg/netpol/eval/internal/k8s/policy_connections.go +++ b/pkg/netpol/eval/internal/k8s/policy_connections.go 
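Review bot: In getXgressDefaultConns, as the braces read in this hunk, `} else { // egress (!isIngress)` closes `if selectsDst {` rather than `if isIngress {`, so the egress lookup is nested inside the ingress path. With isIngress false the BANP is then never consulted, and the `res.IsEmpty()` fallback returns `common.MakeConnectionSet(true)`, which would report allow-all on egress even where a baseline deny rule applies. With isIngress true and dst not selected, egress conns are returned for an ingress query. The ANP loop in getAllConnsFromAdminNetpols (the hunk before this one) closes its inner `if` before the `else`; the same shape is needed here, i.e. a `}` on its own line before `} else { // egress (!isIngress)` and one closing brace fewer after the `if selectsSrc` block. Indentation is lost in this view, so confirm against the file; a parsed-resources case with only a BANP egress deny, evaluated in the egress direction, would pin the behaviour.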
@@ -84,12 +84,12 @@ func (pc *PolicyConnections) CollectANPConns(newAdminPolicyConns *PolicyConnecti pc.PassConns.Union(newAdminPolicyConns.PassConns) } -// CollectConnsFromLowerPolicyType updates current PolicyConnections object with connections from a +// CollectConnsFromLowerPrecedencePolicyType updates current PolicyConnections object with connections from a // policy with lower priority than ANP. (e.g. network-policy or baseline-admin-network-policy or instead system-default connection) // allowed and denied connections of current PolicyConnections object (admin-network-policy) are non-overridden. // but pass connections in current PolicyConnections object will be determined by the input PolicyConnections parameter. // note that: passConns in otherConns will always be empty. (np and banp don't contain pass connections) -func (pc *PolicyConnections) CollectConnsFromLowerPolicyType(otherConns *PolicyConnections) { +func (pc *PolicyConnections) CollectConnsFromLowerPrecedencePolicyType(otherConns *PolicyConnections) { // allowed and denied conns of current pc are non-overridden otherConns.AllowedConns.Subtract(pc.DeniedConns) otherConns.DeniedConns.Subtract(pc.AllowedConns) diff --git a/test_outputs/connlist/anp_demo_connlist_output.csv b/test_outputs/connlist/anp_demo_connlist_output.csv index fd67a4bf..8f322df8 100644 --- a/test_outputs/connlist/anp_demo_connlist_output.csv +++ b/test_outputs/connlist/anp_demo_connlist_output.csv 
@@ -2,12 +2,11 @@ src,dst,conn 0.0.0.0-255.255.255.255,hufflepuff/cedric-diggory[StatefulSet],All Connections 0.0.0.0-255.255.255.255,slytherin/draco-malfoy[StatefulSet],All Connections gryffindor/harry-potter[StatefulSet],0.0.0.0-255.255.255.255,All Connections -gryffindor/harry-potter[StatefulSet],hufflepuff/cedric-diggory[StatefulSet],"SCTP 9003,TCP 8080,UDP 53,5353" +gryffindor/harry-potter[StatefulSet],hufflepuff/cedric-diggory[StatefulSet],"SCTP 9003,TCP 8080,UDP 5353" gryffindor/harry-potter[StatefulSet],ravenclaw/luna-lovegood[StatefulSet],UDP 52 gryffindor/harry-potter[StatefulSet],slytherin/draco-malfoy[StatefulSet],"SCTP 1-9002,9004-65535,TCP 1-79,81-65535,UDP 1-52,54-65535" hufflepuff/cedric-diggory[StatefulSet],0.0.0.0-255.255.255.255,All Connections hufflepuff/cedric-diggory[StatefulSet],gryffindor/harry-potter[StatefulSet],"SCTP 9003,TCP 80,UDP 5353" -ravenclaw/luna-lovegood[StatefulSet],gryffindor/harry-potter[StatefulSet],All Connections slytherin/draco-malfoy[StatefulSet],0.0.0.0-255.255.255.255,All Connections slytherin/draco-malfoy[StatefulSet],gryffindor/harry-potter[StatefulSet],All Connections slytherin/draco-malfoy[StatefulSet],hufflepuff/cedric-diggory[StatefulSet],All Connections diff --git a/test_outputs/connlist/anp_demo_connlist_output.dot b/test_outputs/connlist/anp_demo_connlist_output.dot index f0600272..9a936e47 100644 --- a/test_outputs/connlist/anp_demo_connlist_output.dot +++ b/test_outputs/connlist/anp_demo_connlist_output.dot 
@@ -27,12 +27,11 @@ digraph { "0.0.0.0-255.255.255.255" -> "hufflepuff/cedric-diggory[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "0.0.0.0-255.255.255.255" -> "slytherin/draco-malfoy[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "gryffindor/harry-potter[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] - "gryffindor/harry-potter[StatefulSet]" -> "hufflepuff/cedric-diggory[StatefulSet]" [label="SCTP 9003,TCP 8080,UDP 53,5353" color="gold2" fontcolor="darkgreen" weight=0.5] + "gryffindor/harry-potter[StatefulSet]" -> "hufflepuff/cedric-diggory[StatefulSet]" [label="SCTP 9003,TCP 8080,UDP 5353" color="gold2" fontcolor="darkgreen" weight=0.5] "gryffindor/harry-potter[StatefulSet]" -> "ravenclaw/luna-lovegood[StatefulSet]" [label="UDP 52" color="gold2" fontcolor="darkgreen" weight=0.5] "gryffindor/harry-potter[StatefulSet]" -> "slytherin/draco-malfoy[StatefulSet]" [label="SCTP 1-9002,9004-65535,TCP 1-79,81-65535,UDP 1-52,54-65535" color="gold2" fontcolor="darkgreen" weight=0.5] "hufflepuff/cedric-diggory[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] "hufflepuff/cedric-diggory[StatefulSet]" -> "gryffindor/harry-potter[StatefulSet]" [label="SCTP 9003,TCP 80,UDP 5353" color="gold2" fontcolor="darkgreen" weight=1] - "ravenclaw/luna-lovegood[StatefulSet]" -> "gryffindor/harry-potter[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] "slytherin/draco-malfoy[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] "slytherin/draco-malfoy[StatefulSet]" -> "gryffindor/harry-potter[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] "slytherin/draco-malfoy[StatefulSet]" -> "hufflepuff/cedric-diggory[StatefulSet]" [label="All Connections" 
color="gold2" fontcolor="darkgreen" weight=1] diff --git a/test_outputs/connlist/anp_demo_connlist_output.dot.png b/test_outputs/connlist/anp_demo_connlist_output.dot.png index 05ae88f4..5b4cb301 100644 Binary files a/test_outputs/connlist/anp_demo_connlist_output.dot.png and b/test_outputs/connlist/anp_demo_connlist_output.dot.png differ diff --git a/test_outputs/connlist/anp_demo_connlist_output.dot.svg b/test_outputs/connlist/anp_demo_connlist_output.dot.svg index f6377991..7147c9af 100644 --- a/test_outputs/connlist/anp_demo_connlist_output.dot.svg +++ b/test_outputs/connlist/anp_demo_connlist_output.dot.svg 
@@ -4,150 +4,143 @@ - + - + cluster_hufflepuff - -hufflepuff + +hufflepuff cluster_ravenclaw - -ravenclaw - - -cluster_slytherin - -slytherin + +ravenclaw cluster_gryffindor - -gryffindor + +gryffindor + + +cluster_slytherin + +slytherin gryffindor/harry-potter[StatefulSet] - -harry-potter[StatefulSet] + +harry-potter[StatefulSet] hufflepuff/cedric-diggory[StatefulSet] - -cedric-diggory[StatefulSet] + +cedric-diggory[StatefulSet] gryffindor/harry-potter[StatefulSet]->hufflepuff/cedric-diggory[StatefulSet] - - -SCTP 9003,TCP 8080,UDP 53,5353 + + +SCTP 9003,TCP 8080,UDP 5353 ravenclaw/luna-lovegood[StatefulSet] - -luna-lovegood[StatefulSet] + +luna-lovegood[StatefulSet] gryffindor/harry-potter[StatefulSet]->ravenclaw/luna-lovegood[StatefulSet] - - -UDP 52 + + +UDP 52 slytherin/draco-malfoy[StatefulSet] - -draco-malfoy[StatefulSet] + +draco-malfoy[StatefulSet] gryffindor/harry-potter[StatefulSet]->slytherin/draco-malfoy[StatefulSet] - - -SCTP 1-9002,9004-65535,TCP 1-79,81-65535,UDP 1-52,54-65535 + + +SCTP 1-9002,9004-65535,TCP 1-79,81-65535,UDP 1-52,54-65535 0.0.0.0-255.255.255.255 - -0.0.0.0-255.255.255.255 + +0.0.0.0-255.255.255.255 gryffindor/harry-potter[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections hufflepuff/cedric-diggory[StatefulSet]->gryffindor/harry-potter[StatefulSet] - - -SCTP 9003,TCP 80,UDP 5353 + + +SCTP 9003,TCP 80,UDP 5353 hufflepuff/cedric-diggory[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections - - - -ravenclaw/luna-lovegood[StatefulSet]->gryffindor/harry-potter[StatefulSet] - - -All Connections + + +All Connections - + slytherin/draco-malfoy[StatefulSet]->gryffindor/harry-potter[StatefulSet] - - -All Connections + + +All Connections - + slytherin/draco-malfoy[StatefulSet]->hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections - + slytherin/draco-malfoy[StatefulSet]->ravenclaw/luna-lovegood[StatefulSet] - - -TCP 1-79,81-65535 + + +TCP 1-79,81-65535 - + 
slytherin/draco-malfoy[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections diff --git a/test_outputs/connlist/anp_demo_connlist_output.json b/test_outputs/connlist/anp_demo_connlist_output.json index 7a1b7068..259f2f69 100644 --- a/test_outputs/connlist/anp_demo_connlist_output.json +++ b/test_outputs/connlist/anp_demo_connlist_output.json @@ -17,7 +17,7 @@ { "src": "gryffindor/harry-potter[StatefulSet]", "dst": "hufflepuff/cedric-diggory[StatefulSet]", - "conn": "SCTP 9003,TCP 8080,UDP 53,5353" + "conn": "SCTP 9003,TCP 8080,UDP 5353" }, { "src": "gryffindor/harry-potter[StatefulSet]", @@ -39,11 +39,6 @@ "dst": "gryffindor/harry-potter[StatefulSet]", "conn": "SCTP 9003,TCP 80,UDP 5353" }, - { - "src": "ravenclaw/luna-lovegood[StatefulSet]", - "dst": "gryffindor/harry-potter[StatefulSet]", - "conn": "All Connections" - }, { "src": "slytherin/draco-malfoy[StatefulSet]", "dst": "0.0.0.0-255.255.255.255", diff --git a/test_outputs/connlist/anp_demo_connlist_output.md b/test_outputs/connlist/anp_demo_connlist_output.md index 19b1ed3e..6d33e1b4 100644 --- a/test_outputs/connlist/anp_demo_connlist_output.md +++ b/test_outputs/connlist/anp_demo_connlist_output.md 
@@ -3,12 +3,11 @@ | 0.0.0.0-255.255.255.255 | hufflepuff/cedric-diggory[StatefulSet] | All Connections | | 0.0.0.0-255.255.255.255 | slytherin/draco-malfoy[StatefulSet] | All Connections | | gryffindor/harry-potter[StatefulSet] | 0.0.0.0-255.255.255.255 | All Connections | -| gryffindor/harry-potter[StatefulSet] | hufflepuff/cedric-diggory[StatefulSet] | SCTP 9003,TCP 8080,UDP 53,5353 | +| gryffindor/harry-potter[StatefulSet] | hufflepuff/cedric-diggory[StatefulSet] | SCTP 9003,TCP 8080,UDP 5353 | | gryffindor/harry-potter[StatefulSet] | ravenclaw/luna-lovegood[StatefulSet] | UDP 52 | | gryffindor/harry-potter[StatefulSet] | slytherin/draco-malfoy[StatefulSet] | SCTP 1-9002,9004-65535,TCP 1-79,81-65535,UDP 1-52,54-65535 | | hufflepuff/cedric-diggory[StatefulSet] | 0.0.0.0-255.255.255.255 | All Connections | | hufflepuff/cedric-diggory[StatefulSet] | gryffindor/harry-potter[StatefulSet] | SCTP 9003,TCP 80,UDP 5353 | -| ravenclaw/luna-lovegood[StatefulSet] | gryffindor/harry-potter[StatefulSet] | All Connections | | slytherin/draco-malfoy[StatefulSet] | 0.0.0.0-255.255.255.255 | All Connections | | slytherin/draco-malfoy[StatefulSet] | gryffindor/harry-potter[StatefulSet] | All Connections | | slytherin/draco-malfoy[StatefulSet] | hufflepuff/cedric-diggory[StatefulSet] | All Connections | diff --git a/test_outputs/connlist/anp_demo_connlist_output.txt b/test_outputs/connlist/anp_demo_connlist_output.txt index 788ea64b..a59382d6 100644 --- a/test_outputs/connlist/anp_demo_connlist_output.txt +++ b/test_outputs/connlist/anp_demo_connlist_output.txt 
@@ -1,12 +1,11 @@ 0.0.0.0-255.255.255.255 => hufflepuff/cedric-diggory[StatefulSet] : All Connections 0.0.0.0-255.255.255.255 => slytherin/draco-malfoy[StatefulSet] : All Connections gryffindor/harry-potter[StatefulSet] => 0.0.0.0-255.255.255.255 : All Connections -gryffindor/harry-potter[StatefulSet] => hufflepuff/cedric-diggory[StatefulSet] : SCTP 9003,TCP 8080,UDP 53,5353 +gryffindor/harry-potter[StatefulSet] => hufflepuff/cedric-diggory[StatefulSet] : SCTP 9003,TCP 8080,UDP 5353 gryffindor/harry-potter[StatefulSet] => ravenclaw/luna-lovegood[StatefulSet] : UDP 52 gryffindor/harry-potter[StatefulSet] => slytherin/draco-malfoy[StatefulSet] : SCTP 1-9002,9004-65535,TCP 1-79,81-65535,UDP 1-52,54-65535 hufflepuff/cedric-diggory[StatefulSet] => 0.0.0.0-255.255.255.255 : All Connections hufflepuff/cedric-diggory[StatefulSet] => gryffindor/harry-potter[StatefulSet] : SCTP 9003,TCP 80,UDP 5353 -ravenclaw/luna-lovegood[StatefulSet] => gryffindor/harry-potter[StatefulSet] : All Connections slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255 : All Connections slytherin/draco-malfoy[StatefulSet] => gryffindor/harry-potter[StatefulSet] : All Connections slytherin/draco-malfoy[StatefulSet] => hufflepuff/cedric-diggory[StatefulSet] : All Connections diff --git a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.csv b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.csv index 815f6c25..5cd03c71 100644 --- a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.csv +++ b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.csv 
@@ -2,7 +2,6 @@ src,dst,conn 0.0.0.0-255.255.255.255,network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],All Connections 0.0.0.0-255.255.255.255,network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],All Connections 0.0.0.0-255.255.255.255,network-policy-conformance-slytherin/draco-malfoy[StatefulSet],All Connections -network-policy-conformance-gryffindor/harry-potter[StatefulSet],network-policy-conformance-slytherin/draco-malfoy[StatefulSet],All Connections network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],0.0.0.0-255.255.255.255,All Connections network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],All Connections network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],network-policy-conformance-slytherin/draco-malfoy[StatefulSet],All Connections diff --git a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot index a6672324..e800abca 100644 --- a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot +++ b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot 
@@ -27,7 +27,6 @@ digraph { "0.0.0.0-255.255.255.255" -> "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "0.0.0.0-255.255.255.255" -> "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "0.0.0.0-255.255.255.255" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] - "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] diff --git a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.png b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.png index 65e8576a..957d21de 100644 Binary files a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.png and b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.png differ diff --git a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.svg b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.svg index 33c9b449..e7c78b65 100644 --- a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.svg 
+++ b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.dot.svg 
@@ -4,157 +4,150 @@ - + - + + +cluster_network_policy_conformance_slytherin + +network-policy-conformance-slytherin + + +cluster_network_policy_conformance_hufflepuff + +network-policy-conformance-hufflepuff + cluster_network_policy_conformance_gryffindor - -network-policy-conformance-gryffindor + +network-policy-conformance-gryffindor cluster_network_policy_conformance_ravenclaw - -network-policy-conformance-ravenclaw - - -cluster_network_policy_conformance_hufflepuff - -network-policy-conformance-hufflepuff - - -cluster_network_policy_conformance_slytherin - -network-policy-conformance-slytherin + +network-policy-conformance-ravenclaw network-policy-conformance-gryffindor/harry-potter[StatefulSet] - -harry-potter[StatefulSet] - - - -network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - -draco-malfoy[StatefulSet] - - - -network-policy-conformance-gryffindor/harry-potter[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + +harry-potter[StatefulSet] network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - -cedric-diggory[StatefulSet] + +cedric-diggory[StatefulSet] network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - -luna-lovegood[StatefulSet] + +luna-lovegood[StatefulSet] - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections + + + +network-policy-conformance-slytherin/draco-malfoy[StatefulSet] + +draco-malfoy[StatefulSet] - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255 - -0.0.0.0-255.255.255.255 + +0.0.0.0-255.255.255.255 - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections - + 
network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-gryffindor/harry-potter[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections diff --git a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.json b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.json index 97a33df9..b6823eff 100644 --- a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.json +++ b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.json 
@@ -14,11 +14,6 @@ "dst": "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]", "conn": "All Connections" }, - { - "src": "network-policy-conformance-gryffindor/harry-potter[StatefulSet]", - "dst": "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]", - "conn": "All Connections" - }, { "src": "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]", "dst": "0.0.0.0-255.255.255.255", diff --git a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.md b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.md index 04250a7a..7f60ca72 100644 --- a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.md +++ b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.md @@ -3,7 +3,6 @@ | 0.0.0.0-255.255.255.255 | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | All Connections | | 0.0.0.0-255.255.255.255 | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | All Connections | | 0.0.0.0-255.255.255.255 | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | All Connections | -| network-policy-conformance-gryffindor/harry-potter[StatefulSet] | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | All Connections | | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | 0.0.0.0-255.255.255.255 | All Connections | | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | All Connections | | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | All Connections | diff --git a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.txt b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.txt index 42d61601..784cbe7b 100644 --- a/test_outputs/connlist/anp_np_banp_core_test_connlist_output.txt +++ b/test_outputs/connlist/anp_np_banp_core_test_connlist_output.txt 
@@ -1,7 +1,6 @@ 0.0.0.0-255.255.255.255 => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] : All Connections 0.0.0.0-255.255.255.255 => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] : All Connections 0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] : All Connections -network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] : All Connections network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => 0.0.0.0-255.255.255.255 : All Connections network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] : All Connections network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] : All Connections diff --git a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.csv b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.csv index 74cfebf4..5eab334a 100644 --- a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.csv +++ b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.csv 
@@ -2,16 +2,14 @@ src,dst,conn 0.0.0.0-255.255.255.255,network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],All Connections 0.0.0.0-255.255.255.255,network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],All Connections 0.0.0.0-255.255.255.255,network-policy-conformance-slytherin/draco-malfoy[StatefulSet],All Connections -network-policy-conformance-gryffindor/harry-potter[StatefulSet],network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],UDP 53 network-policy-conformance-gryffindor/harry-potter[StatefulSet],network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],All Connections network-policy-conformance-gryffindor/harry-potter[StatefulSet],network-policy-conformance-slytherin/draco-malfoy[StatefulSet],"SCTP 1-65535,TCP 1-79,81-65535,UDP 1-65535" network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],0.0.0.0-255.255.255.255,All Connections -network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],network-policy-conformance-gryffindor/harry-potter[StatefulSet],TCP 80 network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],SCTP 9003 network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],network-policy-conformance-slytherin/draco-malfoy[StatefulSet],"SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535" network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],0.0.0.0-255.255.255.255,All Connections network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],network-policy-conformance-gryffindor/harry-potter[StatefulSet],All Connections -network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],All Connections +network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],SCTP 9003 
network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],network-policy-conformance-slytherin/draco-malfoy[StatefulSet],"SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535" network-policy-conformance-slytherin/draco-malfoy[StatefulSet],0.0.0.0-255.255.255.255,All Connections network-policy-conformance-slytherin/draco-malfoy[StatefulSet],network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],"SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535" diff --git a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot index 01764191..3cd1c146 100644 --- a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot +++ b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot 
@@ -27,16 +27,14 @@ digraph { "0.0.0.0-255.255.255.255" -> "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "0.0.0.0-255.255.255.255" -> "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "0.0.0.0-255.255.255.255" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] - "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" [label="UDP 53" color="gold2" fontcolor="darkgreen" weight=0.5] "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=0.5] "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="SCTP 1-65535,TCP 1-79,81-65535,UDP 1-65535" color="gold2" fontcolor="darkgreen" weight=0.5] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] - "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" [label="TCP 80" color="gold2" fontcolor="darkgreen" weight=1] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" [label="SCTP 9003" color="gold2" fontcolor="darkgreen" weight=0.5] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535" color="gold2" fontcolor="darkgreen" weight=0.5] 
"network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" -> "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] - "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" -> "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] + "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" -> "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" [label="SCTP 9003" color="gold2" fontcolor="darkgreen" weight=1] "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535" color="gold2" fontcolor="darkgreen" weight=0.5] "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen" weight=1] "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" -> "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" [label="SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535" color="gold2" fontcolor="darkgreen" weight=1] diff --git a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.png b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.png index a83030d6..73ca32dd 100644 Binary files a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.png and b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.png differ diff --git a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.svg b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.svg index 04bd1fa5..f8072660 100644 
--- a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.svg +++ b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.dot.svg 
@@ -4,178 +4,164 @@ - - - + + + cluster_network_policy_conformance_gryffindor - -network-policy-conformance-gryffindor + +network-policy-conformance-gryffindor + + +cluster_network_policy_conformance_slytherin + +network-policy-conformance-slytherin cluster_network_policy_conformance_hufflepuff - -network-policy-conformance-hufflepuff + +network-policy-conformance-hufflepuff cluster_network_policy_conformance_ravenclaw - -network-policy-conformance-ravenclaw - - -cluster_network_policy_conformance_slytherin - -network-policy-conformance-slytherin + +network-policy-conformance-ravenclaw network-policy-conformance-gryffindor/harry-potter[StatefulSet] - -harry-potter[StatefulSet] - - - -network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - -cedric-diggory[StatefulSet] - - - -network-policy-conformance-gryffindor/harry-potter[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -UDP 53 + +harry-potter[StatefulSet] network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - -luna-lovegood[StatefulSet] + +luna-lovegood[StatefulSet] - + network-policy-conformance-gryffindor/harry-potter[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - -draco-malfoy[StatefulSet] + +draco-malfoy[StatefulSet] - + network-policy-conformance-gryffindor/harry-potter[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -SCTP 1-65535,TCP 1-79,81-65535,UDP 1-65535 + + +SCTP 1-65535,TCP 1-79,81-65535,UDP 1-65535 - - -network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-gryffindor/harry-potter[StatefulSet] - - -TCP 80 + + +network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] + +cedric-diggory[StatefulSet] - + 
network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -SCTP 9003 + + +SCTP 9003 - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535 + + +SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535 0.0.0.0-255.255.255.255 - -0.0.0.0-255.255.255.255 + +0.0.0.0-255.255.255.255 - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-gryffindor/harry-potter[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +SCTP 9003 - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535 + + +SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535 - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535 + + +SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535 - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535 + + +SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535 - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections 
0.0.0.0-255.255.255.255->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections diff --git a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.json b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.json index fc81a71a..b938c05b 100644 --- a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.json +++ b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.json @@ -14,11 +14,6 @@ "dst": "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]", "conn": "All Connections" }, - { - "src": "network-policy-conformance-gryffindor/harry-potter[StatefulSet]", - "dst": "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]", - "conn": "UDP 53" - }, { "src": "network-policy-conformance-gryffindor/harry-potter[StatefulSet]", "dst": "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]", @@ -34,11 +29,6 @@ "dst": "0.0.0.0-255.255.255.255", "conn": "All Connections" }, - { - "src": "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]", - "dst": "network-policy-conformance-gryffindor/harry-potter[StatefulSet]", - "conn": "TCP 80" - }, { "src": "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]", "dst": "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]", @@ -62,7 +52,7 @@ { "src": "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]", "dst": "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]", - "conn": "All Connections" + "conn": "SCTP 9003" }, { "src": "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]", 
diff --git a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.md b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.md index 1a497b44..3bf018b7 100644 --- a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.md +++ b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.md 
@@ -3,16 +3,14 @@ | 0.0.0.0-255.255.255.255 | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | All Connections | | 0.0.0.0-255.255.255.255 | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | All Connections | | 0.0.0.0-255.255.255.255 | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | All Connections | -| network-policy-conformance-gryffindor/harry-potter[StatefulSet] | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | UDP 53 | | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | All Connections | | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | SCTP 1-65535,TCP 1-79,81-65535,UDP 1-65535 | | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | 0.0.0.0-255.255.255.255 | All Connections | -| network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | TCP 80 | | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | SCTP 9003 | | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535 | | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | 0.0.0.0-255.255.255.255 | All Connections | | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | All Connections | -| network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | All Connections | +| network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | SCTP 9003 | | 
network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535 | | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | 0.0.0.0-255.255.255.255 | All Connections | | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535 | diff --git a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.txt b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.txt index cdba3765..167ae67d 100644 --- a/test_outputs/connlist/anp_test_multiple_anps_connlist_output.txt +++ b/test_outputs/connlist/anp_test_multiple_anps_connlist_output.txt 
@@ -1,16 +1,14 @@ 0.0.0.0-255.255.255.255 => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] : All Connections 0.0.0.0-255.255.255.255 => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] : All Connections 0.0.0.0-255.255.255.255 => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] : All Connections -network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] : UDP 53 network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] : All Connections network-policy-conformance-gryffindor/harry-potter[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-65535 network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => 0.0.0.0-255.255.255.255 : All Connections -network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet] : TCP 80 network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] : SCTP 9003 network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] : SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535 network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => 0.0.0.0-255.255.255.255 : All Connections network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-gryffindor/harry-potter[StatefulSet] : All Connections -network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] : All Connections +network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] : SCTP 9003 
network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] => network-policy-conformance-slytherin/draco-malfoy[StatefulSet] : SCTP 1-9002,9004-65535,TCP 1-65535,UDP 1-65535
 network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => 0.0.0.0-255.255.255.255 : All Connections
 network-policy-conformance-slytherin/draco-malfoy[StatefulSet] => network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] : SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535
diff --git a/test_outputs/connlist/test14_anp_banp_unmatched_ingress_egress_from_parsed_res.txt b/test_outputs/connlist/test14_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
index 1e93b0a5..dcc54a08 100644
--- a/test_outputs/connlist/test14_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
+++ b/test_outputs/connlist/test14_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
@@ -11,10 +11,10 @@ x/b[Pod] => x/a[Pod] : All Connections
 x/b[Pod] => y/a[Pod] : All Connections
 x/b[Pod] => y/b[Pod] : All Connections
 y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
-y/a[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
-y/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
+y/a[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
+y/a[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
 y/a[Pod] => y/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
 y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
-y/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
-y/b[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-79,81-65535,UDP 1-79,81-65535
+y/b[Pod] => x/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
+y/b[Pod] => x/b[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
 y/b[Pod] => y/a[Pod] : SCTP 1-65535,TCP 1-65535,UDP 1-79,81-65535
\ No newline at end of file
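Review bot: The expected y→x rows in this test14 golden widen from `TCP 1-79,81-65535` to `TCP 1-65535`, so the file now asserts that TCP 80 from namespace y to namespace x is allowed, and nothing in the hunk says which rule admits it. The test3 golden in the next file section widens the same way, adding four y→x `UDP 80` rows that were absent before. Because these files are the only assertion of the analyzer's verdict, an output regenerated from a wrong result would pass silently. I would add a one-line comment on each corresponding test case definition naming the deciding rule, e.g. `// test14: y->x TCP 80 is allowed by <deciding rule>, so expected y->x is TCP 1-65535`.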
diff --git a/test_outputs/connlist/test3_anp_banp_unmatched_ingress_egress_from_parsed_res.txt b/test_outputs/connlist/test3_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
index 7368a949..88b2a5c5 100644
--- a/test_outputs/connlist/test3_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
+++ b/test_outputs/connlist/test3_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
@@ -11,6 +11,10 @@ x/b[Pod] => x/a[Pod] : All Connections
 x/b[Pod] => y/a[Pod] : All Connections
 x/b[Pod] => y/b[Pod] : All Connections
 y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/a[Pod] => x/a[Pod] : UDP 80
+y/a[Pod] => x/b[Pod] : UDP 80
 y/a[Pod] => y/b[Pod] : UDP 80
 y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/b[Pod] => x/a[Pod] : UDP 80
+y/b[Pod] => x/b[Pod] : UDP 80
 y/b[Pod] => y/a[Pod] : UDP 80
\ No newline at end of file
diff --git a/test_outputs/connlist/test5_anp_banp_unmatched_ingress_egress_from_parsed_res.txt b/test_outputs/connlist/test5_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
new file mode 100644
index 00000000..e6bfa627
--- /dev/null
+++ b/test_outputs/connlist/test5_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
@@ -0,0 +1,14 @@
+0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
+x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+x/a[Pod] => x/b[Pod] : All Connections
+x/a[Pod] => y/a[Pod] : All Connections
+x/a[Pod] => y/b[Pod] : All Connections
+x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+x/b[Pod] => x/a[Pod] : All Connections
+x/b[Pod] => y/a[Pod] : All Connections
+x/b[Pod] => y/b[Pod] : All Connections
+y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
\ No newline at end of file
diff --git a/test_outputs/connlist/test7_anp_unmatched_ingress_egress_from_parsed_res.txt b/test_outputs/connlist/test7_anp_unmatched_ingress_egress_from_parsed_res.txt
new file mode 100644
index 00000000..cf31c8f1
--- /dev/null
+++ b/test_outputs/connlist/test7_anp_unmatched_ingress_egress_from_parsed_res.txt
@@ -0,0 +1,20 @@
+0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
+x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+x/a[Pod] => x/b[Pod] : All Connections
+x/a[Pod] => y/a[Pod] : All Connections
+x/a[Pod] => y/b[Pod] : All Connections
+x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+x/b[Pod] => x/a[Pod] : All Connections
+x/b[Pod] => y/a[Pod] : All Connections
+x/b[Pod] => y/b[Pod] : All Connections
+y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/a[Pod] => x/a[Pod] : TCP 80-81
+y/a[Pod] => x/b[Pod] : TCP 80-81
+y/a[Pod] => y/b[Pod] : All Connections
+y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/b[Pod] => x/a[Pod] : TCP 80-81
+y/b[Pod] => x/b[Pod] : TCP 80-81
+y/b[Pod] => y/a[Pod] : All Connections
\ No newline at end of file
diff --git a/test_outputs/connlist/test8_anp_np_unmatched_ingress_egress_from_parsed_res.txt b/test_outputs/connlist/test8_anp_np_unmatched_ingress_egress_from_parsed_res.txt
new file mode 100644
index 00000000..a15e566a
--- /dev/null
+++ b/test_outputs/connlist/test8_anp_np_unmatched_ingress_egress_from_parsed_res.txt
@@ -0,0 +1,12 @@
+0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
+y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/a[Pod] => x/a[Pod] : All Connections
+y/a[Pod] => x/b[Pod] : All Connections
+y/a[Pod] => y/b[Pod] : All Connections
+y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/b[Pod] => x/a[Pod] : All Connections
+y/b[Pod] => x/b[Pod] : All Connections
+y/b[Pod] => y/a[Pod] : All Connections
\ No newline at end of file
diff --git a/test_outputs/connlist/test9_anp_banp_unmatched_ingress_egress_from_parsed_res.txt b/test_outputs/connlist/test9_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
new file mode 100644
index 00000000..e7789b7a
--- /dev/null
+++ b/test_outputs/connlist/test9_anp_banp_unmatched_ingress_egress_from_parsed_res.txt
@@ -0,0 +1,16 @@
+0.0.0.0-255.255.255.255 => x/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => x/b[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/a[Pod] : All Connections
+0.0.0.0-255.255.255.255 => y/b[Pod] : All Connections
+x/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+x/a[Pod] => x/b[Pod] : All Connections
+x/a[Pod] => y/a[Pod] : All Connections
+x/a[Pod] => y/b[Pod] : All Connections
+x/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+x/b[Pod] => x/a[Pod] : All Connections
+x/b[Pod] => y/a[Pod] : All Connections
+x/b[Pod] => y/b[Pod] : All Connections
+y/a[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/a[Pod] => y/b[Pod] : All Connections
+y/b[Pod] => 0.0.0.0-255.255.255.255 : All Connections
+y/b[Pod] => y/a[Pod] : All Connections
\ No newline at end of file
diff --git a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.csv b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.csv
index 6ef75e47..e7c07d91 100644
--- a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.csv +++ b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.csv @@ -5,5 +5,4 @@ added,network-policy-conformance-gryffindor/harry-potter[StatefulSet],network-po added,network-policy-conformance-gryffindor/harry-potter[StatefulSet],network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],No Connections,All Connections, added,network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet],network-policy-conformance-gryffindor/harry-potter[StatefulSet],No Connections,All Connections, added,network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet],network-policy-conformance-gryffindor/harry-potter[StatefulSet],No Connections,All Connections, -removed,network-policy-conformance-gryffindor/harry-potter[StatefulSet],network-policy-conformance-slytherin/draco-malfoy[StatefulSet],All Connections,No Connections, removed,network-policy-conformance-slytherin/draco-malfoy[StatefulSet],network-policy-conformance-gryffindor/harry-potter[StatefulSet],All Connections,No Connections, diff --git a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot index 5d7c40f8..164e19e7 100644 --- a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot +++ b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot 
@@ -31,7 +31,6 @@ digraph { "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="#008000" fontcolor="#008000" weight=1] "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" [label="All Connections" color="#008000" fontcolor="#008000" weight=0.5] "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" [label="All Connections" color="#008000" fontcolor="#008000" weight=0.5] - "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" -> "network-policy-conformance-slytherin/draco-malfoy[StatefulSet]" [label="All Connections" color="red2" fontcolor="red2" weight=0.5] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="grey" fontcolor="grey" weight=1] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "network-policy-conformance-gryffindor/harry-potter[StatefulSet]" [label="All Connections" color="#008000" fontcolor="#008000" weight=1] "network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]" -> "network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]" [label="All Connections" color="grey" fontcolor="grey" weight=0.5] diff --git a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.png b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.png index 9ef0722f..d1b25531 100644 Binary files a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.png and b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.png differ 
diff --git a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.svg b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.svg index 309f3c9e..6f76ac7d 100644 --- a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.svg +++ b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.dot.svg 
@@ -4,259 +4,252 @@ - + - - -cluster_network_policy_conformance_hufflepuff - -network-policy-conformance-hufflepuff + + +cluster_network_policy_conformance_ravenclaw + +network-policy-conformance-ravenclaw cluster_network_policy_conformance_slytherin - -network-policy-conformance-slytherin + +network-policy-conformance-slytherin - -cluster_network_policy_conformance_ravenclaw - -network-policy-conformance-ravenclaw + +cluster_network_policy_conformance_hufflepuff + +network-policy-conformance-hufflepuff cluster_network_policy_conformance_gryffindor - -network-policy-conformance-gryffindor + +network-policy-conformance-gryffindor cluster_legend - -Legend + +Legend network-policy-conformance-gryffindor/harry-potter[StatefulSet] - -harry-potter[StatefulSet] + +harry-potter[StatefulSet] network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - -cedric-diggory[StatefulSet] + +cedric-diggory[StatefulSet] network-policy-conformance-gryffindor/harry-potter[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - -luna-lovegood[StatefulSet] + +luna-lovegood[StatefulSet] network-policy-conformance-gryffindor/harry-potter[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections - - - -network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - -draco-malfoy[StatefulSet] - - - -network-policy-conformance-gryffindor/harry-potter[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255 - -0.0.0.0-255.255.255.255 + +0.0.0.0-255.255.255.255 network-policy-conformance-gryffindor/harry-potter[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-gryffindor/harry-potter[StatefulSet] - - -All 
Connections + + +All Connections - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections + + + +network-policy-conformance-slytherin/draco-malfoy[StatefulSet] + +draco-malfoy[StatefulSet] - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-gryffindor/harry-potter[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-gryffindor/harry-potter[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections - + network-policy-conformance-slytherin/draco-malfoy[StatefulSet]->0.0.0.0-255.255.255.255 - - -All Connections + + +All Connections 
0.0.0.0-255.255.255.255->network-policy-conformance-gryffindor/harry-potter[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] - - -All Connections + + +All Connections 0.0.0.0-255.255.255.255->network-policy-conformance-slytherin/draco-malfoy[StatefulSet] - - -All Connections + + +All Connections - + a->b - - -added connection + + +added connection - + c->d - - -removed connection + + +removed connection - + e->f - - -changed connection + + +changed connection - + g->h - - -unchanged connection + + +unchanged connection np - -new peer + +new peer lp - -lost peer + +lost peer pp - -persistent peer + +persistent peer diff --git a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.md b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.md index 589d4693..7bbf22a8 100644 --- a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.md +++ b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.md 
@@ -6,5 +6,4 @@ | added | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | No Connections | All Connections | | | added | network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet] | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | No Connections | All Connections | | | added | network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet] | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | No Connections | All Connections | | -| removed | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | All Connections | No Connections | | | removed | network-policy-conformance-slytherin/draco-malfoy[StatefulSet] | network-policy-conformance-gryffindor/harry-potter[StatefulSet] | All Connections | No Connections | | \ No newline at end of file diff --git a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.txt b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.txt index 55e8cedb..69e5deec 100644 --- a/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.txt +++ b/test_outputs/diff/diff_between_anp_banp_core_test_and_anp_np_banp_core_test.txt 
@@ -5,5 +5,4 @@ diff-type: added, source: network-policy-conformance-gryffindor/harry-potter[Sta diff-type: added, source: network-policy-conformance-gryffindor/harry-potter[StatefulSet], destination: network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet], ref1: No Connections, ref2: All Connections diff-type: added, source: network-policy-conformance-hufflepuff/cedric-diggory[StatefulSet], destination: network-policy-conformance-gryffindor/harry-potter[StatefulSet], ref1: No Connections, ref2: All Connections diff-type: added, source: network-policy-conformance-ravenclaw/luna-lovegood[StatefulSet], destination: network-policy-conformance-gryffindor/harry-potter[StatefulSet], ref1: No Connections, ref2: All Connections -diff-type: removed, source: network-policy-conformance-gryffindor/harry-potter[StatefulSet], destination: network-policy-conformance-slytherin/draco-malfoy[StatefulSet], ref1: All Connections, ref2: No Connections diff-type: removed, source: network-policy-conformance-slytherin/draco-malfoy[StatefulSet], destination: network-policy-conformance-gryffindor/harry-potter[StatefulSet], ref1: All Connections, ref2: No Connections \ No newline at end of file