diff --git a/docs/connlist_output.md b/docs/connlist_output.md
index 8009de19..85a0ad90 100644
--- a/docs/connlist_output.md
+++ b/docs/connlist_output.md
@@ -99,7 +99,11 @@ The frames in the graph represent namespaces of the analyzed cluster.
 ![svg graph](./connlist_example_svg.svg)
-### Possible warning
+### Possible warnings
 `Route/Ingress specified workload as a backend, but network policies are blocking ingress connections from an arbitrary in-cluster source to this workload. Connectivity map will not include a possibly allowed connection between the ingress controller and this workload.` Since the analysis assumes the manifest of the ingress controller is unknown, it checks whether an arbitrary workload can access the destination workloads specified in Ingress/Route rules. If such access is not permitted by network policies, this connection is removed from the report. It may be an allowed connection if a network policy specifically allows ingress access to that workload from a specific workload/namespace of the actual ingress controller installed.
+
+`IPv6 addresses are not supported; it will be ignored, and will not appear in the connectivity results.`
+
+While egress rules with `networks` field in an (baseline-)admin-network-policy may select an external destination by IPv6 address format, such addresses will be ignored and omitted from the connectivity report, since the analysis supports only IPv4 addresses for external IP-blocks.
diff --git a/pkg/netpol/eval/internal/k8s/adminnetpol.go b/pkg/netpol/eval/internal/k8s/adminnetpol.go
index 99628531..064b0406 100644
--- a/pkg/netpol/eval/internal/k8s/adminnetpol.go
+++ b/pkg/netpol/eval/internal/k8s/adminnetpol.go
@@ -71,17 +71,17 @@ func (anp *AdminNetworkPolicy) adminPolicyAffectsDirection(isIngress bool) bool
 const (
 anpErrTitle = "admin network policy"
- anpErrWarnFormat = anpErrTitle + " %q: %s in rule %q: %s"
+ anpErrWarnFormat = anpErrTitle + " %q: in rule %q: %s"
 )
 // anpErr returns string format of an error in a rule in admin netpol
 func (anp *AdminNetworkPolicy) anpRuleErr(ruleName, description string) error {
- return fmt.Errorf(anpErrWarnFormat, anp.Name, ruleErrTitle, ruleName, description)
+ return fmt.Errorf(anpErrWarnFormat, anp.Name, ruleName, description)
 }
 // anpRuleWarning logs a single warning message for an admin network policy rule.
 func (anp *AdminNetworkPolicy) anpRuleWarning(ruleName, warning string) {
- anp.Logger.Warnf(fmt.Sprintf(anpErrWarnFormat, anp.Name, ruleWarningTitle, ruleName, warning))
+ anp.Logger.Warnf(fmt.Sprintf(anpErrWarnFormat, anp.Name, ruleName, warning))
 }
 // logWarnings logs any warnings generated for an admin network policy rule.
@@ -196,11 +196,6 @@ func (anp *AdminNetworkPolicy) GetReferencedIPBlocks() ([]*netset.IPBlock, error
 // But use different types for following fields:
 // Spec, Ingress, Egress, Action, Status - then funcs using/looping any of these fields are not common (sub funcs are common)
-const (
- ruleErrTitle = "Error "
- ruleWarningTitle = "Warning "
-)
-
 // warnings : to contain the warnings from a single rule of an adminNetworkPolicy or a BaselineAdminNetworkPolicy.
 // global to be used in the common func, initialized (cleared) and logged by the relevant (B)ANP calling funcs
 var warnings = []string{}
diff --git a/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go b/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go
index 61973374..2ce81ff8 100644
--- a/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go
+++ b/pkg/netpol/eval/internal/k8s/baseline_admin_netpol.go
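Review bot: anpRuleWarning still hands a pre-formatted string to Warnf as its format argument (`anp.Logger.Warnf(fmt.Sprintf(anpErrWarnFormat, anp.Name, ruleName, warning))`), so if Logger.Warnf is printf-style as its name suggests, any `%` in the policy name or in the warning text is re-interpreted as a verb at log time and yields `%!s(MISSING)`-style output; the policy name comes from the manifest being analyzed, so the shape of the log line should not depend on it. The baseline variant in this same commit already does it right with `banp.Logger.Warnf(banpErrWarnFormat, ruleName, warning)`; the matching fix here is `anp.Logger.Warnf(anpErrWarnFormat, anp.Name, ruleName, warning)`, which newer go vet versions would also stop flagging as a non-constant format string. Separately, the doc comment `// anpErr returns string format of an error in a rule in admin netpol` belongs to anpRuleErr and should start with that name.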
@@ -53,17 +53,17 @@ func (banp *BaselineAdminNetworkPolicy) baselineAdminPolicyAffectsDirection(isIn
 const (
 banpErrTitle = "default baseline admin network policy: "
- banpErrWarnFormat = banpErrTitle + " %s in rule %q: %s"
+ banpErrWarnFormat = banpErrTitle + " in rule %q: %s"
 )
 // banpRuleErr returns string format of an err in a rule in baseline-admin netpol
 func banpRuleErr(ruleName, description string) error {
- return fmt.Errorf(banpErrWarnFormat, ruleErrTitle, ruleName, description)
+ return fmt.Errorf(banpErrWarnFormat, ruleName, description)
 }
 // banpRuleWarning logs a warning message for a specific banp rule.
 func (banp *BaselineAdminNetworkPolicy) banpRuleWarning(ruleName, warning string) {
- banp.Logger.Warnf(banpErrWarnFormat, ruleWarningTitle, ruleName, warning)
+ banp.Logger.Warnf(banpErrWarnFormat, ruleName, warning)
 }
 // logWarnings logs warnings of a given ruleName.
diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go
index 3dcce8cc..031166f0 100644
--- a/pkg/netpol/eval/internal/k8s/netpol.go
+++ b/pkg/netpol/eval/internal/k8s/netpol.go
@@ -417,7 +417,7 @@ func (np *NetworkPolicy) GetIngressAllowedConns(src, dst Peer) (*common.Connecti
 }
 func (np *NetworkPolicy) netpolWarning(description string) string {
- return fmt.Sprintf("Network policy %q: %s", np.fullName(), description)
+ return fmt.Sprintf("network policy %q: %s", np.fullName(), description)
 }
 func (np *NetworkPolicy) netpolErr(title, description string) error {
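Review bot: The new `banpErrWarnFormat = banpErrTitle + " in rule %q: %s"` produces a double space in every baseline message, because banpErrTitle already ends in `": "`, giving `default baseline admin network policy:  in rule ...` from both banpRuleErr and banpRuleWarning. The one-token fix is `banpErrWarnFormat = banpErrTitle + "in rule %q: %s"`. It is also the only title of the three in this commit that carries its own trailing colon and space; anpErrTitle leaves the separator to the format string, and keeping the two constants shaped the same way would make the outputs of the ANP and BANP helpers line up.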