Moved to models v0.5.0 release (netset instead of iplock package).

More infrastructure changes for explainability
np-guard · Oct 8, 2024 · fe063fe · fe063fe
1 parent f78442f
commit fe063fe
Show file tree

Hide file tree

Showing 11 changed files with 155 additions and 74 deletions.
diff --git a/go.mod b/go.mod
@@ -1,10 +1,12 @@
 module github.com/np-guard/netpol-analyzer
 
-go 1.21
+go 1.23
+
+toolchain go1.23.0
 
 require (
 	github.com/hashicorp/golang-lru/v2 v2.0.7
-	github.com/np-guard/models v0.3.4
+	github.com/np-guard/models v0.5.0
 	github.com/openshift/api v0.0.0-20230502160752-c71432710382
 	github.com/spf13/cobra v1.8.1
 	github.com/stretchr/testify v1.9.0

diff --git a/go.sum b/go.sum
@@ -96,8 +96,8 @@ github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00 h1:n6/
 github.com/monochromegane/go-gitignore v0.0.0-20200626010858-205db1a8cc00/go.mod h1:Pm3mSP3c5uWn86xMLZ5Sa7JB9GsEZySvHYXCTK4E9q4=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 h1:C3w9PqII01/Oq1c1nUAm88MOHcQC9l5mIlSMApZMrHA=
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
-github.com/np-guard/models v0.3.4 h1:HOhVi6wyGvo+KmYBnQ5Km5HYCF+/PQlDs1v7mL1v05g=
-github.com/np-guard/models v0.3.4/go.mod h1:mqE2Irf8r+7HWh8fII0fWbWyQRMHGEo2SgSLN/6VKs8=
+github.com/np-guard/models v0.5.0 h1:P37gCg3RD23hZHymFWtthrF+mGIwyHJkWy0wIWIzokQ=
+github.com/np-guard/models v0.5.0/go.mod h1:29M8utxinyUpYaDuIuOyCcMBf7EsMWZcIrRWCjFm0Bw=
 github.com/onsi/ginkgo/v2 v2.13.0 h1:0jY9lJquiL8fcf3M4LAXN5aMlS/b2BV86HFFPCPMgE4=
 github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
 github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg=

diff --git a/pkg/netpol/connlist/conns_formatter_txt.go b/pkg/netpol/connlist/conns_formatter_txt.go
@@ -34,13 +34,16 @@ func (t *formatText) writeOutput(conns []Peer2PeerConnection, exposureConns []Ex
 
 // writeConnlistOutput writes the section of the connlist result of the output
 func (t *formatText) writeConnlistOutput(conns []Peer2PeerConnection, saveIPConns bool) string {
-	connLines := make([]string, len(conns))
+	connLines := make([]string, 0, len(conns))
 	t.ipMaps = createIPMaps(saveIPConns)
 	for i := range conns {
-		connLines[i] = formSingleP2PConn(conns[i]).string()
-		// if we have exposure analysis results, also check if src/dst is an IP and store the connection
-		if saveIPConns {
-			t.ipMaps.saveConnsWithIPs(conns[i])
+		if p2pConn := formSingleP2PConn(conns[i]); p2pConn.ConnString != "" {
+			// ConnString might be empty if conns[i] does not contain 'InSet' ports
+			connLines = append(connLines, p2pConn.string())
+			// if we have exposure analysis results, also check if src/dst is an IP and store the connection
+			if saveIPConns {
+				t.ipMaps.saveConnsWithIPs(conns[i])
+			}
 		}
 	}
 	sort.Strings(connLines)

diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go
@@ -15,8 +15,7 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
 
-	"github.com/np-guard/models/pkg/ipblock"
-
+	"github.com/np-guard/models/pkg/netset"
 	"github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors"
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s"
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
@@ -299,7 +298,7 @@ func (pe *PolicyEngine) allowedXgressConnection(src, dst k8s.Peer, isIngress boo
 // isPeerNodeIP returns true if peer1 is an IP address of a node and peer2 is a pod on that node
 func isPeerNodeIP(peer1, peer2 k8s.Peer) bool {
 	if peer2.PeerType() == k8s.PodType && peer1.PeerType() == k8s.IPBlockType {
-		ip2, err := ipblock.FromIPAddress(peer2.GetPeerPod().HostIP)
+		ip2, err := netset.IPBlockFromIPAddress(peer2.GetPeerPod().HostIP)
 		if err != nil {
 			return peer1.GetPeerIPBlock().Equal(ip2)
 		}
@@ -322,15 +321,15 @@ func isPodToItself(peer1, peer2 k8s.Peer) bool {
 func (pe *PolicyEngine) getPeer(p string) (k8s.Peer, error) {
 	// check if input peer is cidr
 	if _, _, err := net.ParseCIDR(p); err == nil {
-		peerIPBlock, err := ipblock.FromCidr(p)
+		peerIPBlock, err := netset.IPBlockFromCidr(p)
 		if err != nil {
 			return nil, err
 		}
 		return &k8s.IPBlockPeer{IPBlock: peerIPBlock}, nil
 	}
 	// check if input peer is an ip address
 	if net.ParseIP(p) != nil {
-		peerIPBlock, err := ipblock.FromIPAddress(p)
+		peerIPBlock, err := netset.IPBlockFromIPAddress(p)
 		if err != nil {
 			return nil, err
 		}

diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go
@@ -18,7 +18,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
-	"github.com/np-guard/models/pkg/ipblock"
+	"github.com/np-guard/models/pkg/netset"
 
 	"github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors"
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
@@ -255,7 +255,7 @@ func (np *NetworkPolicy) ruleSelectsPeer(rulePeers []netv1.NetworkPolicyPeer, pe
 			}
 
 			peerIPBlock := peer.GetPeerIPBlock()
-			res := peerIPBlock.ContainedIn(ruleIPBlock)
+			res := peerIPBlock.IsSubset(ruleIPBlock)
 			if res {
 				return true, nil
 			}
@@ -389,8 +389,8 @@ func (np *NetworkPolicy) netpolErr(title, description string) error {
 	return fmt.Errorf("network policy %s %s: %s", np.fullName(), title, description)
 }
 
-func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*ipblock.IPBlock, error) {
-	ipb, err := ipblock.FromCidr(cidr)
+func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*netset.IPBlock, error) {
+	ipb, err := netset.IPBlockFromCidr(cidr)
 	if err != nil {
 		return nil, np.netpolErr(netpolerrors.CidrErrTitle, err.Error())
 	}
@@ -409,8 +409,8 @@ func (np *NetworkPolicy) parseNetpolLabelSelector(selector *metav1.LabelSelector
 	return selectorRes, nil
 }
 
-func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPolicyPeer) ([]*ipblock.IPBlock, error) {
-	res := []*ipblock.IPBlock{}
+func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPolicyPeer) ([]*netset.IPBlock, error) {
+	res := []*netset.IPBlock{}
 	for _, peerObj := range rulePeers {
 		if peerObj.IPBlock != nil {
 			ipb, err := np.parseNetpolCIDR(peerObj.IPBlock.CIDR, peerObj.IPBlock.Except)
@@ -424,8 +424,8 @@ func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPo
 }
 
 // GetReferencedIPBlocks: return list of IPBlock objects referenced in the current network policy
-func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*ipblock.IPBlock, error) {
-	res := []*ipblock.IPBlock{}
+func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*netset.IPBlock, error) {
+	res := []*netset.IPBlock{}
 	for _, rule := range np.Spec.Ingress {
 		ruleRes, err := np.rulePeersReferencedIPBlocks(rule.From)
 		if err != nil {

diff --git a/pkg/netpol/eval/internal/k8s/peer.go b/pkg/netpol/eval/internal/k8s/peer.go
@@ -9,7 +9,7 @@ package k8s
 import (
 	"k8s.io/apimachinery/pkg/types"
 
-	"github.com/np-guard/models/pkg/ipblock"
+	"github.com/np-guard/models/pkg/netset"
 )
 
 // PeerType is a type to indicate the type of a Peer object (Pod or IP address)
@@ -32,7 +32,7 @@ type Peer interface {
 	// else returns nil
 	GetPeerNamespace() *Namespace
 	// GetPeerIPBlock returns a reference to IPBlock if the peer is IP address, else returns nil
-	GetPeerIPBlock() *ipblock.IPBlock
+	GetPeerIPBlock() *netset.IPBlock
 }
 
 // PodPeer implements k8s.Peer interface and eval.Peer interface
@@ -43,7 +43,7 @@ type PodPeer struct {
 
 // IPBlockPeer implements k8s.Peer interface and eval.Peer interface
 type IPBlockPeer struct {
-	IPBlock *ipblock.IPBlock
+	IPBlock *netset.IPBlock
 }
 
 // WorkloadPeer implements eval.Peer interface
@@ -118,7 +118,7 @@ func (p *PodPeer) GetPeerNamespace() *Namespace {
 	return p.NamespaceObject
 }
 
-func (p *PodPeer) GetPeerIPBlock() *ipblock.IPBlock {
+func (p *PodPeer) GetPeerIPBlock() *netset.IPBlock {
 	return nil
 }
 
@@ -160,7 +160,7 @@ func (p *IPBlockPeer) GetPeerNamespace() *Namespace {
 	return nil
 }
 
-func (p *IPBlockPeer) GetPeerIPBlock() *ipblock.IPBlock {
+func (p *IPBlockPeer) GetPeerIPBlock() *netset.IPBlock {
 	return p.IPBlock
 }
 

diff --git a/pkg/netpol/eval/peer.go b/pkg/netpol/eval/peer.go
@@ -9,7 +9,7 @@ package eval
 import (
 	"fmt"
 
-	"github.com/np-guard/models/pkg/ipblock"
+	"github.com/np-guard/models/pkg/netset"
 
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s"
 )
@@ -35,15 +35,15 @@ type Peer interface {
 // then in the result map there would be entries for (str(A), str(A1), A1) and for (str(A), str(A2), A2)
 func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error) {
 	res := map[string]map[string]Peer{}
-	var ipSet1, ipSet2 []*ipblock.IPBlock
+	var ipSet1, ipSet2 []*netset.IPBlock
 	var err error
 	if ipSet1, err = peerIPSetToIPBlockSet(set1); err != nil {
 		return nil, err
 	}
 	if ipSet2, err = peerIPSetToIPBlockSet(set2); err != nil {
 		return nil, err
 	}
-	disjointIPset := ipblock.DisjointIPBlocks(ipSet1, ipSet2)
+	disjointIPset := netset.DisjointIPBlocks(ipSet1, ipSet2)
 
 	for _, ipb := range disjointIPset {
 		addDisjointIPBlockToMap(ipSet1, ipb, res)
@@ -54,9 +54,9 @@ func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error) {
 }
 
 // addDisjointIPBlockToMap updates input map (from peer-str to its disjoint peers) by adding a new disjoint ip
-func addDisjointIPBlockToMap(ipSet []*ipblock.IPBlock, disjointIP *ipblock.IPBlock, m map[string]map[string]Peer) {
+func addDisjointIPBlockToMap(ipSet []*netset.IPBlock, disjointIP *netset.IPBlock, m map[string]map[string]Peer) {
 	for _, ipb1 := range ipSet {
-		if disjointIP.ContainedIn(ipb1) {
+		if disjointIP.IsSubset(ipb1) {
 			updatePeerIPMap(m, ipb1, disjointIP)
 			break
 		}
@@ -65,7 +65,7 @@ func addDisjointIPBlockToMap(ipSet []*ipblock.IPBlock, disjointIP *ipblock.IPBlo
 
 // updatePeerIPMap updates input map (from peer-str to its disjoint peers), given a new disjoint ip (ipb), and its
 // associated original ip-range key from the map (ipb1)
-func updatePeerIPMap(m map[string]map[string]Peer, ipb1, ipb *ipblock.IPBlock) {
+func updatePeerIPMap(m map[string]map[string]Peer, ipb1, ipb *netset.IPBlock) {
 	ipb1Str := ipb1.ToIPRanges()
 	if _, ok := m[ipb1Str]; !ok {
 		m[ipb1Str] = map[string]Peer{}
@@ -74,8 +74,8 @@ func updatePeerIPMap(m map[string]map[string]Peer, ipb1, ipb *ipblock.IPBlock) {
 }
 
 // peerIPSetToIPBlockSet is given as input a list of peers of type ip-block, and returns a list matching IPBlock objects
-func peerIPSetToIPBlockSet(peerSet []Peer) ([]*ipblock.IPBlock, error) {
-	res := make([]*ipblock.IPBlock, len(peerSet))
+func peerIPSetToIPBlockSet(peerSet []Peer) ([]*netset.IPBlock, error) {
+	res := make([]*netset.IPBlock, len(peerSet))
 	for i, p := range peerSet {
 		ipBlock, err := peerIPToIPBlock(p)
 		if err != nil {
@@ -87,17 +87,17 @@ func peerIPSetToIPBlockSet(peerSet []Peer) ([]*ipblock.IPBlock, error) {
 }
 
 // peerIPToIPBlock returns an IPBlock object from a Peer object of IP type
-func peerIPToIPBlock(p Peer) (*ipblock.IPBlock, error) {
+func peerIPToIPBlock(p Peer) (*netset.IPBlock, error) {
 	peerIP, ok := p.(*k8s.IPBlockPeer)
 	if !ok {
 		return nil, fmt.Errorf("input peer not IP block: %s", p.String())
 	}
 	return peerIP.IPBlock, nil
 }
 
-func mergeIPBlocksList(inputList []*ipblock.IPBlock) []*ipblock.IPBlock {
+func mergeIPBlocksList(inputList []*netset.IPBlock) []*netset.IPBlock {
 	if len(inputList) == 0 {
-		return []*ipblock.IPBlock{}
+		return []*netset.IPBlock{}
 	}
 	union := inputList[0].Copy()
 	for i := 1; i < len(inputList); i++ {

diff --git a/pkg/netpol/eval/resources.go b/pkg/netpol/eval/resources.go
@@ -21,8 +21,7 @@ import (
 	"k8s.io/apimachinery/pkg/types"
 	apisv1a "sigs.k8s.io/network-policy-api/apis/v1alpha1"
 
-	"github.com/np-guard/models/pkg/ipblock"
-
+	"github.com/np-guard/models/pkg/netset"
 	"github.com/np-guard/netpol-analyzer/pkg/internal/netpolerrors"
 	"github.com/np-guard/netpol-analyzer/pkg/manifests/parser"
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s"
@@ -652,8 +651,8 @@ func (pe *PolicyEngine) GetRepresentativePeersList() []Peer {
 }
 
 // getDisjointIPBlocks returns a slice of disjoint ip-blocks from all netpols resources
-func (pe *PolicyEngine) getDisjointIPBlocks() ([]*ipblock.IPBlock, error) {
-	var ipbList []*ipblock.IPBlock
+func (pe *PolicyEngine) getDisjointIPBlocks() ([]*netset.IPBlock, error) {
+	var ipbList []*netset.IPBlock
 	for _, nsMap := range pe.netpolsMap {
 		for _, policy := range nsMap {
 			policyIPBlocksList, err := policy.GetReferencedIPBlocks()
@@ -663,8 +662,8 @@ func (pe *PolicyEngine) getDisjointIPBlocks() ([]*ipblock.IPBlock, error) {
 			ipbList = append(ipbList, policyIPBlocksList...)
 		}
 	}
-	newAll := ipblock.GetCidrAll()
-	disjointRes := ipblock.DisjointIPBlocks(ipbList, []*ipblock.IPBlock{newAll})
+	newAll := netset.GetCidrAll()
+	disjointRes := netset.DisjointIPBlocks(ipbList, []*netset.IPBlock{newAll})
 	return disjointRes, nil
 }