diff --git a/pkg/netpol/connlist/connlist.go b/pkg/netpol/connlist/connlist.go
index aee266e8..db6d013a 100644
--- a/pkg/netpol/connlist/connlist.go
+++ b/pkg/netpol/connlist/connlist.go
@@ -95,7 +95,7 @@ func (ca *ConnlistAnalyzer) ConnlistFromDirPath(dirPath string) ([]Peer2PeerConn
var ValidFormats = []string{output.TextFormat, output.JSONFormat, output.DOTFormat,
output.CSVFormat, output.MDFormat}
-var ExposureValidFormats = []string{output.TextFormat}
+var ExposureValidFormats = []string{output.TextFormat, output.DOTFormat}
// ConnlistAnalyzerOption is the type for specifying options for ConnlistAnalyzer,
// using Golang's Options Pattern (https://golang.cafe/blog/golang-functional-options-pattern.html).
diff --git a/pkg/netpol/connlist/connlist_test.go b/pkg/netpol/connlist/connlist_test.go
index b67030c7..a6947450 100644
--- a/pkg/netpol/connlist/connlist_test.go
+++ b/pkg/netpol/connlist/connlist_test.go
@@ -18,7 +18,6 @@ const DirPathFunc = "ConnlistFromDirPath"
const currentPkg = "connlist"
const notEmptyMsg = "expecting non-empty analysis res"
-var allFormats = []string{output.TextFormat, output.JSONFormat, output.CSVFormat, output.MDFormat, output.DOTFormat}
var connlistTestedAPIS = []string{ResourceInfosFunc, DirPathFunc}
/*
@@ -574,31 +573,31 @@ var goodPathTests = []struct {
},
{
testDirName: "acs_security_frontend_demos",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "demo_app_with_routes_and_ingress",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "k8s_ingress_test",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "multiple_ingress_objects_with_different_ports",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "one_ingress_multiple_ports",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "one_ingress_multiple_services",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "acs-security-demos",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "acs-security-demos-with-netpol-list",
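Review bot: Taking `outputFormats` from the production slice `ValidFormats` (and, in the exposure cases of the later hunk, from `ExposureValidFormats`) means these cases no longer pin which formats have to work. If a format is dropped from either list by mistake, the test table shrinks with it and the suite still passes, whereas the removed test-local `allFormats` was an independent expectation. Consider keeping test-local lists, or adding one assertion that each production list contains exactly the expected formats. The same applies to the `netpol-analysis-example-minimal` hunk and to the exposure hunk that follows; `goodPathTests` starts and ends outside this hunk.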
@@ -614,7 +613,7 @@ var goodPathTests = []struct {
},
{
testDirName: "netpol-analysis-example-minimal",
- outputFormats: allFormats,
+ outputFormats: ValidFormats,
},
{
testDirName: "with_end_port_example",
@@ -753,71 +752,86 @@ var goodPathTests = []struct {
{
testDirName: "acs-security-demos",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_allow_all",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_allow_all_in_cluster",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_allow_egress_deny_ingress",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_allow_ingress_deny_egress",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_matched_and_unmatched_rules",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_only_matched_rules",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_multiple_unmatched_rules",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_new_namespace_conn_and_entire_cluster",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_same_unmatched_rule_in_ingress_egress",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_with_no_netpols",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_egress_to_entire_cluster_with_named_ports",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_ingress_from_entire_cluster_with_named_ports",
exposureAnalysis: true,
- outputFormats: []string{output.TextFormat},
+ outputFormats: ExposureValidFormats,
},
{
testDirName: "test_egress_exposure_with_named_port",
exposureAnalysis: true,
+ outputFormats: ExposureValidFormats,
+ },
+ {
+ testDirName: "test_exposure_to_namespace_with_multiple_labels",
+ exposureAnalysis: true,
+ outputFormats: ExposureValidFormats,
+ },
+ {
+ testDirName: "test_pod_exposed_only_to_representative_peers",
+ exposureAnalysis: false,
outputFormats: []string{output.TextFormat},
},
+ {
+ testDirName: "test_pod_exposed_only_to_representative_peers",
+ exposureAnalysis: true,
+ outputFormats: ExposureValidFormats,
+ },
}
diff --git a/pkg/netpol/connlist/conns_formatter_dot.go b/pkg/netpol/connlist/conns_formatter_dot.go
index fba0ff2f..12ff7022 100644
--- a/pkg/netpol/connlist/conns_formatter_dot.go
+++ b/pkg/netpol/connlist/conns_formatter_dot.go
@@ -10,21 +10,29 @@ import (
)
const (
- ipColor = "red2"
- nonIPPeerColor = "blue"
+ ipColor = "red2"
+ nonIPPeerColor = "blue"
+ representativeObjColor = "red2"
+ entireClusterShape = " shape=diamond"
+ peerLineClosing = "]"
+ allPeersLbl = "all pods"
)
+var edgeLineFormat = fmt.Sprintf("\t%%q -> %%q [label=%%q color=\"gold2\" fontcolor=\"darkgreen\"]")
+var peerLineFormatPrefix = fmt.Sprintf("\t%%q [label=%%q color=%%q fontcolor=%%q")
+
// formatDOT: implements the connsFormatter interface for dot output format
type formatDOT struct {
}
-// formats an edge line from a singleConnFields struct , to be used for dot graph
+// getEdgeLine formats an edge line from a Peer2PeerConnection struct , to be used for dot graph
func getEdgeLine(c Peer2PeerConnection) string {
connStr := common.ConnStrFromConnProperties(c.AllProtocolsAndPorts(), c.ProtocolsAndPorts())
- return fmt.Sprintf("\t%q -> %q [label=%q color=\"gold2\" fontcolor=\"darkgreen\"]", c.Src().String(), c.Dst().String(), connStr)
+ return fmt.Sprintf(edgeLineFormat, c.Src().String(), c.Dst().String(), connStr)
}
-// returns the peer label and color to be represented in the graph, and whether the peer is external to cluster's namespaces
+// peerNameAndColorByType returns the peer label and color to be represented in the graph, and whether the peer is
+// external to cluster's namespaces
func peerNameAndColorByType(peer Peer) (nameLabel, color string, isExternal bool) {
if peer.IsPeerIPType() {
return peer.String(), ipColor, true
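Review bot: `edgeLineFormat` and `peerLineFormatPrefix` call `fmt.Sprintf` with no arguments, only to turn `%%q` into `%q`, and linters typically flag that as an unnecessary Sprintf. Both can sit in the const block above as plain strings: `edgeLineFormat = "\t%q -> %q [label=%q color=\"gold2\" fontcolor=\"darkgreen\"]"` and `peerLineFormatPrefix = "\t%q [label=%q color=%q fontcolor=%q"`. As constants they cannot be reassigned at run time, and `peerLineFormatPrefix+peerLineClosing` stays a constant expression, so vet's printf check can still match verbs against arguments in getEdgeLine, getPeerLine and the new helpers.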
@@ -34,49 +42,139 @@ func peerNameAndColorByType(peer Peer) (nameLabel, color string, isExternal bool
return dotformatting.NodeClusterPeerLabel(peer.Name(), peer.Kind()), nonIPPeerColor, false
}
-// formats a peer line for dot graph
+// getPeerLine formats a peer line for dot graph
func getPeerLine(peer Peer) (string, bool) {
peerNameLabel, peerColor, isExternalPeer := peerNameAndColorByType(peer)
- return fmt.Sprintf("\t%q [label=%q color=%q fontcolor=%q]", peer.String(), peerNameLabel, peerColor, peerColor), isExternalPeer
+ return fmt.Sprintf(peerLineFormatPrefix+peerLineClosing, peer.String(), peerNameLabel, peerColor, peerColor), isExternalPeer
}
// returns a dot string form of connections from list of Peer2PeerConnection objects
-// this format is not supported with exposure analysis; exposureConns is not used;
+// and from exposure-analysis results if exists
func (d *formatDOT) writeOutput(conns []Peer2PeerConnection, exposureConns []ExposedPeer) (string, error) {
+ // 1. declaration of maps and slices to be used for forming the graph lines
nsPeers := make(map[string][]string) // map from namespace to its peers (grouping peers by namespaces)
+ nsRepPeers := make(map[string][]string) // map from representative namespace to its representative peers
externalPeersLines := make([]string, 0) // list of peers which are not in a cluster's namespace (will not be grouped)
- edgeLines := make([]string, len(conns)) // list of edges lines
+ edgeLines := make([]string, 0) // list of edges lines (connections of connlist + exposure)
peersVisited := make(map[string]bool, 0) // acts as a set
- for index := range conns {
- srcStr, dstStr := conns[index].Src().String(), conns[index].Dst().String()
- edgeLines[index] = getEdgeLine(conns[index])
- if !peersVisited[srcStr] {
- peersVisited[srcStr] = true
- peerLine, isExternalPeer := getPeerLine(conns[index].Src())
- if isExternalPeer { // peer that does not belong to a cluster's namespace (i.e. ip/ ingress-controller)
- externalPeersLines = append(externalPeersLines, peerLine)
- } else { // add to Ns group
- dotformatting.AddPeerToNsGroup(conns[index].Src().Namespace(), peerLine, nsPeers)
- }
- }
- if !peersVisited[dstStr] {
- peersVisited[dstStr] = true
- peerLine, isExternalPeer := getPeerLine(conns[index].Dst())
- if isExternalPeer {
- externalPeersLines = append(externalPeersLines, peerLine)
- } else {
- dotformatting.AddPeerToNsGroup(conns[index].Dst().Namespace(), peerLine, nsPeers)
- }
- }
- }
- // sort graph lines
+ // 2. add connlist results to the graph lines
+ connsEdges, connsExternalPeers := addConnlistOutputData(conns, nsPeers, peersVisited)
+ edgeLines = append(edgeLines, connsEdges...)
+ externalPeersLines = append(externalPeersLines, connsExternalPeers...)
+ // 3. add exposure-analysis results to the graph lines
+ entireClusterLine, exposureEdges := addExposureOutputData(exposureConns, peersVisited, nsPeers, nsRepPeers)
+ externalPeersLines = append(externalPeersLines, entireClusterLine...)
+ edgeLines = append(edgeLines, exposureEdges...)
+ // 4. sort graph lines
sort.Strings(edgeLines)
sort.Strings(externalPeersLines)
- // collect all lines by order
+ // 5. collect all lines by order
allLines := []string{dotformatting.DotHeader}
- allLines = append(allLines, dotformatting.AddNsGroups(nsPeers)...)
+ allLines = append(allLines, dotformatting.AddNsGroups(nsPeers, dotformatting.DefaultNsGroupColor)...)
+ allLines = append(allLines, dotformatting.AddNsGroups(nsRepPeers, representativeObjColor)...)
allLines = append(allLines, externalPeersLines...)
allLines = append(allLines, edgeLines...)
allLines = append(allLines, dotformatting.DotClosing)
return strings.Join(allLines, newLineChar), nil
}
+
+// addConnlistOutputData updates namespace peers groups and returns edge lines and external peers lines from connlist results
+func addConnlistOutputData(conns []Peer2PeerConnection, nsPeers map[string][]string,
+ peersVisited map[string]bool) (eLines, externalPeersLines []string) {
+ edgeLines := make([]string, len(conns))
+ for index := range conns {
+ edgeLines[index] = getEdgeLine(conns[index])
+ externalPeersLines = append(externalPeersLines, addConnlistPeerLine(conns[index].Src(), nsPeers, peersVisited)...)
+ externalPeersLines = append(externalPeersLines, addConnlistPeerLine(conns[index].Dst(), nsPeers, peersVisited)...)
+ }
+ return edgeLines, externalPeersLines
+}
+
+// addConnlistPeerLine if the given peer is not visited yet, adds it to the relevant lines' group (namespace group/ external)
+func addConnlistPeerLine(peer Peer, nsPeers map[string][]string, peersVisited map[string]bool) (externalPeerLine []string) {
+ if !peersVisited[peer.String()] {
+ peersVisited[peer.String()] = true
+ peerLine, isExternalPeer := getPeerLine(peer)
+ if isExternalPeer { // peer that does not belong to a cluster's namespace (i.e. ip/ ingress-controller)
+ externalPeerLine = []string{peerLine}
+ } else { // add to Ns group
+ dotformatting.AddPeerToNsGroup(peer.Namespace(), peerLine, nsPeers)
+ }
+ }
+ return externalPeerLine
+}
+
+// addExposureOutputData gets the exposure-analysis results, updates the namespaces peers groups lines for both real exposed peers and
+// representative peers and returns the exposure edges and entire cluster line (as external peer line)
+func addExposureOutputData(exposureConns []ExposedPeer, peersVisited map[string]bool,
+ nsPeers, nsRepPeers map[string][]string) (entireClusterLine, exposureEdges []string) {
+ representativeVisited := make(map[string]bool, 0) // acts as a set
+ for _, ep := range exposureConns {
+ if !peersVisited[ep.ExposedPeer().String()] { // an exposed peer is a real peer from the manifests,
+ // updated in the real namespaces map
+ exposedPeerLine, _ := getPeerLine(ep.ExposedPeer())
+ dotformatting.AddPeerToNsGroup(ep.ExposedPeer().Namespace(), exposedPeerLine, nsPeers)
+ }
+ ingressExpEdges := getXgressExposureEdges(ep.ExposedPeer().String(), ep.IngressExposure(), ep.IsProtectedByIngressNetpols(),
+ true, representativeVisited, nsRepPeers)
+ exposureEdges = append(exposureEdges, ingressExpEdges...)
+ egressExpEdges := getXgressExposureEdges(ep.ExposedPeer().String(), ep.EgressExposure(), ep.IsProtectedByEgressNetpols(),
+ false, representativeVisited, nsRepPeers)
+ exposureEdges = append(exposureEdges, egressExpEdges...)
+ }
+ // if the entire-cluster marked as visited add its line too (this ensures the entire-cluster is added only once to the graph)
+ if representativeVisited[entireCluster] {
+ entireClusterLine = []string{getEntireClusterLine()}
+ }
+ return entireClusterLine, exposureEdges
+}
+
+// getXgressExposureEdges returns the edges' lines of the exposure data in the given direction ingress/egress
+func getXgressExposureEdges(exposedPeerStr string, xgressExpData []XgressExposureData, isProtected, isIngress bool,
+ representativeVisited map[string]bool, nsRepPeers map[string][]string) (xgressEdges []string) {
+ if !isProtected { // a connection to entire cluster is enabled, (connection to all ips is already in the graph)
+ representativeVisited[entireCluster] = true
+ xgressEdges = append(xgressEdges, getExposureEdgeLine(exposedPeerStr, entireCluster, isIngress, common.MakeConnectionSet(true)))
+ } else { // protected, having exposure details
+ for _, data := range xgressExpData {
+ if data.IsExposedToEntireCluster() {
+ representativeVisited[entireCluster] = true
+ xgressEdges = append(xgressEdges, getExposureEdgeLine(exposedPeerStr, entireCluster, isIngress,
+ data.PotentialConnectivity().(*common.ConnectionSet)))
+ continue // if a data contains exposure to entire cluster it does not specify labels
+ }
+ // @todo consider data.PodLabels
+ if len(data.NamespaceLabels()) > 0 {
+ nsRepLabel := convertLabelsMapToString(data.NamespaceLabels())
+ repPeersStr := allPeersLbl + "_in_" + nsRepLabel // used for getting a unique node name for the peer in the graph
+ if !representativeVisited[repPeersStr] {
+ representativeVisited[repPeersStr] = true
+ dotformatting.AddPeerToNsGroup(peerStrWithNsLabels(data.NamespaceLabels()), getRepPeerLine(repPeersStr), nsRepPeers)
+ }
+ xgressEdges = append(xgressEdges, getExposureEdgeLine(exposedPeerStr, repPeersStr, isIngress,
+ data.PotentialConnectivity().(*common.ConnectionSet)))
+ }
+ }
+ }
+ return xgressEdges
+}
+
+// getEntireClusterLine formats entire cluster line for dot graph
+func getEntireClusterLine() string {
+ return fmt.Sprintf(peerLineFormatPrefix+entireClusterShape+peerLineClosing, entireCluster, entireCluster, representativeObjColor,
+ representativeObjColor)
+}
+
+// getExposureEdgeLine formats an exposure connection edge line for dot graph
+func getExposureEdgeLine(realPeerStr, repPeerStr string, isIngress bool, conn *common.ConnectionSet) string {
+ if isIngress {
+ return fmt.Sprintf(edgeLineFormat, repPeerStr, realPeerStr, conn.String())
+ }
+ return fmt.Sprintf(edgeLineFormat, realPeerStr, repPeerStr, conn.String())
+}
+
+// getRepPeerLine formats a representative peer line for dot graph
+func getRepPeerLine(peerStr string) string {
+ // todo : support cases of peer is representative is with pod selector labels
+ return fmt.Sprintf(peerLineFormatPrefix+peerLineClosing, peerStr, allPeersLbl, representativeObjColor, representativeObjColor)
+}
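Review bot: Both `data.PotentialConnectivity().(*common.ConnectionSet)` assertions in getXgressExposureEdges are unchecked, so any other concrete type behind that return value would panic during formatting rather than surface through the `error` that writeOutput already returns. The return type is not visible in this diff, so this may be unreachable today, but the two-value form costs little: `conn, ok := data.PotentialConnectivity().(*common.ConnectionSet)`, with an error propagated through addExposureOutputData to writeOutput when `ok` is false. Separately, addExposureOutputData reads `peersVisited` for the exposed peer but never sets it, which presumably relies on each exposed peer appearing only once in `exposureConns`; a one-line comment stating that assumption would help the next reader.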
diff --git a/pkg/netpol/diff/diff_formatter_dot.go b/pkg/netpol/diff/diff_formatter_dot.go
index d4956a92..f5cf28f6 100644
--- a/pkg/netpol/diff/diff_formatter_dot.go
+++ b/pkg/netpol/diff/diff_formatter_dot.go
@@ -51,7 +51,7 @@ func (df *diffFormatDOT) writeDiffOutput(connsDiff ConnectivityDiff) (string, er
// write graph
allLines := []string{dotformatting.DotHeader}
- allLines = append(allLines, dotformatting.AddNsGroups(nsPeers)...)
+ allLines = append(allLines, dotformatting.AddNsGroups(nsPeers, dotformatting.DefaultNsGroupColor)...)
allLines = append(allLines, externalPeersLines...)
allLines = append(allLines, edgeLines...)
allLines = append(allLines, ingressAnalyzerEdges...)
diff --git a/pkg/netpol/internal/dotformatting/dot_output_formatting.go b/pkg/netpol/internal/dotformatting/dot_output_formatting.go
index c7c82ea9..84b77624 100644
--- a/pkg/netpol/internal/dotformatting/dot_output_formatting.go
+++ b/pkg/netpol/internal/dotformatting/dot_output_formatting.go
@@ -1,14 +1,16 @@
package dotformatting
import (
+ "fmt"
"sort"
"strings"
)
// common dot output formatting consts and funcs
const (
- DotHeader = "digraph {"
- DotClosing = "}"
+ DotHeader = "digraph {"
+ DotClosing = "}"
+ DefaultNsGroupColor = "black"
)
// AddPeerToNsGroup adds the peer line to the namespace list in the given map.
@@ -26,7 +28,7 @@ func NodeClusterPeerLabel(name, kind string) string {
// AddNsGroups gets namespace to peers-lines map, writes a dot subgraph for each namespace with its peers' lines
// returns all subgraphs sorted by namespace name and each subgraph internally sorted by peers' names
-func AddNsGroups(nsPeersMap map[string][]string) []string {
+func AddNsGroups(nsPeersMap map[string][]string, subgraphColor string) []string {
res := []string{}
// sort namespaces (map's keys) to ensure same output always
nsKeys := sortMapKeys(nsPeersMap)
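Review bot: The doc comment on AddNsGroups still describes only the map argument, although the signature now takes `subgraphColor`. Going by the next hunk, one added line would cover it: `// subgraphColor is written as both the color and the fontcolor attribute of every generated subgraph.` The function body continues outside this hunk.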
@@ -35,8 +37,10 @@ func AddNsGroups(nsPeersMap map[string][]string) []string {
peersLines := nsPeersMap[ns]
sort.Strings(peersLines)
// create ns subgraph cluster
- nsLabel := strings.ReplaceAll(ns, "-", "_") // dot format does not accept "-" in its sub-graphs names (headers)
- nsLines := []string{"\tsubgraph cluster_" + nsLabel + " {"} // subgraph header
+ nsLabel := strings.ReplaceAll(ns, "-", "_") // dot format does not accept "-" in its sub-graphs names (headers)
+ nsLines := []string{"\tsubgraph " + "\"cluster_" + nsLabel + "\" {"} // subgraph header
+ nsLines = append(nsLines, fmt.Sprintf("\t\tcolor=%q", subgraphColor),
+ fmt.Sprintf("\t\tfontcolor=%q", subgraphColor))
nsLines = append(nsLines, peersLines...)
nsLines = append(nsLines, "\t\tlabel=\""+ns+"\"", "\t}")
// add ns section to the res
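Review bot: The subgraph header and the `label=` line splice `nsLabel` and `ns` in between hand-written quotes, while the new color lines beside them use `%q`. With this commit the map key is no longer always a namespace name: the connlist formatter also passes groups keyed by `peerStrWithNsLabels(...)`, built from policy selector labels, and its output format is not visible here. If such a key can ever contain `"` or `\`, it ends the quoted ID early and the rest is parsed as DOT. Formatting both the same way closes that gap: `fmt.Sprintf("\tsubgraph %q {", "cluster_"+nsLabel)` and `fmt.Sprintf("\t\tlabel=%q", ns)`. Go's `%q` is close to DOT quoting but not identical, and it should leave the current golden files unchanged for ordinary names. The "does not accept -" comment also looks stale now that the ID is quoted.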
diff --git a/test_outputs/cli/onlineboutique_workloads_focus_workload_emailservice_connlist_output.dot b/test_outputs/cli/onlineboutique_workloads_focus_workload_emailservice_connlist_output.dot
index a93f1036..081ed821 100644
--- a/test_outputs/cli/onlineboutique_workloads_focus_workload_emailservice_connlist_output.dot
+++ b/test_outputs/cli/onlineboutique_workloads_focus_workload_emailservice_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/checkoutservice[Deployment]" [label="checkoutservice[Deployment]" color="blue" fontcolor="blue"]
"default/emailservice[Deployment]" [label="emailservice[Deployment]" color="blue" fontcolor="blue"]
label="default"
diff --git a/test_outputs/connlist/acs-security-demos_connlist_output.dot b/test_outputs/connlist/acs-security-demos_connlist_output.dot
index 34494b17..2c1771f4 100644
--- a/test_outputs/connlist/acs-security-demos_connlist_output.dot
+++ b/test_outputs/connlist/acs-security-demos_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_backend {
+ subgraph "cluster_backend" {
+ color="black"
+ fontcolor="black"
"backend/catalog[Deployment]" [label="catalog[Deployment]" color="blue" fontcolor="blue"]
"backend/checkout[Deployment]" [label="checkout[Deployment]" color="blue" fontcolor="blue"]
"backend/notification[Deployment]" [label="notification[Deployment]" color="blue" fontcolor="blue"]
@@ -8,12 +10,16 @@ digraph {
"backend/shipping[Deployment]" [label="shipping[Deployment]" color="blue" fontcolor="blue"]
label="backend"
}
- subgraph cluster_frontend {
+ subgraph "cluster_frontend" {
+ color="black"
+ fontcolor="black"
"frontend/asset-cache[Deployment]" [label="asset-cache[Deployment]" color="blue" fontcolor="blue"]
"frontend/webapp[Deployment]" [label="webapp[Deployment]" color="blue" fontcolor="blue"]
label="frontend"
}
- subgraph cluster_payments {
+ subgraph "cluster_payments" {
+ color="black"
+ fontcolor="black"
"payments/gateway[Deployment]" [label="gateway[Deployment]" color="blue" fontcolor="blue"]
"payments/mastercard-processor[Deployment]" [label="mastercard-processor[Deployment]" color="blue" fontcolor="blue"]
"payments/visa-processor[Deployment]" [label="visa-processor[Deployment]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/connlist/demo_app_with_routes_and_ingress_connlist_output.dot b/test_outputs/connlist/demo_app_with_routes_and_ingress_connlist_output.dot
index f6f0726f..d141a1d0 100644
--- a/test_outputs/connlist/demo_app_with_routes_and_ingress_connlist_output.dot
+++ b/test_outputs/connlist/demo_app_with_routes_and_ingress_connlist_output.dot
@@ -1,13 +1,19 @@
digraph {
- subgraph cluster_helloworld {
+ subgraph "cluster_helloworld" {
+ color="black"
+ fontcolor="black"
"helloworld/hello-world[Deployment]" [label="hello-world[Deployment]" color="blue" fontcolor="blue"]
label="helloworld"
}
- subgraph cluster_ingressworld {
+ subgraph "cluster_ingressworld" {
+ color="black"
+ fontcolor="black"
"ingressworld/ingress-world[Deployment]" [label="ingress-world[Deployment]" color="blue" fontcolor="blue"]
label="ingressworld"
}
- subgraph cluster_routeworld {
+ subgraph "cluster_routeworld" {
+ color="black"
+ fontcolor="black"
"routeworld/route-world[Deployment]" [label="route-world[Deployment]" color="blue" fontcolor="blue"]
label="routeworld"
}
diff --git a/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot b/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot
new file mode 100644
index 00000000..be08ac3b
--- /dev/null
+++ b/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot
@@ -0,0 +1,51 @@
+digraph {
+ subgraph "cluster_backend" {
+ color="black"
+ fontcolor="black"
+ "backend/catalog[Deployment]" [label="catalog[Deployment]" color="blue" fontcolor="blue"]
+ "backend/checkout[Deployment]" [label="checkout[Deployment]" color="blue" fontcolor="blue"]
+ "backend/notification[Deployment]" [label="notification[Deployment]" color="blue" fontcolor="blue"]
+ "backend/recommendation[Deployment]" [label="recommendation[Deployment]" color="blue" fontcolor="blue"]
+ "backend/reports[Deployment]" [label="reports[Deployment]" color="blue" fontcolor="blue"]
+ "backend/shipping[Deployment]" [label="shipping[Deployment]" color="blue" fontcolor="blue"]
+ label="backend"
+ }
+ subgraph "cluster_frontend" {
+ color="black"
+ fontcolor="black"
+ "frontend/asset-cache[Deployment]" [label="asset-cache[Deployment]" color="blue" fontcolor="blue"]
+ "frontend/webapp[Deployment]" [label="webapp[Deployment]" color="blue" fontcolor="blue"]
+ label="frontend"
+ }
+ subgraph "cluster_payments" {
+ color="black"
+ fontcolor="black"
+ "payments/gateway[Deployment]" [label="gateway[Deployment]" color="blue" fontcolor="blue"]
+ "payments/mastercard-processor[Deployment]" [label="mastercard-processor[Deployment]" color="blue" fontcolor="blue"]
+ "payments/visa-processor[Deployment]" [label="visa-processor[Deployment]" color="blue" fontcolor="blue"]
+ label="payments"
+ }
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "{ingress-controller}" [label="{ingress-controller}" color="blue" fontcolor="blue"]
+ "backend/checkout[Deployment]" -> "backend/notification[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "backend/checkout[Deployment]" -> "backend/recommendation[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "backend/checkout[Deployment]" -> "entire-cluster" [label="UDP 5353" color="gold2" fontcolor="darkgreen"]
+ "backend/checkout[Deployment]" -> "payments/gateway[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "backend/recommendation[Deployment]" -> "backend/catalog[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "backend/recommendation[Deployment]" -> "entire-cluster" [label="UDP 5353" color="gold2" fontcolor="darkgreen"]
+ "backend/reports[Deployment]" -> "backend/catalog[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "backend/reports[Deployment]" -> "backend/recommendation[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "backend/reports[Deployment]" -> "entire-cluster" [label="UDP 5353" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "frontend/asset-cache[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "frontend/webapp[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "frontend/webapp[Deployment]" -> "backend/checkout[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "frontend/webapp[Deployment]" -> "backend/recommendation[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "frontend/webapp[Deployment]" -> "backend/reports[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "frontend/webapp[Deployment]" -> "backend/shipping[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "frontend/webapp[Deployment]" -> "entire-cluster" [label="UDP 5353" color="gold2" fontcolor="darkgreen"]
+ "payments/gateway[Deployment]" -> "entire-cluster" [label="UDP 5353" color="gold2" fontcolor="darkgreen"]
+ "payments/gateway[Deployment]" -> "payments/mastercard-processor[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "payments/gateway[Deployment]" -> "payments/visa-processor[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "{ingress-controller}" -> "frontend/asset-cache[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+ "{ingress-controller}" -> "frontend/webapp[Deployment]" [label="TCP 8080" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot.png b/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot.png
new file mode 100644
index 00000000..7f50b1da
Binary files /dev/null and b/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot.svg b/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot.svg
new file mode 100644
index 00000000..02ff911a
--- /dev/null
+++ b/test_outputs/connlist/exposure_acs-security-demos_connlist_output.dot.svg
@@ -0,0 +1,252 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot b/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot
new file mode 100644
index 00000000..c8063873
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot
@@ -0,0 +1,14 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot.png b/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot.png
new file mode 100644
index 00000000..753459cd
Binary files /dev/null and b/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot.svg
new file mode 100644
index 00000000..4470ca01
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_all_connlist_output.dot.svg
@@ -0,0 +1,63 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot b/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot
new file mode 100644
index 00000000..7691d155
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot
@@ -0,0 +1,11 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot.png b/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot.png
new file mode 100644
index 00000000..2cfba6e5
Binary files /dev/null and b/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot.svg
new file mode 100644
index 00000000..563b131a
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_all_in_cluster_connlist_output.dot.svg
@@ -0,0 +1,43 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot b/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot
new file mode 100644
index 00000000..b1b4b934
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot
@@ -0,0 +1,12 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot.png b/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot.png
new file mode 100644
index 00000000..a0185708
Binary files /dev/null and b/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot.svg
new file mode 100644
index 00000000..2e61b233
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_egress_deny_ingress_connlist_output.dot.svg
@@ -0,0 +1,49 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot b/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot
new file mode 100644
index 00000000..946354ef
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot
@@ -0,0 +1,12 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot.png b/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot.png
new file mode 100644
index 00000000..3fea97cf
Binary files /dev/null and b/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot.svg
new file mode 100644
index 00000000..dd9b903a
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_allow_ingress_deny_egress_connlist_output.dot.svg
@@ -0,0 +1,49 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot b/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot
new file mode 100644
index 00000000..74b2f34d
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot
@@ -0,0 +1,17 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ subgraph "cluster_namespace with foo.com/managed_state=managed" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_foo.com/managed-state=managed" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with foo.com/managed-state=managed"
+ }
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="TCP 8000" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "all pods_in_foo.com/managed-state=managed" [label="TCP http" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
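Review bot: The subgraph ID `"cluster_namespace with foo.com/managed_state=managed"` no longer matches its own `label` or the node ID `"all pods_in_foo.com/managed-state=managed"`, both of which keep the hyphen. The generator appears to rewrite `-` to `_` when building cluster IDs (`hello-world` also becomes `cluster_hello_world`), which was presumably needed only while the ID was emitted unquoted. Graphviz merges subgraphs that share a name, so two label selectors differing only in `-` versus `_` would be drawn as one box, and the exposure picture would then be wrong. Now that the ID is quoted, I would emit the name unchanged, e.g. `subgraph "cluster_namespace with foo.com/managed-state=managed" {`. The same pattern appears in the multiple_unmatched_rules, new_namespace_conn_and_entire_cluster, pod_exposed_only_to_representative_peers and same_unmatched_rule_in_ingress_egress fixtures.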
diff --git a/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot.png b/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot.png
new file mode 100644
index 00000000..ddf33d44
Binary files /dev/null and b/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot.svg
new file mode 100644
index 00000000..ee67f6f7
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.dot.svg
@@ -0,0 +1,54 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot b/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot
new file mode 100644
index 00000000..cb4661d3
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot
@@ -0,0 +1,13 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="TCP http,local-dns" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot.png b/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot.png
new file mode 100644
index 00000000..9bc187a7
Binary files /dev/null and b/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot.svg
new file mode 100644
index 00000000..f383374c
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_egress_to_entire_cluster_with_named_ports_connlist_output.dot.svg
@@ -0,0 +1,56 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot
new file mode 100644
index 00000000..276d8c3c
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot
@@ -0,0 +1,19 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ subgraph "cluster_namespace with effect=NoSchedule,release=stable" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_effect=NoSchedule,release=stable" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with effect=NoSchedule,release=stable"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "all pods_in_effect=NoSchedule,release=stable" -> "hello-world/workload-a[Deployment]" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot.png b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot.png
new file mode 100644
index 00000000..f8081292
Binary files /dev/null and b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot.svg
new file mode 100644
index 00000000..624401d9
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.dot.svg
@@ -0,0 +1,67 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.txt b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.txt
new file mode 100644
index 00000000..c0346b9d
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.txt
@@ -0,0 +1,12 @@
+hello-world/workload-a[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+
+Exposure Analysis Result:
+Egress Exposure:
+hello-world/workload-a[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+hello-world/workload-a[Deployment] => entire-cluster : All Connections
+
+Ingress Exposure:
+hello-world/workload-a[Deployment] <= namespace with effect=NoSchedule,release=stable : TCP 8050
+
+Workloads not protected by network policies:
+hello-world/workload-a[Deployment] is not protected on Egress
diff --git a/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot b/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot
new file mode 100644
index 00000000..3b9c32a0
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot
@@ -0,0 +1,13 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="TCP 8000,8090" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot.png b/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot.png
new file mode 100644
index 00000000..577f3884
Binary files /dev/null and b/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot.svg
new file mode 100644
index 00000000..e62a2c8b
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_ingress_from_entire_cluster_with_named_ports_connlist_output.dot.svg
@@ -0,0 +1,56 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot b/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot
new file mode 100644
index 00000000..f38b4b98
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot
@@ -0,0 +1,20 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ "hello-world/workload-b[Deployment]" [label="workload-b[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot.png b/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot.png
new file mode 100644
index 00000000..8bd11244
Binary files /dev/null and b/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot.svg
new file mode 100644
index 00000000..e2d1206d
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_matched_and_unmatched_rules_connlist_output.dot.svg
@@ -0,0 +1,104 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot b/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot
new file mode 100644
index 00000000..ed9c1971
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot
@@ -0,0 +1,33 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ subgraph "cluster_namespace with effect=NoSchedule" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_effect=NoSchedule" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with effect=NoSchedule"
+ }
+ subgraph "cluster_namespace with foo.com/managed_state=managed" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_foo.com/managed-state=managed" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with foo.com/managed-state=managed"
+ }
+ subgraph "cluster_namespace with release=stable" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_release=stable" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with release=stable"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "all pods_in_effect=NoSchedule" -> "hello-world/workload-a[Deployment]" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+ "all pods_in_foo.com/managed-state=managed" -> "hello-world/workload-a[Deployment]" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+ "all pods_in_release=stable" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot.png b/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot.png
new file mode 100644
index 00000000..c81990cb
Binary files /dev/null and b/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot.svg
new file mode 100644
index 00000000..4acad08c
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.dot.svg
@@ -0,0 +1,103 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot b/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot
new file mode 100644
index 00000000..9ee54a8d
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot
@@ -0,0 +1,27 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ "hello-world/workload-b[Deployment]" [label="workload-b[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ subgraph "cluster_namespace with foo.com/managed_state=managed" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_foo.com/managed-state=managed" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with foo.com/managed-state=managed"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "all pods_in_foo.com/managed-state=managed" -> "hello-world/workload-a[Deployment]" [label="TCP 8050,8090" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot.png b/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot.png
new file mode 100644
index 00000000..b63b170e
Binary files /dev/null and b/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot.svg
new file mode 100644
index 00000000..0b3d6060
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.dot.svg
@@ -0,0 +1,122 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot b/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot
new file mode 100644
index 00000000..617e402c
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot
@@ -0,0 +1,17 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ "hello-world/workload-b[Deployment]" [label="workload-b[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "hello-world/workload-b[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot.png b/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot.png
new file mode 100644
index 00000000..8411c07d
Binary files /dev/null and b/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot.svg
new file mode 100644
index 00000000..a49f7010
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_only_matched_rules_connlist_output.dot.svg
@@ -0,0 +1,83 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot
new file mode 100644
index 00000000..b325367d
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot
@@ -0,0 +1,23 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ "hello-world/workload-b[Deployment]" [label="workload-b[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ subgraph "cluster_namespace with foo.com/managed_state=managed" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_foo.com/managed-state=managed" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with foo.com/managed-state=managed"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "all pods_in_foo.com/managed-state=managed" -> "hello-world/workload-b[Deployment]" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-b[Deployment]" -> "all pods_in_foo.com/managed-state=managed" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
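Review bot: This expected graph has no counterpart for the `Workloads not protected by network policies` section of the matching `.txt` fixture, so a reader of the DOT output cannot tell that `workload-a` is unprotected on both Ingress and Egress. The potential-exposure edges (to and from `entire-cluster` and the `all pods` representative node) also carry the same `color="gold2" fontcolor="darkgreen"` as the confirmed connection `"0.0.0.0-255.255.255.255" -> "hello-world/workload-a[Deployment]"`, leaving only the node colour to tell them apart. I would give exposure edges a distinct attribute, for example `style="dashed"`, and mark unprotected workloads on the node itself, or document in the format description that DOT deliberately omits this. The other exposure `.dot` fixtures in this commit share the same styling.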
diff --git a/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot.png b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot.png
new file mode 100644
index 00000000..4a7e5cd7
Binary files /dev/null and b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot.svg
new file mode 100644
index 00000000..5204e778
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.dot.svg
@@ -0,0 +1,94 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.txt b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.txt
new file mode 100644
index 00000000..02ad938a
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.txt
@@ -0,0 +1,17 @@
+0.0.0.0-255.255.255.255 => hello-world/workload-a[Deployment] : All Connections
+hello-world/workload-a[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+
+Exposure Analysis Result:
+Egress Exposure:
+hello-world/workload-a[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+hello-world/workload-a[Deployment] => entire-cluster : All Connections
+hello-world/workload-b[Deployment] => namespace with foo.com/managed-state=managed : TCP 8050
+
+Ingress Exposure:
+hello-world/workload-a[Deployment] <= 0.0.0.0-255.255.255.255 : All Connections
+hello-world/workload-a[Deployment] <= entire-cluster : All Connections
+hello-world/workload-b[Deployment] <= namespace with foo.com/managed-state=managed : TCP 8050
+
+Workloads not protected by network policies:
+hello-world/workload-a[Deployment] is not protected on Egress
+hello-world/workload-a[Deployment] is not protected on Ingress
diff --git a/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot b/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot
new file mode 100644
index 00000000..0958bec7
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot
@@ -0,0 +1,18 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ subgraph "cluster_namespace with foo.com/managed_state=managed" {
+ color="red2"
+ fontcolor="red2"
+ "all pods_in_foo.com/managed-state=managed" [label="all pods" color="red2" fontcolor="red2"]
+ label="namespace with foo.com/managed-state=managed"
+ }
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "all pods_in_foo.com/managed-state=managed" -> "hello-world/workload-a[Deployment]" [label="TCP 8000,8090" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="TCP 8000" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "all pods_in_foo.com/managed-state=managed" [label="TCP 8050" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot.png b/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot.png
new file mode 100644
index 00000000..f6969d8b
Binary files /dev/null and b/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot.svg
new file mode 100644
index 00000000..23d1fa62
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.dot.svg
@@ -0,0 +1,61 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot b/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot
new file mode 100644
index 00000000..c8063873
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot
@@ -0,0 +1,14 @@
+digraph {
+ subgraph "cluster_hello_world" {
+ color="black"
+ fontcolor="black"
+ "hello-world/workload-a[Deployment]" [label="workload-a[Deployment]" color="blue" fontcolor="blue"]
+ label="hello-world"
+ }
+ "0.0.0.0-255.255.255.255" [label="0.0.0.0-255.255.255.255" color="red2" fontcolor="red2"]
+ "entire-cluster" [label="entire-cluster" color="red2" fontcolor="red2" shape=diamond]
+ "0.0.0.0-255.255.255.255" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "entire-cluster" -> "hello-world/workload-a[Deployment]" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "0.0.0.0-255.255.255.255" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+ "hello-world/workload-a[Deployment]" -> "entire-cluster" [label="All Connections" color="gold2" fontcolor="darkgreen"]
+}
\ No newline at end of file
diff --git a/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot.png b/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot.png
new file mode 100644
index 00000000..753459cd
Binary files /dev/null and b/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot.png differ
diff --git a/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot.svg b/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot.svg
new file mode 100644
index 00000000..4470ca01
--- /dev/null
+++ b/test_outputs/connlist/exposure_test_with_no_netpols_connlist_output.dot.svg
@@ -0,0 +1,63 @@
+
+
+
+
+
diff --git a/test_outputs/connlist/k8s_ingress_test_connlist_output.dot b/test_outputs/connlist/k8s_ingress_test_connlist_output.dot
index 83348928..4d2e6f6f 100644
--- a/test_outputs/connlist/k8s_ingress_test_connlist_output.dot
+++ b/test_outputs/connlist/k8s_ingress_test_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/details-v1-79f774bdb9[ReplicaSet]" [label="details-v1-79f774bdb9[ReplicaSet]" color="blue" fontcolor="blue"]
"default/productpage-v1-6b746f74dc[ReplicaSet]" [label="productpage-v1-6b746f74dc[ReplicaSet]" color="blue" fontcolor="blue"]
"default/ratings-v1-b6994bb9[ReplicaSet]" [label="ratings-v1-b6994bb9[ReplicaSet]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/connlist/multiple_ingress_objects_with_different_ports_connlist_output.dot b/test_outputs/connlist/multiple_ingress_objects_with_different_ports_connlist_output.dot
index 5e112c6c..dc1b7b05 100644
--- a/test_outputs/connlist/multiple_ingress_objects_with_different_ports_connlist_output.dot
+++ b/test_outputs/connlist/multiple_ingress_objects_with_different_ports_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_ingressworld {
+ subgraph "cluster_ingressworld" {
+ color="black"
+ fontcolor="black"
"ingressworld/ingress-world-multiple-ports[Deployment]" [label="ingress-world-multiple-ports[Deployment]" color="blue" fontcolor="blue"]
label="ingressworld"
}
diff --git a/test_outputs/connlist/netpol-analysis-example-minimal_connlist_output.dot b/test_outputs/connlist/netpol-analysis-example-minimal_connlist_output.dot
index bf58a82f..630490fa 100644
--- a/test_outputs/connlist/netpol-analysis-example-minimal_connlist_output.dot
+++ b/test_outputs/connlist/netpol-analysis-example-minimal_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/backend[Deployment]" [label="backend[Deployment]" color="blue" fontcolor="blue"]
"default/frontend[Deployment]" [label="frontend[Deployment]" color="blue" fontcolor="blue"]
label="default"
diff --git a/test_outputs/connlist/one_ingress_multiple_ports_connlist_output.dot b/test_outputs/connlist/one_ingress_multiple_ports_connlist_output.dot
index cf16f0b0..533c652b 100644
--- a/test_outputs/connlist/one_ingress_multiple_ports_connlist_output.dot
+++ b/test_outputs/connlist/one_ingress_multiple_ports_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_ingressworld {
+ subgraph "cluster_ingressworld" {
+ color="black"
+ fontcolor="black"
"ingressworld/ingress-world-multiple-ports[Deployment]" [label="ingress-world-multiple-ports[Deployment]" color="blue" fontcolor="blue"]
label="ingressworld"
}
diff --git a/test_outputs/connlist/one_ingress_multiple_services_connlist_output.dot b/test_outputs/connlist/one_ingress_multiple_services_connlist_output.dot
index cf16f0b0..533c652b 100644
--- a/test_outputs/connlist/one_ingress_multiple_services_connlist_output.dot
+++ b/test_outputs/connlist/one_ingress_multiple_services_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_ingressworld {
+ subgraph "cluster_ingressworld" {
+ color="black"
+ fontcolor="black"
"ingressworld/ingress-world-multiple-ports[Deployment]" [label="ingress-world-multiple-ports[Deployment]" color="blue" fontcolor="blue"]
label="ingressworld"
}
diff --git a/test_outputs/connlist/onlineboutique_workloads_connlist_output.dot b/test_outputs/connlist/onlineboutique_workloads_connlist_output.dot
index d764ae47..b0c95558 100644
--- a/test_outputs/connlist/onlineboutique_workloads_connlist_output.dot
+++ b/test_outputs/connlist/onlineboutique_workloads_connlist_output.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/adservice[Deployment]" [label="adservice[Deployment]" color="blue" fontcolor="blue"]
"default/cartservice[Deployment]" [label="cartservice[Deployment]" color="blue" fontcolor="blue"]
"default/checkoutservice[Deployment]" [label="checkoutservice[Deployment]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/connlist/test_pod_exposed_only_to_representative_peers_connlist_output.txt b/test_outputs/connlist/test_pod_exposed_only_to_representative_peers_connlist_output.txt
new file mode 100644
index 00000000..9f5933e5
--- /dev/null
+++ b/test_outputs/connlist/test_pod_exposed_only_to_representative_peers_connlist_output.txt
@@ -0,0 +1,2 @@
+0.0.0.0-255.255.255.255 => hello-world/workload-a[Deployment] : All Connections
+hello-world/workload-a[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
\ No newline at end of file
diff --git a/test_outputs/diff/TsetOutputWithArgNamesOption_diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot b/test_outputs/diff/TsetOutputWithArgNamesOption_diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot
index 5a28b829..ffbf7231 100644
--- a/test_outputs/diff/TsetOutputWithArgNamesOption_diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot
+++ b/test_outputs/diff/TsetOutputWithArgNamesOption_diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/adservice[Deployment]" [label="adservice[Deployment]" color="blue" fontcolor="blue"]
"default/cartservice[Deployment]" [label="cartservice[Deployment]" color="blue" fontcolor="blue"]
"default/checkoutservice[Deployment]" [label="checkoutservice[Deployment]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/diff/diff_between_acs-security-demos-added-workloads_and_acs-security-demos.dot b/test_outputs/diff/diff_between_acs-security-demos-added-workloads_and_acs-security-demos.dot
index 6dcdd7ac..4f9d0f53 100644
--- a/test_outputs/diff/diff_between_acs-security-demos-added-workloads_and_acs-security-demos.dot
+++ b/test_outputs/diff/diff_between_acs-security-demos-added-workloads_and_acs-security-demos.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_backend {
+ subgraph "cluster_backend" {
+ color="black"
+ fontcolor="black"
"backend/catalog[Deployment]" [label="catalog[Deployment]" color="blue" fontcolor="blue"]
"backend/checkout[Deployment]" [label="checkout[Deployment]" color="blue" fontcolor="blue"]
"backend/notification[Deployment]" [label="notification[Deployment]" color="blue" fontcolor="blue"]
@@ -8,20 +10,26 @@ digraph {
"backend/shipping[Deployment]" [label="shipping[Deployment]" color="blue" fontcolor="blue"]
label="backend"
}
- subgraph cluster_frontend {
+ subgraph "cluster_frontend" {
+ color="black"
+ fontcolor="black"
"frontend/asset-cache[Deployment]" [label="asset-cache[Deployment]" color="blue" fontcolor="blue"]
"frontend/blog[Deployment]" [label="blog[Deployment]" color="#008000" fontcolor="#008000"]
"frontend/webapp[Deployment]" [label="webapp[Deployment]" color="blue" fontcolor="blue"]
label="frontend"
}
- subgraph cluster_payments {
+ subgraph "cluster_payments" {
+ color="black"
+ fontcolor="black"
"payments/gateway[Deployment]" [label="gateway[Deployment]" color="blue" fontcolor="blue"]
"payments/mastercard-processor[Deployment]" [label="mastercard-processor[Deployment]" color="blue" fontcolor="blue"]
"payments/visa-processor-v2[Deployment]" [label="visa-processor-v2[Deployment]" color="#008000" fontcolor="#008000"]
"payments/visa-processor[Deployment]" [label="visa-processor[Deployment]" color="blue" fontcolor="blue"]
label="payments"
}
- subgraph cluster_zeroday {
+ subgraph "cluster_zeroday" {
+ color="black"
+ fontcolor="black"
"zeroday/zeroday[Deployment]" [label="zeroday[Deployment]" color="#008000" fontcolor="#008000"]
label="zeroday"
}
diff --git a/test_outputs/diff/diff_between_acs-security-demos-new_and_acs-security-demos.dot b/test_outputs/diff/diff_between_acs-security-demos-new_and_acs-security-demos.dot
index d00b31e0..ef15efc7 100644
--- a/test_outputs/diff/diff_between_acs-security-demos-new_and_acs-security-demos.dot
+++ b/test_outputs/diff/diff_between_acs-security-demos-new_and_acs-security-demos.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_backend {
+ subgraph "cluster_backend" {
+ color="black"
+ fontcolor="black"
"backend/catalog[Deployment]" [label="catalog[Deployment]" color="blue" fontcolor="blue"]
"backend/checkout[Deployment]" [label="checkout[Deployment]" color="blue" fontcolor="blue"]
"backend/notification[Deployment]" [label="notification[Deployment]" color="blue" fontcolor="blue"]
@@ -8,16 +10,22 @@ digraph {
"backend/shipping[Deployment]" [label="shipping[Deployment]" color="blue" fontcolor="blue"]
label="backend"
}
- subgraph cluster_external {
+ subgraph "cluster_external" {
+ color="black"
+ fontcolor="black"
"external/unicorn[Deployment]" [label="unicorn[Deployment]" color="#008000" fontcolor="#008000"]
label="external"
}
- subgraph cluster_frontend {
+ subgraph "cluster_frontend" {
+ color="black"
+ fontcolor="black"
"frontend/asset-cache[Deployment]" [label="asset-cache[Deployment]" color="blue" fontcolor="blue"]
"frontend/webapp[Deployment]" [label="webapp[Deployment]" color="blue" fontcolor="blue"]
label="frontend"
}
- subgraph cluster_payments {
+ subgraph "cluster_payments" {
+ color="black"
+ fontcolor="black"
"payments/gateway[Deployment]" [label="gateway[Deployment]" color="blue" fontcolor="blue"]
"payments/mastercard-processor[Deployment]" [label="mastercard-processor[Deployment]" color="red" fontcolor="red"]
"payments/visa-processor[Deployment]" [label="visa-processor[Deployment]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/diff/diff_between_k8s_ingress_test_new_and_k8s_ingress_test.dot b/test_outputs/diff/diff_between_k8s_ingress_test_new_and_k8s_ingress_test.dot
index a8e7c4c7..a421118c 100644
--- a/test_outputs/diff/diff_between_k8s_ingress_test_new_and_k8s_ingress_test.dot
+++ b/test_outputs/diff/diff_between_k8s_ingress_test_new_and_k8s_ingress_test.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/details-v1-79f774bdb9[ReplicaSet]" [label="details-v1-79f774bdb9[ReplicaSet]" color="blue" fontcolor="blue"]
"default/productpage-v1-6b746f74dc[ReplicaSet]" [label="productpage-v1-6b746f74dc[ReplicaSet]" color="blue" fontcolor="blue"]
"default/ratings-v1-b6994bb9[ReplicaSet]" [label="ratings-v1-b6994bb9[ReplicaSet]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/diff/diff_between_multiple_ingress_objects_with_different_ports_new_and_multiple_ingress_objects_with_different_ports.dot b/test_outputs/diff/diff_between_multiple_ingress_objects_with_different_ports_new_and_multiple_ingress_objects_with_different_ports.dot
index 9c597dfe..ed977f87 100644
--- a/test_outputs/diff/diff_between_multiple_ingress_objects_with_different_ports_new_and_multiple_ingress_objects_with_different_ports.dot
+++ b/test_outputs/diff/diff_between_multiple_ingress_objects_with_different_ports_new_and_multiple_ingress_objects_with_different_ports.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_ingressworld {
+ subgraph "cluster_ingressworld" {
+ color="black"
+ fontcolor="black"
"ingressworld/ingress-world-multiple-ports[Deployment]" [label="ingress-world-multiple-ports[Deployment]" color="blue" fontcolor="blue"]
label="ingressworld"
}
diff --git a/test_outputs/diff/diff_between_netpol-diff-example-minimal_and_netpol-analysis-example-minimal.dot b/test_outputs/diff/diff_between_netpol-diff-example-minimal_and_netpol-analysis-example-minimal.dot
index 003c02d4..2c89c1f8 100644
--- a/test_outputs/diff/diff_between_netpol-diff-example-minimal_and_netpol-analysis-example-minimal.dot
+++ b/test_outputs/diff/diff_between_netpol-diff-example-minimal_and_netpol-analysis-example-minimal.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/backend[Deployment]" [label="backend[Deployment]" color="blue" fontcolor="blue"]
"default/frontend[Deployment]" [label="frontend[Deployment]" color="blue" fontcolor="blue"]
label="default"
diff --git a/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot b/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot
index 62b5a336..5a6802c7 100644
--- a/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot
+++ b/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_onlineboutique_workloads.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/adservice[Deployment]" [label="adservice[Deployment]" color="blue" fontcolor="blue"]
"default/cartservice[Deployment]" [label="cartservice[Deployment]" color="blue" fontcolor="blue"]
"default/checkoutservice[Deployment]" [label="checkoutservice[Deployment]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_workloads_and_onlineboutique_workloads.dot b/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_workloads_and_onlineboutique_workloads.dot
index 026f58de..38c94cf4 100644
--- a/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_workloads_and_onlineboutique_workloads.dot
+++ b/test_outputs/diff/diff_between_onlineboutique_workloads_changed_netpols_and_workloads_and_onlineboutique_workloads.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/adservice[Deployment]" [label="adservice[Deployment]" color="blue" fontcolor="blue"]
"default/cartservice[Deployment]" [label="cartservice[Deployment]" color="blue" fontcolor="blue"]
"default/checkoutservice[Deployment]" [label="checkoutservice[Deployment]" color="blue" fontcolor="blue"]
diff --git a/test_outputs/diff/diff_between_onlineboutique_workloads_changed_workloads_and_onlineboutique_workloads.dot b/test_outputs/diff/diff_between_onlineboutique_workloads_changed_workloads_and_onlineboutique_workloads.dot
index caddf447..ededb460 100644
--- a/test_outputs/diff/diff_between_onlineboutique_workloads_changed_workloads_and_onlineboutique_workloads.dot
+++ b/test_outputs/diff/diff_between_onlineboutique_workloads_changed_workloads_and_onlineboutique_workloads.dot
@@ -1,5 +1,7 @@
digraph {
- subgraph cluster_default {
+ subgraph "cluster_default" {
+ color="black"
+ fontcolor="black"
"default/adservice[Deployment]" [label="adservice[Deployment]" color="blue" fontcolor="blue"]
"default/cartservice[Deployment]" [label="cartservice[Deployment]" color="blue" fontcolor="blue"]
"default/checkoutservice[Deployment]" [label="checkoutservice[Deployment]" color="blue" fontcolor="blue"]
diff --git a/tests/test_exposure_to_namespace_with_multiple_labels/netpol.yaml b/tests/test_exposure_to_namespace_with_multiple_labels/netpol.yaml
new file mode 100644
index 00000000..e9dfa196
--- /dev/null
+++ b/tests/test_exposure_to_namespace_with_multiple_labels/netpol.yaml
@@ -0,0 +1,18 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: exposure-ns-with-multiple-labels
+ namespace: hello-world
+spec:
+ podSelector:
+ matchLabels:
+ app: a-app
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ release : "stable"
+ effect: "NoSchedule"
+ ports:
+ - port: 8050
+ protocol: TCP
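Review bot: The `namespaceSelector.matchLabels` block in this new policy carries two labels, and nothing in the file says that a namespace must have both of them to match. Since the directory name is about multiple labels, a one-line comment above `matchLabels:` such as `# both labels are required: matchLabels entries are ANDed` would state what the fixture is meant to check. The key is also written `release : "stable"` with a space before the colon, unlike every other key in the file; `release: "stable"` is the consistent form.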
diff --git a/tests/test_exposure_to_namespace_with_multiple_labels/ns_and_deployments.yaml b/tests/test_exposure_to_namespace_with_multiple_labels/ns_and_deployments.yaml
new file mode 100644
index 00000000..3fc694b8
--- /dev/null
+++ b/tests/test_exposure_to_namespace_with_multiple_labels/ns_and_deployments.yaml
@@ -0,0 +1,31 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hello-world
+spec: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: workload-a
+ namespace: hello-world
+ labels:
+ app: a-app
+spec:
+ selector:
+ matchLabels:
+ app: a-app
+ template:
+ metadata:
+ labels:
+ app: a-app
+ spec:
+ containers:
+ - name: hello-world
+ image: quay.io/shfa/hello-world:latest
+ ports:
+ - containerPort: 8000 # containerport1
+ - containerPort: 8050 # containerport2
+ - containerPort: 8090 # containerport3
+---
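Review bot: The container image is referenced as `quay.io/shfa/hello-world:latest`, a mutable tag, here and in both Deployments of `tests/test_pod_exposed_only_to_representative_peers/namespace_and_deployments.yaml`. The analyzer presumably only parses these manifests, but fixtures tend to be copied or applied to a scratch cluster, and then what runs is whatever the tag points to at that moment. Pinning the reference by digest, `image: quay.io/shfa/hello-world@sha256:<digest>`, keeps the fixture reproducible. The trailing `---` after the last document also adds an empty YAML document and can be dropped.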
diff --git a/tests/test_pod_exposed_only_to_representative_peers/namespace_and_deployments.yaml b/tests/test_pod_exposed_only_to_representative_peers/namespace_and_deployments.yaml
new file mode 100644
index 00000000..528cef18
--- /dev/null
+++ b/tests/test_pod_exposed_only_to_representative_peers/namespace_and_deployments.yaml
@@ -0,0 +1,52 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: hello-world
+spec: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: workload-a
+ namespace: hello-world
+ labels:
+ app: a-app
+spec:
+ selector:
+ matchLabels:
+ app: a-app
+ template:
+ metadata:
+ labels:
+ app: a-app
+ spec:
+ containers:
+ - name: hello-world
+ image: quay.io/shfa/hello-world:latest
+ ports:
+ - containerPort: 8000 # containerport1
+ - containerPort: 8050 # containerport2
+ - containerPort: 8090 # containerport3
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: workload-b
+ namespace: hello-world
+ labels:
+ app: b-app
+spec:
+ selector:
+ matchLabels:
+ app: b-app
+ template:
+ metadata:
+ labels:
+ app: b-app
+ spec:
+ containers:
+ - name: hello-world
+ image: quay.io/shfa/hello-world:latest
+ ports:
+ - containerPort: 8050
diff --git a/tests/test_pod_exposed_only_to_representative_peers/netpol.yaml b/tests/test_pod_exposed_only_to_representative_peers/netpol.yaml
new file mode 100644
index 00000000..6e0804df
--- /dev/null
+++ b/tests/test_pod_exposed_only_to_representative_peers/netpol.yaml
@@ -0,0 +1,31 @@
+kind: NetworkPolicy
+apiVersion: networking.k8s.io/v1
+metadata:
+ name: same-rule-in-different-directions
+ namespace: hello-world
+spec:
+ podSelector:
+ matchLabels:
+ app: b-app
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchExpressions:
+ - key: foo.com/managed-state
+ operator: In
+ values:
+ - managed
+ ports:
+ - port: 8050
+ protocol: TCP
+ egress:
+ - to:
+ - namespaceSelector:
+ matchExpressions:
+ - key: foo.com/managed-state
+ operator: In
+ values:
+ - managed
+ ports:
+ - port: 8050
+ protocol: TCP
\ No newline at end of file
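Review bot: Nothing in this policy explains why `workload-b` is absent from the expected connlist output. Both rules require `foo.com/managed-state In (managed)`, and the only Namespace in the fixture, `hello-world`, is declared without labels, so apparently only representative peers can match. A header comment saying so would tie the policy to the directory name, since the policy's own name, `same-rule-in-different-directions`, describes something else. `policyTypes` is also left to defaulting; adding `policyTypes: [Ingress, Egress]` under `spec:` makes it explicit that both directions are restricted. The file also ends without a trailing newline.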