np-guard · shireenf-ibm · May 12, 2024 · May 9, 2024 · May 12, 2024 · May 12, 2024
diff --git a/pkg/netpol/connlist/conns_formatter.go b/pkg/netpol/connlist/conns_formatter.go
@@ -68,8 +68,8 @@ func formExposureItemAsSingleConnFiled(peerStr string, exposureItem XgressExposu
 	if exposureItem.IsExposedToEntireCluster() {
 		return formSingleExposureConn(peerStr, entireCluster, exposureItem.PotentialConnectivity(), isIngress)
 	}
-	repPeerStr := getRepresentativeNamespaceString(exposureItem.NamespaceLabels()) + "/" +
-		getRepresentativePodString(exposureItem.PodLabels())
+	repPeerStr := getRepresentativeNamespaceString(exposureItem.NamespaceLabels(), true) + "/" +
+		getRepresentativePodString(exposureItem.PodLabels(), true)
 	return formSingleExposureConn(peerStr, repPeerStr, exposureItem.PotentialConnectivity(), isIngress)
 }
 
@@ -79,27 +79,49 @@ func convertLabelsMapToString(labelsMap map[string]string) string {
 }
 
 const (
-	mapOpen  = "{"
-	mapClose = "}"
+	bracketOpen  = "["
+	bracketClose = "]"
+	mapOpen      = "{"
+	mapClose     = "}"
 )
 
-// getRepresentativeNamespaceString returns a string representation of a potential peer with namespace labels
-func getRepresentativeNamespaceString(nsLabels map[string]string) string {
+// getRepresentativeNamespaceString returns a string representation of a potential peer with namespace labels.
+// if namespace with multiple words adds [] , in case of textual (non-graphical) output
+func getRepresentativeNamespaceString(nsLabels map[string]string, txtOutFlag bool) string {
 	nsName, ok := nsLabels[common.K8sNsNameLabelKey]
 	if len(nsLabels) == 1 && ok {
 		return nsName
 	}
+	res := ""
+	if txtOutFlag {
+		res += bracketOpen
+	}
 	if len(nsLabels) > 0 {
-		return "namespace with " + mapOpen + convertLabelsMapToString(nsLabels) + mapClose
+		res += "namespace with " + mapOpen + convertLabelsMapToString(nsLabels) + mapClose
+	} else {
+		res += allNamespacesLbl
+	}
+	if txtOutFlag {
+		res += bracketClose
 	}
-	return allNamespacesLbl
+	return res
 }
 
 // getRepresentativePodString returns a string representation of potential peer with pod labels
-// or all pods string for empty pod labels map (which indicates all pods)
-func getRepresentativePodString(podLabels map[string]string) string {
+// or all pods string for empty pod labels map (which indicates all pods).
+// adds [] in case of textual (non-graphical) output
+func getRepresentativePodString(podLabels map[string]string, txtOutFlag bool) string {
+	res := ""
+	if txtOutFlag {
+		res += bracketOpen
+	}
 	if len(podLabels) == 0 {
-		return allPeersLbl
+		res += allPeersLbl
+	} else {
+		res += "pod with " + mapOpen + convertLabelsMapToString(podLabels) + mapClose
+	}
+	if txtOutFlag {
+		res += bracketClose
 	}
-	return "pod with " + mapOpen + convertLabelsMapToString(podLabels) + mapClose
+	return res
 }
diff --git a/pkg/netpol/connlist/conns_formatter_dot.go b/pkg/netpol/connlist/conns_formatter_dot.go
@@ -144,17 +144,17 @@ func getXgressExposureEdges(exposedPeerStr string, xgressExpData []XgressExposur
 					data.PotentialConnectivity().(*common.ConnectionSet)))
 				continue // if a data contains exposure to entire cluster it does not specify labels
 			}
-			nsRepLabel := getRepresentativeNamespaceString(data.NamespaceLabels())
-			repPeerLabel := getRepresentativePodString(data.PodLabels())
+			nsRepLabel := getRepresentativeNamespaceString(data.NamespaceLabels(), false)
+			repPeerLabel := getRepresentativePodString(data.PodLabels(), false)
 			repPeersStr := repPeerLabel + "_in_" + nsRepLabel // to get a unique string name of the peer node
 			if !representativeVisited[repPeersStr] {
 				representativeVisited[repPeersStr] = true
 				peerLine := getRepPeerLine(repPeersStr, repPeerLabel)
 				// ns label maybe a name of an existing namespace, so check where to add the peer
 				if _, ok := nsPeers[nsRepLabel]; ok { // in real ns
-					dotformatting.AddPeerToNsGroup(getRepresentativeNamespaceString(data.NamespaceLabels()), peerLine, nsPeers)
+					dotformatting.AddPeerToNsGroup(nsRepLabel, peerLine, nsPeers)
 				} else { // in a representative ns
-					dotformatting.AddPeerToNsGroup(getRepresentativeNamespaceString(data.NamespaceLabels()), peerLine, nsRepPeers)
+					dotformatting.AddPeerToNsGroup(nsRepLabel, peerLine, nsRepPeers)
 				}
 			}
 			xgressEdges = append(xgressEdges, getExposureEdgeLine(exposedPeerStr, repPeersStr, isIngress,

diff --git a/test_outputs/connlist/exposure_onlineboutique_workloads_connlist_output.txt b/test_outputs/connlist/exposure_onlineboutique_workloads_connlist_output.txt
@@ -18,10 +18,10 @@ default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
 
 Exposure Analysis Result:
 Egress Exposure:
-default/checkoutservice[Deployment]       	=> 	all namespaces/pod with {k8s-app=kube-dns} : UDP 53
-default/frontend[Deployment]              	=> 	all namespaces/pod with {k8s-app=kube-dns} : UDP 53
-default/loadgenerator[Deployment]         	=> 	all namespaces/pod with {k8s-app=kube-dns} : UDP 53
-default/recommendationservice[Deployment] 	=> 	all namespaces/pod with {k8s-app=kube-dns} : UDP 53
+default/checkoutservice[Deployment]       	=> 	[all namespaces]/[pod with {k8s-app=kube-dns}] : UDP 53
+default/frontend[Deployment]              	=> 	[all namespaces]/[pod with {k8s-app=kube-dns}] : UDP 53
+default/loadgenerator[Deployment]         	=> 	[all namespaces]/[pod with {k8s-app=kube-dns}] : UDP 53
+default/recommendationservice[Deployment] 	=> 	[all namespaces]/[pod with {k8s-app=kube-dns}] : UDP 53
 default/redis-cart[Deployment]            	=> 	0.0.0.0-255.255.255.255 : All Connections
 default/redis-cart[Deployment]            	=> 	entire-cluster : All Connections
 

diff --git a/...xposure_onlineboutique_workloads_focus_workload_default_loadgenerator_connlist_output.txt b/...xposure_onlineboutique_workloads_focus_workload_default_loadgenerator_connlist_output.txt
@@ -2,4 +2,4 @@ default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080
 
 Exposure Analysis Result:
 Egress Exposure:
-default/loadgenerator[Deployment] 	=> 	all namespaces/pod with {k8s-app=kube-dns} : UDP 53
+default/loadgenerator[Deployment] 	=> 	[all namespaces]/[pod with {k8s-app=kube-dns}] : UDP 53
diff --git a/test_outputs/connlist/exposure_test_conn_to_all_pods_in_a_new_ns_connlist_output.txt b/test_outputs/connlist/exposure_test_conn_to_all_pods_in_a_new_ns_connlist_output.txt
@@ -3,4 +3,4 @@ Egress Exposure:
 hello-world/workload-a[Deployment] 	=> 	entire-cluster : All Connections
 
 Ingress Exposure:
-hello-world/workload-a[Deployment] 	<= 	backend/all pods : TCP 8050
+hello-world/workload-a[Deployment] 	<= 	backend/[all pods] : TCP 8050
diff --git a/...uts/connlist/exposure_test_conn_with_new_pod_selector_and_ns_selector_connlist_output.txt b/...uts/connlist/exposure_test_conn_with_new_pod_selector_and_ns_selector_connlist_output.txt
@@ -6,7 +6,7 @@ hello-world/workload-a[Deployment] 	=> 	0.0.0.0-255.255.255.255 : All Connection
 hello-world/workload-a[Deployment] 	=> 	entire-cluster : All Connections
 
 Ingress Exposure:
-hello-world/workload-a[Deployment] 	<= 	namespace with {effect=NoSchedule}/pod with {role=monitoring} : TCP 8050
+hello-world/workload-a[Deployment] 	<= 	[namespace with {effect=NoSchedule}]/[pod with {role=monitoring}] : TCP 8050
 
 Workloads not protected by network policies:
 hello-world/workload-a[Deployment] is not protected on Egress
diff --git a/test_outputs/connlist/exposure_test_conn_with_only_pod_selector_connlist_output.txt b/test_outputs/connlist/exposure_test_conn_with_only_pod_selector_connlist_output.txt
@@ -6,7 +6,7 @@ hello-world/workload-a[Deployment] 	=> 	0.0.0.0-255.255.255.255 : All Connection
 hello-world/workload-a[Deployment] 	=> 	entire-cluster : All Connections
 
 Ingress Exposure:
-hello-world/workload-a[Deployment] 	<= 	hello-world/pod with {role=monitoring} : TCP 8050
+hello-world/workload-a[Deployment] 	<= 	hello-world/[pod with {role=monitoring}] : TCP 8050
 
 Workloads not protected by network policies:
 hello-world/workload-a[Deployment] is not protected on Egress
diff --git a/test_outputs/connlist/exposure_test_conn_with_pod_selector_in_any_ns_connlist_output.txt b/test_outputs/connlist/exposure_test_conn_with_pod_selector_in_any_ns_connlist_output.txt
@@ -6,7 +6,7 @@ hello-world/workload-a[Deployment] 	=> 	0.0.0.0-255.255.255.255 : All Connection
 hello-world/workload-a[Deployment] 	=> 	entire-cluster : All Connections
 
 Ingress Exposure:
-hello-world/workload-a[Deployment] 	<= 	all namespaces/pod with {role=monitoring} : TCP 8050
+hello-world/workload-a[Deployment] 	<= 	[all namespaces]/[pod with {role=monitoring}] : TCP 8050
 
 Workloads not protected by network policies:
 hello-world/workload-a[Deployment] is not protected on Egress
diff --git a/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.txt b/test_outputs/connlist/exposure_test_egress_exposure_with_named_port_connlist_output.txt
@@ -1,6 +1,6 @@
 Exposure Analysis Result:
 Egress Exposure:
-hello-world/workload-a[Deployment] 	=> 	namespace with {foo.com/managed-state=managed}/all pods : TCP http
+hello-world/workload-a[Deployment] 	=> 	[namespace with {foo.com/managed-state=managed}]/[all pods] : TCP http
 
 Ingress Exposure:
 hello-world/workload-a[Deployment] 	<= 	entire-cluster : TCP 8000
diff --git a/...uts/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.txt b/...uts/connlist/exposure_test_exposure_to_namespace_with_multiple_labels_connlist_output.txt
@@ -6,7 +6,7 @@ hello-world/workload-a[Deployment] 	=> 	0.0.0.0-255.255.255.255 : All Connection
 hello-world/workload-a[Deployment] 	=> 	entire-cluster : All Connections
 
 Ingress Exposure:
-hello-world/workload-a[Deployment] 	<= 	namespace with {effect=NoSchedule,release=stable}/all pods : TCP 8050
+hello-world/workload-a[Deployment] 	<= 	[namespace with {effect=NoSchedule,release=stable}]/[all pods] : TCP 8050
 
 Workloads not protected by network policies:
 hello-world/workload-a[Deployment] is not protected on Egress
diff --git a/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.txt b/test_outputs/connlist/exposure_test_multiple_unmatched_rules_connlist_output.txt
@@ -6,9 +6,9 @@ hello-world/workload-a[Deployment] 	=> 	0.0.0.0-255.255.255.255 : All Connection
 hello-world/workload-a[Deployment] 	=> 	entire-cluster : All Connections
 
 Ingress Exposure:
-hello-world/workload-a[Deployment] 	<= 	namespace with {effect=NoSchedule}/all pods : TCP 8050
-hello-world/workload-a[Deployment] 	<= 	namespace with {foo.com/managed-state=managed}/all pods : TCP 8050
-hello-world/workload-a[Deployment] 	<= 	namespace with {release=stable}/all pods : All Connections
+hello-world/workload-a[Deployment] 	<= 	[namespace with {effect=NoSchedule}]/[all pods] : TCP 8050
+hello-world/workload-a[Deployment] 	<= 	[namespace with {foo.com/managed-state=managed}]/[all pods] : TCP 8050
+hello-world/workload-a[Deployment] 	<= 	[namespace with {release=stable}]/[all pods] : All Connections
 
 Workloads not protected by network policies:
 hello-world/workload-a[Deployment] is not protected on Egress
diff --git a/..._outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.txt b/..._outputs/connlist/exposure_test_new_namespace_conn_and_entire_cluster_connlist_output.txt
@@ -12,8 +12,8 @@ hello-world/workload-b[Deployment] 	=> 	0.0.0.0-255.255.255.255 : All Connection
 hello-world/workload-b[Deployment] 	=> 	entire-cluster : All Connections
 
 Ingress Exposure:
+hello-world/workload-a[Deployment] 	<= 	[namespace with {foo.com/managed-state=managed}]/[all pods] : TCP 8050,8090
 hello-world/workload-a[Deployment] 	<= 	entire-cluster : TCP 8050
-hello-world/workload-a[Deployment] 	<= 	namespace with {foo.com/managed-state=managed}/all pods : TCP 8050,8090
 hello-world/workload-b[Deployment] 	<= 	0.0.0.0-255.255.255.255 : All Connections
 hello-world/workload-b[Deployment] 	<= 	entire-cluster : All Connections
 

diff --git a/...tputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.txt b/...tputs/connlist/exposure_test_pod_exposed_only_to_representative_peers_connlist_output.txt
@@ -5,12 +5,12 @@ Exposure Analysis Result:
 Egress Exposure:
 hello-world/workload-a[Deployment] 	=> 	0.0.0.0-255.255.255.255 : All Connections
 hello-world/workload-a[Deployment] 	=> 	entire-cluster : All Connections
-hello-world/workload-b[Deployment] 	=> 	namespace with {foo.com/managed-state=managed}/all pods : TCP 8050
+hello-world/workload-b[Deployment] 	=> 	[namespace with {foo.com/managed-state=managed}]/[all pods] : TCP 8050
 
 Ingress Exposure:
 hello-world/workload-a[Deployment] 	<= 	0.0.0.0-255.255.255.255 : All Connections
 hello-world/workload-a[Deployment] 	<= 	entire-cluster : All Connections
-hello-world/workload-b[Deployment] 	<= 	namespace with {foo.com/managed-state=managed}/all pods : TCP 8050
+hello-world/workload-b[Deployment] 	<= 	[namespace with {foo.com/managed-state=managed}]/[all pods] : TCP 8050
 
 Workloads not protected by network policies:
 hello-world/workload-a[Deployment] is not protected on Egress

diff --git a/..._outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.txt b/..._outputs/connlist/exposure_test_same_unmatched_rule_in_ingress_egress_connlist_output.txt
@@ -1,7 +1,7 @@
 Exposure Analysis Result:
 Egress Exposure:
-hello-world/workload-a[Deployment] 	=> 	namespace with {foo.com/managed-state=managed}/all pods : TCP 8050
+hello-world/workload-a[Deployment] 	=> 	[namespace with {foo.com/managed-state=managed}]/[all pods] : TCP 8050
 
 Ingress Exposure:
+hello-world/workload-a[Deployment] 	<= 	[namespace with {foo.com/managed-state=managed}]/[all pods] : TCP 8000,8090
 hello-world/workload-a[Deployment] 	<= 	entire-cluster : TCP 8000
-hello-world/workload-a[Deployment] 	<= 	namespace with {foo.com/managed-state=managed}/all pods : TCP 8000,8090