-
Notifications
You must be signed in to change notification settings - Fork 2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
don't remove representative peers in any-namespace #352
Merged
shireenf-ibm
merged 13 commits into
new_exposure_analysis_first_branch
from
sub_task_special_refinement_case
May 21, 2024
Merged
Changes from 1 commit
Commits
Show all changes
13 commits
Select commit
Hold shift + click to select a range
84ddee3
always keep representative peers which match all-namespaces
shireenf-ibm fb29b62
Merge branch 'new_exposure_analysis_first_branch' of github.com:np-gu…
shireenf-ibm 8ef848a
update test output after merge
shireenf-ibm 3c9e430
examples with rules exposing pod to an existing ns
shireenf-ibm e134fa1
Update pkg/netpol/eval/exposure.go
shireenf-ibm 722964f
don't refine rep. peers matching any pod in a namespace + changing so…
shireenf-ibm e4276e4
adding same test with nil podSelector instead of empty one
shireenf-ibm b7c498a
adding test with inaccurate output
shireenf-ibm 124a4f6
fixing comment syntax
shireenf-ibm 256ed88
Update pkg/netpol/connlist/connlist_test.go
shireenf-ibm 58c5df1
gofmt
shireenf-ibm 025ee8f
updating comments in yaml
shireenf-ibm 7e0595f
tiny fix
shireenf-ibm File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
17 changes: 17 additions & 0 deletions
17
...uts/connlist/exposure_test_exposure_to_any_namespace_with_podSelector_connlist_output.dot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,17 @@ | ||
digraph { | ||
subgraph "cluster_default" { | ||
color="black" | ||
fontcolor="black" | ||
"default/backend[Deployment]" [label="backend[Deployment]" color="blue" fontcolor="blue"] | ||
"default/frontend[Deployment]" [label="frontend[Deployment]" color="blue" fontcolor="blue"] | ||
label="default" | ||
} | ||
subgraph "cluster_all namespaces" { | ||
color="red2" | ||
fontcolor="red2" | ||
"pod with {app=frontend}_in_all namespaces" [label="pod with {app=frontend}" color="red2" fontcolor="red2"] | ||
label="all namespaces" | ||
} | ||
"default/frontend[Deployment]" -> "default/backend[Deployment]" [label="TCP 9090" color="gold2" fontcolor="darkgreen"] | ||
"pod with {app=frontend}_in_all namespaces" -> "default/backend[Deployment]" [label="TCP 9090" color="gold2" fontcolor="darkgreen"] | ||
} |
Binary file added
BIN
+19.5 KB
...xposure_test_exposure_to_any_namespace_with_podSelector_connlist_output.dot.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
54 changes: 54 additions & 0 deletions
54
...xposure_test_exposure_to_any_namespace_with_podSelector_connlist_output.dot.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
6 changes: 6 additions & 0 deletions
6
...uts/connlist/exposure_test_exposure_to_any_namespace_with_podSelector_connlist_output.txt
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
default/frontend[Deployment] => default/backend[Deployment] : TCP 9090 | ||
|
||
Exposure Analysis Result: | ||
|
||
Ingress Exposure: | ||
default/backend[Deployment] <= [all namespaces]/[pod with {app=frontend}] : TCP 9090 |
53 changes: 53 additions & 0 deletions
53
tests/test_exposure_to_any_namespace_with_podSelector/backend.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: backend | ||
spec: | ||
selector: | ||
matchLabels: | ||
app: backendservice | ||
template: | ||
metadata: | ||
labels: | ||
app: backendservice | ||
spec: | ||
containers: | ||
- name: server | ||
image: backendservice | ||
ports: | ||
- containerPort: 9090 | ||
readinessProbe: | ||
initialDelaySeconds: 10 | ||
httpGet: | ||
path: "/_healthz" | ||
port: 9090 | ||
livenessProbe: | ||
initialDelaySeconds: 10 | ||
httpGet: | ||
path: "/_healthz" | ||
port: 9090 | ||
env: | ||
- name: PORT | ||
value: "9090" | ||
resources: | ||
requests: | ||
cpu: 100m | ||
memory: 64Mi | ||
limits: | ||
cpu: 200m | ||
memory: 128Mi | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: backendservice | ||
spec: | ||
type: ClusterIP | ||
selector: | ||
app: backendservice | ||
ports: | ||
- name: http | ||
port: 9090 | ||
targetPort: 9090 | ||
|
67 changes: 67 additions & 0 deletions
67
tests/test_exposure_to_any_namespace_with_podSelector/frontend.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
--- | ||
apiVersion: apps/v1 | ||
kind: Deployment | ||
metadata: | ||
name: frontend | ||
spec: | ||
selector: | ||
matchLabels: | ||
app: frontend | ||
template: | ||
metadata: | ||
labels: | ||
app: frontend | ||
spec: | ||
containers: | ||
- name: server | ||
image: frontend | ||
ports: | ||
- containerPort: 8080 | ||
readinessProbe: | ||
initialDelaySeconds: 10 | ||
httpGet: | ||
path: "/_healthz" | ||
port: 8080 | ||
livenessProbe: | ||
initialDelaySeconds: 10 | ||
httpGet: | ||
path: "/_healthz" | ||
port: 8080 | ||
env: | ||
- name: PORT | ||
value: "8080" | ||
- name: BACKEND_SERVICE_ADDR | ||
value: "backendservice:9090" | ||
resources: | ||
requests: | ||
cpu: 100m | ||
memory: 64Mi | ||
limits: | ||
cpu: 200m | ||
memory: 128Mi | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: frontend | ||
spec: | ||
type: ClusterIP | ||
selector: | ||
app: frontend | ||
ports: | ||
- name: http | ||
port: 80 | ||
targetPort: 8080 | ||
--- | ||
apiVersion: v1 | ||
kind: Service | ||
metadata: | ||
name: frontend-external | ||
spec: | ||
type: LoadBalancer | ||
selector: | ||
app: frontend | ||
ports: | ||
- name: http | ||
port: 80 | ||
targetPort: 8080 |
59 changes: 59 additions & 0 deletions
59
tests/test_exposure_to_any_namespace_with_podSelector/netpols.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,59 @@ | ||
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy | ||
metadata: | ||
creationTimestamp: null | ||
name: backend-netpol | ||
spec: | ||
ingress: | ||
- from: | ||
- namespaceSelector: {} | ||
podSelector: | ||
matchLabels: | ||
app: frontend | ||
ports: | ||
- port: 9090 | ||
protocol: TCP | ||
podSelector: | ||
matchLabels: | ||
app: backendservice | ||
policyTypes: | ||
- Ingress | ||
- Egress | ||
status: {} | ||
|
||
--- | ||
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy | ||
metadata: | ||
creationTimestamp: null | ||
name: frontend-netpol | ||
spec: | ||
egress: | ||
- ports: | ||
- port: 9090 | ||
protocol: TCP | ||
to: | ||
- podSelector: | ||
matchLabels: | ||
app: backendservice | ||
podSelector: | ||
matchLabels: | ||
app: frontend | ||
policyTypes: | ||
- Ingress | ||
- Egress | ||
status: {} | ||
|
||
--- | ||
apiVersion: networking.k8s.io/v1 | ||
kind: NetworkPolicy | ||
metadata: | ||
creationTimestamp: null | ||
name: default-deny-in-namespace | ||
spec: | ||
podSelector: {} | ||
policyTypes: | ||
- Ingress | ||
- Egress | ||
status: {} | ||
|
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does it differentiate between
(which is any namespace)
to
(which is the network policy namespace)?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
and what about
this creates exposure to all pods in a certain namespace..
does this require indication as exposure?
it's not as matching pod with certain labels..
do we have any example test capturing this case with current implementation?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes, it does
examples:
tests/test_conn_with_pod_selector_in_any_ns
with :(output:
test_outputs\connlist\exposure_test_conn_with_pod_selector_in_any_ns_connlist_output.dot.png
)tests/test_conn_with_only_pod_selector
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we have following example:
test:
tests\test_conn_to_all_pods_in_a_new_ns
with:
output:
test_outputs\connlist\exposure_test_conn_to_all_pods_in_a_new_ns_connlist_output.dot.png
in this example the
backend
ns is not in the manifests and we have no real pods in this ns so we see an exposure to representative peersbackend\[all pods]
.if we had a real pod in the namespace backend : it would be a match and we won't see the exposure line.(like all cases where the podSelector was not used, if there is a pod in the namespace the it is a match)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would add another example where there is a real pod in the namespace backend
ok, the question is - should we consider changing this behavior (when the policy permits all pods in a real namespace)? if all pods in a namespace are permitted, it might be relevant as exposure info, even if there is a certain real pod in the namespace. (BTW there could be a real pod in that namespace on which there is a certain policy that blocks such a connection for this pod.. in such a case the connection to this pod is not in the report, nor the exposure to this namespace). [consider adding such an example as well]
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will add an example to see the behavior and update
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
added an example locally, the exposure analysis of bar still shows the line:
bar/workload-a[Deployment] => foo/[all pods] : All Connections
even that we have default-deny-in-foo for ingress
should fix the bug in this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
create new item and implement in a separate PR .
analysis should generate representative peers by also considering policies that capture them, and separate into sub-sections (sub-peers) that are having different connectivity by the policies (for example pods in ns with certain labels, and pods in ns without these labels).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, let's have this change in this PR , including adding the relevant examples , and mark by the example which has inaccurate output, a TODO comment, to make sure it is fixed in the next PR .
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
done