
handling selectors with matchexpressions (fixed) #377

Conversation


@shireenf-ibm shireenf-ibm commented Jun 23, 2024

#236
task:

  • support selectors with matchExpression (all operators)

in this PR:

  • added support of representative peers which are inferred from rules with matchExpressions
  • it was determined that representative peers inferred from rules with matchExpressions will not be removed if there are real peers matching them (also not redundant: peers matching all-namespaces / peers matching all-pods in a namespace)
  • it was also determined that when computing allowed connections, a rule matches a representative peer if :
    • the rule is empty (matches all)
    • the rule points to same reference of the selectors of the representative peer
    • the rule and the selectors of the representative peer have same requirements
      (1 way containment is not a match)
  • cancelled creating representative namespaces (if the representative peer has the same namespace as a policy, i.e. it was inferred from a rule with a nil namespaceSelector, it will be generated in that namespace; otherwise it will have a nil namespace object)
  • the representative namespace and pod selectors of a representative peer are stored in its Pod object
  • the RepresentativePeer struct was eliminated , a representative peer is a WorkloadPeer with kind == RepresentativePeer
  • changing the type of NamespaceLabels and PodLabels of an ExposedPeer to be LabelSelector so it may include both matchLabels and matchExpressions

more things were done in this PR:

  • fixing multiple typos in netpol-analyzer's code
  • renaming all new exposure tests dirs to start with exposure_ , and renaming expected output's suffixes in this way :
    • if the test runs with the exposure-analysis flag off: a connlist output is generated -> the expected output suffix is connlist_output.<format>
    • if the test runs with the exposure-analysis flag on: the suffix of the expected output is exposure_output.<format>, to identify that the output also contains exposure results.
      this way also helps to differentiate when a test runs with the flag on/off (even for exposure_<test_dir>)
  • renaming some functions/variables for more readability
  • updating some functions / in files documentations for clarity
  • unit tests for the new functionality
  • adding multiple new (connlist) tests with the new feature
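The matching rule stated in the description (a rule selects a representative peer only on same reference, on an empty rule, or on identical requirements, with one-way containment not counting) is easy to get wrong when the same selector can be written as matchLabels or as a matchExpressions entry. The following stand-alone Go program is an added example, not code from the netpol-analyzer repository: it uses local stand-ins for metav1.LabelSelector and metav1.LabelSelectorRequirement so it has no dependency on k8s.io/apimachinery, and the function names (SelectorsFullMatch, normalizedRequirements) are this example's own, not the project's. The canonical ordering it builds (matchLabels folded into In requirements, sorted by key) is the same shape that apimachinery's LabelSelectorAsSelector followed by Requirements() yields, which is what makes element-by-element comparison valid.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Operator mirrors the four operators of metav1.LabelSelectorOperator.
type Operator string

const (
	OpIn           Operator = "In"
	OpNotIn        Operator = "NotIn"
	OpExists       Operator = "Exists"
	OpDoesNotExist Operator = "DoesNotExist"
)

// Requirement and LabelSelector are local stand-ins (assumption: defined here to avoid
// importing k8s.io/apimachinery) for metav1.LabelSelectorRequirement / metav1.LabelSelector.
type Requirement struct {
	Key      string
	Operator Operator
	Values   []string
}

type LabelSelector struct {
	MatchLabels      map[string]string
	MatchExpressions []Requirement
}

// normalizedRequirements folds matchLabels into "key In [value]" requirements, validates the
// value list of every operator, and returns the requirements in a canonical order (key, then
// operator, then sorted values). Label values cannot contain ',' so joining with ',' is safe.
func normalizedRequirements(s *LabelSelector) ([]Requirement, error) {
	reqs := make([]Requirement, 0, len(s.MatchLabels)+len(s.MatchExpressions))
	for k, v := range s.MatchLabels {
		reqs = append(reqs, Requirement{Key: k, Operator: OpIn, Values: []string{v}})
	}
	for _, r := range s.MatchExpressions {
		vals := append([]string(nil), r.Values...)
		switch r.Operator {
		case OpIn, OpNotIn:
			if len(vals) == 0 {
				return nil, fmt.Errorf("operator %s on key %q requires at least one value", r.Operator, r.Key)
			}
		case OpExists, OpDoesNotExist:
			if len(vals) != 0 {
				return nil, fmt.Errorf("operator %s on key %q must not carry values", r.Operator, r.Key)
			}
		default:
			return nil, fmt.Errorf("unsupported operator %q on key %q", r.Operator, r.Key)
		}
		sort.Strings(vals)
		reqs = append(reqs, Requirement{Key: r.Key, Operator: r.Operator, Values: vals})
	}
	sort.Slice(reqs, func(i, j int) bool {
		if reqs[i].Key != reqs[j].Key {
			return reqs[i].Key < reqs[j].Key
		}
		if reqs[i].Operator != reqs[j].Operator {
			return reqs[i].Operator < reqs[j].Operator
		}
		return strings.Join(reqs[i].Values, ",") < strings.Join(reqs[j].Values, ",")
	})
	return reqs, nil
}

// SelectorsFullMatch reports whether ruleSelector selects the representative peer generated
// from repSelector: true on same reference, on an empty rule (selects all), or on identical
// requirement sets. A rule that merely contains the representative selector (one-way
// containment) is not a match. Nil selectors are rejected: in NetworkPolicy a nil
// namespaceSelector means "the policy's namespace" and must be resolved by the caller first.
func SelectorsFullMatch(ruleSelector, repSelector *LabelSelector) (bool, error) {
	if ruleSelector == nil || repSelector == nil {
		return false, fmt.Errorf("nil selector: resolve nil selectors before comparing")
	}
	if ruleSelector == repSelector || (len(ruleSelector.MatchLabels) == 0 && len(ruleSelector.MatchExpressions) == 0) {
		return true, nil
	}
	ruleReqs, err := normalizedRequirements(ruleSelector)
	if err != nil {
		return false, err
	}
	repReqs, err := normalizedRequirements(repSelector)
	if err != nil {
		return false, err
	}
	if len(ruleReqs) != len(repReqs) {
		return false, nil
	}
	for i := range ruleReqs {
		if ruleReqs[i].Key != repReqs[i].Key || ruleReqs[i].Operator != repReqs[i].Operator ||
			strings.Join(ruleReqs[i].Values, ",") != strings.Join(repReqs[i].Values, ",") {
			return false, nil
		}
	}
	return true, nil
}

func main() {
	byLabels := &LabelSelector{MatchLabels: map[string]string{"app": "web"}}
	byExpr := &LabelSelector{MatchExpressions: []Requirement{{Key: "app", Operator: OpIn, Values: []string{"web"}}}}
	wider := &LabelSelector{MatchExpressions: []Requirement{{Key: "app", Operator: OpIn, Values: []string{"api", "web"}}}}
	fmt.Println(SelectorsFullMatch(byLabels, byExpr)) // equivalent selectors written differently
	fmt.Println(SelectorsFullMatch(wider, byExpr))    // one-way containment: not a match
	fmt.Println(SelectorsFullMatch(&LabelSelector{}, wider)) // empty rule selects everything
}
```

The Exists/DoesNotExist validation is there because those operators with a non-empty value list (or In/NotIn with an empty one) are invalid in the Kubernetes API, and silently normalizing such input would let an invalid rule "match" a representative peer instead of surfacing an error.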

@shireenf-ibm shireenf-ibm requested a review from adisos June 23, 2024 18:09
@shireenf-ibm shireenf-ibm marked this pull request as draft June 23, 2024 18:10
@shireenf-ibm shireenf-ibm changed the title New handling selectors with matchexpressions handling selectors with matchexpressions (fixed) Jun 23, 2024
@shireenf-ibm shireenf-ibm mentioned this pull request Jun 23, 2024

@adisos adisos left a comment


few initial comments

(five review comments on pkg/netpol/connlist/conns_formatter.go, outdated and resolved)

adisos commented Jun 24, 2024

general comment: the expression selectors could be represented as LabelSelectorRequirement from pkg go\pkg\mod\k8s.io\[email protected]\pkg\apis\meta\v1\types.go, instead of converting to map[string]string and then re-converting to a string?
why do we need our own conversion? could just add a separate field for such selectors of this type instead?

@shireenf-ibm

general comment: the expression selectors could be represented as LabelSelectorRequirement from pkg go\pkg\mod\k8s.io\[email protected]\pkg\apis\meta\v1\types.go, instead of converting to map[string]string and then re-converting to a string? why do we need our own conversion? could just add a separate field for such selectors of this type instead?

I thought about this too, but found that it will cost multiple changes and will not differ that much for the "special" cases:
  1. we can add fields of "LabelSelectorRequirement" to the k8s.Pod and eval.RepresentativePeer interfaces and consider them each time needed; but still the ExposedPeer will contain the representative labels as map[string]string (so preferred to be consistent from the beginning)
  2. in case of the In operator, I preferred to convert the expression into labels of <key:val> for each value (and so a new representative peer is created for each). In case of the other operators it was only to convert to a single <key>:<val> where the <val> is "special" and needs to be "compared" specifically (the same comparisons would be done in case we use the `LabelSelectorRequirement`)


shireenf-ibm commented Jun 27, 2024

some comments regarding the last commit:
current code changes:

  • since the potential namespaces and pods a peer may be exposed to can contain either a labels map or a list of requirements,
    I used the LabelSelector struct to represent them (it includes both map[string]string and []LabelSelectorRequirement)

  • however, in order to print the potential labels and requirements string I preferred to use the labels string func and the LabelSelectorRequirement.String() func rather than LabelSelector.String(), in order to get a neater output.

a suggestion: (not implemented here)

  • since k8s.namespace contains both requirements and labels; we have the option to remove the RepresentativePeer struct and use PodPeer struct to represent representative peer, by differentiating the kind value of the peer; (if this is desired, i prefer to do in a different PR)

@shireenf-ibm shireenf-ibm requested a review from adisos June 27, 2024 12:24
Collaborator


can you also duplicate these tests for scenarios with actual pods also matched by these selectors?

Contributor Author


done

@shireenf-ibm shireenf-ibm requested a review from adisos June 29, 2024 21:37
(two review comments on pkg/netpol/eval/internal/k8s/representative_selectors.go, outdated and resolved)
if isRepresentativePod(peer) {
// representative peer's namespace labels may be inferred from a rule with special matchExpression requirements
// and also contains the representative ns name label which is not relevant for comparison
peerMatchesNamespaceSelector, err = SelectorMatchesRepresentativePeerLabels(selector, peerNamespace.Labels,
Collaborator


can't we just keep a reference to the selector(s) from which this representative peer was created, and consider a match only if this is the relevant selector, instead of implementing containment of selectors comparison?

Contributor Author


I think we still need this containment, some selectors may intersect / be equivalent on one way to other selectors
i.e. a representative peer (built from one selector) may match two or more selectors actually and then the connection contains the ports of all the selectors.
an example : test_exposure_with_different_rules_6 (there are more examples like this too)

@shireenf-ibm shireenf-ibm requested a review from adisos July 3, 2024 11:42
// 1. both selectors point to same reference (rule and its matching representative pod/ns)
// 2. if the rule's selector is empty (matches all pods/namespaces)
// 3. if the requirements of both rules are equal (same)
func areRequirementsEqual(ruleSelector, repSelector *v1.LabelSelector) (bool, error) {
Collaborator


function name is misleading? it returns true if the representative peer's selector matches the rule selector?

Contributor Author


done

if err != nil {
return false, err
}
requirements1, _ := selector1.Requirements() // Requirements() returns sorted by key list
Collaborator


where is it documented that Requirements() returns a sorted list?

Contributor Author


I found this by reading the implementation.
LabelSelectorAsSelector builds a new labels.selector by using Requirements.Add which sorts the requirements slice by key.
and Requirements() returns this list
links:
Add
LabelSelectorAsSelector

Collaborator


  • please add links in the comment about the expected sorted result.
  • please add unit tests to the functions in this file.

Contributor Author

@shireenf-ibm shireenf-ibm Jul 15, 2024


  • please add links in the comment about the expected sorted result.

done

Contributor Author


  • please add unit tests to the functions in this file.

done

// RepresentativeNsLabelSelector points to the namespaceSelector of the policy rule which this
// representative namespace was inferred from
// used only with representative peers (exposure-analysis)
RepresentativeNsLabelSelector *v1.LabelSelector
Collaborator


why is this part of the namespace object, and not as part of the representative pod object?

Contributor Author


moved to the pod object

ruleSel.NsLabels = map[string]string{common.K8sNsNameLabelKey: np.Namespace}
} else {
ruleSel.NsLabels = nsSelectorMap
nsNameLabelSel := map[string]string{common.K8sNsNameLabelKey: np.Namespace}
Collaborator


can avoid duplicating the map of single label containing K8sNsNameLabelKey ? there is another function building this map currently

Contributor Author


done.
avoided duplicating: by not duplicating the code lines (not used for same goal, so couldn't avoid building the map in one of the cases)

if selectorsLabels[i].PolicyNsFlag {
_, err = pe.AddPodByNameAndNamespace(generateNewPodName(i), policyNs, &selectorsLabels[i])
if selectors[i].PolicyNsFlag {
_, err = pe.AddPodByNameAndNamespace(generateNewPodName(i), policyNs, &selectors[i])
Collaborator


consider renaming AddPodByNameAndNamespace ? split to the various cases as different functions?

Contributor Author

@shireenf-ibm shireenf-ibm Jul 15, 2024


done.

  1. reverted all changes to AddPodByNameAndNamespace (to the main branch version) so it applies only for ingress-controller cases (renaming this func, if needed - should be done in the ingress-analysis branch, not here)

  2. added a new function addRepresentativePod for our use-case (exposure-analysis).

  3. by the way, reverted changes to resolveSingleMissingNamespace (also to the main version) since representative namespaces will not be generated anymore (a representative pod will have no-namespace , unless it was generated in the real namespace of the policy containing its source rule)

(review comment on pkg/netpol/eval/exposure.go, outdated and resolved)
@shireenf-ibm

attaching a list of the tests that were added in this PR, later will update the file with all tests of exposure-analysis
exposure_analysis_tests.csv

…ull match for rep selector in case of empty rule
@shireenf-ibm

Please add a short summary of the implementation flow in the issue description.

done

@shireenf-ibm

is there a convention for connlist tests with exposure analysis? how can one identify which tests are relevant to exposure analysis?

I tried to start all dirs of tests with test_exposure , you may also see the tests in connlist_test.go which run with the exposureFlag. all output files of tests that run with exposure-analysis (on) will start with exposure_ (determined this in code )

can you be consistent also with test dirs, so that they all have a common prefix? some start with "test_new_namespace_conn_and_entire_cluster_with_matching_pod" , some with "test_exposure_", some with "test_egress_exposure", and maybe others...

done , described the changes in the PR's description above too

@shireenf-ibm shireenf-ibm requested a review from adisos August 4, 2024 14:02
…ard/netpol-analyzer into new_handling_selectors_with_matchexpressions
@shireenf-ibm shireenf-ibm marked this pull request as ready for review August 8, 2024 08:22
@shireenf-ibm shireenf-ibm merged commit 796ae5f into new_exposure_analysis_first_branch Aug 8, 2024
2 checks passed
@shireenf-ibm shireenf-ibm deleted the new_handling_selectors_with_matchexpressions branch August 8, 2024 08:22
shireenf-ibm added a commit that referenced this pull request Aug 8, 2024
* exposure-analysis flag

* initial support of exposure from only namespaceSelectors

* lint gofmt

* wip - defining an interface for exposure-analysis results (#295)

* wip - define an interface for the new returned value (new API)

* Update pkg/netpol/connlist/exposed_pods.go

Co-authored-by: Adi Sosnovich <[email protected]>

* wip- some updates to the interfaces (only)

* Update pkg/netpol/connlist/exposed_pods.go

Co-authored-by: Adi Sosnovich <[email protected]>

* interface doc update

* fixes

* Update pkg/netpol/connlist/exposed_peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* connlist implementing exposure analysis (#296)

* connlist implementing exposure analysis

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fix rep. pod name

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposed_peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposed_peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* add func that updates the protected flag of a pod

* return error values

* avoid fields dups among types

* update func doc

* getConnectionsBetweenPeers update doc + returns the exposureMap

* move connection interface, avoid code dup, and compare conns using ConnectionSet

* make the func an exposureMap func

* fixing issue of same string in podsOwnerMap

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* renaming Connection interface + move PortRange

* struct embedding

* using connectionSet internally + move the refinement to one iter at the end

* Update pkg/netpol/connection/connection.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis.go

Co-authored-by: Adi Sosnovich <[email protected]>

* rename AllConnections

* verify conversion

* storing the maximum entire cluster connection

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Revert api changes (#298)

* revert Connection, diff AllowedConnectivity, PortRange , ConnectionSet

* revert connlist API changes

* revert eval API changes

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/connlist.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* renaming funcs

* exposing common.Connection as connlist.AllowedSet

* revert exposing common.Connection as connlist.AllowedSet

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Exposure analysis unit tests (#299)

* unit tests for the functionality of connlist/exposure_analysis.go

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* adding getallTCPconnections

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Entire cluster exposure opt (#304)

* optimizing entire cluster exposure

* optimizing performance - compute entire cluster exposure only once

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* multiple fixes

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* using empty connset instead of nil

* add pod exposure data struct

* exporting podExposureInfo

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* pre processing policy for general conns (#306)

* first commit: pre processing policy for general conns

* func doc

* fixing to PortSet; instead of PortSet{}, call MakePortSet(false) to ensure initializing empty maps for named ports

* fixing handling connections with namedPort

* fixing lint issued by github - not relevant to PR

* tiny fix

* fixes

* Policy engine with new api func for exposure analysis  (#307)

* task1 add new api func to policy-engine; so pre-process runs only for exposure-analysis

* task2 on exposure analysis benefit from the stored data

* eliminate isRuleGeneral; skip general rules in ruleSelectsPeer

* missing func doc

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* todo comment

* revert initiating conns between two peers

* avoid iterating policy if its general conns are all conns

* todo comment

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* adding representativePeer struct (#309)

* adding representativePeer struct

* Update pkg/netpol/eval/internal/k8s/peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* gofmt

* connlist if-else fix

* fixes to exposure_map.go

* fixing connlist includePairOfWorkloads

* fix GetPeerList() - separate GetRepresentativePeersList

* comment how Pod of representative peer is originated

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* Optimize representative peers generation  (#314)

* add representative peers for all non-empty rules while policies upsert

* refine pods that has a match in the resources - first commit

* handling returned err from convertPeerToPodPeer

* handle case of namespaceSelector containing name key

* generate unique rep peers and refine while upserting objects

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fixes

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* go fmt

* lint fix

* exposure analysis test (#316)

* exposure analysis test

* exposure data comparison and new test

* using ca calls to compute exposed peers

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/connlist/exposure_analysis_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* lint fix

* flattening tests dir

* exposure map fixes

* 3 values of protected data

* splitting exposure map into two maps

* fixes

* required changes

* code fixes

* typo fix

* a new test for increasing coverage

* new test

* comment update

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* delete unused file

* textual output with exposure analysis (#331)

* textual output with exposure analysis

* tiny code enhancement

* readme update

* output change + code modify

* fixes

* dot output with exposure results (#333)

* dot output with exposure results

* tiny fix

* new tests

* fixing golangci-lint 1.58.0 errors

* exposure analysis with pod selectors (#343)

* code changes + new tests with pod selectors

* fixes and new test

* running onlineboutique_workloads with exposure

* running k8s_ingress_test_new with exposure

* linter fix - headers

* exposure analysis with focus-workload (#349)

* exposure analysis with focus-workload

* focus-workload fixes

* textual output enhancement (adding [] to strings with multiple words)

* fix

* enhancing dot view (#353)

* don't remove representative peers in any-namespace (#352)

* always keep representative peers which match all-namespaces

* update test output after merge

* examples with rules exposing pod to an existing ns

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* don't refine rep. peers matching any pod in a namespace + changing some tests to keep initial purpose+updating results of existing tests

* adding same test with nil podSelector instead of empty one

* adding test with inaccurate output

* fixing comment syntax

* Update pkg/netpol/connlist/connlist_test.go

Co-authored-by: Adi Sosnovich <[email protected]>

* gofmt

* updating comments in yaml

* tiny fix

---------

Co-authored-by: Adi Sosnovich <[email protected]>

* supporting csv, md and json formats (#360)

* supporting csv, md and json formats

* fixing after merge with base branch

* consider real exposure flag

* csv, md, json are consistent with txt - two sections

* dot graphs with exposure edges dashed and with different colors

* merging with master branch

* empty_commit

* handling selectors with matchexpressions (fixed) (#377)

* support match expression operators for generating and selecting representative peers + first examples

* more tests

* more tests

* updating code with label selectors

* merge fixes

* duplicated tests with matching pods

* fixing code + tests with multiple policies

* update comments in exposure.go

* renaming function and updating comments and doc of representative_selectors.go

* move `RepresentativeNsLabelSelector` field from namespace.go to pod.go

* 1. reverting changes to AddPodByNameAndNamespace and resolveSingleMissingNamespace (to original version from main branch)
2. creating a new func for adding representative pods to the policy-engine, without representative namespaces. a representative pod which should not be in a real namespace, will have no namespace

* avoid duplicating code of generating the default namespace name map; and some updates to netpol.go

* eliminate representativePeer.PotentialNamespaceLabelSelector as it duplicates Pod.RepresentativeNsLabelSelector

* renaming the func in representative_selectors.go again

* a new test with handling a special case of equiv rules written in a different way

* unit test for representative_selectors.go

* removing redundant code

* updating documentation of new fields in pod.go

* fixes in resources.go

* fix in check.go

* update few comments

Signed-off-by: adisos <[email protected]>

* renaming AddObjects + updating its documentation

* renaming netpol funcs

* renaming connPeers

* fixing representative pods naming and updating relevant funcs

* renaming "GeneralConns" to "ExposedGeneralConns"

* removing PolicyNsFlag

* no need to split namespaces with policies at first

* Revert "no need to split namespaces with policies at first"

This reverts commit 03e384e.

* rename extractLabelsAndRefineRepresentativePeers and refineRepresentativePeersMatchingLabels

* renaming checkIfP2PConnOrExposureConn

* lint fix

* func allAllowedConnectionsBetweenPeers: remove ingressSet, egressSet

* using new terms for general conns : ClusterWideExposure and ExternalExposure

* an example why should split namespaces at the beginning with the policies

* eliminate RepresentativePeer struct

* fixing some typos and adding some very used words to a cspell file

* more typos fixes

* updating some comments

* updating readme (all formats supported)

* getting netpols before pods for live cluster - so it works well for both exposure-analysis on/off

* Update pkg/netpol/eval/check.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/check.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/exposure.go

Co-authored-by: Adi Sosnovich <[email protected]>

* rename getSelectorsAndUpdateExposedGeneralConns

* rename ScanPolicyRulesAndUpdateExposedWideConns

* rename updateNetworkPolicyWideExposureConns

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/peer.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/pod.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/resources.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fixing lint

* Update pkg/netpol/eval/internal/k8s/representative_selectors.go

Co-authored-by: Adi Sosnovich <[email protected]>

* lint fix

* Update pkg/netpol/eval/internal/k8s/representative_selectors.go

Co-authored-by: Adi Sosnovich <[email protected]>

* fixing the last commit

* fixing the SelectorsFullMatch doc

* removing unnecessaryDeepCopy calls

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* Update pkg/netpol/eval/internal/k8s/netpol.go

Co-authored-by: Adi Sosnovich <[email protected]>

* lint fix

* some renamings in representative_selectors + document why returning full match for rep selector in case of empty rule

* adding line to comment

* split funcs in check.go for readability

* rename hasRepresentativePod

* updating comment

* updating comment of storing the named port

* updating String() func of workloadpeer

* comment update

* updating comment

* new func of selectors match in `netpol.go` to avoid duplicates

* updating comment in pod.go (what do the combinations of rep selectors imply for)

* renaming str vars

* eliminating addIfMissingNamespace func

* new tests - rep peers when there is real ns but no real pods matching

* add comment on String() func

* rename handleRequirementWithInOpAndSingleValue

* renaming test dirs and expected output of exposure-analysis tests

* new fixes

---------

Signed-off-by: adisos <[email protected]>
Co-authored-by: adisos <[email protected]>
Co-authored-by: Adi Sosnovich <[email protected]>

---------

Signed-off-by: adisos <[email protected]>
Co-authored-by: Adi Sosnovich <[email protected]>
Co-authored-by: Tanya <[email protected]>
Co-authored-by: adisos <[email protected]>