handling selectors with matchexpressions (fixed)

pkg/netpol/connlist/connlist_test.go

@@ -956,4 +956,137 @@ var goodPathTests = []struct {
 		exposureAnalysis: true,
 		outputFormats:    ValidFormats,
 	},
+	// tests on exposure with matchExpression selectors (generating representative peers from selectors with matchExpression
+	// requires special handling)
+	{
+		testDirName:      "test_exposure_with_match_expression_not_in_op",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_match_expression_in_op",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_match_expression_exists_op",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_match_expression_does_not_exist_op",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_rule_with_multiple_match_expressions",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_1",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_2",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_3",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_4",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_5",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_6",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_multiple_policies_1", // one workload in manifests
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_multiple_policies_2", // two workloads in manifests, each policy captures one
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	// some exposure tests with matching expressions (from above) with also matching pod/s in the manifests
+	{
+		testDirName:      "test_egress_exposure_with_named_port_with_matching_pod",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_rule_with_multiple_match_expressions_with_matching_pod",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_2_with_matching_pod",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_3_with_matching_pod",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_4_with_matching_pods",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_5_with_matching_pods",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_different_rules_6_with_matching_pods",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_match_expression_does_not_exist_op_with_matching_pods",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_match_expression_exists_op_with_matching_pods",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_match_expression_in_op_with_matching_pod",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_match_expression_not_in_op_with_matching_pods",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_new_namespace_conn_and_entire_cluster_with_matching_pod",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
+	{
+		testDirName:      "test_exposure_with_multiple_policies_1_with_matching_pod",
+		exposureAnalysis: true,
+		outputFormats:    ValidFormats,
+	},
 }

pkg/netpol/connlist/conns_formatter.go

@@ -11,6 +11,7 @@ import (
 	"sort"
 	"strings"
 
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
 
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
@@ -77,11 +78,16 @@ func formSingleP2PConn(conn Peer2PeerConnection) singleConnFields {
 	return singleConnFields{Src: conn.Src().String(), Dst: conn.Dst().String(), ConnString: connStr}
 }
 
+// commonly (to be) used for exposure analysis output formatters
 const (
 	entireCluster          = "entire-cluster"
 	exposureAnalysisHeader = "Exposure Analysis Result:"
 	egressExposureHeader   = "Egress Exposure:"
 	ingressExposureHeader  = "Ingress Exposure:"
+	stringInBrackets       = "[%s]"
+	mapOpen                = "{"
+	mapClose               = "}"
+	comma                  = ","
 )
 
 // formSingleExposureConn returns a representation of single exposure connection fields as singleConnFields object
@@ -108,24 +114,46 @@ func convertLabelsMapToString(labelsMap map[string]string) string {
 	return labels.SelectorFromSet(labels.Set(labelsMap)).String()
 }
 
-const (
-	stringInBrackets = "[%s]"
-	mapOpen          = "{"
-	mapClose         = "}"
-)
+// convertRequirementsToString returns a string representation of the given requirements list
+func convertRequirementsToString(reqs []v1.LabelSelectorRequirement) string {
+	const strPrefix = "&LabelSelectorRequirement"
+	reqStrings := make([]string, len(reqs))
+	for i, req := range reqs {
+		reqStrings[i] = strings.ReplaceAll(req.String(), strPrefix, "")
+	}
+	sort.Strings(reqStrings)
+	return strings.Join(reqStrings, comma)
+}
+
+// writeLabelSelectorAsString returns a string representation of the label selector
+func writeLabelSelectorAsString(labelSel v1.LabelSelector) string {
+	var res string
+	if len(labelSel.MatchLabels) > 0 {
+		res = convertLabelsMapToString(labelSel.MatchLabels)
+	}
+	if len(labelSel.MatchExpressions) > 0 {
+		if len(labelSel.MatchLabels) > 0 {
+			res += comma
+		}
+		res += convertRequirementsToString(labelSel.MatchExpressions)
+	}
+	return res
+}
 
 // getRepresentativeNamespaceString returns a string representation of a potential peer with namespace labels.
 // if namespace with multiple words adds [] , in case of textual (non-graphical) output
-func getRepresentativeNamespaceString(nsLabels map[string]string, txtOutFlag bool) string {
-	nsName, ok := nsLabels[common.K8sNsNameLabelKey]
-	if len(nsLabels) == 1 && ok {
+func getRepresentativeNamespaceString(nsLabels v1.LabelSelector, txtOutFlag bool) string {
+	// if ns selector contains only namespace name label - return ns name
+	nsName, ok := nsLabels.MatchLabels[common.K8sNsNameLabelKey]
+	if len(nsLabels.MatchLabels) == 1 && len(nsLabels.MatchExpressions) == 0 && ok {
 		return nsName
 	}
-	res := ""
-	if len(nsLabels) > 0 {
-		res += "namespace with " + mapOpen + convertLabelsMapToString(nsLabels) + mapClose
+	// else if ns labels are empty - res = all namespaces
+	var res string
+	if nsLabels.Size() == 0 {
+		res = allNamespacesLbl
 	} else {
-		res += allNamespacesLbl
+		res = "namespace with " + mapOpen + writeLabelSelectorAsString(nsLabels) + mapClose
 	}
 	if txtOutFlag {
 		return fmt.Sprintf(stringInBrackets, res)
@@ -136,12 +164,12 @@ func getRepresentativeNamespaceString(nsLabels map[string]string, txtOutFlag boo
 // getRepresentativePodString returns a string representation of potential peer with pod labels
 // or all pods string for empty pod labels map (which indicates all pods).
 // adds [] in case of textual (non-graphical) output
-func getRepresentativePodString(podLabels map[string]string, txtOutFlag bool) string {
-	res := ""
-	if len(podLabels) == 0 {
-		res += allPeersLbl
+func getRepresentativePodString(podLabels v1.LabelSelector, txtOutFlag bool) string {
+	var res string
+	if podLabels.Size() == 0 {
+		res = allPeersLbl
 	} else {
-		res += "pod with " + mapOpen + convertLabelsMapToString(podLabels) + mapClose
+		res = "pod with " + mapOpen + writeLabelSelectorAsString(podLabels) + mapClose
 	}
 	if txtOutFlag {
 		return fmt.Sprintf(stringInBrackets, res)

pkg/netpol/connlist/exposed_peer.go

@@ -5,7 +5,11 @@ SPDX-License-Identifier: Apache-2.0
 */
 package connlist
 
-import "github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
+import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
+)
 
 // ExposedPeer captures potential ingress and egress connections data for an exposed Peer
 type ExposedPeer interface {
@@ -32,10 +36,10 @@ type ExposedPeer interface {
 type XgressExposureData interface {
 	// IsExposedToEntireCluster indicates if the peer is exposed to all namespaces in the cluster for the relevant direction
 	IsExposedToEntireCluster() bool
-	// NamespaceLabels are matchLabels of potential namespaces which the peer might be exposed to
-	NamespaceLabels() map[string]string
-	// PodLabels are matchLabels of potential pods which the peer might be exposed to
-	PodLabels() map[string]string
+	// NamespaceLabels are label selectors of potential namespaces which the peer might be exposed to
+	NamespaceLabels() v1.LabelSelector
+	// PodLabels are label selectors of potential pods which the peer might be exposed to
+	PodLabels() v1.LabelSelector
 	// PotentialConnectivity the potential connectivity of the exposure
 	PotentialConnectivity() common.Connection
 }

pkg/netpol/connlist/exposure_analysis.go

@@ -6,6 +6,8 @@ SPDX-License-Identifier: Apache-2.0
 package connlist
 
 import (
+	v1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
 	"github.com/np-guard/netpol-analyzer/pkg/netpol/internal/common"
 )
 
@@ -34,12 +36,12 @@ type peerXgressExposureData struct {
 type xgressExposure struct {
 	// exposedToEntireCluster indicates if the peer is exposed to all namespaces in the cluster for the relevant direction
 	exposedToEntireCluster bool
-	// namespaceLabels are matchLabels of potential namespaces which the peer might be exposed to.
+	// namespaceLabels are label selectors of potential namespaces which the peer might be exposed to.
 	// if exposedToEntireCluster is true, this field will be empty
-	namespaceLabels map[string]string
-	// podLabels are matchLabels of potential pods which the peer might be exposed to.
+	namespaceLabels v1.LabelSelector
+	// podLabels are label selectors of potential pods which the peer might be exposed to.
 	// if exposedToEntireCluster is true, this field will be empty
-	podLabels map[string]string
+	podLabels v1.LabelSelector
 	// potentialConn the potential connectivity of the exposure
 	potentialConn *common.ConnectionSet
 }
@@ -48,11 +50,11 @@ func (e *xgressExposure) IsExposedToEntireCluster() bool {
 	return e.exposedToEntireCluster
 }
 
-func (e *xgressExposure) NamespaceLabels() map[string]string {
+func (e *xgressExposure) NamespaceLabels() v1.LabelSelector {
 	return e.namespaceLabels
 }
 
-func (e *xgressExposure) PodLabels() map[string]string {
+func (e *xgressExposure) PodLabels() v1.LabelSelector {
 	return e.podLabels
 }
 

pkg/netpol/connlist/exposure_analysis_test.go

@@ -9,6 +9,7 @@ import (
 	"testing"
 
 	v1 "k8s.io/api/core/v1"
+	metaV1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/util/intstr"
 
 	"github.com/np-guard/netpol-analyzer/pkg/internal/testutils"
@@ -46,6 +47,9 @@ var peerExposedToEntireClusterOnTCP8050 *xgressExposure = &xgressExposure{
 	potentialConn:          newTCPConnWithPorts([]int{8050}),
 }
 
+var matchExpression []metaV1.LabelSelectorRequirement = []metaV1.LabelSelectorRequirement{{Key: "foo.com/managed-state",
+	Operator: metaV1.LabelSelectorOpIn, Values: []string{"managed"}}}
+
 func newTCPConnWithPorts(ports []int) *common.ConnectionSet {
 	conn := common.MakeConnectionSet(false)
 	portSet := common.MakePortSet(false)
@@ -56,15 +60,15 @@ func newTCPConnWithPorts(ports []int) *common.ConnectionSet {
 	return conn
 }
 
-func newExpDataWithLabelAndTCPConn(nsLabels, podLabels map[string]string, ports []int) *xgressExposure {
+func newExpDataWithLabelAndTCPConn(nsSel, podSel metaV1.LabelSelector, ports []int) *xgressExposure {
 	conn := common.MakeConnectionSet(true)
 	if len(ports) > 0 {
 		conn = newTCPConnWithPorts(ports)
 	}
 	return &xgressExposure{
 		exposedToEntireCluster: false,
-		namespaceLabels:        nsLabels,
-		podLabels:              podLabels,
+		namespaceLabels:        nsSel,
+		podLabels:              podSel,
 		potentialConn:          conn,
 	}
 }
@@ -149,7 +153,7 @@ func TestExposureBehavior(t *testing.T) {
 				lenIngressExposedConns: 2,
 				ingressExp: []*xgressExposure{
 					peerExposedToEntireClusterOnTCP8050,
-					newExpDataWithLabelAndTCPConn(map[string]string{"foo.com/managed-state": "managed"}, nil, []int{8050, 8090}),
+					newExpDataWithLabelAndTCPConn(metaV1.LabelSelector{MatchExpressions: matchExpression}, metaV1.LabelSelector{}, []int{8050, 8090}),
 				},
 				lenEgressExposedConns: 0,
 			},
@@ -184,9 +188,11 @@ func TestExposureBehavior(t *testing.T) {
 				isEgressProtected:      false,
 				lenIngressExposedConns: 3,
 				ingressExp: []*xgressExposure{
-					newExpDataWithLabelAndTCPConn(map[string]string{"foo.com/managed-state": "managed"}, nil, []int{8050}),
-					newExpDataWithLabelAndTCPConn(map[string]string{"release": "stable"}, nil, []int{}),
-					newExpDataWithLabelAndTCPConn(map[string]string{"effect": "NoSchedule"}, nil, []int{8050}),
+					newExpDataWithLabelAndTCPConn(metaV1.LabelSelector{MatchExpressions: matchExpression}, metaV1.LabelSelector{}, []int{8050}),
+					newExpDataWithLabelAndTCPConn(metaV1.LabelSelector{MatchLabels: map[string]string{"release": "stable"}},
+						metaV1.LabelSelector{}, []int{}),
+					newExpDataWithLabelAndTCPConn(metaV1.LabelSelector{MatchLabels: map[string]string{"effect": "NoSchedule"}},
+						metaV1.LabelSelector{}, []int{8050}),
 				},
 				lenEgressExposedConns: 0,
 			},
@@ -262,8 +268,8 @@ func TestExposureBehavior(t *testing.T) {
 				lenIngressExposedConns: 1,
 				lenEgressExposedConns:  1,
 				ingressExp: []*xgressExposure{
-					newExpDataWithLabelAndTCPConn(map[string]string{common.K8sNsNameLabelKey: "backend"},
-						map[string]string{}, []int{8050}),
+					newExpDataWithLabelAndTCPConn(metaV1.LabelSelector{MatchLabels: map[string]string{common.K8sNsNameLabelKey: "backend"}},
+						metaV1.LabelSelector{}, []int{8050}),
 				},
 				egressExp: []*xgressExposure{
 					peerExposedToEntireCluster,
@@ -280,7 +286,8 @@ func TestExposureBehavior(t *testing.T) {
 				lenIngressExposedConns: 1,
 				lenEgressExposedConns:  0,
 				ingressExp: []*xgressExposure{
-					newExpDataWithLabelAndTCPConn(map[string]string{"effect": "NoSchedule"}, map[string]string{"role": "monitoring"}, []int{8050}),
+					newExpDataWithLabelAndTCPConn(metaV1.LabelSelector{MatchLabels: map[string]string{"effect": "NoSchedule"}},
+						metaV1.LabelSelector{MatchLabels: map[string]string{"role": "monitoring"}}, []int{8050}),
 				},
 			},
 		},
@@ -294,7 +301,8 @@ func TestExposureBehavior(t *testing.T) {
 				lenIngressExposedConns: 1,
 				lenEgressExposedConns:  0,
 				ingressExp: []*xgressExposure{
-					newExpDataWithLabelAndTCPConn(map[string]string{common.K8sNsNameLabelKey: "hello-world"}, map[string]string{"role": "monitoring"},
+					newExpDataWithLabelAndTCPConn(metaV1.LabelSelector{MatchLabels: map[string]string{common.K8sNsNameLabelKey: "hello-world"}},
+						metaV1.LabelSelector{MatchLabels: map[string]string{"role": "monitoring"}},
 						[]int{8050}),
 				},
 			},