W.I.P Extend anp egress peer #447
Conversation
…rt_admin_netpolicy
…ll but: udp 5353 instead of SCTP 1-65535,TCP 1-65535,UDP 1-5352,5354-65535)
…t) for connectionSet
…licies in the input resources
…tend_anp_egress_peer
pkg/netpol/eval/resources.go
Outdated
| @@ -59,8 +61,9 @@ type ( | |||
| ) | |||
|
|
|||
| // NewPolicyEngine returns a new PolicyEngine with an empty initial state | |||
| func NewPolicyEngine() *PolicyEngine { | |||
| func NewPolicyEngine(l logger.Logger) *PolicyEngine { | |||
There was a problem hiding this comment.
can avoid breaking current exported functions API ?
There was a problem hiding this comment.
reverted this change
pkg/netpol/eval/resources.go
Outdated
| @@ -71,16 +74,16 @@ func NewPolicyEngine() *PolicyEngine { | |||
| } | |||
| } | |||
|
|
|||
| func NewPolicyEngineWithObjects(objects []parser.K8sObject) (*PolicyEngine, error) { | |||
| pe := NewPolicyEngine() | |||
| func NewPolicyEngineWithObjects(objects []parser.K8sObject, l logger.Logger) (*PolicyEngine, error) { | |||
There was a problem hiding this comment.
reverted this change
pkg/netpol/eval/resources.go
Outdated
| err := pe.addObjectsByKind(objects) | ||
| return pe, err | ||
| } | ||
|
|
||
| // NewPolicyEngineWithOptions returns a new policy engine with an empty state but updating the exposure analysis flag | ||
| // TBD: currently exposure-analysis is the only option supported by policy-engine, so no need for options list param | ||
| func NewPolicyEngineWithOptions(exposureFlag bool) *PolicyEngine { | ||
| pe := NewPolicyEngine() | ||
| func NewPolicyEngineWithOptions(exposureFlag bool, l logger.Logger) *PolicyEngine { |
There was a problem hiding this comment.
there is an option WithLogger in connlist, can it be used here as well, as an option for NewPolicyEngineWithOptions ?
Instead of breaking the exported functions API?
better using same pattern as in connlist, have dedicated function "With.." for each option, and a dedicated type such as type ConnlistAnalyzerOption func(*ConnlistAnalyzer).
There was a problem hiding this comment.
is it ok to change the input parameter of NewPolicyEngineWithOptions to be a list of options ...PolicyEngineOption?
(the options will include both the exposure flag and logger)
or this will be considered as API breaking?
There was a problem hiding this comment.
this is also API breaking..
can add new func NewPolicyEngineWithOptionsList to be used with the new type of options, and add a comment for the NewPolicyEngineWithOptions that it is deprecated.
| //////////////////////////////////////////////////////////////////////////////////////////// | ||
|
|
||
| // AdminNetworkPolicy is an alias for k8s adminNetworkPolicy object | ||
| type AdminNetworkPolicy apisv1a.AdminNetworkPolicy | ||
| type AdminNetworkPolicy struct { |
There was a problem hiding this comment.
please move this type to be at the top of this file (also for banp)
There was a problem hiding this comment.
done; (the banp struct is on top of its file)
There was a problem hiding this comment.
why is the ingress connections cidrs split, if not impacted by netpols?
if this is due to computation of disjoint cidrs, should consider separate the computation to ingress and egress, so that refinement is not "global", but per each direction separately.
There was a problem hiding this comment.
warning formats: be consistent with current format, for example:
$ ./bin/k8snetpolicy list --dirpath tests/bad_netpols/subdir5/
2024/12/01 15:12:11 Network policy "default/shippingservice-netpol": port name: "abc" has no match in the configuration of the destination peer "default/shippingservice-1"; it will be ignored, and will not appear in the connectivity results.
0.0.0.0-255.255.255.255 => default/adservice[Deployment] : All Connections
0.0.0.0-255.255.255.255 => default/cartservice[Deployment] : All Connections
0.0.0.0-255.255.255.255 => default/checkoutservice[Deployment] : All Connections
and example from current implementation:
r$ ./bin/k8snetpolicy list --dirpath tests/anp_and_banp_using_networks_with_ipv6_test/
2024/12/01 15:14:13 admin network policy "network-as-egress-peer": Warning in rule "allow-all-egress-to-intranet": IPv6 addresses are not supported; it will be ignored, and will not appear in the connectivity results.
can be changed to:
admin network policy "network-as-egress-peer": in rule "allow-all-egress-to-intranet": IPv6 addresses are not supported
also, better explain the impact of the "IPV6 not supported" warning in the README documentation.
Also, in this example (from anp_and_banp_using_networks_with_ipv6_test) there are 2 actual warnings, repeated multiple times in the log.. can this be fixed? |
There was a problem hiding this comment.
can enhance this example with some cidr range contained in "pass" to be allowed by regular network policy, and so that there is another cidr range in "pass" reaching the "base" ANP as in the current example. (so that it demonstrates effect of both levels of NP and BANP for pass of IP-block).
| minimumPort = 1 | ||
| maximumPort = 65535 |
There was a problem hiding this comment.
ports are already defined in pkg/netpol/internal/common/portset.go (can be exported and used from there)
| // raising a warning that the "named port" of the rule is ignored, since it has no match in the pod config. | ||
| np.Logger.Warnf(np.netpolWarning(alerts.WarnUnmatchedNamedPort(portName, dst.String()))) | ||
| } | ||
| } // @tbd should raise a warning/error if the portRange is empty (when also namedPort is empty) |
There was a problem hiding this comment.
as for "tbd should raise a warning/error if the portRange is empty" :
please add an example test covering this case.. what is the output currently? can a warning by sufficient? (rule becomes ineffective?)
There was a problem hiding this comment.
added a test.
currently an empty port range is ignored (skipped);
so on one hand I can add a warning (since no problems are caused); but on the other hand according to this
end port:
This field cannot be defined if the port field is not defined or if the port field is defined as a named (string) port. The endPort must be equal or greater than port
.
so it is illegal; does this mean we should raise an error?
There was a problem hiding this comment.
ok, so let's change to an error (to be consistent, if for other invalid values in policy resource an error is issued).
| @@ -185,9 +412,15 @@ func ruleConnections(ports *[]apisv1a.AdminNetworkPolicyPort, dst Peer) (*common | |||
| } | |||
| portSet.AddPort(intstr.FromInt32(anpPort.PortNumber.Port)) | |||
| case anpPort.NamedPort != nil: | |||
| if dst.PeerType() == IPBlockType { | |||
| // IPblock does not have named-ports defined | |||
| // @tbd should return error? (a rule that combines networks and pods may have such port?) | |||
There was a problem hiding this comment.
as for "tbd" comment: can add an example test for this case as well?
if a consistent connectivity output is possible, a warning is preferred.
There was a problem hiding this comment.
done; added test anp_test_named_ports_multiple_peers with a warning that the named-port is ignored for an IP-Block
made tiny fixes so warnings from netpols and ANPs be consistent (actually, both warnings from netpols and anps were added in this PR). |
the warning is logged each time the rule is scanned - for finding allowed conns between two peers (different peers each time); |
ok, let's fix this in this branch |
base PR: #380
issue: #442
Networksfield inAdminNetworkPolicyEgressPeer