-
Notifications
You must be signed in to change notification settings - Fork 34
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(Policy Assistant): data structures simulating connectivity for (B)ANP #159
feat(Policy Assistant): data structures simulating connectivity for (B)ANP #159
Conversation
✅ Deploy Preview for kubernetes-sigs-network-policy-api ready!
To edit notification comments on pull requests, go to your Netlify site configuration. |
Hi @huntergregory. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
@@ -23,7 +22,6 @@ import ( | |||
const ( | |||
ParseMode = "parse" | |||
ExplainMode = "explain" | |||
LintMode = "lint" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removing Lint mode since it had compile issues with new structures. This mode flagged Pods (Targets) with NetworkPolicies that fail certain checks e.g. all ingress denied or NetPol doesn’t define the protocol (defaulting to TCP))
@@ -26,6 +29,73 @@ type Table struct { | |||
Wrapped *TruthTable | |||
} | |||
|
|||
func NewTableWithDefaultConnectivity(r *Resources, ingress, egress Connectivity) *Table { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Additions to the probe pkg are just utils for integration testing and debugging
f7208d9
to
dfb7871
Compare
dfb7871
to
1978a22
Compare
/ok-to-test |
Hi @huntergregory thanks for picking this up , I'm excited about where you're taking this! I'll take some time over the next couple of days to dig into this PR; if there's anything else I can do to help please let me know! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Took a first pass here and it LGTM I know this is just the beginning of a larger development task.
Thanks for the work @huntergregory!! Once these small comments are addressed I'll approve just barring any changes @mattfenwick Want's to see 👍
One thing to think about though is let's start thinking about
- Documentation
- Automatic artifact deploying
- Automated CI
most likely best done in follow ups.
@@ -16,6 +16,8 @@ type Resources struct { | |||
Namespaces map[string]map[string]string | |||
Pods []*Pod | |||
//ExternalIPs []string |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: Do we need all these erroneous externelIP comments? If so let's make an issue for any work that needs to be added for external IP support (Although there may be none and we may be able to just delete these comments)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Created #169. Seems like it could have value
@@ -3,6 +3,8 @@ package connectivity | |||
import ( | |||
"github.com/mattfenwick/cyclonus/pkg/connectivity/probe" | |||
"github.com/mattfenwick/cyclonus/pkg/matcher" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should these be vendored from our bits internally?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'll circle back on this. Currently getting the following error when running go mod tidy
:
go: github.com/mattfenwick/cyclonus/cmd/policy-assistant imports
sigs.k8s.io/network-policy-api/cmd/policy-assistant/pkg/cli: module sigs.k8s.io/network-policy-api@latest found (v0.1.2), but does not contain package sigs.k8s.io/network-policy-api/cmd/policy-assistant/pkg/cli
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK please make an issue 👍
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tracking here: #170
cmd/cyclonus/README.md
Outdated
@@ -1,51 +1,16 @@ | |||
# Cyclonus | |||
# NetworkPolicy Assistant (derived from Cyclonus) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should we just make this Policy Assistant
since it's gonna support NP/ANP/BANP etc?
Can you change the cmd/cyclonus
dir to cmd/policy-assistant
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also can you change all the make targets / binary name to policy-assistent as well?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Policy Assistant is much better! Changed the dir to cmd/policy-assistant
.
Still need to adjust Makefile and rename cmd/policy-assistant/cmd/cyclonus/
. Seems there are 37 non-go files that reference "cyclonus", including some artifacts and CI.
Since the PR is already so large, I'd recommend making those changes in another PR to limit the scope of this one
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yep follow up!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tracking here: #171
Hey @mattfenwick, gentle ping here. Any thoughts/ideas on this code or this project's trajectory? |
// This matcher is modeled after the confusing behavior of v1 NetPol's Port field. | ||
// We map NetworkPolicy v2 to this matcher despite v2's better approach to distinguishing named ports from a port number. | ||
// This matcher requires that you specify the Protocol for a NamedPort. | ||
// In NetPol v1, there is the pathological case where the user can define a NetworkPolicy rule allowing a NamedPort on the wrong Protocol. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Interesting, I didn't realize this. Glad you pointed this out! 😄
Big hat tip to @huntergregory , I'm on board with these changes ! This looks to me like an effective way to move forward with supporting ANP/BANP. I'm curious to hear your opinion on whether any parts feel excessively clunky, or if this all feels like something that will fit together well. I personally don't see any risks but just want to hear your opinion on this. One thing I always struggled with in Cyclonus was naming. Since ANP/BANP has new concepts, this of course means netpol-assistant (sorry: I'm not sure what the new name is?) needs more naming: I like the new I also like the distinction between v1 and v2 netpols, that was a tricky one and I appreciate the way you've handled that. tl,dr; Anything in particular you'd like me to look at more closely? |
/approve |
/lgtm @huntergregory Asked for like one other issue but otherwise let's keep moving forward! Thanks for the review @mattfenwick! |
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: astoycos, huntergregory, mattfenwick The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Thanks @mattfenwick for that review and your perspective!
Nothing in mind. Thanks!
No concerns on my side. I think this design will allow us to simulate connectivity and run conformance tests agnostic to the Policy used (NetPol, ANP, or BANP). Visualizations (e.g. explaining a policy) should be fairly simple too. Right now, there are a couple type checks for whether a matcher is v1 or v2. Hopefully we can keep that number low and introduce interface methods if needed. |
…ernetes-sigs#240 (building policies) Signed-off-by: Hunter Gregory <[email protected]>
Fixes #152. Related to #150.
This PR makes Cyclonus support ANP/BANP/NetPol v1 and their interactions. Simulated prober is showing correct connectivity matrix results for these.
This PR also introduces an integration/debugging test suite.
Implementation
matcher
pkg, starting atBuildV1AndV2NetPols()
.Pods
orNamespaces
field is set).Testing
make cyclonus
cyclonus analyze --mode=explain
cyclonus generate ...
Example Connectivity Matrix
Example 2