
feat(Policy Assistant): data structures simulating connectivity for (B)ANP #159

Merged

Conversation

@huntergregory (Contributor) commented Oct 18, 2023

Fixes #152. Related to #150.

This PR makes Cyclonus support ANP/BANP/NetPol v1 and their interactions. Simulated prober is showing correct connectivity matrix results for these.

This PR also introduces an integration/debugging test suite.

Implementation

  • Wraps/modifies existing types to support ANP/BANP. Bulk of changes is in the matcher pkg, starting at BuildV1AndV2NetPols().
  • Includes validation of ANP/BANP (e.g., exactly one of Pods or Namespaces field is set).

Testing

  • Integration tests (test/integration/integration_test.go)
  • No regressions to v1 NetPols. Can still:
    • make cyclonus
    • Table summary: cyclonus analyze --mode=explain
    • Conformance tests: cyclonus generate ...

Example Connectivity Matrix

=== RUN   TestANPWithBANP/BANP_deny_all_after_ANP
    integration_test.go:1363: validated ingress:
        +--------+---------+---------+---------+---------+
        | TCP/80 |   X/A   |   X/B   |   Y/A   |   Y/B   |
        | TCP/81 |         |         |         |         |
        | UDP/80 |         |         |         |         |
        | UDP/81 |         |         |         |         |
        +--------+---------+---------+---------+---------+
        | x/a    | X X . X | X X X X | X X X X | X X X X |
        +--------+---------+---------+---------+---------+
        | x/b    | X X . X | X X X X | X X X X | X X X X |
        +--------+---------+---------+---------+---------+
        | y/a    | X X X X | X X X X | X X X X | X X X X |
        +--------+---------+---------+---------+---------+
        | y/b    | X X X X | X X X X | X X X X | X X X X |
        +--------+---------+---------+---------+---------+

Example 2

=== RUN   TestANPConnectivity/ingress_same_labels_port_range
    integration_test.go:1363: validated ingress:
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | TCP/80 |   X/A   |   X/B   |   X/C   |   Y/A   |   Y/B   |   Y/C   |   Z/A   |   Z/B   |   Z/C   |
        | TCP/81 |         |         |         |         |         |         |         |         |         |
        | UDP/80 |         |         |         |         |         |         |         |         |         |
        | UDP/81 |         |         |         |         |         |         |         |         |         |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | x/a    | X X . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | x/b    | X X . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | x/c    | X X . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | y/a    | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | y/b    | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | y/c    | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | z/a    | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | z/b    | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
        | z/c    | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . | . . . . |
        +--------+---------+---------+---------+---------+---------+---------+---------+---------+---------+
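The matrices above are the output of a simulated prober, so each cell is one precedence decision: AdminNetworkPolicies first, in priority order, with a Pass rule deferring; then any NetworkPolicy v1 that selects the destination pod, which alone decides for that pod; then the BaselineAdminNetworkPolicy; then the default allow. The following Go program is an added example of that decision procedure together with the subject validation the description mentions (exactly one of Namespaces or Pods set). It is not the project's code: the Labels, Subject, Policy, Scenario and IngressVerdict names are this example's own, a v1 NetPol is expressed in the same selector shape as the admin policies with its namespace made explicit, ports are "proto/number" strings, and the namespaces, pods and policies in Scenario are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
)

// Labels stands in for a metav1.LabelSelector; an empty map selects everything.
type Labels map[string]string

func selects(sel, have Labels) bool {
	for k, v := range sel {
		if have[k] != v {
			return false
		}
	}
	return true
}

type Pod struct{ Namespace string; Labels Labels }

// Subject mirrors AdminNetworkPolicySubject and its ingress peer: set Namespaces to select whole
// namespaces, or PodLabels (plus PodNamespaces) to select pods; nil means "not set".
type Subject struct{ Namespaces, PodNamespaces, PodLabels Labels }

// Validate enforces the API rule that exactly one of Namespaces or Pods is set.
func (s Subject) Validate() error {
	if (s.Namespaces == nil) == (s.PodLabels == nil) {
		return fmt.Errorf("subject: exactly one of namespaces or pods must be set")
	}
	return nil
}

func (s Subject) matches(p Pod, ns map[string]Labels) bool {
	if s.Namespaces != nil {
		return selects(s.Namespaces, ns[p.Namespace])
	}
	return selects(s.PodNamespaces, ns[p.Namespace]) && selects(s.PodLabels, p.Labels)
}

type Action string // Allow, Deny or Pass; Pass is ANP-only and defers to NetPol v1, then the BANP
const Allow, Deny, Pass Action = "Allow", "Deny", "Pass"

// Rule is one ingress rule; Ports holds "proto/number" keys, nil means any port.
type Rule struct{ Action Action; From Subject; Ports map[string]bool }

// Policy is the common shape for an ANP (lower Priority evaluated first), the BANP, and a
// NetPol v1 rewritten into the same selectors (v1 rules are all Allow).
type Policy struct{ Priority int; Subject Subject; Ingress []Rule }

// verdict reports whether p selects dst and, if so, the first rule matching src and port.
func (p Policy) verdict(src, dst Pod, port string, ns map[string]Labels) (act Action, selected, hit bool) {
	if !p.Subject.matches(dst, ns) {
		return "", false, false
	}
	for _, r := range p.Ingress {
		if r.From.matches(src, ns) && (r.Ports == nil || r.Ports[port]) {
			return r.Action, true, true
		}
	}
	return "", true, false
}

// IngressVerdict applies the API precedence for src -> dst on port: ANPs by priority (Pass
// defers), then NetPol v1 (if any selects dst, it alone decides), then BANP, then Allow.
func IngressVerdict(src, dst Pod, port string, ns map[string]Labels, anps, v1, banp []Policy) Action {
	sort.SliceStable(anps, func(i, j int) bool { return anps[i].Priority < anps[j].Priority })
	for _, p := range anps {
		if act, _, hit := p.verdict(src, dst, port, ns); hit {
			if act == Pass {
				break
			}
			return act
		}
	}
	isolated := false
	for _, p := range v1 {
		if _, selected, hit := p.verdict(src, dst, port, ns); hit {
			return Allow
		} else if selected {
			isolated = true
		}
	}
	if isolated {
		return Deny
	}
	for _, p := range banp {
		if act, _, hit := p.verdict(src, dst, port, ns); hit {
			return act
		}
	}
	return Allow
}

// Scenario is constructed for this example: namespaces x and y; pods x/a, x/b, y/a; two ANPs listed
// out of priority order; a v1 NetPol isolating x/b; and a BANP that allows app=b and denies the rest.
func Scenario() (ns map[string]Labels, pods map[string]Pod, anps, v1, banp []Policy) {
	ns = map[string]Labels{"x": {"ns": "x"}, "y": {"ns": "y"}}
	pods = map[string]Pod{"x/a": {"x", Labels{"app": "a"}}, "x/b": {"x", Labels{"app": "b"}}, "y/a": {"y", Labels{"app": "a"}}}
	inX, inY, all := Subject{Namespaces: Labels{"ns": "x"}}, Subject{Namespaces: Labels{"ns": "y"}}, Subject{Namespaces: Labels{}}
	appA, appB := Subject{PodNamespaces: Labels{}, PodLabels: Labels{"app": "a"}}, Subject{PodNamespaces: Labels{}, PodLabels: Labels{"app": "b"}}
	tcp80, tcp8081 := map[string]bool{"TCP/80": true}, map[string]bool{"TCP/80": true, "TCP/81": true}
	anps = []Policy{{10, inX, []Rule{{Pass, inY, nil}, {Allow, appA, tcp8081}}}, {5, inX, []Rule{{Deny, appA, tcp80}}}}
	xA, xB := Subject{PodNamespaces: Labels{"ns": "x"}, PodLabels: Labels{"app": "a"}}, Subject{PodNamespaces: Labels{"ns": "x"}, PodLabels: Labels{"app": "b"}}
	v1 = []Policy{{0, xB, []Rule{{Allow, xA, nil}}}}
	banp = []Policy{{0, inX, []Rule{{Allow, appB, nil}, {Deny, all, nil}}}}
	return
}

func main() {
	ns, pods, anps, v1, banp := Scenario()
	fmt.Println("y/a -> x/a TCP/81:", IngressVerdict(pods["y/a"], pods["x/a"], "TCP/81", ns, anps, v1, banp)) // ANP Pass, no v1, BANP: Deny
}
```

Two properties of the real API are worth checking against any simulator: a v1 NetworkPolicy that selects the destination pod shadows the BANP completely (x/b -> x/b is denied here although the BANP would have allowed app=b), and an ANP Pass only skips the remaining ANPs, so y/a -> x/a still ends in the BANP's deny. Priority ordering is what makes the priority-5 deny beat the priority-10 allow on TCP/80, regardless of the order the policies were listed in.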

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Oct 18, 2023
netlify bot commented Oct 18, 2023

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Latest commit: 0c79736
Latest deploy log: https://app.netlify.com/sites/kubernetes-sigs-network-policy-api/deploys/6543f0993a1eba0008e11152
Deploy Preview: https://deploy-preview-159--kubernetes-sigs-network-policy-api.netlify.app

@k8s-ci-robot k8s-ci-robot added the needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. label Oct 18, 2023
@k8s-ci-robot (Contributor):

Hi @huntergregory. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added the size/XXL Denotes a PR that changes 1000+ lines, ignoring generated files. label Oct 18, 2023
@huntergregory huntergregory changed the title feat(Netpol Assistant): data structures simulating connectivity matrix for ANP/BANP feat(Netpol Assistant): data structures simulating connectivity for (B)ANP Oct 18, 2023
@@ -23,7 +22,6 @@ import (
const (
ParseMode = "parse"
ExplainMode = "explain"
LintMode = "lint"
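Review bot: the hunk header (-23,7 +22,6) says one line leaves this const block, but the rendered lines do not mark which one; the author's comment below says it is LintMode. Wherever these mode constants are matched, `--mode=lint` should now be rejected with an explicit error that lists the modes that remain (parse, explain, ...) rather than falling through silently, and the checks lint performed (pods with all ingress denied, rules with no protocol that default to TCP) deserve a tracking issue so they are not lost with the mode.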
Contributor Author:

Removing Lint mode since it had compile issues with new structures. This mode flagged Pods (Targets) with NetworkPolicies that fail certain checks, e.g. all ingress denied or NetPol doesn't define the protocol (defaulting to TCP).

@@ -26,6 +29,73 @@ type Table struct {
Wrapped *TruthTable
}

func NewTableWithDefaultConnectivity(r *Resources, ingress, egress Connectivity) *Table {
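Review bot: NewTableWithDefaultConnectivity(r *Resources, ingress, egress Connectivity) has no doc comment saying what the "default connectivity" is (the value every from/to cell of the wrapped TruthTable starts with before any policy is applied?). Since the author's comment says these probe additions are integration-test and debugging utilities, either state that in the comment or keep them in a test-only file so they do not ship in the binary.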
Contributor Author:

Additions to the probe pkg are just utils for integration testing and debugging

@astoycos (Member):

/ok-to-test

@k8s-ci-robot k8s-ci-robot added ok-to-test Indicates a non-member PR verified by an org member that is safe to test. and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels Oct 20, 2023
@astoycos astoycos self-assigned this Oct 20, 2023
@mattfenwick (Contributor):

Hi @huntergregory thanks for picking this up , I'm excited about where you're taking this!

I'll take some time over the next couple of days to dig into this PR; if there's anything else I can do to help please let me know!

@astoycos (Member) left a comment:

Took a first pass here and it LGTM. I know this is just the beginning of a larger development task.

Thanks for the work @huntergregory!! Once these small comments are addressed I'll approve, barring any changes @mattfenwick wants to see 👍

One thing to think about though is let's start thinking about

  • Documentation
  • Automatic artifact deploying
  • Automated CI

most likely best done in follow ups.

@@ -16,6 +16,8 @@ type Resources struct {
Namespaces map[string]map[string]string
Pods []*Pod
//ExternalIPs []string
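Review bot: the commented-out `//ExternalIPs []string` field in Resources is dead code that will drift from whatever external-IP support eventually looks like; drop it, or replace it with a one-line comment pointing at the tracking issue the author opens below (#169). While touching the struct, a doc comment on Namespaces stating that it is keyed by namespace name with the value being that namespace's label map would help, since the matcher's namespace selectors depend on that shape.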
Member:

nit: Do we need all these erroneous externalIP comments? If so, let's make an issue for any work that needs to be added for external IP support (although there may be none and we may be able to just delete these comments).

Contributor Author:

Created #169. Seems like it could have value

@@ -3,6 +3,8 @@ package connectivity
import (
"github.com/mattfenwick/cyclonus/pkg/connectivity/probe"
"github.com/mattfenwick/cyclonus/pkg/matcher"
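Review bot: the two added imports pull `pkg/connectivity/probe` and `pkg/matcher` from the external module github.com/mattfenwick/cyclonus rather than from this repository's copy under cmd/policy-assistant, so the in-tree code compiles against whichever upstream version go.mod resolves and the ANP/BANP changes made here are not the ones being imported. The import paths should point at the in-repo packages once the module-path problem the author describes below is fixed (tracked as #170), with `go mod tidy` run in the same change so the dependency on the upstream module disappears.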
Member:

Should these be vendored from our bits internally?

Contributor Author:

I'll circle back on this. Currently getting the following error when running go mod tidy:

go: github.com/mattfenwick/cyclonus/cmd/policy-assistant imports
        sigs.k8s.io/network-policy-api/cmd/policy-assistant/pkg/cli: module sigs.k8s.io/network-policy-api@latest found (v0.1.2), but does not contain package sigs.k8s.io/network-policy-api/cmd/policy-assistant/pkg/cli

Member:

OK please make an issue 👍

Contributor Author:

Tracking here: #170

Resolved (outdated) review threads on: cmd/cyclonus/pkg/connectivity/stepresult.go, cmd/cyclonus/pkg/matcher/builder.go (two threads), cmd/cyclonus/pkg/matcher/explain.go
@@ -1,51 +1,16 @@
# Cyclonus
# NetworkPolicy Assistant (derived from Cyclonus)
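Review bot: the hunk header (-1,51 +1,16) shows the README shrinking from 51 to 16 lines while the heading changes to "NetworkPolicy Assistant (derived from Cyclonus)". Because the binary, the make targets and the cmd/cyclonus/ directory keep the old name until the rename follow-up (#171 below), the shortened README should say explicitly that the tool is still built and invoked as `cyclonus` for now, so the `make cyclonus` and `cyclonus analyze` commands in the PR description keep matching what a reader finds.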
Member:

Should we just make this Policy Assistant since it's gonna support NP/ANP/BANP etc?

Can you change the cmd/cyclonus dir to cmd/policy-assistant

Member:

Also, can you change all the make targets / binary name to policy-assistant as well?

Contributor Author:

Policy Assistant is much better! Changed the dir to cmd/policy-assistant.

Still need to adjust Makefile and rename cmd/policy-assistant/cmd/cyclonus/. Seems there are 37 non-go files that reference "cyclonus", including some artifacts and CI.

Since the PR is already so large, I'd recommend making those changes in another PR to limit the scope of this one

Member:

Yep follow up!

Contributor Author:

Tracking here: #171

@huntergregory huntergregory changed the title feat(Netpol Assistant): data structures simulating connectivity for (B)ANP feat(Policy Assistant): data structures simulating connectivity for (B)ANP Oct 31, 2023
@huntergregory (Contributor Author):

Hi @huntergregory thanks for picking this up , I'm excited about where you're taking this!

I'll take some time over the next couple of days to dig into this PR; if there's anything else I can do to help please let me know!

Hey @mattfenwick, gentle ping here. Any thoughts/ideas on this code or this project's trajectory?

// This matcher is modeled after the confusing behavior of v1 NetPol's Port field.
// We map NetworkPolicy v2 to this matcher despite v2's better approach to distinguishing named ports from a port number.
// This matcher requires that you specify the Protocol for a NamedPort.
// In NetPol v1, there is the pathological case where the user can define a NetworkPolicy rule allowing a NamedPort on the wrong Protocol.
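Review bot: the comment names the v1 pathological case (a rule allowing a NamedPort on the wrong Protocol) but not what this matcher does with it: whether such a rule matches nothing, is rejected when the matcher is built, or is resolved to the named port on the protocol the pod actually declares. State the chosen behaviour in the comment, since that verdict is exactly what the integration tables are checked against. It would also help to name the ANP/BANP types being mapped here instead of "NetworkPolicy v2", which is not the API's own name.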
Contributor:

Interesting, I didn't realize this. Glad you pointed this out! 😄

@mattfenwick (Contributor):

Big hat tip to @huntergregory , I'm on board with these changes ! This looks to me like an effective way to move forward with supporting ANP/BANP.

I'm curious to hear your opinion on whether any parts feel excessively clunky, or if this all feels like something that will fit together well. I personally don't see any risks but just want to hear your opinion on this.

One thing I always struggled with in Cyclonus was naming. Since ANP/BANP has new concepts, this of course means netpol-assistant (sorry: I'm not sure what the new name is?) needs more naming: I like the new Effect, Verdict, SubjectV1, and SubjectAdmin names => and just want to say that I've always found naming to be high-leverage so 👍

I also like the distinction between v1 and v2 netpols, that was a tricky one and I appreciate the way you've handled that.

tl;dr: :shipit:

Anything in particular you'd like me to look at more closely?

@mattfenwick (Contributor):

/approve

@astoycos (Member) commented Nov 6, 2023

/lgtm
/approve

@huntergregory Asked for like one other issue but otherwise let's keep moving forward!

Thanks for the review @mattfenwick!

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Nov 6, 2023
@k8s-ci-robot (Contributor):

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: astoycos, huntergregory, mattfenwick

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 6, 2023
@k8s-ci-robot k8s-ci-robot merged commit 6774f36 into kubernetes-sigs:main Nov 6, 2023
3 checks passed
@huntergregory (Contributor Author):

Thanks @mattfenwick for that review and your perspective!

Anything in particular you'd like me to look at more closely?

Nothing in mind. Thanks!

I'm curious to hear your opinion on whether any parts feel excessively clunky, or if this all feels like something that will fit together well. I personally don't see any risks but just want to hear your opinion on this.

No concerns on my side. I think this design will allow us to simulate connectivity and run conformance tests agnostic to the Policy used (NetPol, ANP, or BANP). Visualizations (e.g. explaining a policy) should be fairly simple too.

Right now, there are a couple type checks for whether a matcher is v1 or v2. Hopefully we can keep that number low and introduce interface methods if needed.

Successfully merging this pull request may close these issues.

[Policy Assistant] Modify Data Structure for (B)ANP