diff --git a/README.md b/README.md index 97e36b7b..42ae7dbb 100644 --- a/README.md +++ b/README.md @@ -71,9 +71,26 @@ Global Flags: -v, --verbose Runs with more informative messages printed to log ``` +### Diff command +``` +Reports all differences in allowed connections between two different directories of YAML manifests. + +Usage: + k8snetpolicy diff [flags] +Examples: + # Get list of different allowed connections between two resources dir paths + k8snetpolicy diff --dir1 ./resources_dir/ --dir2 ./other_resources_dir/ + +Flags: + --dir1 string First resources dir path + --dir2 string Second resources dir path to be compared with the first dir path + -o, --output string Required output format (txt, csv, md) (default "txt") + -h, --help help for diff +``` ### Example outputs: + ``` $ k8snetpolicy eval --dirpath tests/onlineboutique -s adservice-77d5cd745d-t8mx4 -d emailservice-54c7c5d9d-vp27n -p 80 
@@ -101,6 +118,20 @@ default/loadgenerator[Deployment] => default/frontend[Deployment] : TCP 8080 default/recommendationservice[Deployment] => default/productcatalogservice[Deployment] : TCP 3550 default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections + + +$ ./bin/k8snetpolicy diff --dir1 tests/onlineboutique_workloads --dir2 tests/onlineboutique_workloads_changed_netpols +Connectivity diff: +source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed +source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1: TCP 8080, dir2: TCP 8080,9555, diff-type: changed +source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added +source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added +source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1: TCP 7000, dir2: No Connections, diff-type: removed +source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed +source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed + + ``` Additional details about the connectivity analysis and its output is specified [here](docs/connlist_output.md). diff --git a/cmd/netpolicy/cmd/command_test.go b/cmd/netpolicy/cmd/command_test.go index fd22ec72..40b69833 100644 --- a/cmd/netpolicy/cmd/command_test.go +++ b/cmd/netpolicy/cmd/command_test.go 
@@ -87,7 +87,7 @@ type cmdTest struct { isErr bool } -func TestCommannds(t *testing.T) { +func TestCommands(t *testing.T) { tests := []cmdTest{ { name: "test_illegal_command", @@ -105,6 +105,34 @@ func TestCommannds(t *testing.T) { isErr: true, }, + { + name: "test_illegal_diff_no_args", + args: []string{"diff"}, + expectedOutput: "both directory paths dir1 and dir2 are required", + containment: true, + isErr: true, + }, + { + name: "test_illegal_diff_unsupported_args", + args: []string{"diff", "--dirpath", filepath.Join(getTestsDir(), "onlineboutique")}, + expectedOutput: "dirpath flag is not used with diff command", + containment: true, + isErr: true, + }, + { + name: "test_illegal_diff_output_format", + args: []string{ + "diff", + "--dir1", + filepath.Join(getTestsDir(), "onlineboutique_workloads"), + "--dir2", + filepath.Join(getTestsDir(), "onlineboutique_workloads_changed_workloads"), + "-o", + "png"}, + expectedOutput: "png output format is not supported.", + containment: true, + isErr: true, + }, { name: "test_illegal_eval_peer_not_found", args: []string{ 
@@ -268,6 +296,65 @@ func TestCommannds(t *testing.T) { containment: true, isErr: true, }, + { + name: "test_legal_diff_txt_output", + args: []string{ + "diff", + "--dir1", + filepath.Join(getTestsDir(), "onlineboutique_workloads"), + "--dir2", + filepath.Join(getTestsDir(), "onlineboutique_workloads_changed_workloads"), + "--output", + "txt", + }, + // expected first 3 rows + expectedOutput: "Connectivity diff:\n" + + "source: 0.0.0.0-255.255.255.255, destination: default/unicorn[Deployment], " + + "dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)\n" + + "source: default/redis-cart[Deployment], destination: default/unicorn[Deployment], " + + "dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)", + containment: true, + isErr: false, + }, + { + name: "test_legal_diff_csv_output", + args: []string{ + "diff", + "--dir1", + filepath.Join(getTestsDir(), "onlineboutique_workloads"), + "--dir2", + filepath.Join(getTestsDir(), "onlineboutique_workloads_changed_workloads"), + "--output", + "csv", + }, + // expected first 3 rows + expectedOutput: "source,destination,dir1,dir2,diff-type\n" + + "0.0.0.0-255.255.255.255,default/unicorn[Deployment],No Connections," + + "All Connections,added (workload default/unicorn[Deployment] added)\n" + + "default/redis-cart[Deployment],default/unicorn[Deployment],No Connections,All Connections," + + "added (workload default/unicorn[Deployment] added)", + containment: true, + isErr: false, + }, + { + name: "test_legal_diff_md_output", + args: []string{ + "diff", + "--dir1", + filepath.Join(getTestsDir(), "onlineboutique_workloads"), + "--dir2", + filepath.Join(getTestsDir(), "onlineboutique_workloads_changed_workloads"), + "--output", + "md", + }, + // expected first 3 rows + expectedOutput: "| source | destination | dir1 | dir2 | diff-type |\n" + + "|--------|-------------|------|------|-----------|\n" + + "| 
0.0.0.0-255.255.255.255 | default/unicorn[Deployment] | No Connections | All Connections |" + + " added (workload default/unicorn[Deployment] added) |", + containment: true, + isErr: false, + }, } for _, test := range tests { diff --git a/cmd/netpolicy/cmd/diff.go b/cmd/netpolicy/cmd/diff.go new file mode 100644 index 00000000..f9845eff --- /dev/null +++ b/cmd/netpolicy/cmd/diff.go 
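Review bot: The three `test_legal_diff_*_output` cases in this hunk repeat the same `diff --dir1 … --dir2 …` argument prefix and differ only in the output format and expected text, so a small local helper such as `diffArgs := func(format string) []string { return []string{"diff", "--dir1", dir1, "--dir2", dir2, "--output", format} }` would keep the three fixtures in sync. Each `// expected first 3 rows` comment is looser than what the case checks: with `containment: true` the assertion presumably is a substring match (the loop body is outside this hunk), which does not require those rows to come first, so `// expected output (prefix of the result)` or an explicit prefix check would state the intent more precisely. The enclosing TestCommands function starts and ends outside the hunk.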
@@ -0,0 +1,88 @@ +// Copyright 2022 +// +// Licensed under the Apache License, Version 2.0 (the "License"); +// you may not use this file except in compliance with the License. +// You may obtain a copy of the License at +// +// http://www.apache.org/licenses/LICENSE-2.0 +// +// Unless required by applicable law or agreed to in writing, software +// distributed under the License is distributed on an "AS IS" BASIS, +// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +// See the License for the specific language governing permissions and +// limitations under the License. +package cmd + +import ( + "errors" + "fmt" + "strings" + + "github.com/spf13/cobra" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/diff" +) + +var ( + dir1 string + dir2 string + outFormat string +) + +func runDiffCommand() error { + var connsDiff diff.ConnectivityDiff + var err error + + diffAnalyzer := diff.NewDiffAnalyzer(diff.WithOutputFormat(outFormat)) + + connsDiff, err = diffAnalyzer.ConnDiffFromDirPaths(dir1, dir2) + if err != nil { + return err + } + out, err := diffAnalyzer.ConnectivityDiffToString(connsDiff) + if err != nil { + return err + } + fmt.Printf("%s", out) + return nil +} + +func newCommandDiff() *cobra.Command { + c := &cobra.Command{ + Use: "diff", + Short: "Reports semantic-diff of allowed connectivity ", + Long: `Reports all differences in allowed connections between two different directories of YAML manifests.`, + Example: ` # Get list of different allowed connections between two resources dir paths + k8snetpolicy diff --dir1 ./resources_dir/ --dir2 ./other_resources_dir/`, + + PersistentPreRunE: func(cmd *cobra.Command, args []string) error { + if dirPath != "" { + return errors.New("dirpath flag is not used with diff command") + } + if dir1 == "" || dir2 == "" { + return errors.New("both directory paths dir1 and dir2 are required") + } + if err := 
diff.ValidateDiffOutputFormat(outFormat); err != nil { + return err + } + return nil + }, + + RunE: func(cmd *cobra.Command, args []string) error { + if err := runDiffCommand(); err != nil { + return err + } + return nil + }, + } + + // define any flags and configuration settings. + c.Flags().StringVarP(&dir1, "dir1", "", "", "Original Resources path to be compared") + c.Flags().StringVarP(&dir2, "dir2", "", "", "New Resources path to compare with original resources path") + supportedDiffFormats := strings.Join(diff.ValidDiffFormats, ",") + c.Flags().StringVarP(&outFormat, "output", "o", common.DefaultFormat, "Required output format ("+supportedDiffFormats+")") + + return c +} diff --git a/cmd/netpolicy/cmd/list.go b/cmd/netpolicy/cmd/list.go index 2d5907e6..0294da84 100644 --- a/cmd/netpolicy/cmd/list.go +++ b/cmd/netpolicy/cmd/list.go @@ -19,6 +19,8 @@ import ( "github.com/spf13/cobra" + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" + "github.com/np-guard/netpol-analyzer/pkg/netpol/connlist" "github.com/np-guard/netpol-analyzer/pkg/netpol/logger" ) @@ -38,9 +40,9 @@ func runListCommand() error { connlist.WithOutputFormat(output)) if dirPath != "" { - conns, err = analyzer.ConnlistFromDirPath(dirPath) + conns, _, err = analyzer.ConnlistFromDirPath(dirPath) } else { - conns, err = analyzer.ConnlistFromK8sCluster(clientset) + conns, _, err = analyzer.ConnlistFromK8sCluster(clientset) } if err != nil { return err @@ -96,7 +98,7 @@ defined`, c.Flags().StringVarP(&focusWorkload, "focusworkload", "", "", "Focus connections of specified workload name in the output") // output format - default txt supportedFormats := strings.Join(connlist.ValidFormats, ",") - c.Flags().StringVarP(&output, "output", "o", connlist.DefaultFormat, "Required output format ("+supportedFormats+")") + c.Flags().StringVarP(&output, "output", "o", common.DefaultFormat, "Required output format ("+supportedFormats+")") return c } 
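Review bot: The flag help strings in newCommandDiff disagree with the README added by this same commit: the code says `Original Resources path to be compared` / `New Resources path to compare with original resources path`, while the README lists `First resources dir path` / `Second resources dir path to be compared with the first dir path`; pick one wording and use it in both places. The `RunE` closure only forwards the error, so `RunE: func(cmd *cobra.Command, args []string) error { return runDiffCommand() },` is the direct form, and in runDiffCommand the two `var` declarations can collapse into `connsDiff, err := diffAnalyzer.ConnDiffFromDirPaths(dir1, dir2)`. Defining PersistentPreRunE on the subcommand means cobra runs it instead of any PersistentPreRunE the root command defines (unless run-hook traversal is enabled); root.go's hooks are not visible here, so confirm nothing the root sets up for the other subcommands is also needed by diff. The `Short` string also ends with a trailing space.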
diff --git a/cmd/netpolicy/cmd/root.go b/cmd/netpolicy/cmd/root.go index dcdfc927..d76d513a 100644 --- a/cmd/netpolicy/cmd/root.go +++ b/cmd/netpolicy/cmd/root.go @@ -99,6 +99,7 @@ func newCommandRoot() *cobra.Command { // add sub-commands c.AddCommand(newCommandEvaluate()) c.AddCommand(newCommandList()) + c.AddCommand(newCommandDiff()) return c } diff --git a/pkg/netpol/eval/internal/k8s/ipBlock.go b/pkg/netpol/common/ipBlock.go similarity index 86% rename from pkg/netpol/eval/internal/k8s/ipBlock.go rename to pkg/netpol/common/ipBlock.go index a8faf1d0..3c6c0fa2 100644 --- a/pkg/netpol/eval/internal/k8s/ipBlock.go +++ b/pkg/netpol/common/ipBlock.go @@ -1,4 +1,4 @@ -package k8s +package common import ( "encoding/binary" @@ -7,8 +7,6 @@ import ( "sort" "strconv" "strings" - - "github.com/np-guard/netpol-analyzer/pkg/netpol/common" ) const ( @@ -22,7 +20,7 @@ const ( // IPBlock captures a set of ip ranges type IPBlock struct { - ipRange common.CanonicalIntervalSet + ipRange CanonicalIntervalSet } // ToIPRanges returns a string of the ip ranges in the current IPBlock object @@ -61,12 +59,12 @@ func (b *IPBlock) ipCount() int { return res } -// split returns a set of IpBlock objects, each with a single range of ips -func (b *IPBlock) split() []*IPBlock { +// Split returns a set of IpBlock objects, each with a single range of ips +func (b *IPBlock) Split() []*IPBlock { res := make([]*IPBlock, len(b.ipRange.IntervalSet)) for index, ipr := range b.ipRange.IntervalSet { newBlock := IPBlock{} - newBlock.ipRange.IntervalSet = append(newBlock.ipRange.IntervalSet, common.Interval{Start: ipr.Start, End: ipr.End}) + newBlock.ipRange.IntervalSet = append(newBlock.ipRange.IntervalSet, Interval{Start: ipr.Start, End: ipr.End}) res[index] = &newBlock } return res 
@@ -127,14 +125,14 @@ func addIntervalToList(ipbNew *IPBlock, ipbList []*IPBlock) []*IPBlock { break } } - ipbList = append(ipbList, ipbNew.split()...) + ipbList = append(ipbList, ipbNew.Split()...) ipbList = append(ipbList, toAdd...) return ipbList } // NewIPBlock returns an IPBlock object from input cidr str an exceptions cidr str func NewIPBlock(cidr string, exceptions []string) (*IPBlock, error) { - res := IPBlock{ipRange: common.CanonicalIntervalSet{}} + res := IPBlock{ipRange: CanonicalIntervalSet{}} interval, err := cidrToInterval(cidr) if err != nil { return nil, err @@ -172,10 +170,25 @@ func cidrToIPRange(cidr string) (beginning, end int64, err error) { return int64(start), int64(finish), nil } -func cidrToInterval(cidr string) (*common.Interval, error) { +func cidrToInterval(cidr string) (*Interval, error) { start, end, err := cidrToIPRange(cidr) if err != nil { return nil, err } - return &common.Interval{Start: start, End: end}, nil + return &Interval{Start: start, End: end}, nil +} + +func (b *IPBlock) ContainedIn(other *IPBlock) bool { + return b.ipRange.ContainedIn(other.ipRange) +} + +func MergeIPBlocksList(inputList []*IPBlock) []*IPBlock { + if len(inputList) == 0 { + return inputList + } + union := inputList[0].Copy() + for i := 1; i < len(inputList); i++ { + union.ipRange.Union(inputList[i].ipRange) + } + return union.Split() } diff --git a/pkg/netpol/eval/internal/k8s/ipBlock_test.go b/pkg/netpol/common/ipBlock_test.go similarity index 97% rename from pkg/netpol/eval/internal/k8s/ipBlock_test.go rename to pkg/netpol/common/ipBlock_test.go index f0fab259..aaea6c7d 100644 --- a/pkg/netpol/eval/internal/k8s/ipBlock_test.go +++ b/pkg/netpol/common/ipBlock_test.go @@ -1,4 +1,4 @@ -package k8s +package common import ( "fmt" diff --git a/pkg/netpol/common/outputFormats.go b/pkg/netpol/common/outputFormats.go new file mode 100644 index 00000000..3f9b1506 --- /dev/null +++ b/pkg/netpol/common/outputFormats.go 
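Review bot: The two functions appended at the end of the second ipBlock.go hunk, `ContainedIn` and `MergeIPBlocksList`, are now exported from the `common` package but carry no doc comments, unlike the neighbouring `Split` and `NewIPBlock`. Suggested, subject to confirming the interval-set semantics: `// ContainedIn returns true if all ip ranges of b are contained in the ip ranges of other` and `// MergeIPBlocksList returns the union of the ip ranges of all input blocks, split into single-range IPBlocks; the input blocks are left unchanged`. The "left unchanged" part depends on `Copy()` deep-copying the interval set and on `CanonicalIntervalSet.Union` mutating only its receiver, neither of which is visible in this hunk.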
@@ -0,0 +1,11 @@ +package common + +// formats supported for output of various commands +const ( + DefaultFormat = "txt" + TextFormat = "txt" + JSONFormat = "json" + DOTFormat = "dot" + CSVFormat = "csv" + MDFormat = "md" +) diff --git a/pkg/netpol/connlist/connlist.go b/pkg/netpol/connlist/connlist.go index 6810dcf2..72b1c90d 100644 --- a/pkg/netpol/connlist/connlist.go +++ b/pkg/netpol/connlist/connlist.go @@ -28,15 +28,6 @@ import ( "github.com/np-guard/netpol-analyzer/pkg/netpol/scan" ) -// ConnlistError holds information about a single error/warning that occurred during -// the parsing and connectivity analysis of k8s-app with network policies -type ConnlistError interface { - IsFatal() bool - IsSevere() bool - Error() error - Location() string -} - // A ConnlistAnalyzer provides API to recursively scan a directory for Kubernetes resources including network policies, // and get the list of permitted connectivity between the workloads of the K8s application managed in this directory. type ConnlistAnalyzer struct { @@ -49,17 +40,9 @@ type ConnlistAnalyzer struct { outputFormat string } -const ( - DefaultFormat = "txt" - TextFormat = "txt" - JSONFormat = "json" - DOTFormat = "dot" - CSVFormat = "csv" - MDFormat = "md" -) - // ValidFormats array of possible values of output format -var ValidFormats = []string{TextFormat, JSONFormat, DOTFormat, CSVFormat, MDFormat} +var ValidFormats = []string{common.TextFormat, common.JSONFormat, common.DOTFormat, + common.CSVFormat, common.MDFormat} // ConnlistAnalyzerOption is the type for specifying options for ConnlistAnalyzer, // using Golang's Options Pattern (https://golang.cafe/blog/golang-functional-options-pattern.html). 
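Review bot: `DefaultFormat = "txt"` in the new const block repeats the literal of `TextFormat` rather than referring to it, so the two can silently drift apart; `DefaultFormat = TextFormat` makes the default by construction one of the named formats. The block comment `// formats supported for output of various commands` would also be more useful as a sentence naming what the constants are for, e.g. `// Output formats supported by the commands; DefaultFormat is the value used for the -o/--output flag when none is given.`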
@@ -95,7 +78,7 @@ func WithFocusWorkload(workload string) ConnlistAnalyzerOption { } } -// WithOutputFormat is a functional option, allowing user to choose the output format txt/json. +// WithOutputFormat is a functional option, allowing user to choose the output format txt/json/dot/csv/md. func WithOutputFormat(outputFormat string) ConnlistAnalyzerOption { return func(p *ConnlistAnalyzer) { p.outputFormat = outputFormat @@ -110,7 +93,7 @@ func NewConnlistAnalyzer(options ...ConnlistAnalyzerOption) *ConnlistAnalyzer { stopOnError: false, errors: []ConnlistError{}, walkFn: filepath.WalkDir, - outputFormat: DefaultFormat, + outputFormat: common.DefaultFormat, } for _, o := range options { o(ca) @@ -144,7 +127,8 @@ func (ca *ConnlistAnalyzer) hasFatalError() error { } // ConnlistFromDirPath returns the allowed connections list from dir path containing k8s resources -func (ca *ConnlistAnalyzer) ConnlistFromDirPath(dirPath string) ([]Peer2PeerConnection, error) { +// and list of all workloads from the parsed resources +func (ca *ConnlistAnalyzer) ConnlistFromDirPath(dirPath string) ([]Peer2PeerConnection, []eval.Peer, error) { objectsList, processingErrs := ca.scanner.FilesToObjectsList(dirPath) for i := range processingErrs { ca.errors = append(ca.errors, &processingErrs[i]) 
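Review bot: The new doc line on ConnlistFromDirPath, `// and list of all workloads from the parsed resources`, appears to overstate what the second result holds: in the later getConnectionsBetweenPeers hunk the returned slice is `peerList` from `pe.GetPeersList()`, which that code annotates as `// get workload peers and ip blocks`, so IP-block peers are presumably included as well. The same wording is repeated for ConnlistFromYAMLManifests in the next hunk, while ConnlistFromK8sCluster says `and a list of all peers names` although the value is `[]eval.Peer`, not names. Suggest one consistent phrasing on all three, e.g. `// and the list of all peers (workloads and ip-blocks) found in the parsed resources`, after confirming against GetPeersList.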
@@ -152,15 +136,16 @@ func (ca *ConnlistAnalyzer) ConnlistFromDirPath(dirPath string) ([]Peer2PeerConn if ca.stopProcessing() { if err := ca.hasFatalError(); err != nil { - return nil, err + return nil, nil, err } - return []Peer2PeerConnection{}, nil + return []Peer2PeerConnection{}, []eval.Peer{}, nil } return ca.connslistFromParsedResources(objectsList) } // ConnlistFromYAMLManifests returns the allowed connections list from input YAML manifests -func (ca *ConnlistAnalyzer) ConnlistFromYAMLManifests(manifests []scan.YAMLDocumentIntf) ([]Peer2PeerConnection, error) { +// and list of all workloads from the parsed resources +func (ca *ConnlistAnalyzer) ConnlistFromYAMLManifests(manifests []scan.YAMLDocumentIntf) ([]Peer2PeerConnection, []eval.Peer, error) { objectsList, processingErrs := ca.scanner.YAMLDocumentsToObjectsList(manifests) for i := range processingErrs { ca.errors = append(ca.errors, &processingErrs[i]) 
@@ -168,31 +153,31 @@ func (ca *ConnlistAnalyzer) ConnlistFromYAMLManifests(manifests []scan.YAMLDocum if ca.stopProcessing() { if err := ca.hasFatalError(); err != nil { - return nil, err + return nil, nil, err } - return []Peer2PeerConnection{}, nil + return []Peer2PeerConnection{}, []eval.Peer{}, nil } return ca.connslistFromParsedResources(objectsList) } -func (ca *ConnlistAnalyzer) connslistFromParsedResources(objectsList []scan.K8sObject) ([]Peer2PeerConnection, error) { +func (ca *ConnlistAnalyzer) connslistFromParsedResources(objectsList []scan.K8sObject) ([]Peer2PeerConnection, []eval.Peer, error) { // TODO: do we need logger in policyEngine? pe, err := eval.NewPolicyEngineWithObjects(objectsList) if err != nil { ca.errors = append(ca.errors, newResourceEvaluationError(err)) - return nil, err + return nil, nil, err } ia, err := ingressanalyzer.NewIngressAnalyzerWithObjects(objectsList, pe, ca.logger) if err != nil { ca.errors = append(ca.errors, newResourceEvaluationError(err)) - return nil, err + return nil, nil, err } return ca.getConnectionsList(pe, ia) } -// ConnlistFromK8sCluster returns the allowed connections list from k8s cluster resources -func (ca *ConnlistAnalyzer) ConnlistFromK8sCluster(clientset *kubernetes.Clientset) ([]Peer2PeerConnection, error) { +// ConnlistFromK8sCluster returns the allowed connections list from k8s cluster resources and a list of all peers names +func (ca *ConnlistAnalyzer) ConnlistFromK8sCluster(clientset *kubernetes.Clientset) ([]Peer2PeerConnection, []eval.Peer, error) { pe := eval.NewPolicyEngine() // get all resources from k8s cluster 
@@ -203,34 +188,34 @@ func (ca *ConnlistAnalyzer) ConnlistFromK8sCluster(clientset *kubernetes.Clients // get all namespaces nsList, apierr := clientset.CoreV1().Namespaces().List(ctx, metav1.ListOptions{}) if apierr != nil { - return nil, apierr + return nil, nil, apierr } for i := range nsList.Items { ns := &nsList.Items[i] if err := pe.UpsertObject(ns); err != nil { - return nil, err + return nil, nil, err } } // get all pods podList, apierr := clientset.CoreV1().Pods(metav1.NamespaceAll).List(ctx, metav1.ListOptions{}) if apierr != nil { - return nil, apierr + return nil, nil, apierr } for i := range podList.Items { if err := pe.UpsertObject(&podList.Items[i]); err != nil { - return nil, err + return nil, nil, err } } // get all netpols npList, apierr := clientset.NetworkingV1().NetworkPolicies(metav1.NamespaceAll).List(ctx, metav1.ListOptions{}) if apierr != nil { - return nil, apierr + return nil, nil, apierr } for i := range npList.Items { if err := pe.UpsertObject(&npList.Items[i]); err != nil { - return nil, err + return nil, nil, err } } return ca.getConnectionsList(pe, nil) @@ -267,15 +252,15 @@ func getFormatter(format string) (connsFormatter, error) { return nil, err } switch format { - case JSONFormat: + case common.JSONFormat: return formatJSON{}, nil - case TextFormat: + case common.TextFormat: return formatText{}, nil - case DOTFormat: + case common.DOTFormat: return formatDOT{}, nil - case CSVFormat: + case common.CSVFormat: return formatCSV{}, nil - case MDFormat: + case common.MDFormat: return formatMD{}, nil default: return formatText{}, nil 
@@ -284,18 +269,6 @@ func getFormatter(format string) (connsFormatter, error) { ////////////////////////////////////////////////////////////////////////////////////////////// -// Peer2PeerConnection encapsulates the allowed connectivity result between two peers. -type Peer2PeerConnection interface { - // Src returns the source peer - Src() eval.Peer - // Dst returns the destination peer - Dst() eval.Peer - // AllProtocolsAndPorts returns true if all ports are allowed for all protocols - AllProtocolsAndPorts() bool - // ProtocolsAndPorts returns the set of allowed connections - ProtocolsAndPorts() map[v1.Protocol][]common.PortRange -} - ////////////////////////////////////////////////////////////////////////////////////////////// // internal type definitions below @@ -326,7 +299,7 @@ func (c *connection) ProtocolsAndPorts() map[v1.Protocol][]common.PortRange { } // return a string representation of a connection type (protocols and ports) -func getProtocolsAndPortsStr(c Peer2PeerConnection) string { +func GetProtocolsAndPortsStr(c Peer2PeerConnection) string { if c.AllProtocolsAndPorts() { return "All Connections" } 
@@ -345,6 +318,19 @@ func getProtocolsAndPortsStr(c Peer2PeerConnection) string { return connStr } +// returns a *common.ConnectionSet from Peer2PeerConnection data +func GetConnectionSetFromP2PConnection(c Peer2PeerConnection) *common.ConnectionSet { + protocolsToPortSetMap := make(map[v1.Protocol]*common.PortSet, len(c.ProtocolsAndPorts())) + for protocol, portRageArr := range c.ProtocolsAndPorts() { + protocolsToPortSetMap[protocol] = &common.PortSet{} + for _, portRange := range portRageArr { + protocolsToPortSetMap[protocol].AddPortRange(portRange.Start(), portRange.End()) + } + } + connectionSet := &common.ConnectionSet{AllowAll: c.AllProtocolsAndPorts(), AllowedProtocols: protocolsToPortSetMap} + return connectionSet +} + ////////////////////////////////////////////////////////////////////////////////////////////// func (ca *ConnlistAnalyzer) includePairOfWorkloads(src, dst eval.Peer) bool { 
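Review bot: `GetConnectionSetFromP2PConnection` is exported but its comment `// returns a *common.ConnectionSet from Peer2PeerConnection data` does not begin with the function name, so it will not be picked up as its doc; write `// GetConnectionSetFromP2PConnection builds a *common.ConnectionSet equivalent to the protocols and ports of the given Peer2PeerConnection.` The loop variable `portRageArr` is a typo for `portRangeArr`. The same doc-comment issue applies to `GetProtocolsAndPortsStr` in the previous hunk, whose comment `// return a string representation of a connection type (protocols and ports)` was not updated when the function was exported.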
@@ -370,59 +356,60 @@ func (ca *ConnlistAnalyzer) includePairOfWorkloads(src, dst eval.Peer) bool { } // getConnectionsList returns connections list from PolicyEngine and ingressAnalyzer objects -func (ca *ConnlistAnalyzer) getConnectionsList(pe *eval.PolicyEngine, ia *ingressanalyzer.IngressAnalyzer) ([]Peer2PeerConnection, error) { - res := make([]Peer2PeerConnection, 0) +func (ca *ConnlistAnalyzer) getConnectionsList(pe *eval.PolicyEngine, ia *ingressanalyzer.IngressAnalyzer) ([]Peer2PeerConnection, + []eval.Peer, error) { + connsRes := make([]Peer2PeerConnection, 0) if !pe.HasPodPeers() { - return res, nil + return connsRes, []eval.Peer{}, nil } // compute connections between peers based on pe analysis of network policies - peersAllowedConns, err := ca.getConnectionsBetweenPeers(pe) + peersAllowedConns, peersRes, err := ca.getConnectionsBetweenPeers(pe) if err != nil { ca.errors = append(ca.errors, newResourceEvaluationError(err)) - return nil, err + return nil, nil, err } - res = peersAllowedConns + connsRes = peersAllowedConns if ia == nil || ia.IsEmpty() { - return res, nil + return connsRes, peersRes, nil } // analyze ingress connections - create connection objects for relevant ingress analyzer connections ingressAllowedConns, err := ca.getIngressAllowedConnections(ia, pe) if err != nil { ca.errors = append(ca.errors, newResourceEvaluationError(err)) - return nil, err + return nil, nil, err } - res = append(res, ingressAllowedConns...) + connsRes = append(connsRes, ingressAllowedConns...) 
if len(peersAllowedConns) == 0 { ca.logger.Warnf("connectivity analysis found no allowed connectivity between pairs from the configured workloads or external IP-blocks") } - return res, nil + return connsRes, peersRes, nil } -// getConnectionsList returns connections list from PolicyEngine object -func (ca *ConnlistAnalyzer) getConnectionsBetweenPeers(pe *eval.PolicyEngine) ([]Peer2PeerConnection, error) { +// getConnectionsBetweenPeers returns connections list from PolicyEngine object +func (ca *ConnlistAnalyzer) getConnectionsBetweenPeers(pe *eval.PolicyEngine) ([]Peer2PeerConnection, []eval.Peer, error) { // get workload peers and ip blocks peerList, err := pe.GetPeersList() if err != nil { ca.errors = append(ca.errors, newResourceEvaluationError(err)) - return nil, err + return nil, nil, err } - res := make([]Peer2PeerConnection, 0) + connsRes := make([]Peer2PeerConnection, 0) for i := range peerList { + srcPeer := peerList[i] for j := range peerList { - srcPeer := peerList[i] dstPeer := peerList[j] if !ca.includePairOfWorkloads(srcPeer, dstPeer) { continue } allowedConnections, err := pe.AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPeer) if err != nil { - return nil, err + return nil, nil, err } // skip empty connections if allowedConnections.IsEmpty() { @@ -434,10 +421,11 @@ func (ca *ConnlistAnalyzer) getConnectionsBetweenPeers(pe *eval.PolicyEngine) ([ allConnections: allowedConnections.AllConnections(), protocolsAndPorts: allowedConnections.ProtocolsAndPortsMap(), } - res = append(res, p2pConnection) + connsRes = append(connsRes, p2pConnection) } } - return res, nil + + return connsRes, peerList, nil } // getIngressAllowedConnections returns connections list from IngressAnalyzer intersected with PolicyEngine's connections diff --git a/pkg/netpol/connlist/connlist_errors.go b/pkg/netpol/connlist/connlist_errors.go index aa5082cf..7199ed5d 100644 --- a/pkg/netpol/connlist/connlist_errors.go +++ b/pkg/netpol/connlist/connlist_errors.go 
@@ -1,5 +1,14 @@ package connlist +// ConnlistError holds information about a single error/warning that occurred during +// the parsing and connectivity analysis of k8s-app with network policies +type ConnlistError interface { + IsFatal() bool + IsSevere() bool + Error() error + Location() string +} + // connlistGeneratingError - ConnlistError that may arrise while producing the connections list type connlistGeneratingError struct { err error diff --git a/pkg/netpol/connlist/connlist_test.go b/pkg/netpol/connlist/connlist_test.go index 94395866..4b01035d 100644 --- a/pkg/netpol/connlist/connlist_test.go +++ b/pkg/netpol/connlist/connlist_test.go @@ -7,6 +7,7 @@ import ( "path/filepath" "testing" + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" "github.com/np-guard/netpol-analyzer/pkg/netpol/internal/testutils" "github.com/np-guard/netpol-analyzer/pkg/netpol/scan" @@ -21,7 +22,7 @@ func getConnlistFromDirPathRes(stopOnErr bool, path string) (*ConnlistAnalyzer, analyzer = NewConnlistAnalyzer() } - res, err := analyzer.ConnlistFromDirPath(path) + res, _, err := analyzer.ConnlistFromDirPath(path) return analyzer, res, err } 
@@ -33,64 +34,66 @@ type testEntry struct { const expectedOutputFileNamePrefix = "connlist_output." +var allFormats = []string{common.TextFormat, common.JSONFormat, common.CSVFormat, common.MDFormat, common.DOTFormat} + // TestConnList tests the output of ConnlistFromDirPath() for valid input resources func TestConnList(t *testing.T) { testingEntries := []testEntry{ { testDirName: "ipblockstest", - outputFormats: []string{TextFormat}, + outputFormats: []string{common.TextFormat}, }, { testDirName: "onlineboutique", - outputFormats: []string{JSONFormat, MDFormat, TextFormat}, + outputFormats: []string{common.JSONFormat, common.MDFormat, common.TextFormat}, }, { testDirName: "onlineboutique_workloads", - outputFormats: []string{CSVFormat, DOTFormat, TextFormat}, + outputFormats: []string{common.CSVFormat, common.DOTFormat, common.TextFormat}, }, { testDirName: "minikube_resources", - outputFormats: []string{TextFormat}, + outputFormats: []string{common.TextFormat}, }, { testDirName: "online_boutique_workloads_no_ns", - outputFormats: []string{TextFormat}, + outputFormats: []string{common.TextFormat}, }, { testDirName: "core_pods_without_host_ip", - outputFormats: []string{TextFormat}, + outputFormats: []string{common.TextFormat}, }, { testDirName: "acs_security_frontend_demos", - outputFormats: []string{TextFormat, JSONFormat, CSVFormat, MDFormat, DOTFormat}, + outputFormats: allFormats, }, { testDirName: "demo_app_with_routes_and_ingress", - outputFormats: []string{TextFormat, JSONFormat, CSVFormat, MDFormat, DOTFormat}, + outputFormats: allFormats, }, { testDirName: "k8s_ingress_test", - outputFormats: []string{TextFormat, JSONFormat, CSVFormat, MDFormat, DOTFormat}, + outputFormats: allFormats, }, { testDirName: "multiple_ingress_objects_with_different_ports", - outputFormats: []string{TextFormat, JSONFormat, CSVFormat, MDFormat, DOTFormat}, + outputFormats: allFormats, }, { testDirName: "one_ingress_multiple_ports", - outputFormats: []string{TextFormat, 
JSONFormat, CSVFormat, MDFormat, DOTFormat}, + outputFormats: allFormats, }, { testDirName: "one_ingress_multiple_services", - outputFormats: []string{TextFormat, JSONFormat, CSVFormat, MDFormat, DOTFormat}, + outputFormats: allFormats, }, { testDirName: "acs-security-demos", - outputFormats: []string{TextFormat, JSONFormat, CSVFormat, MDFormat, DOTFormat}, + outputFormats: allFormats, }, { testDirName: "acs-security-demos-with-netpol-list", - outputFormats: []string{TextFormat}, + outputFormats: []string{common.TextFormat}, }, } @@ -98,7 +101,7 @@ func TestConnList(t *testing.T) { dirPath := filepath.Join(testutils.GetTestsDir(), entry.testDirName) for _, format := range entry.outputFormats { analyzer := NewConnlistAnalyzer(WithOutputFormat(format)) - res, err := analyzer.ConnlistFromDirPath(dirPath) + res, _, err := analyzer.ConnlistFromDirPath(dirPath) require.Nil(t, err) output, err := analyzer.ConnectionsListToString(res) require.Nil(t, err) @@ -120,7 +123,7 @@ func TestConnList(t *testing.T) { func TestWithFocusWorkload(t *testing.T) { analyzer1 := NewConnlistAnalyzer(WithFocusWorkload("emailservice")) dirPath := filepath.Join(testutils.GetTestsDir(), "onlineboutique_workloads") - res, err := analyzer1.ConnlistFromDirPath(dirPath) + res, _, err := analyzer1.ConnlistFromDirPath(dirPath) require.Len(t, res, 1) require.Nil(t, err) } @@ -238,7 +241,7 @@ func TestConnlistAnalyzerBadDirNoYamls(t *testing.T) { func TestConnlistAnalyzerBadOutputFormat(t *testing.T) { dirPath := filepath.Join(testutils.GetTestsDir(), "onlineboutique") analyzer := NewConnlistAnalyzer(WithOutputFormat("jpeg")) - res, err1 := analyzer.ConnlistFromDirPath(dirPath) + res, _, err1 := analyzer.ConnlistFromDirPath(dirPath) require.Nil(t, err1) _, err2 := analyzer.ConnectionsListToString(res) require.NotNil(t, err2) 
@@ -250,7 +253,7 @@ func TestConnlistAnalyzerBadOutputFormat(t *testing.T) { func TestWithFocusWorkloadWithReplicasConnections(t *testing.T) { analyzer1 := NewConnlistAnalyzer(WithFocusWorkload("calico-node")) dirPath := filepath.Join(testutils.GetTestsDir(), "ipblockstest") - res, err := analyzer1.ConnlistFromDirPath(dirPath) + res, _, err := analyzer1.ConnlistFromDirPath(dirPath) require.Len(t, res, 49) require.Nil(t, err) out, err := analyzer1.ConnectionsListToString(res) @@ -261,7 +264,7 @@ func TestWithFocusWorkloadWithReplicasConnections(t *testing.T) { func TestWithFocusWorkloadWithIngressObjects(t *testing.T) { analyzer := NewConnlistAnalyzer(WithFocusWorkload("details-v1-79f774bdb9")) dirPath := filepath.Join(testutils.GetTestsDir(), "k8s_ingress_test") - res, err := analyzer.ConnlistFromDirPath(dirPath) + res, _, err := analyzer.ConnlistFromDirPath(dirPath) require.Len(t, res, 13) require.Nil(t, err) out, err := analyzer.ConnectionsListToString(res) diff --git a/pkg/netpol/connlist/conns_formatter.go b/pkg/netpol/connlist/conns_formatter.go index 32d4f7bd..84fcb827 100644 --- a/pkg/netpol/connlist/conns_formatter.go +++ b/pkg/netpol/connlist/conns_formatter.go @@ -11,9 +11,7 @@ import ( "github.com/np-guard/netpol-analyzer/pkg/netpol/eval" ) -func getNewLineChar() string { - return fmt.Sprintln("") -} +var newLineChar = fmt.Sprintln("") // gets the conns array and returns a sorted array of singleConnFields structs. helps with forming the json and csv outputs func sortConnections(conns []Peer2PeerConnection) []singleConnFields { @@ -50,7 +48,7 @@ func (c singleConnFields) string() string { // formSingleConn returns a string representation of single connection fields as singleConnFields object func formSingleConn(conn Peer2PeerConnection) singleConnFields { - connStr := getProtocolsAndPortsStr(conn) + connStr := GetProtocolsAndPortsStr(conn) return singleConnFields{Src: conn.Src().String(), Dst: conn.Dst().String(), ConnString: connStr} } 
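Review bot: `var newLineChar = fmt.Sprintln("")` in the first conns_formatter.go hunk is a mutable package-level variable computed through fmt at init just to obtain a newline; a constant states the same thing directly and cannot be reassigned: `const newLineChar = "\n"`. If the intent was a platform-specific line ending, fmt.Sprintln does not provide that either (it always appends "\n"), so the constant is behaviour-preserving.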
@@ -65,7 +63,7 @@ func (t formatText) writeOutput(conns []Peer2PeerConnection) (string, error) {
 connLines[i] = formSingleConn(conns[i]).string()
 }
 sort.Strings(connLines)
- return strings.Join(connLines, getNewLineChar()), nil
+ return strings.Join(connLines, newLineChar), nil
 }
 // formatJSON: implements the connsFormatter interface for JSON output format
@@ -134,7 +132,7 @@ func (d formatDOT) writeOutput(conns []Peer2PeerConnection) (string, error) {
 allLines = append(allLines, peerLines...)
 allLines = append(allLines, edgeLines...)
 allLines = append(allLines, dotClosing)
- return strings.Join(allLines, getNewLineChar()), nil
+ return strings.Join(allLines, newLineChar), nil
 }
 // formatCSV: implements the connsFormatter interface for csv output format
@@ -186,5 +184,5 @@ func (md formatMD) writeOutput(conns []Peer2PeerConnection) (string, error) {
 sort.Strings(mdLines)
 allLines := []string{getMDHeader()}
 allLines = append(allLines, mdLines...)
- return strings.Join(allLines, getNewLineChar()), nil
+ return strings.Join(allLines, newLineChar), nil
 }
diff --git a/pkg/netpol/connlist/peer2peer.go b/pkg/netpol/connlist/peer2peer.go
new file mode 100644
index 00000000..2979847f
--- /dev/null
+++ b/pkg/netpol/connlist/peer2peer.go
@@ -0,0 +1,78 @@
+package connlist
+
+import (
+ "errors"
+
+ v1 "k8s.io/api/core/v1"
+
+ "github.com/np-guard/netpol-analyzer/pkg/netpol/common"
+ "github.com/np-guard/netpol-analyzer/pkg/netpol/eval"
+)
+
+// Peer2PeerConnection encapsulates the allowed connectivity result between two peers.
+type Peer2PeerConnection interface {
+ // Src returns the source peer
+ Src() eval.Peer
+ // Dst returns the destination peer
+ Dst() eval.Peer
+ // AllProtocolsAndPorts returns true if all ports are allowed for all protocols
+ AllProtocolsAndPorts() bool
+ // ProtocolsAndPorts returns the set of allowed connections
+ ProtocolsAndPorts() map[v1.Protocol][]common.PortRange
+}
+
+// RefineConnListByDisjointPeers is given as input Peer2PeerConnection slice and a map from peer-str to its disjoint peers,
+// and returns a new Peer2PeerConnection slice with refined ip-blocks from their disjoint peers
+func RefineConnListByDisjointPeers(conns []Peer2PeerConnection, m map[string]map[string]eval.Peer) ([]Peer2PeerConnection, error) {
+ res := []Peer2PeerConnection{}
+ for _, p2p := range conns {
+ var replacingConns []Peer2PeerConnection
+ var err error
+ switch {
+ case p2p.Src().IsPeerIPType():
+ replacingConns, err = refineP2PConnByDisjointPeers(p2p.Src(), true, p2p, m)
+ case p2p.Dst().IsPeerIPType():
+ replacingConns, err = refineP2PConnByDisjointPeers(p2p.Dst(), false, p2p, m)
+ default:
+ replacingConns = []Peer2PeerConnection{p2p}
+ }
+ if err != nil {
+ return nil, err
+ }
+ res = append(res, replacingConns...)
+ }
+ return res, nil
+}
+
+// refineP2PConnByDisjointPeers is given as input Peer2PeerConnection object, a Peer object of ip-type to be refined,
+// a flag isSrc indicating if the ip-type is src or dst, and a map from peer-str to its disjoint peers
+// it returns Peer2PeerConnection slice with refined ip-type peers
+func refineP2PConnByDisjointPeers(p eval.Peer, isSrc bool, conn Peer2PeerConnection, m map[string]map[string]eval.Peer) (
+ []Peer2PeerConnection, error) {
+ replacingPeers, ok := m[p.String()]
+ if !ok {
+ return nil, errors.New("missing peer from input disjointPeerIPMap")
+ }
+ res := make([]Peer2PeerConnection, len(replacingPeers))
+ i := 0
+ for _, newPeer := range replacingPeers {
+ if isSrc {
+ res[i] = &connection{src: newPeer, dst: conn.Dst(), allConnections: conn.AllProtocolsAndPorts(),
+ protocolsAndPorts: conn.ProtocolsAndPorts()}
+ } else {
+ res[i] = &connection{src: conn.Src(), dst: newPeer, allConnections: conn.AllProtocolsAndPorts(),
+ protocolsAndPorts: conn.ProtocolsAndPorts()}
+ }
+ i += 1
+ }
+ return res, nil
+}
+
+// NewPeer2PeerConnection returns a Peer2PeerConnection object with given src,dst,allConns and conns map
+func NewPeer2PeerConnection(src, dst eval.Peer, allConns bool, conns map[v1.Protocol][]common.PortRange) Peer2PeerConnection {
+ return &connection{src: src,
+ dst: dst,
+ allConnections: allConns,
+ protocolsAndPorts: conns,
+ }
+}
diff --git a/pkg/netpol/diff/diff.go b/pkg/netpol/diff/diff.go
new file mode 100644
index 00000000..c7eb4821
--- /dev/null
+++ b/pkg/netpol/diff/diff.go
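Review bot: In refineP2PConnByDisjointPeers the manual index `i += 1` over `replacingPeers` should be `i++`, or the loop can append into a slice made with `make([]Peer2PeerConnection, 0, len(replacingPeers))` and drop the counter; golint flags `+= 1` as well. Every refined connection built in that loop stores the same map returned by `conn.ProtocolsAndPorts()`, so the siblings alias one map — if any downstream code mutates it (I cannot tell from here), all refined copies change together, and a short comment at the struct literal, or a copy, would make the intent explicit. The error `errors.New("missing peer from input disjointPeerIPMap")` omits which peer was missing; `errors.New("missing peer " + p.String() + " from input disjointPeerIPMap")` keeps the file's current imports and makes the failure actionable. RefineConnListByDisjointPeers refines only the source when both src and dst are IP-type peers; if such connections can occur, the dst stays unrefined, which deserves a comment or a guard.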
@@ -0,0 +1,548 @@ +// The diff package of netpol-analyzer allows producing a k8s connectivity semantic-diff report based on several resources: +// k8s NetworkPolicy, k8s Ingress, openshift Route +// It lists the set of changed/removed/added connections between pair of peers (k8s workloads or ip-blocks). +// The resources can be extracted from two directories containing YAML manifests. +// For more information, see https://github.com/np-guard/netpol-analyzer. +package diff + +import ( + "errors" + "path/filepath" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" + "github.com/np-guard/netpol-analyzer/pkg/netpol/connlist" + "github.com/np-guard/netpol-analyzer/pkg/netpol/eval" + "github.com/np-guard/netpol-analyzer/pkg/netpol/logger" + "github.com/np-guard/netpol-analyzer/pkg/netpol/scan" +) + +// A DiffAnalyzer provides API to recursively scan two directories for Kubernetes resources including network policies, +// and get the difference of permitted connectivity between the workloads of the K8s application managed in theses directories. +type DiffAnalyzer struct { + logger logger.Logger + stopOnError bool + errors []DiffError + walkFn scan.WalkFunction + scanner *scan.ResourcesScanner + outputFormat string +} + +// ValidDiffFormats are the supported formats for output generation of the diff command +var ValidDiffFormats = []string{common.TextFormat, common.CSVFormat, common.MDFormat} + +// DiffAnalyzerOption is the type for specifying options for DiffAnalyzer, +// using Golang's Options Pattern (https://golang.cafe/blog/golang-functional-options-pattern.html). +type DiffAnalyzerOption func(*DiffAnalyzer) + +// WithLogger is a functional option which sets the logger for a DiffAnalyzer to use. +// The provided logger must conform with the package's Logger interface. 
+func WithLogger(l logger.Logger) DiffAnalyzerOption { + return func(c *DiffAnalyzer) { + c.logger = l + } +} + +// WithOutputFormat is a functional option, allowing user to choose the output format txt/csv/md. +func WithOutputFormat(outputFormat string) DiffAnalyzerOption { + return func(d *DiffAnalyzer) { + d.outputFormat = outputFormat + } +} + +// WithStopOnError is a functional option which directs DiffAnalyzer to stop any processing after the +// first severe error. +func WithStopOnError() DiffAnalyzerOption { + return func(d *DiffAnalyzer) { + d.stopOnError = true + } +} + +// NewDiffAnalyzer creates a new instance of DiffAnalyzer, and applies the provided functional options. +func NewDiffAnalyzer(options ...DiffAnalyzerOption) *DiffAnalyzer { + // object with default behavior options + da := &DiffAnalyzer{ + logger: logger.NewDefaultLogger(), + stopOnError: false, + errors: []DiffError{}, + walkFn: filepath.WalkDir, + outputFormat: common.DefaultFormat, + } + for _, o := range options { + o(da) + } + da.scanner = scan.NewResourcesScanner(da.logger, da.stopOnError, da.walkFn) + return da +} + +// Errors returns a slice of DiffError with all warnings and errors encountered during processing. 
+func (da *DiffAnalyzer) Errors() []DiffError { + return da.errors +} + +// ConnDiffFromDirPaths returns the connectivity diffs from two dir paths containing k8s resources +func (da *DiffAnalyzer) ConnDiffFromDirPaths(dirPath1, dirPath2 string) (ConnectivityDiff, error) { + var caAnalyzer *connlist.ConnlistAnalyzer + if da.stopOnError { + caAnalyzer = connlist.NewConnlistAnalyzer(connlist.WithLogger(da.logger), connlist.WithWalkFn(da.walkFn), + connlist.WithStopOnError()) + } else { + caAnalyzer = connlist.NewConnlistAnalyzer(connlist.WithLogger(da.logger), connlist.WithWalkFn(da.walkFn)) + } + var conns1, conns2 []connlist.Peer2PeerConnection + var workloads1, workloads2 []eval.Peer + var workloadsNames1, workloadsNames2 map[string]bool + var err error + if conns1, workloads1, err = caAnalyzer.ConnlistFromDirPath(dirPath1); err != nil { + da.errors = append(da.errors, newConnectionsAnalyzingError(err, true, false)) + return nil, err + } + if conns2, workloads2, err = caAnalyzer.ConnlistFromDirPath(dirPath2); err != nil { + da.errors = append(da.errors, newConnectionsAnalyzingError(err, true, false)) + return nil, err + } + workloadsNames1, workloadsNames2 = getPeersNamesFromPeersList(workloads1), getPeersNamesFromPeersList(workloads2) + + // appending connlist warnings and severe errors to diff_errors + for _, e := range caAnalyzer.Errors() { + da.errors = append(da.errors, e) + } + + // get disjoint ip-blocks from both configs + ipPeers1, ipPeers2 := getIPblocksFromConnList(conns1), getIPblocksFromConnList(conns2) + disjointPeerIPMap, err := eval.DisjointPeerIPMap(ipPeers1, ipPeers2) + if err != nil { + da.errors = append(da.errors, newHandlingIPpeersError(err)) + return nil, err + } + + // refine conns1,conns2 based on common disjoint ip-blocks + conns1Refined, err := connlist.RefineConnListByDisjointPeers(conns1, disjointPeerIPMap) + if err != nil { + da.errors = append(da.errors, newHandlingIPpeersError(err)) + return nil, err + } + conns2Refined, err := 
connlist.RefineConnListByDisjointPeers(conns2, disjointPeerIPMap) + if err != nil { + da.errors = append(da.errors, newHandlingIPpeersError(err)) + return nil, err + } + + // get the diff w.r.t refined sets of connectivity + return diffConnectionsLists(conns1Refined, conns2Refined, workloadsNames1, workloadsNames2) +} + +// create set from peers-strings +func getPeersNamesFromPeersList(peers []eval.Peer) map[string]bool { + peersSet := make(map[string]bool, 0) + for _, peer := range peers { + if !peer.IsPeerIPType() { + peersSet[peer.String()] = true + } + } + return peersSet +} + +// getIPblocksFromConnList returns the list of peers of IP type from Peer2PeerConnection slice +func getIPblocksFromConnList(conns []connlist.Peer2PeerConnection) []eval.Peer { + peersMap := map[string]eval.Peer{} + for _, p2p := range conns { + if p2p.Src().IsPeerIPType() { + peersMap[p2p.Src().String()] = p2p.Src() + } + if p2p.Dst().IsPeerIPType() { + peersMap[p2p.Dst().String()] = p2p.Dst() + } + } + res := make([]eval.Peer, len(peersMap)) + i := 0 + for _, p := range peersMap { + res[i] = p + i += 1 + } + return res +} + +// getKeyFromP2PConn returns the form of `src;dst“ from Peer2PeerConnection object, to be used as key in diffMap +func getKeyFromP2PConn(c connlist.Peer2PeerConnection) string { + src := c.Src() + dst := c.Dst() + return src.String() + keyElemSep + dst.String() +} + +const ( + // diff types + changedType = "changed" + removedType = "removed" + addedType = "added" +) + +// ConnsPair captures a pair of Peer2PeerConnection from two dir paths +// the src,dst of firstConn and secondConn are assumed to be the same +// with info on the diffType and if any of the peers is lost/new +// (exists only in one dir for cases of removed/added connections) +type ConnsPair struct { + firstConn connlist.Peer2PeerConnection + secondConn connlist.Peer2PeerConnection + diffType string + newOrLostSrc bool + newOrLostDst bool +} + +// update func of ConnsPair obj, updates the pair with 
input Peer2PeerConnection, at first or second conn +func (c *ConnsPair) updateConn(isFirst bool, conn connlist.Peer2PeerConnection) { + if isFirst { + c.firstConn = conn + } else { + c.secondConn = conn + } +} + +// isSrcOrDstPeerIPType returns whether src (if checkSrc is true) or dst (if checkSrc is false) is of IP type +func (c *ConnsPair) isSrcOrDstPeerIPType(checkSrc bool) bool { + var src, dst eval.Peer + if c.firstConn != nil { + src = c.firstConn.Src() + dst = c.firstConn.Dst() + } else { + src = c.secondConn.Src() + dst = c.secondConn.Dst() + } + return (checkSrc && src.IsPeerIPType()) || (!checkSrc && dst.IsPeerIPType()) +} + +// helpers to check if a peer is ingress-controller (a peer created while ingress analysis) +const ingressControllerPodName = "{ingress-controller}" + +func isIngressControllerPeer(peer eval.Peer) bool { + return peer.String() == ingressControllerPodName +} + +// updateNewOrLostFields updates ConnsPair's newOrLostSrc and newOrLostDst values +func (c *ConnsPair) updateNewOrLostFields(isFirst bool, peersSet map[string]bool) { + var src, dst eval.Peer + if isFirst { + src, dst = c.firstConn.Src(), c.firstConn.Dst() + } else { + src, dst = c.secondConn.Src(), c.secondConn.Dst() + } + // update src/dst status based on the peersSet , ignore ips/ingress-controller pod + if !(src.IsPeerIPType() || isIngressControllerPeer(src)) && !peersSet[src.String()] { + c.newOrLostSrc = true + } + if !(dst.IsPeerIPType() || isIngressControllerPeer(dst)) && !peersSet[dst.String()] { + c.newOrLostDst = true + } +} + +// diffMap captures connectivity-diff as a map from src-dst key to ConnsPair object +type diffMap map[string]*ConnsPair + +// update func of diffMap, updates the map input key and Peer2PeerConnection, at first or second conn +func (d diffMap) update(key string, isFirst bool, c connlist.Peer2PeerConnection) { + if _, ok := d[key]; !ok { + d[key] = &ConnsPair{} + } + d[key].updateConn(isFirst, c) +} + +// type mapListConnPairs is a map from key 
(src-or-dst)+conns1+conns2 to []ConnsPair (where dst-or-src is ip-block) +// it is used to group disjoint ip-blocks and merge overlapping/touching ip-blocks when possible +type mapListConnPairs map[string][]*ConnsPair + +const keyElemSep = ";" + +// addConnsPair is given ConnsPair with src or dst as ip-block, and updates mapListConnPairs +func (m mapListConnPairs) addConnsPair(c *ConnsPair, isSrcAnIP bool) error { + // new key is src+conns1+conns2 if dst is ip, and dst+conns1+conns2 if src is ip + var srcOrDstKey string + var p connlist.Peer2PeerConnection + var peerIP eval.Peer + if c.firstConn != nil { + p = c.firstConn + } else { + p = c.secondConn + } + if isSrcAnIP { + peerIP = p.Src() + srcOrDstKey = p.Dst().String() + } else { + peerIP = p.Dst() + srcOrDstKey = p.Src().String() + } + if !peerIP.IsPeerIPType() { + return errors.New("src/dst is not IP type as expected") + } + + conn1, conn2, err := getConnStringsFromConnsPair(c) + if err != nil { + return err + } + + newKey := srcOrDstKey + keyElemSep + conn1 + keyElemSep + conn2 + + if _, ok := m[newKey]; !ok { + m[newKey] = []*ConnsPair{} + } + m[newKey] = append(m[newKey], c) + + return nil +} + +// getConnStringsFromConnsPair returns string representation of connections from the pair at ConnsPair +func getConnStringsFromConnsPair(c *ConnsPair) (conn1, conn2 string, err error) { + switch { + case c.firstConn != nil && c.secondConn != nil: + conn1 = connlist.GetConnectionSetFromP2PConnection(c.firstConn).String() + conn2 = connlist.GetConnectionSetFromP2PConnection(c.secondConn).String() + case c.firstConn != nil: + conn1 = connlist.GetConnectionSetFromP2PConnection(c.firstConn).String() + case c.secondConn != nil: + conn2 = connlist.GetConnectionSetFromP2PConnection(c.secondConn).String() + default: + return conn1, conn2, errors.New("unexpected empty ConnsPair") + } + return conn1, conn2, nil +} + +// getDstOrSrcFromConnsPair returns the src or dst Peer from ConnsPair object +func getDstOrSrcFromConnsPair(c 
*ConnsPair, isDst bool) eval.Peer { + var p connlist.Peer2PeerConnection + if c.firstConn != nil { + p = c.firstConn + } else { + p = c.secondConn + } + if isDst { + return p.Dst() + } + return p.Src() +} + +func (m mapListConnPairs) mergeBySrcOrDstIPPeers(isDstAnIP bool, d diffMap) error { + for _, srcOrdstIPgroup := range m { + ipPeersList := make([]eval.Peer, len(srcOrdstIPgroup)) + for i, c := range srcOrdstIPgroup { + ipPeersList[i] = getDstOrSrcFromConnsPair(c, isDstAnIP) + } + + // get a merged set of eval.Peer + mergedIPblocks, err := eval.MergePeerIPList(ipPeersList) + if err != nil { + return err + } + + // add to res the merged entries + for _, srcOrdstIP := range mergedIPblocks { + var conns1, conns2 connlist.Peer2PeerConnection + if srcOrdstIPgroup[0].firstConn != nil { + if isDstAnIP { + conns1 = connlist.NewPeer2PeerConnection( + srcOrdstIPgroup[0].firstConn.Src(), + srcOrdstIP, + srcOrdstIPgroup[0].firstConn.AllProtocolsAndPorts(), + srcOrdstIPgroup[0].firstConn.ProtocolsAndPorts()) + } else { + conns1 = connlist.NewPeer2PeerConnection( + srcOrdstIP, + srcOrdstIPgroup[0].firstConn.Dst(), + srcOrdstIPgroup[0].firstConn.AllProtocolsAndPorts(), + srcOrdstIPgroup[0].firstConn.ProtocolsAndPorts()) + } + d.update(getKeyFromP2PConn(conns1), true, conns1) + } + if srcOrdstIPgroup[0].secondConn != nil { + if isDstAnIP { + conns2 = connlist.NewPeer2PeerConnection( + srcOrdstIPgroup[0].secondConn.Src(), + srcOrdstIP, + srcOrdstIPgroup[0].secondConn.AllProtocolsAndPorts(), + srcOrdstIPgroup[0].secondConn.ProtocolsAndPorts()) + } else { + conns2 = connlist.NewPeer2PeerConnection( + srcOrdstIP, + srcOrdstIPgroup[0].secondConn.Dst(), + srcOrdstIPgroup[0].secondConn.AllProtocolsAndPorts(), + srcOrdstIPgroup[0].secondConn.ProtocolsAndPorts()) + } + d.update(getKeyFromP2PConn(conns2), false, conns2) + } + } + } + return nil +} + +// mergeIPblocks updates d by merging touching disjoint ip-blocks where possible +func (d diffMap) mergeIPblocks() (diffMap, error) { + 
dstIP := mapListConnPairs{} // map from key src+conns1+conns2 to []ConnsPair (where dst is ip-block) + srcIP := mapListConnPairs{} // map from ket dst+conns1+conns2 to []ConnsPair (where src is ip-block) + res := diffMap{} + for k, connsPair := range d { + switch { + // neither src nor dst is ip-block => keep connsPair as is + case !connsPair.isSrcOrDstPeerIPType(false) && !connsPair.isSrcOrDstPeerIPType(true): + res.update(k, true, connsPair.firstConn) + res.update(k, false, connsPair.secondConn) + continue + case connsPair.isSrcOrDstPeerIPType(false): // dst is ip-block + if err := dstIP.addConnsPair(connsPair, false); err != nil { + return nil, err + } + case connsPair.isSrcOrDstPeerIPType(true): + if err := srcIP.addConnsPair(connsPair, true); err != nil { + return nil, err + } + default: + continue // not expecting to get here + } + } + + // next, merge lines from dstIP / srcIP where possible, and add to res + if err := dstIP.mergeBySrcOrDstIPPeers(true, res); err != nil { + return nil, err + } + if err := srcIP.mergeBySrcOrDstIPPeers(false, res); err != nil { + return nil, err + } + + return res, nil +} + +// diffConnectionsLists returns ConnectivityDiff given two Peer2PeerConnection slices and two peers names sets +// it assumes that the input has been refined with disjoint ip-blocks, and merges +// touching ip-blocks in the output where possible +// currently not including diff of workloads with no connections +func diffConnectionsLists(conns1, conns2 []connlist.Peer2PeerConnection, + peers1, peers2 map[string]bool) (ConnectivityDiff, error) { + // convert to a map from src-dst full name, to its connections pair (conns1, conns2) + diffsMap := diffMap{} + var err error + for _, c := range conns1 { + diffsMap.update(getKeyFromP2PConn(c), true, c) + } + for _, c := range conns2 { + diffsMap.update(getKeyFromP2PConn(c), false, c) + } + + // merge ip-blocks + diffsMap, err = diffsMap.mergeIPblocks() + if err != nil { + return nil, err + } + + res := 
&connectivityDiff{ + removedConns: []*ConnsPair{}, + addedConns: []*ConnsPair{}, + changedConns: []*ConnsPair{}, + } + for _, d := range diffsMap { + switch { + case d.firstConn != nil && d.secondConn != nil: + if !equalConns(d.firstConn, d.secondConn) { + d.diffType = changedType + d.newOrLostSrc, d.newOrLostDst = false, false + res.changedConns = append(res.changedConns, d) + } + case d.firstConn != nil: + // removed conn means both Src and Dst exist in peers1, just check if they are not in peers2 too + d.diffType = removedType + d.updateNewOrLostFields(true, peers2) + res.removedConns = append(res.removedConns, d) + case d.secondConn != nil: + // added conns means Src and Dst are in peers2, check if they didn't exist in peers1 too + d.diffType = addedType + d.updateNewOrLostFields(false, peers1) + res.addedConns = append(res.addedConns, d) + default: + continue + } + } + + return res, nil +} + +// checks whether two connlist.Peer2PeerConnection objects are equal +func equalConns(firstConn, secondConn connlist.Peer2PeerConnection) bool { + // first convert the Peer2PeerConnections to ConnectionSet objects, then compare + conn1 := connlist.GetConnectionSetFromP2PConnection(firstConn) + conn2 := connlist.GetConnectionSetFromP2PConnection(secondConn) + + return conn1.Equal(conn2) +} + +// ValidateDiffOutputFormat validate the value of the diff output format +func ValidateDiffOutputFormat(format string) error { + for _, formatName := range ValidDiffFormats { + if format == formatName { + return nil + } + } + return errors.New(format + " output format is not supported.") +} + +// ConnectivityDiffToString returns a string of connections diff from connectivityDiff object in the required output format +func (da *DiffAnalyzer) ConnectivityDiffToString(connectivityDiff ConnectivityDiff) (string, error) { + if connectivityDiff.isEmpty() { + da.logger.Infof("No connections diff") + return "", nil + } + da.logger.Infof("Found connections diffs") + diffFormatter, err := 
getFormatter(da.outputFormat) + if err != nil { + da.errors = append(da.errors, newResultFormattingError(err)) + return "", err + } + output, err := diffFormatter.writeDiffOutput(connectivityDiff) + if err != nil { + da.errors = append(da.errors, newResultFormattingError(err)) + return "", err + } + return output, nil +} + +// returns the relevant formatter for the analyzer's outputFormat +func getFormatter(format string) (diffFormatter, error) { + if err := ValidateDiffOutputFormat(format); err != nil { + return nil, err + } + switch format { + case common.TextFormat: + return &diffFormatText{}, nil + case common.CSVFormat: + return &diffFormatCSV{}, nil + case common.MDFormat: + return &diffFormatMD{}, nil + default: + return &diffFormatText{}, nil + } +} + +// connectivityDiff implements the ConnectivityDiff interface +type connectivityDiff struct { + removedConns []*ConnsPair + addedConns []*ConnsPair + changedConns []*ConnsPair +} + +func (c *connectivityDiff) RemovedConnections() []*ConnsPair { + return c.removedConns +} + +func (c *connectivityDiff) AddedConnections() []*ConnsPair { + return c.addedConns +} + +func (c *connectivityDiff) ChangedConnections() []*ConnsPair { + return c.changedConns +} + +func (c *connectivityDiff) isEmpty() bool { + return len(c.removedConns) == 0 && len(c.addedConns) == 0 && len(c.changedConns) == 0 +} + +// ConnectivityDiff captures differences in terms of connectivity between two input resource sets +type ConnectivityDiff interface { + RemovedConnections() []*ConnsPair // only first conn exists between peers, plus indications if any of the peers removed + AddedConnections() []*ConnsPair // only second conn exists between peers, plus indications if any of the peers is new + ChangedConnections() []*ConnsPair // both first & second conn exists between peers + isEmpty() bool +} diff --git a/pkg/netpol/diff/diff_errors.go b/pkg/netpol/diff/diff_errors.go new file mode 100644 index 00000000..6c2d4736 --- /dev/null 
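Review bot: ValidateDiffOutputFormat builds its error as `errors.New(format + " output format is not supported.")`, concatenating the caller-supplied format unquoted and ending in a period; `errors.New(strconv.Quote(format) + " output format is not supported")` (or `fmt.Errorf` with `%q`, either needing an import this file currently lacks) shows an empty or whitespace value visibly and follows Go error-string convention. `da.errors` only grows: ConnDiffFromDirPaths appends on every call and nothing resets it, so a DiffAnalyzer reused for a second pair of directories reports the first pair's errors too — either document that an analyzer is single-use or clear the slice at the start of the method. getIPblocksFromConnList fills its result by ranging over a map, so the slice order differs between runs; if eval.DisjointPeerIPMap or the later merge is order-sensitive (I cannot see them), the report may be nondeterministic, and sorting by `String()` would pin it down. That function uses `i += 1` where `i++` is idiomatic, and the mergeIPblocks comment reads "map from ket" for "key".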
+++ b/pkg/netpol/diff/diff_errors.go 
@@ -0,0 +1,78 @@
+package diff
+
+// DiffError holds information about a single error/warning that occurred during
+// the generating connectivity diff report
+type DiffError interface {
+ IsFatal() bool
+ IsSevere() bool
+ Error() error
+ Location() string
+}
+
+// diffGeneratingError - DiffError that may arise while producing the connectivity diff report
+type diffGeneratingError struct {
+ err error
+ fatal bool
+ severe bool
+}
+
+type connectionsAnalyzingError struct {
+ origErr error
+}
+
+type resultFormattingError struct {
+ origErr error
+}
+
+type handlingIPpeersError struct {
+ origErr error
+}
+
+///////////////////////////
+// diffGeneratingError implements DiffError interface
+
+// IsFatal returns whether the error is considered fatal (no further processing is possible)
+// diffGeneratingError errors are always fatal
+func (e *diffGeneratingError) IsFatal() bool {
+ return e.fatal
+}
+
+// IsSevere returns whether the error is considered severe
+func (e *diffGeneratingError) IsSevere() bool {
+ return e.severe
+}
+
+func (e *diffGeneratingError) Location() string {
+ return ""
+}
+
+func (e *diffGeneratingError) Error() error {
+ return e.err
+}
+
+///////////////
+
+func (e *resultFormattingError) Error() string {
+ return e.origErr.Error()
+}
+
+func (e *connectionsAnalyzingError) Error() string {
+ return e.origErr.Error()
+}
+
+func (e *handlingIPpeersError) Error() string {
+ return e.origErr.Error()
+}
+
+// constructors
+func newResultFormattingError(err error) *diffGeneratingError {
+ return &diffGeneratingError{err: &resultFormattingError{err}, fatal: true, severe: false}
+}
+
+func newConnectionsAnalyzingError(err error, fatal, severe bool) *diffGeneratingError {
+ return &diffGeneratingError{err: &connectionsAnalyzingError{err}, fatal: fatal, severe: severe}
+}
+
+func newHandlingIPpeersError(err error) *diffGeneratingError {
+ return &diffGeneratingError{err: &handlingIPpeersError{err}, fatal: true, severe: false}
+}
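Review bot: The doc comment on IsFatal says "diffGeneratingError errors are always fatal", but the method returns `e.fatal` and newConnectionsAnalyzingError takes `fatal` as a parameter, so the comment is already false for that constructor; replace its second line with `// the value is set per error kind by the constructors below`. The three wrapper types implement `Error() string` but not `Unwrap`, so `errors.Is`/`errors.As` on the value returned by a DiffError's `Error()` cannot reach the original error; adding `func (e *resultFormattingError) Unwrap() error { return e.origErr }` (and the same one-liner for the other two types) restores that. `Location()` returning `""` unconditionally deserves a one-line comment stating that diff errors carry no location, since the interface promises one. The interface's `Error() error` signature diverges from Go's `error`; if it mirrors the connlist error interface so that connlist errors can be appended to `da.errors` (as diff.go does), a comment saying so would keep the next reader from "fixing" it.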
diff --git a/pkg/netpol/diff/diff_formatter.go b/pkg/netpol/diff/diff_formatter.go
new file mode 100644
index 00000000..a2e7b90e
--- /dev/null
+++ b/pkg/netpol/diff/diff_formatter.go
@@ -0,0 +1,214 @@ +package diff + +import ( + "bytes" + "encoding/csv" + "fmt" + "sort" + "strings" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/connlist" +) + +// diffFormatter implements diff output formatting in the required output format +type diffFormatter interface { + writeDiffOutput(connsDiff ConnectivityDiff) (string, error) + singleDiffLine(d *singleDiffFields) string +} + +const ( + noConns = "No Connections" + infoPrefix = " (workload " + infoSuffix = ")" + space = " " + and = " and " +) + +var newLine = fmt.Sprintln("") + +type singleDiffFields struct { + src string + dst string + dir1Conn string + dir2Conn string + diffType string +} + +func formDiffFieldsDataOfDiffConns(diffConns []*ConnsPair) (netpolsDiff, ingressDiff []*singleDiffFields) { + netpolsRes := make([]*singleDiffFields, 0) // diff in connections from netpols + ingressRes := make([]*singleDiffFields, 0) // diff in connections from ingress-controller + for _, d := range diffConns { + firstDirConn, secondDirConn := getDirsConnsStrings(d) + srcStr, dstStr, isSrcIngress := getConnPeersStrings(d) + diffData := &singleDiffFields{ + src: srcStr, + dst: dstStr, + dir1Conn: firstDirConn, + dir2Conn: secondDirConn, + diffType: getDiffInfo(d), + } + if isSrcIngress { + ingressRes = append(ingressRes, diffData) + } else { + netpolsRes = append(netpolsRes, diffData) + } + } + return netpolsRes, ingressRes +} + +func getConnPeersStrings(c *ConnsPair) (srcStr, dstStr string, isSrcIngress bool) { + switch c.diffType { + case changedType, removedType: + return c.firstConn.Src().String(), c.firstConn.Dst().String(), isIngressControllerPeer(c.firstConn.Src()) + case addedType: + return c.secondConn.Src().String(), c.secondConn.Dst().String(), isIngressControllerPeer(c.secondConn.Src()) + default: + return "", "", false // should not get here + } +} +func getDirsConnsStrings(c *ConnsPair) (dir1Str, dir2Str string) { + switch c.diffType { + case changedType: + return 
connlist.GetProtocolsAndPortsStr(c.firstConn), connlist.GetProtocolsAndPortsStr(c.secondConn) + case addedType: + return noConns, connlist.GetProtocolsAndPortsStr(c.secondConn) + case removedType: + return connlist.GetProtocolsAndPortsStr(c.firstConn), noConns + default: + return "", "" // should not get here ever + } +} + +// computes the diff string (if to include added/removed workloads) +func getDiffInfo(c *ConnsPair) string { + if c.diffType == changedType { + return changedType + } + srcStr, dstStr, _ := getConnPeersStrings(c) + // handling added or removed diff data + diffInfo := c.diffType + includedSrcFlag := false + if c.newOrLostSrc || c.newOrLostDst { + diffInfo += infoPrefix + if c.newOrLostSrc { + diffInfo += srcStr + includedSrcFlag = true + } + if c.newOrLostDst { + if includedSrcFlag { + diffInfo += and + } + diffInfo += dstStr + } + diffInfo += space + c.diffType + infoSuffix + } + return diffInfo +} + +func writeDiffLinesOrderedByCategory(connsDiff ConnectivityDiff, df diffFormatter) []string { + res := make([]string, 0) + // changed lines + netpolsChanged, ingressChanged := formDiffFieldsDataOfDiffConns(connsDiff.ChangedConnections()) + changedNetpolsLines := writeDiffLines(netpolsChanged, df) + changedIngressLines := writeDiffLines(ingressChanged, df) + // added lines + netpolsAdded, ingressAdded := formDiffFieldsDataOfDiffConns(connsDiff.AddedConnections()) + addedNetpolsLines := writeDiffLines(netpolsAdded, df) + addedIngressLines := writeDiffLines(ingressAdded, df) + // removed lines + netpolsRemoved, ingressRemoved := formDiffFieldsDataOfDiffConns(connsDiff.RemovedConnections()) + removedNetpolsLines := writeDiffLines(netpolsRemoved, df) + removedIngressLines := writeDiffLines(ingressRemoved, df) + + // first write lines of netpols connectivity diff + res = append(res, changedNetpolsLines...) + res = append(res, addedNetpolsLines...) + res = append(res, removedNetpolsLines...) 
+ // then append lines of ingress diff + res = append(res, changedIngressLines...) + res = append(res, addedIngressLines...) + res = append(res, removedIngressLines...) + + return res +} + +func writeDiffLines(diffData []*singleDiffFields, df diffFormatter) []string { + res := make([]string, len(diffData)) + for i, singleDiffData := range diffData { + res[i] = df.singleDiffLine(singleDiffData) + } + sort.Strings(res) + return res +} + +// ///////////////////////// +// diffFormatText: implements the diffFormatter interface for txt output format +type diffFormatText struct { +} + +const ( + // txt output header + connectivityDiffHeader = "Connectivity diff:" +) + +// returns a textual string format of connections diff from connectivityDiff object +func (t *diffFormatText) writeDiffOutput(connsDiff ConnectivityDiff) (string, error) { + res := make([]string, 0) + res = append(res, connectivityDiffHeader) + res = append(res, writeDiffLinesOrderedByCategory(connsDiff, t)...) + return strings.Join(res, newLine), nil +} + +func (t *diffFormatText) singleDiffLine(d *singleDiffFields) string { + return fmt.Sprintf("source: %s, destination: %s, dir1: %s, dir2: %s, diff-type: %s", + d.src, d.dst, d.dir1Conn, d.dir2Conn, d.diffType) +} + +// ///////////////////////// +// diffFormatMD: implements the diffFormatter interface for md output format +type diffFormatMD struct { +} + +var mdHeader = "| source | destination | dir1 | dir2 | diff-type |\n|--------|-------------|------|------|-----------|" + +// returns md string format of connections diff from connectivityDiff object +func (md *diffFormatMD) writeDiffOutput(connsDiff ConnectivityDiff) (string, error) { + res := make([]string, 0) + res = append(res, mdHeader) + res = append(res, writeDiffLinesOrderedByCategory(connsDiff, md)...) 
+ return strings.Join(res, newLine), nil +} + +func (md *diffFormatMD) singleDiffLine(d *singleDiffFields) string { + return fmt.Sprintf("| %s | %s | %s | %s | %s |", + d.src, d.dst, d.dir1Conn, d.dir2Conn, d.diffType) +} + +// ///////////////////////// +// diffFormatCSV: implements the diffFormatter interface for csv output format +type diffFormatCSV struct { +} + +var csvHeader = []string{"source", "destination", "dir1", "dir2", "diff-type"} + +func (cs *diffFormatCSV) writeDiffOutput(connsDiff ConnectivityDiff) (string, error) { + changesSortedByCategory := writeDiffLinesOrderedByCategory(connsDiff, cs) + // writing csv rows into a buffer + buf := new(bytes.Buffer) + writer := csv.NewWriter(buf) + if err := writer.Write(csvHeader); err != nil { + return "", err + } + for _, diffData := range changesSortedByCategory { + row := strings.Split(diffData, ";") + if err := writer.Write(row); err != nil { + return "", err + } + } + writer.Flush() + return buf.String(), nil +} + +func (cs *diffFormatCSV) singleDiffLine(d *singleDiffFields) string { + return fmt.Sprintf("%s;%s;%s;%s;%s", d.src, d.dst, d.dir1Conn, d.dir2Conn, d.diffType) +} diff --git a/pkg/netpol/diff/diff_test.go b/pkg/netpol/diff/diff_test.go new file mode 100644 index 00000000..db470c08 --- /dev/null +++ b/pkg/netpol/diff/diff_test.go 
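Review bot: diffFormatCSV.writeDiffOutput re-parses each row with `strings.Split(diffData, ";")` after singleDiffLine joined the five fields with ";"; a ";" inside any field silently shifts columns, and nothing verifies the count. Until the rows are kept as structured fields instead of a joined string, guard it: `if len(row) != len(csvHeader) { return "", fmt.Errorf("unexpected field count %d in diff row %q", len(row), diffData) }`. The MD writer has the analogous weakness with a "|" inside a field; whether peer or connection strings can contain either character depends on eval and connlist, which I cannot see from here. `var newLine = fmt.Sprintln("")` and `var mdHeader = ...` are constants in disguise; `const newLine = "\n"` and `const mdHeader = ...` prevent accidental reassignment.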
@@ -0,0 +1,304 @@ +package diff + +import ( + "errors" + "os" + "path/filepath" + "testing" + + "github.com/stretchr/testify/require" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" + "github.com/np-guard/netpol-analyzer/pkg/netpol/internal/testutils" +) + +type testEntry struct { + firstDirName string + secondDirName string + formats []string +} + +const expectedOutputFilePrefix = "diff_output_from_" + +var allFormats = []string{common.TextFormat, common.MDFormat, common.CSVFormat} + +func TestDiff(t *testing.T) { + testingEntries := []testEntry{ + { + // description: + // **changed netpols: default/frontend-netpol, default/adservice-netpol, default/checkoutservice-netpol, + // default/cartservice-netpol, default/currencyservice-netpol, default/emailservice-netpol + // **added netpols : default/redis-cart-netpol + firstDirName: "onlineboutique_workloads", + secondDirName: "onlineboutique_workloads_changed_netpols", + formats: allFormats, + }, + { + // description: + // **changed netpols: default/frontend-netpol, default/adservice-netpol, default/checkoutservice-netpol, + // default/cartservice-netpol, default/currencyservice-netpol, default/emailservice-netpol + // **added netpols : default/redis-cart-netpol + // **added workloads: default/unicorn + firstDirName: "onlineboutique_workloads", + secondDirName: "onlineboutique_workloads_changed_netpols_and_workloads", + formats: allFormats, + }, + { + // description: + // **added workloads: default/unicorn + firstDirName: "onlineboutique_workloads", + secondDirName: "onlineboutique_workloads_changed_workloads", + formats: allFormats, + }, + + { + // description: + // **changed netpols: default/frontend-netpol + // **added Ingress: default/onlineboutique-ingress + firstDirName: "onlineboutique_workloads", + secondDirName: "onlineboutique_workloads_with_ingress", + formats: []string{common.CSVFormat}, + }, + { + // description: + // ** changed Ingress: default/ingress-policy + // ** added netpols: 
default/productpage-netpol, default/details-netpol, default/reviews-netpol, + // default/ratings-netpol + // **added workloads: default/unicorn + firstDirName: "k8s_ingress_test", + secondDirName: "k8s_ingress_test_new", + formats: allFormats, + }, + { + // description: + // **changed workloads : backend/catalog (removed port) + // **added workloads: external/unicorn + // **removed workloads: payments/mastercard-processor + // **changed netpols: frontend/asset-cache-netpol (blocked ingress), backend/catalog-netpol, backend/reports-netpol, + // backend/shipping-netpol, frontend/webapp-netpol, + firstDirName: "acs-security-demos", + secondDirName: "acs-security-demos-new", + formats: allFormats, + }, + { + // description: + // **removed Routes: frontend/asset-cache, frontend/webapp + firstDirName: "acs-security-demos", + secondDirName: "acs-security-demos-no-routes", + formats: []string{common.DefaultFormat}, + }, + { + // description: + // **removed Ingress: ingressworld/ingress-2 + // **added Route: ingressworld/route-1 + firstDirName: "multiple_ingress_objects_with_different_ports", + secondDirName: "multiple_ingress_objects_with_different_ports_new", + formats: allFormats, + }, + { + // description: + // changed netpols : default/limit-app1-traffic + // in first dir connlist, default/deployment1 does not appear even it exists, since the netpol denies all traffic from/to it + // in second dir , the netpol limits the ingress of it , so it appears in the diff + firstDirName: "deny_all_to_from_a_deployment", + secondDirName: "deny_all_to_from_a_deployment_changed_netpol", + formats: []string{common.DefaultFormat}, + }, + } + + for _, entry := range testingEntries { + firstDirPath := filepath.Join(testutils.GetTestsDir(), entry.firstDirName) + secondDirPath := filepath.Join(testutils.GetTestsDir(), entry.secondDirName) + for _, format := range entry.formats { + expectedOutputFileName := expectedOutputFilePrefix + entry.firstDirName + "." 
+ format + expectedOutputFilePath := filepath.Join(secondDirPath, expectedOutputFileName) + + diffAnalyzer := NewDiffAnalyzer(WithOutputFormat(format)) + connsDiff, err := diffAnalyzer.ConnDiffFromDirPaths(firstDirPath, secondDirPath) + require.Empty(t, err) + actualOutput, err := diffAnalyzer.ConnectivityDiffToString(connsDiff) + require.Empty(t, err) + expectedOutputStr, err := os.ReadFile(expectedOutputFilePath) + require.Empty(t, err) + require.Equal(t, string(expectedOutputStr), actualOutput) + } + } +} + +type testErrEntry struct { + name string + dir1 string + dir2 string + errStr string + isCaFatalErr bool + isCaSevereErr bool + isCaWarning bool + isFormattingErr bool + format string +} + +var caErrType = &connectionsAnalyzingError{} // error returned from a func on the ConnlistAnalyzer object +var formattingErrType = &resultFormattingError{} // error returned from getting/writing output format + +func TestDiffErrors(t *testing.T) { + // following tests will be run with stopOnError, testing err string and diff err type + testingErrEntries := []testErrEntry{ + { + name: "unsupported format", + dir1: "onlineboutique_workloads", + dir2: "onlineboutique_workloads_changed_netpols", + format: "png", + errStr: "png output format is not supported.", + isFormattingErr: true, + }, + { + name: "dir 1 with bad netpol - CIDR error", + dir1: filepath.Join("bad_netpols", "subdir1"), + dir2: "ipblockstest", + errStr: "network policy default/shippingservice-netpol CIDR error: invalid CIDR address: A", + isCaFatalErr: true, + }, + { + name: "dir 2 with bad netpol - label key error", + dir1: "ipblockstest", + dir2: filepath.Join("bad_netpols", "subdir2"), + errStr: "network policy default/shippingservice-netpol selector error: key: Invalid value: \"app@b\": " + + "name part must consist of alphanumeric characters, '-', '_' or '.', and must start and end with an alphanumeric" + + " character (e.g. 
'MyName', or 'my.name', or '123-abc', regex used for validation is '([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9]')", + isCaFatalErr: true, + }, + { + name: "dir 1 with bad netpol - bad rule", + dir1: filepath.Join("bad_netpols", "subdir3"), + dir2: "ipblockstest", + errStr: "network policy default/shippingservice-netpol rule NetworkPolicyPeer error: " + + "cannot have both IPBlock and PodSelector/NamespaceSelector set", + isCaFatalErr: true, + }, + { + name: "dir 2 with bad netpol - empty rule", + dir1: "ipblockstest", + dir2: filepath.Join("bad_netpols", "subdir4"), + errStr: "network policy default/shippingservice-netpol rule NetworkPolicyPeer error: cannot have empty rule peer", + isCaFatalErr: true, + }, + { + name: "dir 1 with bad netpol - named port error", + dir1: filepath.Join("bad_netpols", "subdir5"), + dir2: "ipblockstest", + errStr: "network policy default/shippingservice-netpol named port error: " + + "named port is not defined in a selected workload shippingservice", + isCaFatalErr: true, + }, + { + name: "dir 2 with bad netpol - named port on ipblock error", + dir1: "ipblockstest", + dir2: filepath.Join("bad_netpols", "subdir6"), + errStr: "network policy default/shippingservice-netpol named port error: cannot convert named port for an IP destination", + isCaFatalErr: true, + }, + { + name: "dir 1 warning, has no yamls", + dir1: filepath.Join("bad_yamls", "subdir2"), + dir2: "ipblockstest", + errStr: "no yaml files found", + isCaWarning: true, + }, + { + name: "dir 1 does not exists", + dir1: filepath.Join("bad_yamls", "subdir3"), + dir2: "ipblockstest", + errStr: "error accessing directory:", + isCaFatalErr: true, + }, + { + name: "dir 1 has no k8s resources", + dir1: filepath.Join("bad_yamls", "not_a_k8s_resource.yaml"), + dir2: "ipblockstest", + errStr: "Yaml document is not a K8s resource", + isCaSevereErr: true, // severe error, stops only if stopOnError = true + }, + { + name: "dir 1 has malformed yaml", + dir1: filepath.Join("bad_yamls", 
"document_with_syntax_error.yaml"), + dir2: "ipblockstest", + errStr: "YAML document is malformed", + isCaSevereErr: true, // severe error, stops only if stopOnError = true + }, + { + name: "dir 1 warning, has no netpols", + dir1: "k8s_ingress_test", + dir2: "k8s_ingress_test_new", + errStr: "no relevant Kubernetes network policy resources found", + isCaWarning: true, + }, + { + name: "dir 2 warning, ingress conns are blocked by netpols", + dir1: "acs-security-demos", + dir2: "acs-security-demos-new", + errStr: "Route resource frontend/asset-cache specified workload frontend/asset-cache[Deployment] as a backend," + + " but network policies are blocking ingress connections from an arbitrary in-cluster source to this workload.", + isCaWarning: true, + }, + } + + for _, entry := range testingErrEntries { + var diffAnalyzer, diffAnalyzerStopsOnError *DiffAnalyzer + if entry.format != "" { + diffAnalyzer = NewDiffAnalyzer(WithOutputFormat(entry.format)) + diffAnalyzerStopsOnError = NewDiffAnalyzer(WithStopOnError(), WithOutputFormat(entry.format)) + } else { + diffAnalyzer = NewDiffAnalyzer() + diffAnalyzerStopsOnError = NewDiffAnalyzer(WithStopOnError()) + } + + firstDirPath := filepath.Join(testutils.GetTestsDir(), entry.dir1) + secondDirPath := filepath.Join(testutils.GetTestsDir(), entry.dir2) + connsDiff1, err1 := diffAnalyzer.ConnDiffFromDirPaths(firstDirPath, secondDirPath) + connsDiff2, err2 := diffAnalyzerStopsOnError.ConnDiffFromDirPaths(firstDirPath, secondDirPath) + diffErrors1 := diffAnalyzer.Errors() + diffErrors2 := diffAnalyzerStopsOnError.Errors() + if entry.isCaFatalErr { // fatal err , both analyzers behave the same, nil res, not nil err + require.Nil(t, connsDiff1) + require.Nil(t, connsDiff2) + require.Contains(t, err1.Error(), entry.errStr) + require.Contains(t, err2.Error(), entry.errStr) + require.Contains(t, diffErrors1[0].Error().Error(), entry.errStr) + require.Contains(t, diffErrors2[0].Error().Error(), entry.errStr) + // check err type + 
require.True(t, errors.As(diffErrors1[0].Error(), &caErrType)) + require.True(t, errors.As(diffErrors2[0].Error(), &caErrType)) + continue + } + if entry.isCaSevereErr { // severe error not returned in err, but with stopOnError, empty res with it in the errors + require.Nil(t, err1) + require.Nil(t, err2) + require.False(t, connsDiff1.isEmpty()) // diffAnalyzer did not stop, result not empty + require.True(t, connsDiff2.isEmpty()) // diffAnalyzerStopsOnError stops running, returns empty res + // error appended to diffAnalyzerErrors in both + require.Contains(t, diffErrors2[0].Error().Error(), entry.errStr) + require.Contains(t, diffErrors1[0].Error().Error(), entry.errStr) + continue + } + if entry.isCaWarning { // both don't stop + require.Nil(t, err1) + require.NotNil(t, connsDiff1) + require.Nil(t, err2) + require.NotNil(t, connsDiff2) + // warning appended to diffAnalyzerErrors in both + require.Contains(t, diffErrors2[0].Error().Error(), entry.errStr) + require.Contains(t, diffErrors1[0].Error().Error(), entry.errStr) + } + _, err1 = diffAnalyzer.ConnectivityDiffToString(connsDiff1) + _, err2 = diffAnalyzerStopsOnError.ConnectivityDiffToString(connsDiff2) + diffErrors1 = diffAnalyzer.Errors() + if entry.isFormattingErr { // formating error is fatal , stops both analyzers + require.Equal(t, err1.Error(), entry.errStr) + require.Equal(t, err2.Error(), entry.errStr) + require.True(t, errors.As(diffErrors1[0].Error(), &formattingErrType)) + continue + } + require.Nil(t, err1) + require.Nil(t, err2) + } +} diff --git a/pkg/netpol/eval/check.go b/pkg/netpol/eval/check.go index 370ce29d..dd2f0583 100644 --- a/pkg/netpol/eval/check.go +++ b/pkg/netpol/eval/check.go 
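Review bot: TestDiffErrors indexes `diffErrors1[0]` and `diffErrors2[0]` in the fatal, severe, warning and formatting branches without first checking that Errors() returned anything, so a regression that stops recording the error shows up as an index-out-of-range panic rather than a readable assertion; add `require.NotEmpty(t, diffErrors1)` and `require.NotEmpty(t, diffErrors2)` before the first index in each branch. In TestDiff the `require.Empty(t, err)` calls accept a nil error but drop the error text on failure, where `require.NoError(t, err)` is the idiomatic form and prints it. The formatting branch also refreshes only `diffErrors1` after ConnectivityDiffToString, so the stop-on-error analyzer's formatting error is never type-checked with errors.As, and the `require.Equal(t, err1.Error(), entry.errStr)` calls put actual before expected, which swaps the labels in the failure output.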
@@ -131,13 +131,14 @@ func (pe *PolicyEngine) AllAllowedConnectionsBetweenWorkloadPeers(srcPeer, dstPe func (pe *PolicyEngine) allAllowedConnectionsBetweenPeers(srcPeer, dstPeer Peer) (*common.ConnectionSet, error) { srcK8sPeer := srcPeer.(k8s.Peer) dstK8sPeer := dstPeer.(k8s.Peer) - res := &common.ConnectionSet{} + var res *common.ConnectionSet + var err error // cases where any connection is always allowed if isPodToItself(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(srcK8sPeer, dstK8sPeer) || isPeerNodeIP(dstK8sPeer, srcK8sPeer) { return common.MakeConnectionSet(true), nil } // egress - res, err := pe.allallowedXgressConnections(srcK8sPeer, dstK8sPeer, false) + res, err = pe.allallowedXgressConnections(srcK8sPeer, dstK8sPeer, false) if err != nil { return nil, err } @@ -290,7 +291,7 @@ func isPodToItself(peer1, peer2 k8s.Peer) bool { func (pe *PolicyEngine) getPeer(p string) (k8s.Peer, error) { // check if input peer is cidr if _, _, err := net.ParseCIDR(p); err == nil { - peerIPBlock, err := k8s.NewIPBlock(p, []string{}) + peerIPBlock, err := common.NewIPBlock(p, []string{}) if err != nil { return nil, err } @@ -298,7 +299,7 @@ func (pe *PolicyEngine) getPeer(p string) (k8s.Peer, error) { } // check if input peer is an ip address if net.ParseIP(p) != nil { - peerIPBlock, err := k8s.NewIPBlockFromIPAddress(p) + peerIPBlock, err := common.NewIPBlockFromIPAddress(p) if err != nil { return nil, err } diff --git a/pkg/netpol/eval/internal/k8s/netpol.go b/pkg/netpol/eval/internal/k8s/netpol.go index adfba628..502114cb 100644 --- a/pkg/netpol/eval/internal/k8s/netpol.go +++ b/pkg/netpol/eval/internal/k8s/netpol.go @@ -197,7 +197,7 @@ func (np *NetworkPolicy) ruleSelectsPeer(rulePeers []netv1.NetworkPolicyPeer, pe } peerIPBlock := peer.GetPeerIPBlock() - res := peerIPBlock.ipRange.ContainedIn(ruleIPBlock.ipRange) + res := peerIPBlock.ContainedIn(ruleIPBlock) if res { return true, nil } 
@@ -310,8 +310,8 @@ func (np *NetworkPolicy) netpolErr(title, description string) error { return fmt.Errorf("network policy %s %s: %s", np.fullName(), title, description) } -func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*IPBlock, error) { - ipb, err := NewIPBlock(cidr, except) +func (np *NetworkPolicy) parseNetpolCIDR(cidr string, except []string) (*common.IPBlock, error) { + ipb, err := common.NewIPBlock(cidr, except) if err != nil { return nil, np.netpolErr(cidrErrTitle, err.Error()) } @@ -326,23 +326,23 @@ func (np *NetworkPolicy) parseNetpolLabelSelector(selector *metav1.LabelSelector return selectorRes, nil } -func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPolicyPeer) ([]*IPBlock, error) { - res := []*IPBlock{} +func (np *NetworkPolicy) rulePeersReferencedIPBlocks(rulePeers []netv1.NetworkPolicyPeer) ([]*common.IPBlock, error) { + res := []*common.IPBlock{} for _, peerObj := range rulePeers { if peerObj.IPBlock != nil { ipb, err := np.parseNetpolCIDR(peerObj.IPBlock.CIDR, peerObj.IPBlock.Except) if err != nil { return nil, err } - res = append(res, ipb.split()...) + res = append(res, ipb.Split()...) } } return res, nil } // GetReferencedIPBlocks: return list of IPBlock objects referenced in the current network policy -func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*IPBlock, error) { - res := []*IPBlock{} +func (np *NetworkPolicy) GetReferencedIPBlocks() ([]*common.IPBlock, error) { + res := []*common.IPBlock{} for _, rule := range np.Spec.Ingress { ruleRes, err := np.rulePeersReferencedIPBlocks(rule.From) if err != nil { diff --git a/pkg/netpol/eval/internal/k8s/peer.go b/pkg/netpol/eval/internal/k8s/peer.go index 56bd4234..4dc6fb67 100644 --- a/pkg/netpol/eval/internal/k8s/peer.go +++ b/pkg/netpol/eval/internal/k8s/peer.go 
@@ -13,7 +13,11 @@ // limitations under the License. package k8s -import "k8s.io/apimachinery/pkg/types" +import ( + "k8s.io/apimachinery/pkg/types" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" +) // PeerType is a type to indicate the type of a Peer object (Pod or IP address) type PeerType int @@ -35,7 +39,7 @@ type Peer interface { // else returns nil GetPeerNamespace() *Namespace // GetPeerIPBlock returns a reference to IPBlock if the peer is IP address, else returns nil - GetPeerIPBlock() *IPBlock + GetPeerIPBlock() *common.IPBlock } // PodPeer implements k8s.Peer interface and eval.Peer interface @@ -46,7 +50,7 @@ type PodPeer struct { // IPBlockPeer implements k8s.Peer interface and eval.Peer interface type IPBlockPeer struct { - IPBlock *IPBlock + IPBlock *common.IPBlock } // WorkloadPeer implements eval.Peer interface @@ -110,7 +114,7 @@ func (p *PodPeer) GetPeerNamespace() *Namespace { return p.NamespaceObject } -func (p *PodPeer) GetPeerIPBlock() *IPBlock { +func (p *PodPeer) GetPeerIPBlock() *common.IPBlock { return nil } @@ -152,7 +156,7 @@ func (p *IPBlockPeer) GetPeerNamespace() *Namespace { return nil } -func (p *IPBlockPeer) GetPeerIPBlock() *IPBlock { +func (p *IPBlockPeer) GetPeerIPBlock() *common.IPBlock { return p.IPBlock } diff --git a/pkg/netpol/eval/peer.go b/pkg/netpol/eval/peer.go index 4f6c92d3..0ebb523c 100644 --- a/pkg/netpol/eval/peer.go +++ b/pkg/netpol/eval/peer.go @@ -1,5 +1,12 @@ package eval +import ( + "fmt" + + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" + "github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s" +) + // Peer can either represent a Pod or an IP address type Peer interface { // Name returns a peer's name in case the peer is a pod/workload, else it returns an empty string 
@@ -15,3 +22,83 @@ type Peer interface { // Kind returns a string of the peer kind in case the peer is a pod/workload, else it returns an empty string Kind() string } + +// DisjointPeerIPMap is given two sets of IP type peers, and returns a map from peer-str to its disjoint peers, considering both sets +// for example, if ip-range A from set1 is split to ranges (A1, S2) in the disjoint-blocks computation, +// then in the result map there would be entries for (str(A), str(A1), A1) and for (str(A), str(A2), A2) +func DisjointPeerIPMap(set1, set2 []Peer) (map[string]map[string]Peer, error) { + res := map[string]map[string]Peer{} + var ipSet1, ipSet2 []*common.IPBlock + var err error + if ipSet1, err = peerIPSetToIPBlockSet(set1); err != nil { + return nil, err + } + if ipSet2, err = peerIPSetToIPBlockSet(set2); err != nil { + return nil, err + } + disjointIPset := common.DisjointIPBlocks(ipSet1, ipSet2) + + for _, ipb := range disjointIPset { + addDisjointIPBlockToMap(ipSet1, ipb, res) + addDisjointIPBlockToMap(ipSet2, ipb, res) + } + + return res, nil +} + +// addDisjointIPBlockToMap updates input map (from peer-str to its disjoint peers) by adding a new disjoint ip +func addDisjointIPBlockToMap(ipSet []*common.IPBlock, disjointIP *common.IPBlock, m map[string]map[string]Peer) { + for _, ipb1 := range ipSet { + if disjointIP.ContainedIn(ipb1) { + updatePeerIPMap(m, ipb1, disjointIP) + break + } + } +} + +// updatePeerIPMap updates input map (from peer-str to its disjoint peers), given a new disjoint ip (ipb), and its +// associated original ip-range key from the map (ipb1) +func updatePeerIPMap(m map[string]map[string]Peer, ipb1, ipb *common.IPBlock) { + ipb1Str := ipb1.ToIPRanges() + if _, ok := m[ipb1Str]; !ok { + m[ipb1Str] = map[string]Peer{} + } + m[ipb1Str][ipb.ToIPRanges()] = &k8s.IPBlockPeer{IPBlock: ipb} +} + +// peerIPSetToIPBlockSet is given as input a list of peers of type ip-block, and returns a list matching IPBlock objects +func 
peerIPSetToIPBlockSet(peerSet []Peer) ([]*common.IPBlock, error) { + res := make([]*common.IPBlock, len(peerSet)) + for i, p := range peerSet { + ipBlock, err := peerIPToIPBlock(p) + if err != nil { + return nil, err + } + res[i] = ipBlock + } + return res, nil +} + +// peerIPToIPBlock returns an IPBlock object from a Peer object of IP type +func peerIPToIPBlock(p Peer) (*common.IPBlock, error) { + peerIP, ok := p.(*k8s.IPBlockPeer) + if !ok { + return nil, fmt.Errorf("input peer not IP block: %s", p.String()) + } + return peerIP.IPBlock, nil +} + +// MergePeerIPList is given as input a list of peers of type ip-blocks, and returns a new list of peers +// after merging overlapping/touching ip-blocks +func MergePeerIPList(ipPeers []Peer) ([]Peer, error) { + ipbList, err := peerIPSetToIPBlockSet(ipPeers) + if err != nil { + return nil, err + } + mergedList := common.MergeIPBlocksList(ipbList) + res := make([]Peer, len(mergedList)) + for i := range mergedList { + res[i] = &k8s.IPBlockPeer{IPBlock: mergedList[i]} + } + return res, nil +} diff --git a/pkg/netpol/eval/resources.go b/pkg/netpol/eval/resources.go index 2ddbb4cb..96d044ff 100644 --- a/pkg/netpol/eval/resources.go +++ b/pkg/netpol/eval/resources.go @@ -13,6 +13,7 @@ import ( "k8s.io/apimachinery/pkg/runtime" "k8s.io/apimachinery/pkg/types" + "github.com/np-guard/netpol-analyzer/pkg/netpol/common" "github.com/np-guard/netpol-analyzer/pkg/netpol/eval/internal/k8s" "github.com/np-guard/netpol-analyzer/pkg/netpol/scan" ) 
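Review bot: addDisjointIPBlockToMap stops at the first block of ipSet that contains disjointIP, so if two ranges in the same input set overlap, the second range never gets that sub-block recorded under its key even though the DisjointPeerIPMap comment promises a map from every peer to its disjoint parts; either drop the `break` so every containing range is updated, or, if callers already guarantee each set is internally disjoint, state that on DisjointPeerIPMap, e.g. `// both input sets are assumed to be internally disjoint; only the first containing range per set is recorded`. The example in the same comment reads `(A1, S2)` where `(A1, A2)` is meant. It would also help to note on DisjointPeerIPMap and MergePeerIPList that any non-IP peer in the input is rejected with an error, since peerIPToIPBlock's type assertion is the only place that enforces it.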
@@ -318,8 +319,8 @@ func (pe *PolicyEngine) GetPeersList() ([]Peer, error) { } // getDisjointIPBlocks returns a slice of disjoint ip-blocks from all netpols resources -func (pe *PolicyEngine) getDisjointIPBlocks() ([]*k8s.IPBlock, error) { - var ipbList []*k8s.IPBlock +func (pe *PolicyEngine) getDisjointIPBlocks() ([]*common.IPBlock, error) { + var ipbList []*common.IPBlock for _, nsMap := range pe.netpolsMap { for _, policy := range nsMap { policyIPBlocksList, err := policy.GetReferencedIPBlocks() @@ -329,8 +330,8 @@ func (pe *PolicyEngine) getDisjointIPBlocks() ([]*k8s.IPBlock, error) { ipbList = append(ipbList, policyIPBlocksList...) } } - newAll, _ := k8s.NewIPBlock("0.0.0.0/0", []string{}) - disjointRes := k8s.DisjointIPBlocks(ipbList, []*k8s.IPBlock{newAll}) + newAll, _ := common.NewIPBlock("0.0.0.0/0", []string{}) + disjointRes := common.DisjointIPBlocks(ipbList, []*common.IPBlock{newAll}) return disjointRes, nil } @@ -360,7 +361,7 @@ func (pe *PolicyEngine) ConvertPeerNamedPort(namedPort string, peer Peer) (int32 } } -// AddPodByNameAndNamespace adds a new fake pod to the pe.podsMap +// AddPodByNameAndNamespace adds a new fake pod to the pe.podsMap, used for adding ingress-controller pod func (pe *PolicyEngine) AddPodByNameAndNamespace(name, ns string) (Peer, error) { podStr := types.NamespacedName{Namespace: ns, Name: name}.String() newPod := &k8s.Pod{ diff --git a/tests/acs-security-demos-new/acs_netpols.yaml b/tests/acs-security-demos-new/acs_netpols.yaml new file mode 100644 index 00000000..080a6cb3 --- /dev/null +++ b/tests/acs-security-demos-new/acs_netpols.yaml 
@@ -0,0 +1,456 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: asset-cache-netpol + namespace: frontend +spec: + ingress: [] # blocking any ingress + podSelector: + matchLabels: + app: asset-cache + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: catalog-netpol + namespace: backend +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: recommendation + ports: + - port: 8080 + protocol: TCP + - from: + - podSelector: + matchLabels: + app: reports + ports: + - port: 9080 # changed to the new port + protocol: TCP + podSelector: + matchLabels: + app: catalog + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: checkout-netpol + namespace: backend +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: notification + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: recommendation + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: payments + podSelector: + matchLabels: + app: gateway + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: frontend + podSelector: + matchLabels: + app: webapp + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: checkout + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + 
network-policy-buildtime-generator.stackrox.io/generated: "true" + name: gateway-netpol + namespace: payments +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: mastercard-processor # removed its deployment - the rules will not be considered + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: visa-processor + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: checkout + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: gateway + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: mastercard-processor-netpol + namespace: payments +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: gateway + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: mastercard-processor + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: notification-netpol + namespace: backend +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: checkout + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: notification + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: recommendation-netpol + namespace: backend +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: catalog + - ports: + - port: 5353 + protocol: UDP + to: 
+ - namespaceSelector: {} + ingress: + - from: + - podSelector: + matchLabels: + app: checkout + ports: + - port: 8080 + protocol: TCP + - from: + - podSelector: + matchLabels: + app: reports + ports: + - port: 8080 + protocol: TCP + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: frontend + podSelector: + matchLabels: + app: webapp + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: recommendation + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: reports-netpol + namespace: backend +spec: + egress: + - ports: + - port: 9080 # changed + protocol: TCP + to: + - podSelector: + matchLabels: + app: catalog + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: recommendation + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: frontend + podSelector: + matchLabels: + app: webapp + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: reports + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: shipping-netpol + namespace: backend +spec: + ingress: [] # removed + podSelector: + matchLabels: + app: shipping + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: visa-processor-netpol + namespace: payments +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: gateway + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: 
visa-processor + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: webapp-netpol + namespace: frontend +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: checkout + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: recommendation + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: reports + # removed conn + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: webapp + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: default-deny-in-namespace-backend + namespace: backend +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: default-deny-in-namespace-frontend + namespace: frontend +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: default-deny-in-namespace-payments + namespace: payments +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + 
diff --git a/tests/acs-security-demos-new/backend/catalog/deployment.yaml b/tests/acs-security-demos-new/backend/catalog/deployment.yaml new file mode 100644 index 00000000..463ddaa7 --- /dev/null +++ b/tests/acs-security-demos-new/backend/catalog/deployment.yaml @@ -0,0 +1,66 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: catalog + namespace: backend + labels: + app: catalog + app.kubernetes.io/part-of: backend +spec: + replicas: 1 + selector: + matchLabels: + app: catalog + template: + metadata: + labels: + app: catalog + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + ] + imagePullPolicy: Always + name: catalog + ports: + - containerPort: 8080 + protocol: TCP + - image: quay.io/vuln/rce-webapp-2:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":9080", + ] + imagePullPolicy: Always + name: catalog-2 + ports: + - containerPort: 9080 + protocol: TCP +--- +# Service named "catalog-service" +# Listens on :8080 / 9080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: catalog + name: catalog-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + - port: 9080 + protocol: TCP + targetPort: 9080 + name: http2 + selector: + app: catalog + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-new/backend/checkout/configmap.yaml b/tests/acs-security-demos-new/backend/checkout/configmap.yaml new file mode 100644 index 00000000..9d8e1c51 --- /dev/null +++ b/tests/acs-security-demos-new/backend/checkout/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +data: + RECOMMENDATION_ADDR: recommendation-service + RECOMMENDATION_PORT: "8080" + NOTIFICATION_ADDR: notification-service + NOTIFICATION_PORT: "8080" + GATEWAY_ADDR: gateway-service.payments + GATEWAY_PORT: "8080" +kind: ConfigMap +metadata: + name: checkout-endpoint-config + namespace: backend \ No newline at end of file 
diff --git a/tests/acs-security-demos-new/backend/checkout/deployment.yaml b/tests/acs-security-demos-new/backend/checkout/deployment.yaml new file mode 100644 index 00000000..5f2ea6c1 --- /dev/null +++ b/tests/acs-security-demos-new/backend/checkout/deployment.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkout + namespace: backend + labels: + app: checkout + app.kubernetes.io/part-of: backend + annotations: + app.openshift.io/connects-to: "recommendation,notification" +spec: + replicas: 1 + selector: + matchLabels: + app: checkout + template: + metadata: + labels: + app: checkout + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + "-connect", + "$(RECOMMENDATION_ADDR):$(RECOMMENDATION_PORT),$(NOTIFICATION_ADDR):$(NOTIFICATION_PORT),$(GATEWAY_ADDR):$(GATEWAY_PORT)", + ] + imagePullPolicy: Always + name: checkout + envFrom: + - configMapRef: + name: checkout-endpoint-config + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "checkout-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: checkout + name: checkout-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: checkout + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-new/backend/notification/deployment.yaml b/tests/acs-security-demos-new/backend/notification/deployment.yaml new file mode 100644 index 00000000..2cf62d15 --- /dev/null +++ b/tests/acs-security-demos-new/backend/notification/deployment.yaml 
@@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: notification + namespace: backend + labels: + app: notification + app.kubernetes.io/part-of: backend +spec: + replicas: 1 + selector: + matchLabels: + app: notification + template: + metadata: + labels: + app: notification + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + ] + imagePullPolicy: Always + name: notification + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "notification-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: notification + name: notification-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: notification + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-new/backend/recommendation/configmap.yaml b/tests/acs-security-demos-new/backend/recommendation/configmap.yaml new file mode 100644 index 00000000..69378ac9 --- /dev/null +++ b/tests/acs-security-demos-new/backend/recommendation/configmap.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +data: + CATALOG_ADDR: catalog-service + CATALOG_PORT: "8080" +kind: ConfigMap +metadata: + name: recommendation-endpoint-config + namespace: backend diff --git a/tests/acs-security-demos-new/backend/recommendation/deployment.yaml b/tests/acs-security-demos-new/backend/recommendation/deployment.yaml new file mode 100644 index 00000000..d195f98e --- /dev/null +++ b/tests/acs-security-demos-new/backend/recommendation/deployment.yaml 
@@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendation + namespace: backend + labels: + app: recommendation + app.kubernetes.io/part-of: backend + annotations: + app.openshift.io/connects-to: "catalog" +spec: + replicas: 1 + selector: + matchLabels: + app: recommendation + template: + metadata: + labels: + app: recommendation + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + "-connect", + "$(CATALOG_ADDR):$(CATALOG_PORT)", + ] + imagePullPolicy: Always + name: recommendation + envFrom: + - configMapRef: + name: recommendation-endpoint-config + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "recommendation-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: recommendation + name: recommendation-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: recommendation + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-new/backend/reports/configmap.yaml b/tests/acs-security-demos-new/backend/reports/configmap.yaml new file mode 100644 index 00000000..7b5536b7 --- /dev/null +++ b/tests/acs-security-demos-new/backend/reports/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +data: + RECOMMENDATION_ADDR: recommendation-service + RECOMMENDATION_PORT: "8080" + CATALOG_ADDR: catalog-service + CATALOG_PORT: "8080" +kind: ConfigMap +metadata: + name: reports-endpoint-config + namespace: backend diff --git a/tests/acs-security-demos-new/backend/reports/deployment.yaml b/tests/acs-security-demos-new/backend/reports/deployment.yaml new file mode 100644 index 00000000..6de8d5e3 --- /dev/null +++ b/tests/acs-security-demos-new/backend/reports/deployment.yaml 
@@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: reports + namespace: backend + labels: + app: reports + app.kubernetes.io/part-of: backend + annotations: + app.openshift.io/connects-to: "recommendation,catalog" +spec: + replicas: 1 + selector: + matchLabels: + app: reports + template: + metadata: + labels: + app: reports + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + "-connect", + "$(RECOMMENDATION_ADDR):$(RECOMMENDATION_PORT),$(CATALOG_ADDR):$(CATALOG_PORT)", + ] + imagePullPolicy: Always + name: reports + envFrom: + - configMapRef: + name: reports-endpoint-config + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "reports-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: reports + name: reports-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: reports + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-new/backend/shipping/deployment.yaml b/tests/acs-security-demos-new/backend/shipping/deployment.yaml new file mode 100644 index 00000000..9c95ef59 --- /dev/null +++ b/tests/acs-security-demos-new/backend/shipping/deployment.yaml 
@@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shipping + namespace: backend + labels: + app: shipping + app.kubernetes.io/part-of: backend +spec: + replicas: 1 + selector: + matchLabels: + app: shipping + template: + metadata: + labels: + app: shipping + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + ] + imagePullPolicy: Always + name: shipping + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "shipping-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: shipping + name: shipping-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: shipping + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-new/diff_output_from_acs-security-demos.csv b/tests/acs-security-demos-new/diff_output_from_acs-security-demos.csv new file mode 100644 index 00000000..70993e8f --- /dev/null +++ b/tests/acs-security-demos-new/diff_output_from_acs-security-demos.csv 
@@ -0,0 +1,13 @@ +source,destination,dir1,dir2,diff-type +backend/reports[Deployment],backend/catalog[Deployment],TCP 8080,TCP 9080,changed +0.0.0.0-255.255.255.255,external/unicorn[Deployment],No Connections,All Connections,added (workload external/unicorn[Deployment] added) +backend/checkout[Deployment],external/unicorn[Deployment],No Connections,UDP 5353,added (workload external/unicorn[Deployment] added) +backend/recommendation[Deployment],external/unicorn[Deployment],No Connections,UDP 5353,added (workload external/unicorn[Deployment] added) +backend/reports[Deployment],external/unicorn[Deployment],No Connections,UDP 5353,added (workload external/unicorn[Deployment] added) +external/unicorn[Deployment],0.0.0.0-255.255.255.255,No Connections,All Connections,added (workload external/unicorn[Deployment] added) +external/unicorn[Deployment],frontend/webapp[Deployment],No Connections,TCP 8080,added (workload external/unicorn[Deployment] added) +frontend/webapp[Deployment],external/unicorn[Deployment],No Connections,UDP 5353,added (workload external/unicorn[Deployment] added) +payments/gateway[Deployment],external/unicorn[Deployment],No Connections,UDP 5353,added (workload external/unicorn[Deployment] added) +frontend/webapp[Deployment],backend/shipping[Deployment],TCP 8080,No Connections,removed +payments/gateway[Deployment],payments/mastercard-processor[Deployment],TCP 8080,No Connections,removed (workload payments/mastercard-processor[Deployment] removed) +{ingress-controller},frontend/asset-cache[Deployment],TCP 8080,No Connections,removed diff --git a/tests/acs-security-demos-new/diff_output_from_acs-security-demos.md b/tests/acs-security-demos-new/diff_output_from_acs-security-demos.md new file mode 100644 index 00000000..1452cf60 --- /dev/null +++ b/tests/acs-security-demos-new/diff_output_from_acs-security-demos.md 
@@ -0,0 +1,14 @@ +| source | destination | dir1 | dir2 | diff-type | +|--------|-------------|------|------|-----------| +| backend/reports[Deployment] | backend/catalog[Deployment] | TCP 8080 | TCP 9080 | changed | +| 0.0.0.0-255.255.255.255 | external/unicorn[Deployment] | No Connections | All Connections | added (workload external/unicorn[Deployment] added) | +| backend/checkout[Deployment] | external/unicorn[Deployment] | No Connections | UDP 5353 | added (workload external/unicorn[Deployment] added) | +| backend/recommendation[Deployment] | external/unicorn[Deployment] | No Connections | UDP 5353 | added (workload external/unicorn[Deployment] added) | +| backend/reports[Deployment] | external/unicorn[Deployment] | No Connections | UDP 5353 | added (workload external/unicorn[Deployment] added) | +| external/unicorn[Deployment] | 0.0.0.0-255.255.255.255 | No Connections | All Connections | added (workload external/unicorn[Deployment] added) | +| external/unicorn[Deployment] | frontend/webapp[Deployment] | No Connections | TCP 8080 | added (workload external/unicorn[Deployment] added) | +| frontend/webapp[Deployment] | external/unicorn[Deployment] | No Connections | UDP 5353 | added (workload external/unicorn[Deployment] added) | +| payments/gateway[Deployment] | external/unicorn[Deployment] | No Connections | UDP 5353 | added (workload external/unicorn[Deployment] added) | +| frontend/webapp[Deployment] | backend/shipping[Deployment] | TCP 8080 | No Connections | removed | +| payments/gateway[Deployment] | payments/mastercard-processor[Deployment] | TCP 8080 | No Connections | removed (workload payments/mastercard-processor[Deployment] removed) | +| {ingress-controller} | frontend/asset-cache[Deployment] | TCP 8080 | No Connections | removed | \ No newline at end of file 
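Review bot: The markdown expected-output fixture ends without a trailing newline (`\ No newline at end of file`), and so does the txt fixture added in diff_output_from_acs-security-demos.txt, whereas the csv fixture ends with one. If the three output writers are meant to behave alike, the md and txt outputs should also terminate with a newline so the last row is a complete line for `diff`/`cat`-style tooling; if the asymmetry is intentional, a one-line comment in the test that compares these files would save the next reader from "fixing" it.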
diff --git a/tests/acs-security-demos-new/diff_output_from_acs-security-demos.txt b/tests/acs-security-demos-new/diff_output_from_acs-security-demos.txt new file mode 100644 index 00000000..cf81761c --- /dev/null +++ b/tests/acs-security-demos-new/diff_output_from_acs-security-demos.txt 
@@ -0,0 +1,13 @@ +Connectivity diff: +source: backend/reports[Deployment], destination: backend/catalog[Deployment], dir1: TCP 8080, dir2: TCP 9080, diff-type: changed +source: 0.0.0.0-255.255.255.255, destination: external/unicorn[Deployment], dir1: No Connections, dir2: All Connections, diff-type: added (workload external/unicorn[Deployment] added) +source: backend/checkout[Deployment], destination: external/unicorn[Deployment], dir1: No Connections, dir2: UDP 5353, diff-type: added (workload external/unicorn[Deployment] added) +source: backend/recommendation[Deployment], destination: external/unicorn[Deployment], dir1: No Connections, dir2: UDP 5353, diff-type: added (workload external/unicorn[Deployment] added) +source: backend/reports[Deployment], destination: external/unicorn[Deployment], dir1: No Connections, dir2: UDP 5353, diff-type: added (workload external/unicorn[Deployment] added) +source: external/unicorn[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: No Connections, dir2: All Connections, diff-type: added (workload external/unicorn[Deployment] added) +source: external/unicorn[Deployment], destination: frontend/webapp[Deployment], dir1: No Connections, dir2: TCP 8080, diff-type: added (workload external/unicorn[Deployment] added) +source: frontend/webapp[Deployment], destination: external/unicorn[Deployment], dir1: No Connections, dir2: UDP 5353, diff-type: added (workload external/unicorn[Deployment] added) +source: payments/gateway[Deployment], destination: external/unicorn[Deployment], dir1: No Connections, dir2: UDP 5353, diff-type: added (workload external/unicorn[Deployment] added) +source: frontend/webapp[Deployment], destination: backend/shipping[Deployment], dir1: TCP 8080, dir2: No Connections, diff-type: removed +source: payments/gateway[Deployment], destination: payments/mastercard-processor[Deployment], dir1: TCP 8080, dir2: No Connections, diff-type: removed (workload payments/mastercard-processor[Deployment] removed) +source: 
{ingress-controller}, destination: frontend/asset-cache[Deployment], dir1: TCP 8080, dir2: No Connections, diff-type: removed \ No newline at end of file diff --git a/tests/acs-security-demos-new/external/new_deployment.yaml b/tests/acs-security-demos-new/external/new_deployment.yaml new file mode 100644 index 00000000..8646bb85 --- /dev/null +++ b/tests/acs-security-demos-new/external/new_deployment.yaml @@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: unicorn + namespace: external +spec: + selector: + matchLabels: + app: unicorn + template: + metadata: + labels: + app: unicorn + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/unicorn:v0.1.3 + ports: + - containerPort: 5353 +--- +apiVersion: v1 +kind: Service +metadata: + name: unicorn + namespace: external +spec: + type: ClusterIP + selector: + app: unicorn + ports: + - name: udp + port: 5000 + targetPort: 5353 +--- diff --git a/tests/acs-security-demos-new/frontend/asset-cache/deployment.yaml b/tests/acs-security-demos-new/frontend/asset-cache/deployment.yaml new file mode 100644 index 00000000..779d48e2 --- /dev/null +++ b/tests/acs-security-demos-new/frontend/asset-cache/deployment.yaml 
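Review bot: In external/new_deployment.yaml the unicorn Service port is named `udp` but sets no `protocol`, so both it and the container's `containerPort: 5353` default to TCP, while the expected diff outputs describe the new connection as `UDP 5353`. Presumably the connectivity result comes from the NetworkPolicy rules rather than the Service, so the expected files are unaffected, but the fixture is self-inconsistent; add `protocol: UDP` under the Service port and under the `containerPort: 5353` entry. The trailing `---` after the Service is a stray empty document and can be dropped.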
@@ -0,0 +1,66 @@ +apiVersion: v1 +kind: ServiceAccount +automountServiceAccountToken: false +metadata: + name: asset-cache + namespace: frontend + labels: + app: asset-cache +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: asset-cache + namespace: frontend + labels: + app: asset-cache + exposed: "true" + app.kubernetes.io/part-of: frontend +spec: + replicas: 1 + selector: + matchLabels: + app: asset-cache + template: + metadata: + labels: + app: asset-cache + spec: + serviceAccountName: asset-cache + automountServiceAccountToken: false + containers: + - image: quay.io/vuln/asset-cache:latest + resources: + requests: + memory: "64Mi" + cpu: "250m" + limits: + memory: "128Mi" + cpu: "500m" + securityContext: + readOnlyRootFilesystem: true + capabilities: + drop: + - all + imagePullPolicy: Always + name: asset-cache + ports: + - containerPort: 8080 + protocol: TCP +--- +apiVersion: v1 +kind: Service +metadata: + labels: + app: asset-cache + name: asset-cache-service + namespace: frontend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: asset-cache + type: ClusterIP diff --git a/tests/acs-security-demos-new/frontend/asset-cache/route.yaml b/tests/acs-security-demos-new/frontend/asset-cache/route.yaml new file mode 100644 index 00000000..5ae45a4d --- /dev/null +++ b/tests/acs-security-demos-new/frontend/asset-cache/route.yaml @@ -0,0 +1,15 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: asset-cache + namespace: frontend + labels: + app: asset-cache +spec: + to: + kind: Service + name: asset-cache-service + weight: 100 + port: + targetPort: http + wildcardPolicy: None \ No newline at end of file diff --git a/tests/acs-security-demos-new/frontend/webapp/configmap.yaml b/tests/acs-security-demos-new/frontend/webapp/configmap.yaml new file mode 100644 index 00000000..ee834e11 --- /dev/null +++ b/tests/acs-security-demos-new/frontend/webapp/configmap.yaml 
@@ -0,0 +1,14 @@ +apiVersion: v1 +data: + CHECKOUT_ADDR: checkout-service.backend + CHECKOUT_PORT: "8080" + REPORT_GENERATOR_SERVICE_ADDR: reports-service.backend + REPORT_GENERATOR_SERVICE_PORT: "8080" + RECOMMENDATION_ADDR: recommendation-service.backend + RECOMMENDATION_PORT: "8080" + SHIPPING_ADDR: shipping-service.backend + SHIPPING_PORT: "8080" +kind: ConfigMap +metadata: + name: webapp-endpoint-config + namespace: frontend \ No newline at end of file diff --git a/tests/acs-security-demos-new/frontend/webapp/deployment.yaml b/tests/acs-security-demos-new/frontend/webapp/deployment.yaml new file mode 100644 index 00000000..ad6f4311 --- /dev/null +++ b/tests/acs-security-demos-new/frontend/webapp/deployment.yaml @@ -0,0 +1,59 @@ +# Deployment named "webapp" +# Listens on :8080 +# Has SSH keys mounted +apiVersion: apps/v1 +kind: Deployment +metadata: + name: webapp + namespace: frontend + labels: + app: webapp + exposed: "true" + app.kubernetes.io/part-of: frontend +spec: + replicas: 1 + selector: + matchLabels: + app: webapp + template: + metadata: + labels: + app: webapp + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + "-connect", + "$(CHECKOUT_ADDR):$(CHECKOUT_PORT),$(REPORT_GENERATOR_SERVICE_ADDR):$(REPORT_GENERATOR_SERVICE_PORT),$(RECOMMENDATION_ADDR):$(RECOMMENDATION_PORT),$(SHIPPING_ADDR):$(SHIPPING_PORT)", + ] + imagePullPolicy: Always + name: webapp + envFrom: + - configMapRef: + name: webapp-endpoint-config + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "webapp-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: webapp + name: webapp-service + namespace: frontend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: webapp + type: ClusterIP \ No newline at end of file 
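Review bot: The header comment on the webapp Deployment says `# Has SSH keys mounted`, but the pod spec declares no `volumes` or `volumeMounts`; the line looks copied from the visa-processor manifest, which is the only one here that mounts the `ssh-keys` Secret. The same stale header appears in payments/gateway/deployment.yaml, which additionally says `# Listens on :7777` while its `-listen` argument and `containerPort` use `:8080`. Suggest dropping the SSH line from both files and changing the gateway header to `# Listens on :8080`, so the comments describe what the fixture actually models.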
diff --git a/tests/acs-security-demos-new/frontend/webapp/route.yaml b/tests/acs-security-demos-new/frontend/webapp/route.yaml new file mode 100644 index 00000000..77d14655 --- /dev/null +++ b/tests/acs-security-demos-new/frontend/webapp/route.yaml @@ -0,0 +1,15 @@ +apiVersion: route.openshift.io/v1 +kind: Route +metadata: + name: webapp + namespace: frontend + labels: + app: webapp +spec: + to: + kind: Service + name: webapp-service + weight: 100 + port: + targetPort: http + wildcardPolicy: None \ No newline at end of file diff --git a/tests/acs-security-demos-new/payments/gateway/deployment.yaml b/tests/acs-security-demos-new/payments/gateway/deployment.yaml new file mode 100644 index 00000000..2a681c16 --- /dev/null +++ b/tests/acs-security-demos-new/payments/gateway/deployment.yaml 
@@ -0,0 +1,66 @@ +# Deployment named "gateway" +# Listens on :7777 +# Has SSH keys mounted +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gateway + namespace: payments + labels: + app: gateway + app.kubernetes.io/part-of: payments + annotations: + app.openshift.io/connects-to: "visa-processor,mastercard-processor" +spec: + replicas: 1 + selector: + matchLabels: + app: gateway + template: + metadata: + labels: + app: gateway + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + "-connect", + "$(VISA_SERVICE_ADDR):$(VISA_SERVICE_PORT),$(MASTER_SERVICE_ADDR):$(MASTER_SERVICE_PORT)", + ] + imagePullPolicy: Always + name: gateway + env: + - name: VISA_SERVICE_ADDR + value: "visa-processor-service" + - name: VISA_SERVICE_PORT + value: "8080" + - name: MASTER_SERVICE_ADDR + value: "mastercard-processor-service" + - name: MASTER_SERVICE_PORT + value: "8080" + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "gateway-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: gateway + name: gateway-service + namespace: payments +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: gateway + type: ClusterIP diff --git a/tests/acs-security-demos-new/payments/visa-processor/deployment.yaml b/tests/acs-security-demos-new/payments/visa-processor/deployment.yaml new file mode 100644 index 00000000..037760b0 --- /dev/null +++ b/tests/acs-security-demos-new/payments/visa-processor/deployment.yaml 
@@ -0,0 +1,96 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: visa-processor + namespace: payments + labels: + app: visa-processor + +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: visa-processor + labels: + app: visa-processor +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cluster-admin +subjects: + - kind: ServiceAccount + name: visa-processor + namespace: payments + +--- +# Deployment named "visa-processor" +# Listens on :8080 +# Vulnerable to struts +# Has SSH keys mounted +apiVersion: apps/v1 +kind: Deployment +metadata: + name: visa-processor + namespace: payments + labels: + app: visa-processor + app.kubernetes.io/part-of: payments + annotations: + "admission.stackrox.io/break-glass": "jira-3423" +spec: + replicas: 1 + selector: + matchLabels: + app: visa-processor + template: + metadata: + labels: + app: visa-processor + spec: + serviceAccountName: visa-processor + volumes: + - name: ssh-keys + secret: + secretName: ssh-keys + containers: + - image: quay.io/vuln/visa-processor:latest + imagePullPolicy: Always + name: visa-processor + ports: + - containerPort: 22 + protocol: TCP + - containerPort: 8080 + protocol: TCP + volumeMounts: + - name: ssh-keys + mountPath: "/root/.ssh" + readOnly: false + securityContext: + capabilities: + add: ["SYS_ADMIN"] + privileged: true + env: + - name: DB_SERVICE_ADDR + value: "external-db" + - name: I_HAVE_A_SECRET + value: "true" + +--- +# Service named "visa-processor-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: visa-processor + name: visa-processor-service + namespace: payments +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: visa-processor + type: ClusterIP diff --git a/tests/acs-security-demos-no-routes/acs_netpols.yaml b/tests/acs-security-demos-no-routes/acs_netpols.yaml new file mode 100644 index 00000000..f0b60af4 --- /dev/null 
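Review bot: visa-processor/deployment.yaml binds the `visa-processor` ServiceAccount to the `cluster-admin` ClusterRole and runs the container with `privileged: true`, `SYS_ADMIN` and the `ssh-keys` Secret mounted read-write at `/root/.ssh`, yet nothing in the file says this is deliberately insecure demo input for the connectivity analyser rather than a manifest anyone should apply. A header such as `# Intentionally insecure ACS demo manifest - test fixture only, never apply to a real cluster` would prevent the settings from being "fixed" or reused, and the existing `# Listens on :8080` line could also mention the `22/TCP` container port so the comment matches the ports list.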
+++ b/tests/acs-security-demos-no-routes/acs_netpols.yaml 
@@ -0,0 +1,480 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: asset-cache-netpol + namespace: frontend +spec: + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: asset-cache + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: catalog-netpol + namespace: backend +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: recommendation + ports: + - port: 8080 + protocol: TCP + - from: + - podSelector: + matchLabels: + app: reports + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: catalog + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: checkout-netpol + namespace: backend +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: notification + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: recommendation + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: payments + podSelector: + matchLabels: + app: gateway + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: frontend + podSelector: + matchLabels: + app: webapp + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: checkout + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: 
+ network-policy-buildtime-generator.stackrox.io/generated: "true" + name: gateway-netpol + namespace: payments +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: mastercard-processor + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: visa-processor + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: checkout + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: gateway + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: mastercard-processor-netpol + namespace: payments +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: gateway + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: mastercard-processor + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: notification-netpol + namespace: backend +spec: + ingress: + - from: + - podSelector: + matchLabels: + app: checkout + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: notification + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: recommendation-netpol + namespace: backend +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: catalog + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - 
podSelector: + matchLabels: + app: checkout + ports: + - port: 8080 + protocol: TCP + - from: + - podSelector: + matchLabels: + app: reports + ports: + - port: 8080 + protocol: TCP + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: frontend + podSelector: + matchLabels: + app: webapp + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: recommendation + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: reports-netpol + namespace: backend +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: catalog + - ports: + - port: 8080 + protocol: TCP + to: + - podSelector: + matchLabels: + app: recommendation + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: frontend + podSelector: + matchLabels: + app: webapp + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: reports + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: shipping-netpol + namespace: backend +spec: + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: frontend + podSelector: + matchLabels: + app: webapp + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: shipping + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: visa-processor-netpol + namespace: payments +spec: + ingress: + - from: + - podSelector: + matchLabels: 
+ app: gateway + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: visa-processor + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: webapp-netpol + namespace: frontend +spec: + egress: + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: checkout + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: recommendation + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: reports + - ports: + - port: 8080 + protocol: TCP + to: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: backend + podSelector: + matchLabels: + app: shipping + - ports: + - port: 5353 + protocol: UDP + to: + - namespaceSelector: {} + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + protocol: TCP + podSelector: + matchLabels: + app: webapp + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: default-deny-in-namespace-backend + namespace: backend +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: default-deny-in-namespace-frontend + namespace: frontend +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + 
creationTimestamp: null + labels: + network-policy-buildtime-generator.stackrox.io/generated: "true" + name: default-deny-in-namespace-payments + namespace: payments +spec: + podSelector: {} + policyTypes: + - Ingress + - Egress + diff --git a/tests/acs-security-demos-no-routes/backend/catalog/deployment.yaml b/tests/acs-security-demos-no-routes/backend/catalog/deployment.yaml new file mode 100644 index 00000000..7a3cc04a --- /dev/null +++ b/tests/acs-security-demos-no-routes/backend/catalog/deployment.yaml @@ -0,0 +1,50 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: catalog + namespace: backend + labels: + app: catalog + app.kubernetes.io/part-of: backend +spec: + replicas: 1 + selector: + matchLabels: + app: catalog + template: + metadata: + labels: + app: catalog + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + ] + imagePullPolicy: Always + name: catalog + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "catalog-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: catalog + name: catalog-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: catalog + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-no-routes/backend/checkout/configmap.yaml b/tests/acs-security-demos-no-routes/backend/checkout/configmap.yaml new file mode 100644 index 00000000..9d8e1c51 --- /dev/null +++ b/tests/acs-security-demos-no-routes/backend/checkout/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +data: + RECOMMENDATION_ADDR: recommendation-service + RECOMMENDATION_PORT: "8080" + NOTIFICATION_ADDR: notification-service + NOTIFICATION_PORT: "8080" + GATEWAY_ADDR: gateway-service.payments + GATEWAY_PORT: "8080" +kind: ConfigMap +metadata: + name: checkout-endpoint-config + namespace: backend \ No newline at end of file 
diff --git a/tests/acs-security-demos-no-routes/backend/checkout/deployment.yaml b/tests/acs-security-demos-no-routes/backend/checkout/deployment.yaml new file mode 100644 index 00000000..5f2ea6c1 --- /dev/null +++ b/tests/acs-security-demos-no-routes/backend/checkout/deployment.yaml @@ -0,0 +1,58 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkout + namespace: backend + labels: + app: checkout + app.kubernetes.io/part-of: backend + annotations: + app.openshift.io/connects-to: "recommendation,notification" +spec: + replicas: 1 + selector: + matchLabels: + app: checkout + template: + metadata: + labels: + app: checkout + spec: + containers: + - image: quay.io/vuln/rce-webapp:latest + command: ["/bin/entrypoint"] + args: + [ + "-listen", + ":8080", + "-connect", + "$(RECOMMENDATION_ADDR):$(RECOMMENDATION_PORT),$(NOTIFICATION_ADDR):$(NOTIFICATION_PORT),$(GATEWAY_ADDR):$(GATEWAY_PORT)", + ] + imagePullPolicy: Always + name: checkout + envFrom: + - configMapRef: + name: checkout-endpoint-config + ports: + - containerPort: 8080 + protocol: TCP +--- +# Service named "checkout-service" +# Listens on :8080 +apiVersion: v1 +kind: Service +metadata: + labels: + app: checkout + name: checkout-service + namespace: backend +spec: + ports: + - port: 8080 + protocol: TCP + targetPort: 8080 + name: http + selector: + app: checkout + type: ClusterIP \ No newline at end of file diff --git a/tests/acs-security-demos-no-routes/backend/notification/deployment.yaml b/tests/acs-security-demos-no-routes/backend/notification/deployment.yaml new file mode 100644 index 00000000..2cf62d15 --- /dev/null +++ b/tests/acs-security-demos-no-routes/backend/notification/deployment.yaml 
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: notification
+ namespace: backend
+ labels:
+ app: notification
+ app.kubernetes.io/part-of: backend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: notification
+ template:
+ metadata:
+ labels:
+ app: notification
+ spec:
+ containers:
+ - image: quay.io/vuln/rce-webapp:latest
+ command: ["/bin/entrypoint"]
+ args:
+ [
+ "-listen",
+ ":8080",
+ ]
+ imagePullPolicy: Always
+ name: notification
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+# Service named "notification-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: notification
+ name: notification-service
+ namespace: backend
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: notification
+ type: ClusterIP
\ No newline at end of file
diff --git a/tests/acs-security-demos-no-routes/backend/recommendation/configmap.yaml b/tests/acs-security-demos-no-routes/backend/recommendation/configmap.yaml
new file mode 100644
index 00000000..69378ac9
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/backend/recommendation/configmap.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+ CATALOG_ADDR: catalog-service
+ CATALOG_PORT: "8080"
+kind: ConfigMap
+metadata:
+ name: recommendation-endpoint-config
+ namespace: backend
diff --git a/tests/acs-security-demos-no-routes/backend/recommendation/deployment.yaml b/tests/acs-security-demos-no-routes/backend/recommendation/deployment.yaml
new file mode 100644
index 00000000..d195f98e
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/backend/recommendation/deployment.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: recommendation
+ namespace: backend
+ labels:
+ app: recommendation
+ app.kubernetes.io/part-of: backend
+ annotations:
+ app.openshift.io/connects-to: "catalog"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: recommendation
+ template:
+ metadata:
+ labels:
+ app: recommendation
+ spec:
+ containers:
+ - image: quay.io/vuln/rce-webapp:latest
+ command: ["/bin/entrypoint"]
+ args:
+ [
+ "-listen",
+ ":8080",
+ "-connect",
+ "$(CATALOG_ADDR):$(CATALOG_PORT)",
+ ]
+ imagePullPolicy: Always
+ name: recommendation
+ envFrom:
+ - configMapRef:
+ name: recommendation-endpoint-config
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+# Service named "recommendation-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: recommendation
+ name: recommendation-service
+ namespace: backend
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: recommendation
+ type: ClusterIP
\ No newline at end of file
diff --git a/tests/acs-security-demos-no-routes/backend/reports/configmap.yaml b/tests/acs-security-demos-no-routes/backend/reports/configmap.yaml
new file mode 100644
index 00000000..7b5536b7
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/backend/reports/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+data:
+ RECOMMENDATION_ADDR: recommendation-service
+ RECOMMENDATION_PORT: "8080"
+ CATALOG_ADDR: catalog-service
+ CATALOG_PORT: "8080"
+kind: ConfigMap
+metadata:
+ name: reports-endpoint-config
+ namespace: backend
diff --git a/tests/acs-security-demos-no-routes/backend/reports/deployment.yaml b/tests/acs-security-demos-no-routes/backend/reports/deployment.yaml
new file mode 100644
index 00000000..6de8d5e3
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/backend/reports/deployment.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: reports
+ namespace: backend
+ labels:
+ app: reports
+ app.kubernetes.io/part-of: backend
+ annotations:
+ app.openshift.io/connects-to: "recommendation,catalog"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: reports
+ template:
+ metadata:
+ labels:
+ app: reports
+ spec:
+ containers:
+ - image: quay.io/vuln/rce-webapp:latest
+ command: ["/bin/entrypoint"]
+ args:
+ [
+ "-listen",
+ ":8080",
+ "-connect",
+ "$(RECOMMENDATION_ADDR):$(RECOMMENDATION_PORT),$(CATALOG_ADDR):$(CATALOG_PORT)",
+ ]
+ imagePullPolicy: Always
+ name: reports
+ envFrom:
+ - configMapRef:
+ name: reports-endpoint-config
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+# Service named "reports-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: reports
+ name: reports-service
+ namespace: backend
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: reports
+ type: ClusterIP
\ No newline at end of file
diff --git a/tests/acs-security-demos-no-routes/backend/shipping/deployment.yaml b/tests/acs-security-demos-no-routes/backend/shipping/deployment.yaml
new file mode 100644
index 00000000..9c95ef59
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/backend/shipping/deployment.yaml
@@ -0,0 +1,50 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: shipping
+ namespace: backend
+ labels:
+ app: shipping
+ app.kubernetes.io/part-of: backend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: shipping
+ template:
+ metadata:
+ labels:
+ app: shipping
+ spec:
+ containers:
+ - image: quay.io/vuln/rce-webapp:latest
+ command: ["/bin/entrypoint"]
+ args:
+ [
+ "-listen",
+ ":8080",
+ ]
+ imagePullPolicy: Always
+ name: shipping
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+# Service named "shipping-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: shipping
+ name: shipping-service
+ namespace: backend
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: shipping
+ type: ClusterIP
\ No newline at end of file
diff --git a/tests/acs-security-demos-no-routes/diff_output_from_acs-security-demos.txt b/tests/acs-security-demos-no-routes/diff_output_from_acs-security-demos.txt
new file mode 100644
index 00000000..d141904e
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/diff_output_from_acs-security-demos.txt
@@ -0,0 +1,3 @@
+Connectivity diff:
+source: {ingress-controller}, destination: frontend/asset-cache[Deployment], dir1: TCP 8080, dir2: No Connections, diff-type: removed
+source: {ingress-controller}, destination: frontend/webapp[Deployment], dir1: TCP 8080, dir2: No Connections, diff-type: removed
\ No newline at end of file
diff --git a/tests/acs-security-demos-no-routes/frontend/asset-cache/deployment.yaml b/tests/acs-security-demos-no-routes/frontend/asset-cache/deployment.yaml
new file mode 100644
index 00000000..779d48e2
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/frontend/asset-cache/deployment.yaml
@@ -0,0 +1,66 @@
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: false
+metadata:
+ name: asset-cache
+ namespace: frontend
+ labels:
+ app: asset-cache
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: asset-cache
+ namespace: frontend
+ labels:
+ app: asset-cache
+ exposed: "true"
+ app.kubernetes.io/part-of: frontend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: asset-cache
+ template:
+ metadata:
+ labels:
+ app: asset-cache
+ spec:
+ serviceAccountName: asset-cache
+ automountServiceAccountToken: false
+ containers:
+ - image: quay.io/vuln/asset-cache:latest
+ resources:
+ requests:
+ memory: "64Mi"
+ cpu: "250m"
+ limits:
+ memory: "128Mi"
+ cpu: "500m"
+ securityContext:
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - all
+ imagePullPolicy: Always
+ name: asset-cache
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: asset-cache
+ name: asset-cache-service
+ namespace: frontend
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: asset-cache
+ type: ClusterIP
diff --git a/tests/acs-security-demos-no-routes/frontend/webapp/configmap.yaml b/tests/acs-security-demos-no-routes/frontend/webapp/configmap.yaml
new file mode 100644
index 00000000..ee834e11
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/frontend/webapp/configmap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+data:
+ CHECKOUT_ADDR: checkout-service.backend
+ CHECKOUT_PORT: "8080"
+ REPORT_GENERATOR_SERVICE_ADDR: reports-service.backend
+ REPORT_GENERATOR_SERVICE_PORT: "8080"
+ RECOMMENDATION_ADDR: recommendation-service.backend
+ RECOMMENDATION_PORT: "8080"
+ SHIPPING_ADDR: shipping-service.backend
+ SHIPPING_PORT: "8080"
+kind: ConfigMap
+metadata:
+ name: webapp-endpoint-config
+ namespace: frontend
\ No newline at end of file
diff --git a/tests/acs-security-demos-no-routes/frontend/webapp/deployment.yaml b/tests/acs-security-demos-no-routes/frontend/webapp/deployment.yaml
new file mode 100644
index 00000000..ad6f4311
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/frontend/webapp/deployment.yaml
@@ -0,0 +1,59 @@
+# Deployment named "webapp"
+# Listens on :8080
+# Has SSH keys mounted
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: webapp
+ namespace: frontend
+ labels:
+ app: webapp
+ exposed: "true"
+ app.kubernetes.io/part-of: frontend
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: webapp
+ template:
+ metadata:
+ labels:
+ app: webapp
+ spec:
+ containers:
+ - image: quay.io/vuln/rce-webapp:latest
+ command: ["/bin/entrypoint"]
+ args:
+ [
+ "-listen",
+ ":8080",
+ "-connect",
+ "$(CHECKOUT_ADDR):$(CHECKOUT_PORT),$(REPORT_GENERATOR_SERVICE_ADDR):$(REPORT_GENERATOR_SERVICE_PORT),$(RECOMMENDATION_ADDR):$(RECOMMENDATION_PORT),$(SHIPPING_ADDR):$(SHIPPING_PORT)",
+ ]
+ imagePullPolicy: Always
+ name: webapp
+ envFrom:
+ - configMapRef:
+ name: webapp-endpoint-config
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+# Service named "webapp-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: webapp
+ name: webapp-service
+ namespace: frontend
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: webapp
+ type: ClusterIP
\ No newline at end of file
diff --git a/tests/acs-security-demos-no-routes/payments/gateway/deployment.yaml b/tests/acs-security-demos-no-routes/payments/gateway/deployment.yaml
new file mode 100644
index 00000000..2a681c16
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/payments/gateway/deployment.yaml
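Review bot: The header comment `# Has SSH keys mounted` at the top of the webapp Deployment does not match the manifest below it, which declares no volumes or volumeMounts at all. The same stale header is carried into the gateway Deployment in the next hunk, where `# Listens on :7777` also disagrees with the container's `":8080"` listen argument and `containerPort: 8080`. These files only drive the connectivity tests, so the comments carry no runtime weight, but a reader checking the expected diff output against the manifests will be misled; either drop the inaccurate lines or correct them, e.g. `# Listens on :8080` for gateway.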
@@ -0,0 +1,66 @@
+# Deployment named "gateway"
+# Listens on :7777
+# Has SSH keys mounted
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gateway
+ namespace: payments
+ labels:
+ app: gateway
+ app.kubernetes.io/part-of: payments
+ annotations:
+ app.openshift.io/connects-to: "visa-processor,mastercard-processor"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: gateway
+ template:
+ metadata:
+ labels:
+ app: gateway
+ spec:
+ containers:
+ - image: quay.io/vuln/rce-webapp:latest
+ command: ["/bin/entrypoint"]
+ args:
+ [
+ "-listen",
+ ":8080",
+ "-connect",
+ "$(VISA_SERVICE_ADDR):$(VISA_SERVICE_PORT),$(MASTER_SERVICE_ADDR):$(MASTER_SERVICE_PORT)",
+ ]
+ imagePullPolicy: Always
+ name: gateway
+ env:
+ - name: VISA_SERVICE_ADDR
+ value: "visa-processor-service"
+ - name: VISA_SERVICE_PORT
+ value: "8080"
+ - name: MASTER_SERVICE_ADDR
+ value: "mastercard-processor-service"
+ - name: MASTER_SERVICE_PORT
+ value: "8080"
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+---
+# Service named "gateway-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: gateway
+ name: gateway-service
+ namespace: payments
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: gateway
+ type: ClusterIP
diff --git a/tests/acs-security-demos-no-routes/payments/mastercard-processor/deployment.yaml b/tests/acs-security-demos-no-routes/payments/mastercard-processor/deployment.yaml
new file mode 100644
index 00000000..4a1ce64d
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/payments/mastercard-processor/deployment.yaml
@@ -0,0 +1,75 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: mastercard-processor
+ namespace: payments
+
+---
+# Deployment named "mastercard-processor"
+# Listens on :8080
+# Vulnerable to struts
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mastercard-processor
+ namespace: payments
+ labels:
+ app: mastercard-processor
+ app.kubernetes.io/part-of: payments
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mastercard-processor
+ template:
+ metadata:
+ labels:
+ app: mastercard-processor
+ spec:
+ serviceAccountName: mastercard-processor
+ containers:
+ - image: quay.io/vuln/mastercard-processor:latest
+ imagePullPolicy: Always
+ name: mastercard-processor
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+
+---
+# Service named "mastercard-processor-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: mastercard-processor
+ name: mastercard-processor-service
+ namespace: payments
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: mastercard-processor
+ type: ClusterIP
diff --git a/tests/acs-security-demos-no-routes/payments/visa-processor/deployment.yaml b/tests/acs-security-demos-no-routes/payments/visa-processor/deployment.yaml
new file mode 100644
index 00000000..037760b0
--- /dev/null
+++ b/tests/acs-security-demos-no-routes/payments/visa-processor/deployment.yaml
@@ -0,0 +1,96 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: visa-processor
+ namespace: payments
+ labels:
+ app: visa-processor
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: visa-processor
+ labels:
+ app: visa-processor
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cluster-admin
+subjects:
+ - kind: ServiceAccount
+ name: visa-processor
+ namespace: payments
+
+---
+# Deployment named "visa-processor"
+# Listens on :8080
+# Vulnerable to struts
+# Has SSH keys mounted
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: visa-processor
+ namespace: payments
+ labels:
+ app: visa-processor
+ app.kubernetes.io/part-of: payments
+ annotations:
+ "admission.stackrox.io/break-glass": "jira-3423"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: visa-processor
+ template:
+ metadata:
+ labels:
+ app: visa-processor
+ spec:
+ serviceAccountName: visa-processor
+ volumes:
+ - name: ssh-keys
+ secret:
+ secretName: ssh-keys
+ containers:
+ - image: quay.io/vuln/visa-processor:latest
+ imagePullPolicy: Always
+ name: visa-processor
+ ports:
+ - containerPort: 22
+ protocol: TCP
+ - containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - name: ssh-keys
+ mountPath: "/root/.ssh"
+ readOnly: false
+ securityContext:
+ capabilities:
+ add: ["SYS_ADMIN"]
+ privileged: true
+ env:
+ - name: DB_SERVICE_ADDR
+ value: "external-db"
+ - name: I_HAVE_A_SECRET
+ value: "true"
+
+---
+# Service named "visa-processor-service"
+# Listens on :8080
+apiVersion: v1
+kind: Service
+metadata:
+ labels:
+ app: visa-processor
+ name: visa-processor-service
+ namespace: payments
+spec:
+ ports:
+ - port: 8080
+ protocol: TCP
+ targetPort: 8080
+ name: http
+ selector:
+ app: visa-processor
+ type: ClusterIP
diff --git a/tests/deny_all_to_from_a_deployment/connlist_output.txt b/tests/deny_all_to_from_a_deployment/connlist_output.txt
new file mode 100644
index 00000000..d27c2b31
--- /dev/null
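Review bot: Nothing in this directory says that these manifests are deliberately insecure demo input rather than something to deploy: this hunk binds the visa-processor ServiceAccount to the cluster-admin ClusterRole and runs its container with `privileged: true`, `add: ["SYS_ADMIN"]` and a writable `/root/.ssh` Secret mount, and the mastercard-processor hunk before it binds a namespaced Role named cluster-admin that no fixture defines. The connectivity analysis presumably reads only workload labels, namespaces and ports, so the RBAC and securityContext content is harmless as test data, but a copy of `tests/acs-security-demos-no-routes/` applied with kubectl would create a cluster-admin workload. A one-line header on each of these two files, `# Intentionally insecure demo manifest kept as connectivity-test input; do not apply to a real cluster.`, or a short README in the directory, would make the intent explicit to anyone browsing the fixtures.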
+++ b/tests/deny_all_to_from_a_deployment/connlist_output.txt
@@ -0,0 +1,2 @@
+0.0.0.0-255.255.255.255 => default/deployment2[Deployment] : All Connections
+default/deployment2[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
\ No newline at end of file
diff --git a/tests/deny_all_to_from_a_deployment/deployments.yaml b/tests/deny_all_to_from_a_deployment/deployments.yaml
new file mode 100644
index 00000000..76a1f898
--- /dev/null
+++ b/tests/deny_all_to_from_a_deployment/deployments.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment1
+ labels:
+ app: app1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app1
+ template:
+ metadata:
+ labels:
+ app: app1
+ spec:
+ containers:
+ - name: app1-container
+ image: gcr.io/shfa/app1-app:1.0
+ ports:
+ - name: http
+ containerPort: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment2
+ labels:
+ app: app2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app2
+ template:
+ metadata:
+ labels:
+ app: app2
+ spec:
+ containers:
+ - name: app2-container
+ image: gcr.io/shfa/app2-app:1.0
+ ports:
+ - name: http
+ containerPort: 8080
\ No newline at end of file
diff --git a/tests/deny_all_to_from_a_deployment/netpols.yaml b/tests/deny_all_to_from_a_deployment/netpols.yaml
new file mode 100644
index 00000000..8f249c30
--- /dev/null
+++ b/tests/deny_all_to_from_a_deployment/netpols.yaml
@@ -0,0 +1,13 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: limit-app1-traffic # denies all egress and ingress from/to deployment1
+spec:
+ podSelector:
+ matchLabels:
+ app: app1
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress: []
+ egress: []
\ No newline at end of file
diff --git a/tests/deny_all_to_from_a_deployment_changed_netpol/connlist_output.txt b/tests/deny_all_to_from_a_deployment_changed_netpol/connlist_output.txt
new file mode 100644
index 00000000..1e144112
--- /dev/null
+++ b/tests/deny_all_to_from_a_deployment_changed_netpol/connlist_output.txt
@@ -0,0 +1,3 @@
+0.0.0.0-255.255.255.255 => default/deployment2[Deployment] : All Connections
+default/deployment2[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+default/deployment2[Deployment] => default/deployment1[Deployment] : All Connections
\ No newline at end of file
diff --git a/tests/deny_all_to_from_a_deployment_changed_netpol/deployments.yaml b/tests/deny_all_to_from_a_deployment_changed_netpol/deployments.yaml
new file mode 100644
index 00000000..76a1f898
--- /dev/null
+++ b/tests/deny_all_to_from_a_deployment_changed_netpol/deployments.yaml
@@ -0,0 +1,45 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment1
+ labels:
+ app: app1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app1
+ template:
+ metadata:
+ labels:
+ app: app1
+ spec:
+ containers:
+ - name: app1-container
+ image: gcr.io/shfa/app1-app:1.0
+ ports:
+ - name: http
+ containerPort: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: deployment2
+ labels:
+ app: app2
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: app2
+ template:
+ metadata:
+ labels:
+ app: app2
+ spec:
+ containers:
+ - name: app2-container
+ image: gcr.io/shfa/app2-app:1.0
+ ports:
+ - name: http
+ containerPort: 8080
\ No newline at end of file
diff --git a/tests/deny_all_to_from_a_deployment_changed_netpol/diff_output_from_deny_all_to_from_a_deployment.txt b/tests/deny_all_to_from_a_deployment_changed_netpol/diff_output_from_deny_all_to_from_a_deployment.txt
new file mode 100644
index 00000000..7e449528
--- /dev/null
+++ b/tests/deny_all_to_from_a_deployment_changed_netpol/diff_output_from_deny_all_to_from_a_deployment.txt
@@ -0,0 +1,2 @@
+Connectivity diff:
+source: default/deployment2[Deployment], destination: default/deployment1[Deployment], dir1: No Connections, dir2: All Connections, diff-type: added
\ No newline at end of file
diff --git a/tests/deny_all_to_from_a_deployment_changed_netpol/netpols.yaml b/tests/deny_all_to_from_a_deployment_changed_netpol/netpols.yaml
new file mode 100644
index 00000000..8923a499
--- /dev/null
+++ b/tests/deny_all_to_from_a_deployment_changed_netpol/netpols.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: limit-app1-traffic # allows ingress only from app2
+spec:
+ podSelector:
+ matchLabels:
+ app: app1
+ policyTypes:
+ - Egress
+ - Ingress
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: app2
+ egress: []
\ No newline at end of file
diff --git a/tests/k8s_ingress_test/default_pods_list.yaml b/tests/k8s_ingress_test/default_pods_list.yaml
index 79b7292a..0a0770e3 100644
--- a/tests/k8s_ingress_test/default_pods_list.yaml
+++ b/tests/k8s_ingress_test/default_pods_list.yaml
@@ -10,7 +10,6 @@ items:
 prometheus.io/port: "15020"
 prometheus.io/scrape: "true"
 sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
- creationTimestamp: "2021-12-06T13:29:50Z"
 generateName: details-v1-79f774bdb9-
 labels:
 app: details
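Review bot: The inline comment `# allows ingress only from app2` on limit-app1-traffic describes only half of the policy: `policyTypes` still lists Egress and `egress: []` is kept, so deployment1 remains denied all egress. That asymmetry is exactly what the expected diff output in the previous hunk relies on (only a deployment2 → deployment1 connection is reported as added, nothing in the reverse direction), so it is worth stating. Suggest `# allows ingress only from app2; still denies all egress from deployment1`, which also keeps the wording parallel to the comment in the sibling deny_all_to_from_a_deployment fixture.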
@@ -19,94 +18,6 @@ items:
 service.istio.io/canonical-name: details
 service.istio.io/canonical-revision: v1
 version: v1
- managedFields:
- - apiVersion: v1
- fieldsType: FieldsV1
- fieldsV1:
- f:metadata:
- f:generateName: {}
- f:labels:
- .: {}
- f:app: {}
- f:pod-template-hash: {}
- f:version: {}
- f:ownerReferences:
- .: {}
- k:{"uid":"b2fab911-9f04-4949-a106-b8f05985fb94"}:
- .: {}
- f:apiVersion: {}
- f:blockOwnerDeletion: {}
- f:controller: {}
- f:kind: {}
- f:name: {}
- f:uid: {}
- f:spec:
- f:containers:
- k:{"name":"details"}:
- .: {}
- f:image: {}
- f:imagePullPolicy: {}
- f:name: {}
- f:ports:
- .: {}
- k:{"containerPort":9080,"protocol":"TCP"}:
- .: {}
- f:containerPort: {}
- f:protocol: {}
- f:resources: {}
- f:securityContext:
- .: {}
- f:runAsUser: {}
- f:terminationMessagePath: {}
- f:terminationMessagePolicy: {}
- f:dnsPolicy: {}
- f:enableServiceLinks: {}
- f:restartPolicy: {}
- f:schedulerName: {}
- f:securityContext: {}
- f:serviceAccount: {}
- f:serviceAccountName: {}
- f:terminationGracePeriodSeconds: {}
- manager: kube-controller-manager
- operation: Update
- time: "2021-12-06T13:29:50Z"
- - apiVersion: v1
- fieldsType: FieldsV1
- fieldsV1:
- f:status:
- f:conditions:
- k:{"type":"ContainersReady"}:
- .: {}
- f:lastProbeTime: {}
- f:lastTransitionTime: {}
- f:status: {}
- f:type: {}
- k:{"type":"Initialized"}:
- .: {}
- f:lastProbeTime: {}
- f:lastTransitionTime: {}
- f:status: {}
- f:type: {}
- k:{"type":"Ready"}:
- .: {}
- f:lastProbeTime: {}
- f:lastTransitionTime: {}
- f:status: {}
- f:type: {}
- f:containerStatuses: {}
- f:hostIP: {}
- f:initContainerStatuses: {}
- f:phase: {}
- f:podIP: {}
- f:podIPs:
- .: {}
- k:{"ip":"10.244.0.9"}:
- .: {}
- f:ip: {}
- f:startTime: {}
- manager: kubelet
- operation: Update
- time: "2021-12-06T13:30:06Z"
 name: details-v1-79f774bdb9-tw7sj
 namespace: default
 ownerReferences:
@@ -116,8 +27,6 @@ items:
 kind: ReplicaSet
 name: details-v1-79f774bdb9
 uid: b2fab911-9f04-4949-a106-b8f05985fb94
- resourceVersion: "1262"
- uid: 5ddce7c9-7b2a-4a91-a95f-236a8c73e985
 spec:
 containers:
 - image: docker.io/istio/examples-bookinfo-details-v1:1.16.2
@@ -135,299 +44,12 @@ items:
 - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
 name: kube-api-access-jnx24
 readOnly: true
- - args:
- - proxy
- - sidecar
- - --domain
- - $(POD_NAMESPACE).svc.cluster.local
- - --proxyLogLevel=warning
- - --proxyComponentLogLevel=misc:error
- - --log_output_level=default:info
- - --concurrency
- - "2"
- env:
- - name: JWT_POLICY
- value: third-party-jwt
- - name: PILOT_CERT_PROVIDER
- value: istiod
- - name: CA_ADDR
- value: istiod.istio-system.svc:15012
- - name: POD_NAME
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.name
- - name: POD_NAMESPACE
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- - name: INSTANCE_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.podIP
- - name: SERVICE_ACCOUNT
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: spec.serviceAccountName
- - name: HOST_IP
- valueFrom:
- fieldRef:
- apiVersion: v1
- fieldPath: status.hostIP
- - name: PROXY_CONFIG
- value: |
- {}
- - name: ISTIO_META_POD_PORTS
- value: |-
- [
- {"containerPort":9080,"protocol":"TCP"}
- ]
- - name: ISTIO_META_APP_CONTAINERS
- value: details
- - name: ISTIO_META_CLUSTER_ID
- value: Kubernetes
- - name: ISTIO_META_INTERCEPTION_MODE
- value: REDIRECT
- - name: ISTIO_META_WORKLOAD_NAME
- value: details-v1
- - name: ISTIO_META_OWNER
- value: kubernetes://apis/apps/v1/namespaces/default/deployments/details-v1
- - name: ISTIO_META_MESH_ID
- value: cluster.local
- - name: TRUST_DOMAIN
- value: cluster.local
- image: docker.io/istio/proxyv2:1.12.0
- imagePullPolicy: IfNotPresent
- name: istio-proxy
- ports:
- - containerPort: 15090
- name: http-envoy-prom
- protocol: TCP
- readinessProbe:
- failureThreshold: 30
- httpGet:
- path: /healthz/ready
- port: 15021
- scheme: HTTP
- initialDelaySeconds: 1
- periodSeconds: 2
- successThreshold: 1
- timeoutSeconds: 3
- resources:
- limits:
- cpu: "2"
- memory: 1Gi
- requests:
- cpu: 10m
- memory: 40Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: true
- runAsGroup: 1337
- runAsNonRoot: true
- runAsUser: 1337
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /var/run/secrets/istio
- name: istiod-ca-cert
- - mountPath: /var/lib/istio/data
- name: istio-data
- - mountPath: /etc/istio/proxy
- name: istio-envoy
- - mountPath: /var/run/secrets/tokens
- name: istio-token
- - mountPath: /etc/istio/pod
- name: istio-podinfo
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: kube-api-access-jnx24
- readOnly: true
- dnsPolicy: ClusterFirst
- enableServiceLinks: true
- initContainers:
- - args:
- - istio-iptables
- - -p
- - "15001"
- - -z
- - "15006"
- - -u
- - "1337"
- - -m
- - REDIRECT
- - -i
- - '*'
- - -x
- - ""
- - -b
- - '*'
- - -d
- - 15090,15021,15020
- image: docker.io/istio/proxyv2:1.12.0
- imagePullPolicy: IfNotPresent
- name: istio-init
- resources:
- limits:
- cpu: "2"
- memory: 1Gi
- requests:
- cpu: 10m
- memory: 40Mi
- securityContext:
- allowPrivilegeEscalation: false
- capabilities:
- add:
- - NET_ADMIN
- - NET_RAW
- drop:
- - ALL
- privileged: false
- readOnlyRootFilesystem: false
- runAsGroup: 0
- runAsNonRoot: false
- runAsUser: 0
- terminationMessagePath: /dev/termination-log
- terminationMessagePolicy: File
- volumeMounts:
- - mountPath: /var/run/secrets/kubernetes.io/serviceaccount
- name: kube-api-access-jnx24
- readOnly: true
- nodeName: istio-testing-control-plane
- preemptionPolicy: PreemptLowerPriority
- priority: 0
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext: {}
- serviceAccount: bookinfo-details
- serviceAccountName: bookinfo-details
- terminationGracePeriodSeconds: 30
- tolerations:
- - effect: NoExecute
- key: node.kubernetes.io/not-ready
- operator: Exists
- tolerationSeconds: 300
- - effect: NoExecute
- key: node.kubernetes.io/unreachable
- operator: Exists
- tolerationSeconds: 300
- volumes:
- - emptyDir:
- medium: Memory
- name: istio-envoy
- - emptyDir: {}
- name: istio-data
- - downwardAPI:
- defaultMode: 420
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.labels
- path: labels
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.annotations
- path: annotations
- name: istio-podinfo
- - name: istio-token
- projected:
- defaultMode: 420
- sources:
- - serviceAccountToken:
- audience: istio-ca
- expirationSeconds: 43200
- path: istio-token
- - configMap:
- defaultMode: 420
- name: istio-ca-root-cert
- name: istiod-ca-cert
- - name: kube-api-access-jnx24
- projected:
- defaultMode: 420
- sources:
- - serviceAccountToken:
- expirationSeconds: 3607
- path: token
- - configMap:
- items:
- - key: ca.crt
- path: ca.crt
- name: kube-root-ca.crt
- - downwardAPI:
- items:
- - fieldRef:
- apiVersion: v1
- fieldPath: metadata.namespace
- path: namespace
 status:
- conditions:
- - lastProbeTime: null
- lastTransitionTime: "2021-12-06T13:29:53Z"
- status: "True"
- type: Initialized
- - lastProbeTime: null
- lastTransitionTime: "2021-12-06T13:30:06Z"
- status: "True"
- type: Ready
- - lastProbeTime: null
- lastTransitionTime: "2021-12-06T13:30:06Z"
- status: "True"
- type: ContainersReady
- - lastProbeTime: null
- lastTransitionTime: "2021-12-06T13:29:50Z"
- status: "True"
- type: PodScheduled
- containerStatuses:
- - containerID: containerd://e89f226307d672ff1a896eb110719321456e6215d03c60f3f3bf989e62935cbd
- image: docker.io/istio/examples-bookinfo-details-v1:1.16.2
- imageID: docker.io/istio/examples-bookinfo-details-v1@sha256:18e54f81689035019e1ac78f6d2e6483fcf1d94072d047315ab193cb2ab89ae5
- lastState: {}
- name: details
- ready: true
- restartCount: 0
- started: true
- state:
- running:
- startedAt: "2021-12-06T13:30:02Z"
- - containerID: containerd://39865d0d07a2f6671e85de9a2f9adde5f6b810ff12da61b07a24c9720147b4ec
- image: docker.io/istio/proxyv2:1.12.0
- imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e
- lastState: {}
- name: istio-proxy
- ready: true
- restartCount: 0
- started: true
- state:
- running:
- startedAt: "2021-12-06T13:30:03Z"
 hostIP: 172.18.0.4
- initContainerStatuses:
- - containerID: containerd://b0036617d6aae5c0b50cb4dcdf4dc631110ce24f2a4e6ad67e33a7fb689d0828
- image: docker.io/istio/proxyv2:1.12.0
- imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e
- lastState: {}
- name: istio-init
- ready: true
- restartCount: 0
- state:
- terminated:
- containerID: containerd://b0036617d6aae5c0b50cb4dcdf4dc631110ce24f2a4e6ad67e33a7fb689d0828
- exitCode: 0
- finishedAt: "2021-12-06T13:29:53Z"
- reason: Completed
- startedAt: "2021-12-06T13:29:53Z"
 phase: Running
 podIP: 10.244.0.9
 podIPs:
 - ip: 10.244.0.9
- qosClass: Burstable
- startTime: "2021-12-06T13:29:50Z"
 - apiVersion: v1
 kind: Pod
 metadata:
@@ -438,7 +60,6 @@ items:
 prometheus.io/port: "15020"
 prometheus.io/scrape: "true"
 sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}'
- creationTimestamp: "2021-12-06T13:29:50Z"
 generateName: productpage-v1-6b746f74dc-
 labels:
 app: productpage
@@ -447,106 +68,6 @@ items:
 service.istio.io/canonical-name: productpage
 service.istio.io/canonical-revision: v1
 version: v1
- managedFields:
- - apiVersion: v1
- fieldsType: FieldsV1
- fieldsV1:
- f:metadata:
- f:generateName: {}
- f:labels:
- .: {}
- f:app: {}
- f:pod-template-hash: {}
- f:version: {}
- f:ownerReferences:
- .: {}
- k:{"uid":"138e0f27-d290-49a8-b3a0-a9b8ceca1c43"}:
- .: {}
- f:apiVersion: {}
- f:blockOwnerDeletion: {}
- f:controller: {}
- f:kind: {}
- f:name: {}
- f:uid: {}
- f:spec:
- f:containers:
- k:{"name":"productpage"}:
- .: {}
- f:image: {}
- f:imagePullPolicy: {}
- f:name: {}
- f:ports:
- .: {}
- k:{"containerPort":9080,"protocol":"TCP"}:
- .: {}
- f:containerPort: {}
- f:protocol: {}
- f:resources: {}
- f:securityContext:
- .: {}
- f:runAsUser: {}
- f:terminationMessagePath: {}
- f:terminationMessagePolicy: {}
- f:volumeMounts:
- .: {}
- k:{"mountPath":"/tmp"}:
- .: {}
- f:mountPath: {}
- f:name: {}
- f:dnsPolicy: {}
- f:enableServiceLinks: {}
- f:restartPolicy: {}
- f:schedulerName: {}
- f:securityContext: {}
- f:serviceAccount: {}
- f:serviceAccountName: {}
- f:terminationGracePeriodSeconds: {}
- f:volumes:
- .: {}
- k:{"name":"tmp"}:
- .: {}
- f:emptyDir: {}
- f:name: {}
- manager: kube-controller-manager
- operation: Update
- time: "2021-12-06T13:29:50Z"
- - apiVersion: v1
- fieldsType: FieldsV1
- fieldsV1:
- f:status:
- f:conditions:
- k:{"type":"ContainersReady"}:
- .: {}
- f:lastProbeTime: {}
- f:lastTransitionTime: {}
- f:status: {}
- f:type: {}
- k:{"type":"Initialized"}:
- .: {}
- f:lastProbeTime: {}
- f:lastTransitionTime: {}
- f:status: {}
- f:type: {}
- k:{"type":"Ready"}:
- .: {}
- f:lastProbeTime: {}
- f:lastTransitionTime: {}
- f:status: {}
- f:type: {}
- f:containerStatuses: {}
- f:hostIP: {}
- f:initContainerStatuses: {}
- f:phase: {}
- f:podIP: {}
- f:podIPs:
- .: {}
- k:{"ip":"10.244.0.13"}:
- .: {}
- f:ip: {}
- f:startTime: {}
- manager: kubelet
- operation: Update
- time: "2021-12-06T13:30:56Z"
 name: productpage-v1-6b746f74dc-kkzzk
 namespace: default
 ownerReferences:
@@ -556,8 +77,6 @@ items:
 kind: ReplicaSet
 name: productpage-v1-6b746f74dc
 uid: 138e0f27-d290-49a8-b3a0-a9b8ceca1c43
- resourceVersion: "1440"
- uid: a20ab376-2cd3-4bac-ab63-3a91cb7641b1
 spec:
 containers:
 - image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2
@@ -577,301 +96,12 @@ items: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-r5ld7 readOnly: true - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --concurrency - - "2" - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":9080,"protocol":"TCP"} - ] - - name: ISTIO_META_APP_CONTAINERS - value: productpage - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: productpage-v1 - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/productpage-v1 - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 3 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-r5ld7 - readOnly: true - dnsPolicy: ClusterFirst - enableServiceLinks: true - initContainers: - - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-r5ld7 - readOnly: true - nodeName: istio-testing-control-plane - preemptionPolicy: PreemptLowerPriority - priority: 0 - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: bookinfo-productpage - serviceAccountName: bookinfo-productpage - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoExecute - key: node.kubernetes.io/not-ready - operator: Exists - tolerationSeconds: 300 - - effect: NoExecute - key: node.kubernetes.io/unreachable - operator: Exists - 
tolerationSeconds: 300 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: {} - name: istio-data - - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.labels - path: labels - - fieldRef: - apiVersion: v1 - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - defaultMode: 420 - name: istio-ca-root-cert - name: istiod-ca-cert - - emptyDir: {} - name: tmp - - name: kube-api-access-r5ld7 - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace status: - conditions: - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:57Z" - status: "True" - type: Initialized - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:56Z" - status: "True" - type: Ready - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:56Z" - status: "True" - type: ContainersReady - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:50Z" - status: "True" - type: PodScheduled - containerStatuses: - - containerID: containerd://c9ef28a074d97394fc08014309e5ba0930875d49400f1b40f345f116c5c05395 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-proxy - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:54Z" - - containerID: containerd://3ef0e52387280b1d02f84b082083b92e2c32907afb823b164f64009bb433171d - image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2 - imageID: 
docker.io/istio/examples-bookinfo-productpage-v1@sha256:63ac3b4fb6c3ba395f5d044b0e10bae513afb34b9b7d862b3a7c3de7e0686667 - lastState: {} - name: productpage - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:53Z" hostIP: 172.18.0.4 - initContainerStatuses: - - containerID: containerd://615b2651ce05883a05f345eb56217ab0ff60d1faaa9760355768a451e437f4d7 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-init - ready: true - restartCount: 0 - state: - terminated: - containerID: containerd://615b2651ce05883a05f345eb56217ab0ff60d1faaa9760355768a451e437f4d7 - exitCode: 0 - finishedAt: "2021-12-06T13:29:56Z" - reason: Completed - startedAt: "2021-12-06T13:29:55Z" phase: Running podIP: 10.244.0.13 podIPs: - ip: 10.244.0.13 - qosClass: Burstable - startTime: "2021-12-06T13:29:50Z" - apiVersion: v1 kind: Pod metadata: @@ -882,7 +112,6 @@ items: prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' - creationTimestamp: "2021-12-06T13:29:50Z" generateName: ratings-v1-b6994bb9- labels: app: ratings 
@@ -891,94 +120,6 @@ items: service.istio.io/canonical-name: ratings service.istio.io/canonical-revision: v1 version: v1 - managedFields: - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:metadata: - f:generateName: {} - f:labels: - .: {} - f:app: {} - f:pod-template-hash: {} - f:version: {} - f:ownerReferences: - .: {} - k:{"uid":"a7192b2c-1c84-44f2-b178-85e24beb87a5"}: - .: {} - f:apiVersion: {} - f:blockOwnerDeletion: {} - f:controller: {} - f:kind: {} - f:name: {} - f:uid: {} - f:spec: - f:containers: - k:{"name":"ratings"}: - .: {} - f:image: {} - f:imagePullPolicy: {} - f:name: {} - f:ports: - .: {} - k:{"containerPort":9080,"protocol":"TCP"}: - .: {} - f:containerPort: {} - f:protocol: {} - f:resources: {} - f:securityContext: - .: {} - f:runAsUser: {} - f:terminationMessagePath: {} - f:terminationMessagePolicy: {} - f:dnsPolicy: {} - f:enableServiceLinks: {} - f:restartPolicy: {} - f:schedulerName: {} - f:securityContext: {} - f:serviceAccount: {} - f:serviceAccountName: {} - f:terminationGracePeriodSeconds: {} - manager: kube-controller-manager - operation: Update - time: "2021-12-06T13:29:50Z" - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:status: - f:conditions: - k:{"type":"ContainersReady"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Initialized"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Ready"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - f:containerStatuses: {} - f:hostIP: {} - f:initContainerStatuses: {} - f:phase: {} - f:podIP: {} - f:podIPs: - .: {} - k:{"ip":"10.244.0.8"}: - .: {} - f:ip: {} - f:startTime: {} - manager: kubelet - operation: Update - time: "2021-12-06T13:30:16Z" name: ratings-v1-b6994bb9-gl27w namespace: default ownerReferences: 
@@ -988,8 +129,6 @@ items: kind: ReplicaSet name: ratings-v1-b6994bb9 uid: a7192b2c-1c84-44f2-b178-85e24beb87a5 - resourceVersion: "1297" - uid: eedc816c-6c41-45a0-b18e-8eb6468f2bda spec: containers: - image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 
@@ -1007,299 +146,11 @@ items: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-glrct readOnly: true - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --concurrency - - "2" - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":9080,"protocol":"TCP"} - ] - - name: ISTIO_META_APP_CONTAINERS - value: ratings - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: ratings-v1 - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/ratings-v1 - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 3 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-glrct - readOnly: true - dnsPolicy: ClusterFirst - enableServiceLinks: true - initContainers: - - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-glrct - readOnly: true - nodeName: istio-testing-control-plane - preemptionPolicy: PreemptLowerPriority - priority: 0 - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: bookinfo-ratings - serviceAccountName: bookinfo-ratings - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoExecute - key: node.kubernetes.io/not-ready - operator: Exists - tolerationSeconds: 300 - - effect: NoExecute - key: node.kubernetes.io/unreachable - operator: Exists - 
tolerationSeconds: 300 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: {} - name: istio-data - - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.labels - path: labels - - fieldRef: - apiVersion: v1 - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - defaultMode: 420 - name: istio-ca-root-cert - name: istiod-ca-cert - - name: kube-api-access-glrct - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace status: - conditions: - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:53Z" - status: "True" - type: Initialized - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:16Z" - status: "True" - type: Ready - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:16Z" - status: "True" - type: ContainersReady - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:50Z" - status: "True" - type: PodScheduled - containerStatuses: - - containerID: containerd://b35a108653b1d8ff21ac83536c7f4310c016c808aee2a0eeccc4b587c248237d - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-proxy - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:13Z" - - containerID: containerd://17fe13be82453f3b758d4bf40ca5fe8abd4a5c041019b76bf7c7983c73aeb73c - image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 - imageID: 
docker.io/istio/examples-bookinfo-ratings-v1@sha256:5fbfd3a14fff229f15e689d07e5214bc5eb1e929766e45eda761cbc9ef7a5589 - lastState: {} - name: ratings - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:12Z" hostIP: 172.18.0.4 - initContainerStatuses: - - containerID: containerd://dc0cc34c0dd0911fc6a2aa21702b8dd1914492f6df4fd5a7320dc605bcf83265 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-init - ready: true - restartCount: 0 - state: - terminated: - containerID: containerd://dc0cc34c0dd0911fc6a2aa21702b8dd1914492f6df4fd5a7320dc605bcf83265 - exitCode: 0 - finishedAt: "2021-12-06T13:29:53Z" - reason: Completed - startedAt: "2021-12-06T13:29:52Z" - phase: Running podIP: 10.244.0.8 podIPs: - ip: 10.244.0.8 - qosClass: Burstable - startTime: "2021-12-06T13:29:50Z" - apiVersion: v1 kind: Pod metadata: @@ -1310,7 +161,6 @@ items: prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' - creationTimestamp: "2021-12-06T13:29:50Z" generateName: reviews-v1-545db77b95- labels: app: reviews 
@@ -1319,120 +169,6 @@ items: service.istio.io/canonical-name: reviews service.istio.io/canonical-revision: v1 version: v1 - managedFields: - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:metadata: - f:generateName: {} - f:labels: - .: {} - f:app: {} - f:pod-template-hash: {} - f:version: {} - f:ownerReferences: - .: {} - k:{"uid":"4002d13e-0feb-4bc1-8ed8-1fd7c0662035"}: - .: {} - f:apiVersion: {} - f:blockOwnerDeletion: {} - f:controller: {} - f:kind: {} - f:name: {} - f:uid: {} - f:spec: - f:containers: - k:{"name":"reviews"}: - .: {} - f:env: - .: {} - k:{"name":"LOG_DIR"}: - .: {} - f:name: {} - f:value: {} - f:image: {} - f:imagePullPolicy: {} - f:name: {} - f:ports: - .: {} - k:{"containerPort":9080,"protocol":"TCP"}: - .: {} - f:containerPort: {} - f:protocol: {} - f:resources: {} - f:securityContext: - .: {} - f:runAsUser: {} - f:terminationMessagePath: {} - f:terminationMessagePolicy: {} - f:volumeMounts: - .: {} - k:{"mountPath":"/opt/ibm/wlp/output"}: - .: {} - f:mountPath: {} - f:name: {} - k:{"mountPath":"/tmp"}: - .: {} - f:mountPath: {} - f:name: {} - f:dnsPolicy: {} - f:enableServiceLinks: {} - f:restartPolicy: {} - f:schedulerName: {} - f:securityContext: {} - f:serviceAccount: {} - f:serviceAccountName: {} - f:terminationGracePeriodSeconds: {} - f:volumes: - .: {} - k:{"name":"tmp"}: - .: {} - f:emptyDir: {} - f:name: {} - k:{"name":"wlp-output"}: - .: {} - f:emptyDir: {} - f:name: {} - manager: kube-controller-manager - operation: Update - time: "2021-12-06T13:29:50Z" - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:status: - f:conditions: - k:{"type":"ContainersReady"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Initialized"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Ready"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - f:containerStatuses: {} - f:hostIP: {} - 
f:initContainerStatuses: {} - f:phase: {} - f:podIP: {} - f:podIPs: - .: {} - k:{"ip":"10.244.0.10"}: - .: {} - f:ip: {} - f:startTime: {} - manager: kubelet - operation: Update - time: "2021-12-06T13:30:44Z" name: reviews-v1-545db77b95-2ps7q namespace: default ownerReferences: @@ -1442,8 +178,6 @@ items: kind: ReplicaSet name: reviews-v1-545db77b95 uid: 4002d13e-0feb-4bc1-8ed8-1fd7c0662035 - resourceVersion: "1384" - uid: 8dfc6013-d475-4c0d-a9b5-a3c1950617c5 spec: containers: - env: 
@@ -1468,303 +202,11 @@ items: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-vkb56 readOnly: true - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --concurrency - - "2" - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":9080,"protocol":"TCP"} - ] - - name: ISTIO_META_APP_CONTAINERS - value: reviews - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: reviews-v1 - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/reviews-v1 - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 3 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-vkb56 - readOnly: true - dnsPolicy: ClusterFirst - enableServiceLinks: true - initContainers: - - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-vkb56 - readOnly: true - nodeName: istio-testing-control-plane - preemptionPolicy: PreemptLowerPriority - priority: 0 - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: bookinfo-reviews - serviceAccountName: bookinfo-reviews - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoExecute - key: node.kubernetes.io/not-ready - operator: Exists - tolerationSeconds: 300 - - effect: NoExecute - key: node.kubernetes.io/unreachable - operator: Exists - 
tolerationSeconds: 300 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: {} - name: istio-data - - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.labels - path: labels - - fieldRef: - apiVersion: v1 - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - defaultMode: 420 - name: istio-ca-root-cert - name: istiod-ca-cert - - emptyDir: {} - name: wlp-output - - emptyDir: {} - name: tmp - - name: kube-api-access-vkb56 - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace status: - conditions: - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:53Z" - status: "True" - type: Initialized - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:44Z" - status: "True" - type: Ready - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:44Z" - status: "True" - type: ContainersReady - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:50Z" - status: "True" - type: PodScheduled - containerStatuses: - - containerID: containerd://f22e4b0ea58d6f097c12790a2fa087c32aaf4b11a1936b24f79f4078b2e3615f - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-proxy - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:40Z" - - containerID: containerd://78b29de47a75a2dab18f3273130b16e0b81a2777ad454ed6825771bccee10ce5 - image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2 - imageID: 
docker.io/istio/examples-bookinfo-reviews-v1@sha256:d1b8447be70549f1f7303f266d88c16112e2695cc110603fdb1c8ee432a627bf - lastState: {} - name: reviews - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:40Z" hostIP: 172.18.0.4 - initContainerStatuses: - - containerID: containerd://61dfa413760653843722369c32ddd97f67dfe216cd9e133169581a5876863b00 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-init - ready: true - restartCount: 0 - state: - terminated: - containerID: containerd://61dfa413760653843722369c32ddd97f67dfe216cd9e133169581a5876863b00 - exitCode: 0 - finishedAt: "2021-12-06T13:29:53Z" - reason: Completed - startedAt: "2021-12-06T13:29:53Z" - phase: Running podIP: 10.244.0.10 podIPs: - ip: 10.244.0.10 - qosClass: Burstable - startTime: "2021-12-06T13:29:50Z" - apiVersion: v1 kind: Pod metadata: @@ -1775,7 +217,6 @@ items: prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' - creationTimestamp: "2021-12-06T13:29:50Z" generateName: reviews-v2-7bf8c9648f- labels: app: reviews 
@@ -1784,120 +225,6 @@ items: service.istio.io/canonical-name: reviews service.istio.io/canonical-revision: v2 version: v2 - managedFields: - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:metadata: - f:generateName: {} - f:labels: - .: {} - f:app: {} - f:pod-template-hash: {} - f:version: {} - f:ownerReferences: - .: {} - k:{"uid":"b7bce5e2-36f3-4835-a13e-de243713825c"}: - .: {} - f:apiVersion: {} - f:blockOwnerDeletion: {} - f:controller: {} - f:kind: {} - f:name: {} - f:uid: {} - f:spec: - f:containers: - k:{"name":"reviews"}: - .: {} - f:env: - .: {} - k:{"name":"LOG_DIR"}: - .: {} - f:name: {} - f:value: {} - f:image: {} - f:imagePullPolicy: {} - f:name: {} - f:ports: - .: {} - k:{"containerPort":9080,"protocol":"TCP"}: - .: {} - f:containerPort: {} - f:protocol: {} - f:resources: {} - f:securityContext: - .: {} - f:runAsUser: {} - f:terminationMessagePath: {} - f:terminationMessagePolicy: {} - f:volumeMounts: - .: {} - k:{"mountPath":"/opt/ibm/wlp/output"}: - .: {} - f:mountPath: {} - f:name: {} - k:{"mountPath":"/tmp"}: - .: {} - f:mountPath: {} - f:name: {} - f:dnsPolicy: {} - f:enableServiceLinks: {} - f:restartPolicy: {} - f:schedulerName: {} - f:securityContext: {} - f:serviceAccount: {} - f:serviceAccountName: {} - f:terminationGracePeriodSeconds: {} - f:volumes: - .: {} - k:{"name":"tmp"}: - .: {} - f:emptyDir: {} - f:name: {} - k:{"name":"wlp-output"}: - .: {} - f:emptyDir: {} - f:name: {} - manager: kube-controller-manager - operation: Update - time: "2021-12-06T13:29:50Z" - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:status: - f:conditions: - k:{"type":"ContainersReady"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Initialized"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Ready"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - f:containerStatuses: {} - f:hostIP: {} - 
f:initContainerStatuses: {} - f:phase: {} - f:podIP: {} - f:podIPs: - .: {} - k:{"ip":"10.244.0.11"}: - .: {} - f:ip: {} - f:startTime: {} - manager: kubelet - operation: Update - time: "2021-12-06T13:30:44Z" name: reviews-v2-7bf8c9648f-7v7ps namespace: default ownerReferences: @@ -1907,8 +234,6 @@ items: kind: ReplicaSet name: reviews-v2-7bf8c9648f uid: b7bce5e2-36f3-4835-a13e-de243713825c - resourceVersion: "1389" - uid: 660e37ef-a1c1-45d2-8e7d-8658c3db97b3 spec: containers: - env: 
@@ -1933,303 +258,12 @@ items: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-qvb77 readOnly: true - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --concurrency - - "2" - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":9080,"protocol":"TCP"} - ] - - name: ISTIO_META_APP_CONTAINERS - value: reviews - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: reviews-v2 - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/reviews-v2 - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 3 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-qvb77 - readOnly: true - dnsPolicy: ClusterFirst - enableServiceLinks: true - initContainers: - - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-qvb77 - readOnly: true - nodeName: istio-testing-control-plane - preemptionPolicy: PreemptLowerPriority - priority: 0 - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: bookinfo-reviews - serviceAccountName: bookinfo-reviews - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoExecute - key: node.kubernetes.io/not-ready - operator: Exists - tolerationSeconds: 300 - - effect: NoExecute - key: node.kubernetes.io/unreachable - operator: Exists - 
tolerationSeconds: 300 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: {} - name: istio-data - - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.labels - path: labels - - fieldRef: - apiVersion: v1 - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - defaultMode: 420 - name: istio-ca-root-cert - name: istiod-ca-cert - - emptyDir: {} - name: wlp-output - - emptyDir: {} - name: tmp - - name: kube-api-access-qvb77 - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace status: - conditions: - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:55Z" - status: "True" - type: Initialized - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:44Z" - status: "True" - type: Ready - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:44Z" - status: "True" - type: ContainersReady - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:50Z" - status: "True" - type: PodScheduled - containerStatuses: - - containerID: containerd://6f72398d0e5c1386068c143df0524f04c408f57ca6981f864ed534b7ea9234d8 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-proxy - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:42Z" - - containerID: containerd://bb1587841a7fb7fcdf240edcc579ccdc3a3f579af194290c1c3d592b97337ae9 - image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 - imageID: 
docker.io/istio/examples-bookinfo-reviews-v2@sha256:82497d66ab8cac1ad9506218e4ccc708ec1db59450c6c4c8d645d1b161611a5d - lastState: {} - name: reviews - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:42Z" hostIP: 172.18.0.4 - initContainerStatuses: - - containerID: containerd://f3d5af63417f30b6d445d48729ce6e93a4f8f1d6e0415633a8100f9762a22375 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-init - ready: true - restartCount: 0 - state: - terminated: - containerID: containerd://f3d5af63417f30b6d445d48729ce6e93a4f8f1d6e0415633a8100f9762a22375 - exitCode: 0 - finishedAt: "2021-12-06T13:29:54Z" - reason: Completed - startedAt: "2021-12-06T13:29:53Z" phase: Running podIP: 10.244.0.11 podIPs: - ip: 10.244.0.11 - qosClass: Burstable - startTime: "2021-12-06T13:29:50Z" - apiVersion: v1 kind: Pod metadata: @@ -2240,7 +274,6 @@ items: prometheus.io/port: "15020" prometheus.io/scrape: "true" sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' - creationTimestamp: "2021-12-06T13:29:50Z" generateName: reviews-v3-84779c7bbc- labels: app: reviews 
@@ -2249,120 +282,6 @@ items: service.istio.io/canonical-name: reviews service.istio.io/canonical-revision: v3 version: v3 - managedFields: - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:metadata: - f:generateName: {} - f:labels: - .: {} - f:app: {} - f:pod-template-hash: {} - f:version: {} - f:ownerReferences: - .: {} - k:{"uid":"2003d1ad-0228-4d8a-87b2-e85315961235"}: - .: {} - f:apiVersion: {} - f:blockOwnerDeletion: {} - f:controller: {} - f:kind: {} - f:name: {} - f:uid: {} - f:spec: - f:containers: - k:{"name":"reviews"}: - .: {} - f:env: - .: {} - k:{"name":"LOG_DIR"}: - .: {} - f:name: {} - f:value: {} - f:image: {} - f:imagePullPolicy: {} - f:name: {} - f:ports: - .: {} - k:{"containerPort":9080,"protocol":"TCP"}: - .: {} - f:containerPort: {} - f:protocol: {} - f:resources: {} - f:securityContext: - .: {} - f:runAsUser: {} - f:terminationMessagePath: {} - f:terminationMessagePolicy: {} - f:volumeMounts: - .: {} - k:{"mountPath":"/opt/ibm/wlp/output"}: - .: {} - f:mountPath: {} - f:name: {} - k:{"mountPath":"/tmp"}: - .: {} - f:mountPath: {} - f:name: {} - f:dnsPolicy: {} - f:enableServiceLinks: {} - f:restartPolicy: {} - f:schedulerName: {} - f:securityContext: {} - f:serviceAccount: {} - f:serviceAccountName: {} - f:terminationGracePeriodSeconds: {} - f:volumes: - .: {} - k:{"name":"tmp"}: - .: {} - f:emptyDir: {} - f:name: {} - k:{"name":"wlp-output"}: - .: {} - f:emptyDir: {} - f:name: {} - manager: kube-controller-manager - operation: Update - time: "2021-12-06T13:29:50Z" - - apiVersion: v1 - fieldsType: FieldsV1 - fieldsV1: - f:status: - f:conditions: - k:{"type":"ContainersReady"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Initialized"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - k:{"type":"Ready"}: - .: {} - f:lastProbeTime: {} - f:lastTransitionTime: {} - f:status: {} - f:type: {} - f:containerStatuses: {} - f:hostIP: {} - 
f:initContainerStatuses: {} - f:phase: {} - f:podIP: {} - f:podIPs: - .: {} - k:{"ip":"10.244.0.12"}: - .: {} - f:ip: {} - f:startTime: {} - manager: kubelet - operation: Update - time: "2021-12-06T13:30:48Z" name: reviews-v3-84779c7bbc-lfjvk namespace: default ownerReferences: @@ -2372,8 +291,6 @@ items: kind: ReplicaSet name: reviews-v3-84779c7bbc uid: 2003d1ad-0228-4d8a-87b2-e85315961235 - resourceVersion: "1411" - uid: c260e3d9-be4d-4b35-aa8a-9a062952bffb spec: containers: - env: 
@@ -2398,304 +315,13 @@ items: - mountPath: /var/run/secrets/kubernetes.io/serviceaccount name: kube-api-access-zxn84 readOnly: true - - args: - - proxy - - sidecar - - --domain - - $(POD_NAMESPACE).svc.cluster.local - - --proxyLogLevel=warning - - --proxyComponentLogLevel=misc:error - - --log_output_level=default:info - - --concurrency - - "2" - env: - - name: JWT_POLICY - value: third-party-jwt - - name: PILOT_CERT_PROVIDER - value: istiod - - name: CA_ADDR - value: istiod.istio-system.svc:15012 - - name: POD_NAME - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - - name: INSTANCE_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.podIP - - name: SERVICE_ACCOUNT - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: spec.serviceAccountName - - name: HOST_IP - valueFrom: - fieldRef: - apiVersion: v1 - fieldPath: status.hostIP - - name: PROXY_CONFIG - value: | - {} - - name: ISTIO_META_POD_PORTS - value: |- - [ - {"containerPort":9080,"protocol":"TCP"} - ] - - name: ISTIO_META_APP_CONTAINERS - value: reviews - - name: ISTIO_META_CLUSTER_ID - value: Kubernetes - - name: ISTIO_META_INTERCEPTION_MODE - value: REDIRECT - - name: ISTIO_META_WORKLOAD_NAME - value: reviews-v3 - - name: ISTIO_META_OWNER - value: kubernetes://apis/apps/v1/namespaces/default/deployments/reviews-v3 - - name: ISTIO_META_MESH_ID - value: cluster.local - - name: TRUST_DOMAIN - value: cluster.local - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-proxy - ports: - - containerPort: 15090 - name: http-envoy-prom - protocol: TCP - readinessProbe: - failureThreshold: 30 - httpGet: - path: /healthz/ready - port: 15021 - scheme: HTTP - initialDelaySeconds: 1 - periodSeconds: 2 - successThreshold: 1 - timeoutSeconds: 3 - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - 
allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - privileged: false - readOnlyRootFilesystem: true - runAsGroup: 1337 - runAsNonRoot: true - runAsUser: 1337 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/istio - name: istiod-ca-cert - - mountPath: /var/lib/istio/data - name: istio-data - - mountPath: /etc/istio/proxy - name: istio-envoy - - mountPath: /var/run/secrets/tokens - name: istio-token - - mountPath: /etc/istio/pod - name: istio-podinfo - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-zxn84 - readOnly: true - dnsPolicy: ClusterFirst - enableServiceLinks: true - initContainers: - - args: - - istio-iptables - - -p - - "15001" - - -z - - "15006" - - -u - - "1337" - - -m - - REDIRECT - - -i - - '*' - - -x - - "" - - -b - - '*' - - -d - - 15090,15021,15020 - image: docker.io/istio/proxyv2:1.12.0 - imagePullPolicy: IfNotPresent - name: istio-init - resources: - limits: - cpu: "2" - memory: 1Gi - requests: - cpu: 10m - memory: 40Mi - securityContext: - allowPrivilegeEscalation: false - capabilities: - add: - - NET_ADMIN - - NET_RAW - drop: - - ALL - privileged: false - readOnlyRootFilesystem: false - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - terminationMessagePath: /dev/termination-log - terminationMessagePolicy: File - volumeMounts: - - mountPath: /var/run/secrets/kubernetes.io/serviceaccount - name: kube-api-access-zxn84 - readOnly: true - nodeName: istio-testing-control-plane - preemptionPolicy: PreemptLowerPriority - priority: 0 - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - serviceAccount: bookinfo-reviews - serviceAccountName: bookinfo-reviews - terminationGracePeriodSeconds: 30 - tolerations: - - effect: NoExecute - key: node.kubernetes.io/not-ready - operator: Exists - tolerationSeconds: 300 - - effect: NoExecute - key: node.kubernetes.io/unreachable - operator: Exists - 
tolerationSeconds: 300 - volumes: - - emptyDir: - medium: Memory - name: istio-envoy - - emptyDir: {} - name: istio-data - - downwardAPI: - defaultMode: 420 - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.labels - path: labels - - fieldRef: - apiVersion: v1 - fieldPath: metadata.annotations - path: annotations - name: istio-podinfo - - name: istio-token - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - audience: istio-ca - expirationSeconds: 43200 - path: istio-token - - configMap: - defaultMode: 420 - name: istio-ca-root-cert - name: istiod-ca-cert - - emptyDir: {} - name: wlp-output - - emptyDir: {} - name: tmp - - name: kube-api-access-zxn84 - projected: - defaultMode: 420 - sources: - - serviceAccountToken: - expirationSeconds: 3607 - path: token - - configMap: - items: - - key: ca.crt - path: ca.crt - name: kube-root-ca.crt - - downwardAPI: - items: - - fieldRef: - apiVersion: v1 - fieldPath: metadata.namespace - path: namespace status: - conditions: - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:56Z" - status: "True" - type: Initialized - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:48Z" - status: "True" - type: Ready - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:30:48Z" - status: "True" - type: ContainersReady - - lastProbeTime: null - lastTransitionTime: "2021-12-06T13:29:50Z" - status: "True" - type: PodScheduled - containerStatuses: - - containerID: containerd://e161b27e16a0c99a19cef8f75c8c314cc6a254d6eb0027c1b309f90d3041c6b1 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-proxy - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:45Z" - - containerID: containerd://cbd3a41d466e6eb062df6afc7b16cb1b469efa33b3d4de60da6225333d0f3337 - image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.2 - imageID: 
docker.io/istio/examples-bookinfo-reviews-v3@sha256:f812dcc7ab76dba313ce0a9ae3010d4ae705da3ce4e636ec3d0c50c709d296a4 - lastState: {} - name: reviews - ready: true - restartCount: 0 - started: true - state: - running: - startedAt: "2021-12-06T13:30:44Z" hostIP: 172.18.0.4 - initContainerStatuses: - - containerID: containerd://54a1d670c1071cc93f8eb1faa840b8d378033a545f8e8629faec6911d7ed1001 - image: docker.io/istio/proxyv2:1.12.0 - imageID: docker.io/istio/proxyv2@sha256:6734c59bab78320fcb2f38cc5da0d6c8a40e484a8eaac5fa6709fe1e4ddec25e - lastState: {} - name: istio-init - ready: true - restartCount: 0 - state: - terminated: - containerID: containerd://54a1d670c1071cc93f8eb1faa840b8d378033a545f8e8629faec6911d7ed1001 - exitCode: 0 - finishedAt: "2021-12-06T13:29:55Z" - reason: Completed - startedAt: "2021-12-06T13:29:55Z" phase: Running podIP: 10.244.0.12 podIPs: - ip: 10.244.0.12 - qosClass: Burstable - startTime: "2021-12-06T13:29:50Z" kind: List metadata: resourceVersion: "" - selfLink: "" \ No newline at end of file + selfLink: "" diff --git a/tests/k8s_ingress_test/k8s_ingress_policies.yaml b/tests/k8s_ingress_test/k8s_ingress_policies.yaml index 64fa86ae..56305ad4 100644 --- a/tests/k8s_ingress_test/k8s_ingress_policies.yaml +++ b/tests/k8s_ingress_test/k8s_ingress_policies.yaml @@ -19,4 +19,4 @@ spec: port: number: 9080 path: /details - pathType: Prefix \ No newline at end of file + pathType: Prefix diff --git a/tests/k8s_ingress_test_new/connlist_output.txt b/tests/k8s_ingress_test_new/connlist_output.txt new file mode 100644 index 00000000..2e1d879e --- /dev/null +++ b/tests/k8s_ingress_test_new/connlist_output.txt 
@@ -0,0 +1,11 @@
+0.0.0.0-255.255.255.255 => default/unicorn[Deployment] : All Connections
+default/reviews-v1-545db77b95[ReplicaSet] => default/productpage-v1-6b746f74dc[ReplicaSet] : TCP 9080
+default/reviews-v1-545db77b95[ReplicaSet] => default/ratings-v1-b6994bb9[ReplicaSet] : TCP 9080
+default/reviews-v2-7bf8c9648f[ReplicaSet] => default/productpage-v1-6b746f74dc[ReplicaSet] : TCP 9080
+default/reviews-v2-7bf8c9648f[ReplicaSet] => default/ratings-v1-b6994bb9[ReplicaSet] : TCP 9080
+default/reviews-v3-84779c7bbc[ReplicaSet] => default/productpage-v1-6b746f74dc[ReplicaSet] : TCP 9080
+default/reviews-v3-84779c7bbc[ReplicaSet] => default/ratings-v1-b6994bb9[ReplicaSet] : TCP 9080
+default/unicorn[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
+default/unicorn[Deployment] => default/details-v1-79f774bdb9[ReplicaSet] : TCP 9080
+{ingress-controller} => default/details-v1-79f774bdb9[ReplicaSet] : TCP 9080
+{ingress-controller} => default/unicorn[Deployment] : TCP 8080
\ No newline at end of file
diff --git a/tests/k8s_ingress_test_new/default_pods_list.yaml b/tests/k8s_ingress_test_new/default_pods_list.yaml
new file mode 100644
index 00000000..6a093e49
--- /dev/null
+++ b/tests/k8s_ingress_test_new/default_pods_list.yaml
@@ -0,0 +1,327 @@ +apiVersion: v1 +items: + - apiVersion: v1 + kind: Pod + metadata: + annotations: + kubectl.kubernetes.io/default-container: details + kubectl.kubernetes.io/default-logs-container: details + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + generateName: details-v1-79f774bdb9- + labels: + app: details + pod-template-hash: 79f774bdb9 + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: details + service.istio.io/canonical-revision: v1 + version: v1 + name: details-v1-79f774bdb9-tw7sj + namespace: default + ownerReferences: + - apiVersion: apps/v1 + blockOwnerDeletion: true + controller: true + kind: ReplicaSet + name: details-v1-79f774bdb9 + uid: b2fab911-9f04-4949-a106-b8f05985fb94 + spec: + containers: + - image: docker.io/istio/examples-bookinfo-details-v1:1.16.2 + imagePullPolicy: IfNotPresent + name: details + ports: + - containerPort: 9080 + protocol: TCP + resources: {} + securityContext: + runAsUser: 1000 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-jnx24 + readOnly: true + status: + hostIP: 172.18.0.4 + phase: Running + podIP: 10.244.0.9 + podIPs: + - ip: 10.244.0.9 + - apiVersion: v1 + kind: Pod + metadata: + annotations: + kubectl.kubernetes.io/default-container: productpage + kubectl.kubernetes.io/default-logs-container: productpage + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: 
'{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + generateName: productpage-v1-6b746f74dc- + labels: + app: productpage + pod-template-hash: 6b746f74dc + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: productpage + service.istio.io/canonical-revision: v1 + version: v1 + name: productpage-v1-6b746f74dc-kkzzk + namespace: default + ownerReferences: + - apiVersion: apps/v1 + blockOwnerDeletion: true + controller: true + kind: ReplicaSet + name: productpage-v1-6b746f74dc + uid: 138e0f27-d290-49a8-b3a0-a9b8ceca1c43 + spec: + containers: + - image: docker.io/istio/examples-bookinfo-productpage-v1:1.16.2 + imagePullPolicy: IfNotPresent + name: productpage + ports: + - containerPort: 9080 + protocol: TCP + resources: {} + securityContext: + runAsUser: 1000 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-r5ld7 + readOnly: true + status: + hostIP: 172.18.0.4 + phase: Running + podIP: 10.244.0.13 + podIPs: + - ip: 10.244.0.13 + - apiVersion: v1 + kind: Pod + metadata: + annotations: + kubectl.kubernetes.io/default-container: ratings + kubectl.kubernetes.io/default-logs-container: ratings + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + generateName: ratings-v1-b6994bb9- + labels: + app: ratings + pod-template-hash: b6994bb9 + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: ratings + service.istio.io/canonical-revision: v1 + version: v1 + name: 
ratings-v1-b6994bb9-gl27w + namespace: default + ownerReferences: + - apiVersion: apps/v1 + blockOwnerDeletion: true + controller: true + kind: ReplicaSet + name: ratings-v1-b6994bb9 + uid: a7192b2c-1c84-44f2-b178-85e24beb87a5 + spec: + containers: + - image: docker.io/istio/examples-bookinfo-ratings-v1:1.16.2 + imagePullPolicy: IfNotPresent + name: ratings + ports: + - containerPort: 9080 + protocol: TCP + resources: {} + securityContext: + runAsUser: 1000 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-glrct + readOnly: true + status: + hostIP: 172.18.0.4 + podIP: 10.244.0.8 + podIPs: + - ip: 10.244.0.8 + - apiVersion: v1 + kind: Pod + metadata: + annotations: + kubectl.kubernetes.io/default-container: reviews + kubectl.kubernetes.io/default-logs-container: reviews + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + generateName: reviews-v1-545db77b95- + labels: + app: reviews + pod-template-hash: 545db77b95 + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: reviews + service.istio.io/canonical-revision: v1 + version: v1 + name: reviews-v1-545db77b95-2ps7q + namespace: default + ownerReferences: + - apiVersion: apps/v1 + blockOwnerDeletion: true + controller: true + kind: ReplicaSet + name: reviews-v1-545db77b95 + uid: 4002d13e-0feb-4bc1-8ed8-1fd7c0662035 + spec: + containers: + - env: + - name: LOG_DIR + value: /tmp/logs + image: docker.io/istio/examples-bookinfo-reviews-v1:1.16.2 + imagePullPolicy: IfNotPresent + name: reviews + ports: + - containerPort: 9080 + protocol: TCP + resources: {} + securityContext: + runAsUser: 1000 + 
terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /opt/ibm/wlp/output + name: wlp-output + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-vkb56 + readOnly: true + status: + hostIP: 172.18.0.4 + podIP: 10.244.0.10 + podIPs: + - ip: 10.244.0.10 + - apiVersion: v1 + kind: Pod + metadata: + annotations: + kubectl.kubernetes.io/default-container: reviews + kubectl.kubernetes.io/default-logs-container: reviews + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + generateName: reviews-v2-7bf8c9648f- + labels: + app: reviews + pod-template-hash: 7bf8c9648f + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: reviews + service.istio.io/canonical-revision: v2 + version: v2 + name: reviews-v2-7bf8c9648f-7v7ps + namespace: default + ownerReferences: + - apiVersion: apps/v1 + blockOwnerDeletion: true + controller: true + kind: ReplicaSet + name: reviews-v2-7bf8c9648f + uid: b7bce5e2-36f3-4835-a13e-de243713825c + spec: + containers: + - env: + - name: LOG_DIR + value: /tmp/logs + image: docker.io/istio/examples-bookinfo-reviews-v2:1.16.2 + imagePullPolicy: IfNotPresent + name: reviews + ports: + - containerPort: 9080 + protocol: TCP + resources: {} + securityContext: + runAsUser: 1000 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /opt/ibm/wlp/output + name: wlp-output + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-qvb77 + readOnly: true + status: + hostIP: 172.18.0.4 + phase: Running + podIP: 10.244.0.11 + podIPs: + - ip: 10.244.0.11 + - 
apiVersion: v1 + kind: Pod + metadata: + annotations: + kubectl.kubernetes.io/default-container: reviews + kubectl.kubernetes.io/default-logs-container: reviews + prometheus.io/path: /stats/prometheus + prometheus.io/port: "15020" + prometheus.io/scrape: "true" + sidecar.istio.io/status: '{"initContainers":["istio-init"],"containers":["istio-proxy"],"volumes":["istio-envoy","istio-data","istio-podinfo","istio-token","istiod-ca-cert"],"imagePullSecrets":null,"revision":"default"}' + generateName: reviews-v3-84779c7bbc- + labels: + app: reviews + pod-template-hash: 84779c7bbc + security.istio.io/tlsMode: istio + service.istio.io/canonical-name: reviews + service.istio.io/canonical-revision: v3 + version: v3 + name: reviews-v3-84779c7bbc-lfjvk + namespace: default + ownerReferences: + - apiVersion: apps/v1 + blockOwnerDeletion: true + controller: true + kind: ReplicaSet + name: reviews-v3-84779c7bbc + uid: 2003d1ad-0228-4d8a-87b2-e85315961235 + spec: + containers: + - env: + - name: LOG_DIR + value: /tmp/logs + image: docker.io/istio/examples-bookinfo-reviews-v3:1.16.2 + imagePullPolicy: IfNotPresent + name: reviews + ports: + - containerPort: 9080 + protocol: TCP + resources: {} + securityContext: + runAsUser: 1000 + terminationMessagePath: /dev/termination-log + terminationMessagePolicy: File + volumeMounts: + - mountPath: /tmp + name: tmp + - mountPath: /opt/ibm/wlp/output + name: wlp-output + - mountPath: /var/run/secrets/kubernetes.io/serviceaccount + name: kube-api-access-zxn84 + readOnly: true + status: + hostIP: 172.18.0.4 + phase: Running + podIP: 10.244.0.12 + podIPs: + - ip: 10.244.0.12 +kind: List +metadata: + resourceVersion: "" + selfLink: "" diff --git a/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.csv b/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.csv new file mode 100644 index 00000000..5e39ca5b --- /dev/null +++ b/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.csv 
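Review bot: The new fixture is inconsistent about pod status — the details, productpage, reviews-v2 and reviews-v3 entries keep `phase: Running`, while the ratings and reviews-v1 entries drop it and list only `hostIP`, `podIP` and `podIPs`. If the analyzer ever starts filtering on phase, those two pods would silently vanish from the expected connlist/diff outputs and the fixture would need a second edit; presumably the trim was meant to be uniform. Either add `phase: Running` to the ratings and reviews-v1 status blocks or remove it from the other four so the fixture documents one convention. The deletion hunks earlier on this page keep `phase: Running` for the corresponding reviews-v2 and reviews-v3 pods, which suggests keeping it is the intended shape.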
@@ -0,0 +1,47 @@
+source,destination,dir1,dir2,diff-type
+default/reviews-v1-545db77b95[ReplicaSet],default/productpage-v1-6b746f74dc[ReplicaSet],All Connections,TCP 9080,changed
+default/reviews-v1-545db77b95[ReplicaSet],default/ratings-v1-b6994bb9[ReplicaSet],All Connections,TCP 9080,changed
+default/reviews-v2-7bf8c9648f[ReplicaSet],default/productpage-v1-6b746f74dc[ReplicaSet],All Connections,TCP 9080,changed
+default/reviews-v2-7bf8c9648f[ReplicaSet],default/ratings-v1-b6994bb9[ReplicaSet],All Connections,TCP 9080,changed
+default/reviews-v3-84779c7bbc[ReplicaSet],default/productpage-v1-6b746f74dc[ReplicaSet],All Connections,TCP 9080,changed
+default/reviews-v3-84779c7bbc[ReplicaSet],default/ratings-v1-b6994bb9[ReplicaSet],All Connections,TCP 9080,changed
+0.0.0.0-255.255.255.255,default/unicorn[Deployment],No Connections,All Connections,added (workload default/unicorn[Deployment] added)
+default/unicorn[Deployment],0.0.0.0-255.255.255.255,No Connections,All Connections,added (workload default/unicorn[Deployment] added)
+default/unicorn[Deployment],default/details-v1-79f774bdb9[ReplicaSet],No Connections,TCP 9080,added (workload default/unicorn[Deployment] added)
+0.0.0.0-255.255.255.255,default/details-v1-79f774bdb9[ReplicaSet],All Connections,No Connections,removed
+0.0.0.0-255.255.255.255,default/productpage-v1-6b746f74dc[ReplicaSet],All Connections,No Connections,removed
+0.0.0.0-255.255.255.255,default/ratings-v1-b6994bb9[ReplicaSet],All Connections,No Connections,removed
+0.0.0.0-255.255.255.255,default/reviews-v1-545db77b95[ReplicaSet],All Connections,No Connections,removed
+0.0.0.0-255.255.255.255,default/reviews-v2-7bf8c9648f[ReplicaSet],All Connections,No Connections,removed
+0.0.0.0-255.255.255.255,default/reviews-v3-84779c7bbc[ReplicaSet],All Connections,No Connections,removed
+default/details-v1-79f774bdb9[ReplicaSet],0.0.0.0-255.255.255.255,All Connections,No Connections,removed
+default/details-v1-79f774bdb9[ReplicaSet],default/productpage-v1-6b746f74dc[ReplicaSet],All Connections,No Connections,removed
+default/details-v1-79f774bdb9[ReplicaSet],default/ratings-v1-b6994bb9[ReplicaSet],All Connections,No Connections,removed
+default/details-v1-79f774bdb9[ReplicaSet],default/reviews-v1-545db77b95[ReplicaSet],All Connections,No Connections,removed
+default/details-v1-79f774bdb9[ReplicaSet],default/reviews-v2-7bf8c9648f[ReplicaSet],All Connections,No Connections,removed
+default/details-v1-79f774bdb9[ReplicaSet],default/reviews-v3-84779c7bbc[ReplicaSet],All Connections,No Connections,removed
+default/productpage-v1-6b746f74dc[ReplicaSet],0.0.0.0-255.255.255.255,All Connections,No Connections,removed
+default/productpage-v1-6b746f74dc[ReplicaSet],default/details-v1-79f774bdb9[ReplicaSet],All Connections,No Connections,removed
+default/productpage-v1-6b746f74dc[ReplicaSet],default/ratings-v1-b6994bb9[ReplicaSet],All Connections,No Connections,removed
+default/productpage-v1-6b746f74dc[ReplicaSet],default/reviews-v1-545db77b95[ReplicaSet],All Connections,No Connections,removed
+default/productpage-v1-6b746f74dc[ReplicaSet],default/reviews-v2-7bf8c9648f[ReplicaSet],All Connections,No Connections,removed
+default/productpage-v1-6b746f74dc[ReplicaSet],default/reviews-v3-84779c7bbc[ReplicaSet],All Connections,No Connections,removed
+default/ratings-v1-b6994bb9[ReplicaSet],0.0.0.0-255.255.255.255,All Connections,No Connections,removed
+default/ratings-v1-b6994bb9[ReplicaSet],default/details-v1-79f774bdb9[ReplicaSet],All Connections,No Connections,removed
+default/ratings-v1-b6994bb9[ReplicaSet],default/productpage-v1-6b746f74dc[ReplicaSet],All Connections,No Connections,removed
+default/ratings-v1-b6994bb9[ReplicaSet],default/reviews-v1-545db77b95[ReplicaSet],All Connections,No Connections,removed
+default/ratings-v1-b6994bb9[ReplicaSet],default/reviews-v2-7bf8c9648f[ReplicaSet],All Connections,No Connections,removed
+default/ratings-v1-b6994bb9[ReplicaSet],default/reviews-v3-84779c7bbc[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v1-545db77b95[ReplicaSet],0.0.0.0-255.255.255.255,All Connections,No Connections,removed
+default/reviews-v1-545db77b95[ReplicaSet],default/details-v1-79f774bdb9[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v1-545db77b95[ReplicaSet],default/reviews-v2-7bf8c9648f[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v1-545db77b95[ReplicaSet],default/reviews-v3-84779c7bbc[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v2-7bf8c9648f[ReplicaSet],0.0.0.0-255.255.255.255,All Connections,No Connections,removed
+default/reviews-v2-7bf8c9648f[ReplicaSet],default/details-v1-79f774bdb9[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v2-7bf8c9648f[ReplicaSet],default/reviews-v1-545db77b95[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v2-7bf8c9648f[ReplicaSet],default/reviews-v3-84779c7bbc[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v3-84779c7bbc[ReplicaSet],0.0.0.0-255.255.255.255,All Connections,No Connections,removed
+default/reviews-v3-84779c7bbc[ReplicaSet],default/details-v1-79f774bdb9[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v3-84779c7bbc[ReplicaSet],default/reviews-v1-545db77b95[ReplicaSet],All Connections,No Connections,removed
+default/reviews-v3-84779c7bbc[ReplicaSet],default/reviews-v2-7bf8c9648f[ReplicaSet],All Connections,No Connections,removed
+{ingress-controller},default/unicorn[Deployment],No Connections,TCP 8080,added (workload default/unicorn[Deployment] added)
diff --git a/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.md b/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.md
new file mode 100644
index 00000000..16892cce
--- /dev/null
+++ b/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.md
@@ -0,0 +1,48 @@ +| source | destination | dir1 | dir2 | diff-type | +|--------|-------------|------|------|-----------| +| default/reviews-v1-545db77b95[ReplicaSet] | default/productpage-v1-6b746f74dc[ReplicaSet] | All Connections | TCP 9080 | changed | +| default/reviews-v1-545db77b95[ReplicaSet] | default/ratings-v1-b6994bb9[ReplicaSet] | All Connections | TCP 9080 | changed | +| default/reviews-v2-7bf8c9648f[ReplicaSet] | default/productpage-v1-6b746f74dc[ReplicaSet] | All Connections | TCP 9080 | changed | +| default/reviews-v2-7bf8c9648f[ReplicaSet] | default/ratings-v1-b6994bb9[ReplicaSet] | All Connections | TCP 9080 | changed | +| default/reviews-v3-84779c7bbc[ReplicaSet] | default/productpage-v1-6b746f74dc[ReplicaSet] | All Connections | TCP 9080 | changed | +| default/reviews-v3-84779c7bbc[ReplicaSet] | default/ratings-v1-b6994bb9[ReplicaSet] | All Connections | TCP 9080 | changed | +| 0.0.0.0-255.255.255.255 | default/unicorn[Deployment] | No Connections | All Connections | added (workload default/unicorn[Deployment] added) | +| default/unicorn[Deployment] | 0.0.0.0-255.255.255.255 | No Connections | All Connections | added (workload default/unicorn[Deployment] added) | +| default/unicorn[Deployment] | default/details-v1-79f774bdb9[ReplicaSet] | No Connections | TCP 9080 | added (workload default/unicorn[Deployment] added) | +| 0.0.0.0-255.255.255.255 | default/details-v1-79f774bdb9[ReplicaSet] | All Connections | No Connections | removed | +| 0.0.0.0-255.255.255.255 | default/productpage-v1-6b746f74dc[ReplicaSet] | All Connections | No Connections | removed | +| 0.0.0.0-255.255.255.255 | default/ratings-v1-b6994bb9[ReplicaSet] | All Connections | No Connections | removed | +| 0.0.0.0-255.255.255.255 | default/reviews-v1-545db77b95[ReplicaSet] | All Connections | No Connections | removed | +| 0.0.0.0-255.255.255.255 | default/reviews-v2-7bf8c9648f[ReplicaSet] | All Connections | No Connections | removed | +| 0.0.0.0-255.255.255.255 | 
default/reviews-v3-84779c7bbc[ReplicaSet] | All Connections | No Connections | removed | +| default/details-v1-79f774bdb9[ReplicaSet] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed | +| default/details-v1-79f774bdb9[ReplicaSet] | default/productpage-v1-6b746f74dc[ReplicaSet] | All Connections | No Connections | removed | +| default/details-v1-79f774bdb9[ReplicaSet] | default/ratings-v1-b6994bb9[ReplicaSet] | All Connections | No Connections | removed | +| default/details-v1-79f774bdb9[ReplicaSet] | default/reviews-v1-545db77b95[ReplicaSet] | All Connections | No Connections | removed | +| default/details-v1-79f774bdb9[ReplicaSet] | default/reviews-v2-7bf8c9648f[ReplicaSet] | All Connections | No Connections | removed | +| default/details-v1-79f774bdb9[ReplicaSet] | default/reviews-v3-84779c7bbc[ReplicaSet] | All Connections | No Connections | removed | +| default/productpage-v1-6b746f74dc[ReplicaSet] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed | +| default/productpage-v1-6b746f74dc[ReplicaSet] | default/details-v1-79f774bdb9[ReplicaSet] | All Connections | No Connections | removed | +| default/productpage-v1-6b746f74dc[ReplicaSet] | default/ratings-v1-b6994bb9[ReplicaSet] | All Connections | No Connections | removed | +| default/productpage-v1-6b746f74dc[ReplicaSet] | default/reviews-v1-545db77b95[ReplicaSet] | All Connections | No Connections | removed | +| default/productpage-v1-6b746f74dc[ReplicaSet] | default/reviews-v2-7bf8c9648f[ReplicaSet] | All Connections | No Connections | removed | +| default/productpage-v1-6b746f74dc[ReplicaSet] | default/reviews-v3-84779c7bbc[ReplicaSet] | All Connections | No Connections | removed | +| default/ratings-v1-b6994bb9[ReplicaSet] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed | +| default/ratings-v1-b6994bb9[ReplicaSet] | default/details-v1-79f774bdb9[ReplicaSet] | All Connections | No Connections | removed | +| 
default/ratings-v1-b6994bb9[ReplicaSet] | default/productpage-v1-6b746f74dc[ReplicaSet] | All Connections | No Connections | removed | +| default/ratings-v1-b6994bb9[ReplicaSet] | default/reviews-v1-545db77b95[ReplicaSet] | All Connections | No Connections | removed | +| default/ratings-v1-b6994bb9[ReplicaSet] | default/reviews-v2-7bf8c9648f[ReplicaSet] | All Connections | No Connections | removed | +| default/ratings-v1-b6994bb9[ReplicaSet] | default/reviews-v3-84779c7bbc[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v1-545db77b95[ReplicaSet] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed | +| default/reviews-v1-545db77b95[ReplicaSet] | default/details-v1-79f774bdb9[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v1-545db77b95[ReplicaSet] | default/reviews-v2-7bf8c9648f[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v1-545db77b95[ReplicaSet] | default/reviews-v3-84779c7bbc[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v2-7bf8c9648f[ReplicaSet] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed | +| default/reviews-v2-7bf8c9648f[ReplicaSet] | default/details-v1-79f774bdb9[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v2-7bf8c9648f[ReplicaSet] | default/reviews-v1-545db77b95[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v2-7bf8c9648f[ReplicaSet] | default/reviews-v3-84779c7bbc[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v3-84779c7bbc[ReplicaSet] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed | +| default/reviews-v3-84779c7bbc[ReplicaSet] | default/details-v1-79f774bdb9[ReplicaSet] | All Connections | No Connections | removed | +| default/reviews-v3-84779c7bbc[ReplicaSet] | default/reviews-v1-545db77b95[ReplicaSet] | All Connections | No Connections | removed | +| 
default/reviews-v3-84779c7bbc[ReplicaSet] | default/reviews-v2-7bf8c9648f[ReplicaSet] | All Connections | No Connections | removed | +| {ingress-controller} | default/unicorn[Deployment] | No Connections | TCP 8080 | added (workload default/unicorn[Deployment] added) | \ No newline at end of file diff --git a/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.txt b/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.txt new file mode 100644 index 00000000..76bbeea0 --- /dev/null +++ b/tests/k8s_ingress_test_new/diff_output_from_k8s_ingress_test.txt 
@@ -0,0 +1,47 @@ +Connectivity diff: +source: default/reviews-v1-545db77b95[ReplicaSet], destination: default/productpage-v1-6b746f74dc[ReplicaSet], dir1: All Connections, dir2: TCP 9080, diff-type: changed +source: default/reviews-v1-545db77b95[ReplicaSet], destination: default/ratings-v1-b6994bb9[ReplicaSet], dir1: All Connections, dir2: TCP 9080, diff-type: changed +source: default/reviews-v2-7bf8c9648f[ReplicaSet], destination: default/productpage-v1-6b746f74dc[ReplicaSet], dir1: All Connections, dir2: TCP 9080, diff-type: changed +source: default/reviews-v2-7bf8c9648f[ReplicaSet], destination: default/ratings-v1-b6994bb9[ReplicaSet], dir1: All Connections, dir2: TCP 9080, diff-type: changed +source: default/reviews-v3-84779c7bbc[ReplicaSet], destination: default/productpage-v1-6b746f74dc[ReplicaSet], dir1: All Connections, dir2: TCP 9080, diff-type: changed +source: default/reviews-v3-84779c7bbc[ReplicaSet], destination: default/ratings-v1-b6994bb9[ReplicaSet], dir1: All Connections, dir2: TCP 9080, diff-type: changed +source: 0.0.0.0-255.255.255.255, destination: default/unicorn[Deployment], dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added) +source: default/unicorn[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added) +source: default/unicorn[Deployment], destination: default/details-v1-79f774bdb9[ReplicaSet], dir1: No Connections, dir2: TCP 9080, diff-type: added (workload default/unicorn[Deployment] added) +source: 0.0.0.0-255.255.255.255, destination: default/details-v1-79f774bdb9[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: 0.0.0.0-255.255.255.255, destination: default/productpage-v1-6b746f74dc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: 0.0.0.0-255.255.255.255, destination: default/ratings-v1-b6994bb9[ReplicaSet], 
dir1: All Connections, dir2: No Connections, diff-type: removed +source: 0.0.0.0-255.255.255.255, destination: default/reviews-v1-545db77b95[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: 0.0.0.0-255.255.255.255, destination: default/reviews-v2-7bf8c9648f[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: 0.0.0.0-255.255.255.255, destination: default/reviews-v3-84779c7bbc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/details-v1-79f774bdb9[ReplicaSet], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/details-v1-79f774bdb9[ReplicaSet], destination: default/productpage-v1-6b746f74dc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/details-v1-79f774bdb9[ReplicaSet], destination: default/ratings-v1-b6994bb9[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/details-v1-79f774bdb9[ReplicaSet], destination: default/reviews-v1-545db77b95[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/details-v1-79f774bdb9[ReplicaSet], destination: default/reviews-v2-7bf8c9648f[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/details-v1-79f774bdb9[ReplicaSet], destination: default/reviews-v3-84779c7bbc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/productpage-v1-6b746f74dc[ReplicaSet], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/productpage-v1-6b746f74dc[ReplicaSet], destination: default/details-v1-79f774bdb9[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/productpage-v1-6b746f74dc[ReplicaSet], destination: default/ratings-v1-b6994bb9[ReplicaSet], dir1: All 
Connections, dir2: No Connections, diff-type: removed +source: default/productpage-v1-6b746f74dc[ReplicaSet], destination: default/reviews-v1-545db77b95[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/productpage-v1-6b746f74dc[ReplicaSet], destination: default/reviews-v2-7bf8c9648f[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/productpage-v1-6b746f74dc[ReplicaSet], destination: default/reviews-v3-84779c7bbc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/ratings-v1-b6994bb9[ReplicaSet], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/ratings-v1-b6994bb9[ReplicaSet], destination: default/details-v1-79f774bdb9[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/ratings-v1-b6994bb9[ReplicaSet], destination: default/productpage-v1-6b746f74dc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/ratings-v1-b6994bb9[ReplicaSet], destination: default/reviews-v1-545db77b95[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/ratings-v1-b6994bb9[ReplicaSet], destination: default/reviews-v2-7bf8c9648f[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/ratings-v1-b6994bb9[ReplicaSet], destination: default/reviews-v3-84779c7bbc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v1-545db77b95[ReplicaSet], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v1-545db77b95[ReplicaSet], destination: default/details-v1-79f774bdb9[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v1-545db77b95[ReplicaSet], destination: 
default/reviews-v2-7bf8c9648f[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v1-545db77b95[ReplicaSet], destination: default/reviews-v3-84779c7bbc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v2-7bf8c9648f[ReplicaSet], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v2-7bf8c9648f[ReplicaSet], destination: default/details-v1-79f774bdb9[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v2-7bf8c9648f[ReplicaSet], destination: default/reviews-v1-545db77b95[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v2-7bf8c9648f[ReplicaSet], destination: default/reviews-v3-84779c7bbc[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v3-84779c7bbc[ReplicaSet], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v3-84779c7bbc[ReplicaSet], destination: default/details-v1-79f774bdb9[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v3-84779c7bbc[ReplicaSet], destination: default/reviews-v1-545db77b95[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/reviews-v3-84779c7bbc[ReplicaSet], destination: default/reviews-v2-7bf8c9648f[ReplicaSet], dir1: All Connections, dir2: No Connections, diff-type: removed +source: {ingress-controller}, destination: default/unicorn[Deployment], dir1: No Connections, dir2: TCP 8080, diff-type: added (workload default/unicorn[Deployment] added) \ No newline at end of file diff --git a/tests/k8s_ingress_test_new/k8s_ingress_policies.yaml b/tests/k8s_ingress_test_new/k8s_ingress_policies.yaml new file mode 100644 index 00000000..61825bf9 
--- /dev/null
+++ b/tests/k8s_ingress_test_new/k8s_ingress_policies.yaml
@@ -0,0 +1,32 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ creationTimestamp: "2022-01-27T18:20:25Z"
+ generation: 3
+ name: ingress-policy
+ namespace: default
+ resourceVersion: "37135"
+ uid: 85e70fbc-0b4b-462c-9bc1-9a1e7e00db58
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: demo.localdev.me
+ http:
+ paths:
+ - backend:
+ service:
+ name: details
+ port:
+ number: 9080
+ path: /details
+ pathType: Prefix
+ - host: demo.unicorn.me # new rule
+ http:
+ paths:
+ - backend:
+ service:
+ name: unicorn
+ port:
+ number: 8080
+ path: /unicorn
+ pathType: Prefix
\ No newline at end of file
diff --git a/tests/k8s_ingress_test_new/k8s_netpols.yaml b/tests/k8s_ingress_test_new/k8s_netpols.yaml
new file mode 100644
index 00000000..b6c55bee
--- /dev/null
+++ b/tests/k8s_ingress_test_new/k8s_netpols.yaml
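Review bot: The second rule's backend `service: unicorn` / `port: number: 8080` does not match any port of the `unicorn` Service added in new_deployment.yaml, which exposes only `port: 5000` (with `targetPort: 8080`); an ingress controller resolves a backend by Service port, so on a live cluster this rule would have no endpoints. The expected outputs nevertheless record `{ingress-controller} → default/unicorn[Deployment] : TCP 8080`, which suggests the analyzer matches on the container/target port instead — worth confirming that is intended rather than an accident of the fixture. Either change the Service to `port: 8080` or the rule to `number: 5000` so the fixture is valid Kubernetes as well as valid input for the tool. The server-populated `creationTimestamp`, `generation`, `resourceVersion` and `uid` fields are noise in a hand-maintained fixture and can be dropped.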
@@ -0,0 +1,83 @@
+# new netpols between deployments
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: productpage-netpol
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: reviews
+ ports:
+ - port: 9080
+ podSelector:
+ matchLabels:
+ app: productpage
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: details-netpol
+spec:
+ egress: []
+ ingress:
+ - from:
+ - namespaceSelector: {}
+ ports:
+ - port: 9080
+ protocol: TCP
+ podSelector:
+ matchLabels:
+ app: details
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: reviews-netpol
+spec:
+ egress:
+ - ports:
+ - port: 9080
+ to:
+ - podSelector:
+ matchLabels:
+ app: productpage
+ - ports:
+ - port: 9080
+ to:
+ - podSelector:
+ matchLabels:
+ app: ratings
+ podSelector:
+ matchLabels:
+ app: reviews
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: ratings-netpol
+spec:
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: reviews
+ ports:
+ - port: 9080
+ podSelector:
+ matchLabels:
+ app: ratings
+ policyTypes:
+ - Ingress
+ - Egress
+---
diff --git a/tests/k8s_ingress_test_new/new_deployment.yaml b/tests/k8s_ingress_test_new/new_deployment.yaml
new file mode 100644
index 00000000..2a3a762a
--- /dev/null
+++ b/tests/k8s_ingress_test_new/new_deployment.yaml
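Review bot: `namespaceSelector: {}` in details-netpol admits ingress on 9080 from every pod in every namespace, not only the bookinfo peers; it is exactly what lets the newly added, policy-less `unicorn` Deployment reach details in the expected outputs (`unicorn → details TCP 9080, added`), so if the fixture is meant to model a locked-down service the selector should be narrowed, and if the wide-open selector is deliberate a comment should say so. productpage-netpol and ratings-netpol list `Egress` in `policyTypes` with no `egress` rules, and reviews-netpol lists `Ingress` with no `ingress` rules, which is a deny-all for that direction (for egress that includes DNS on UDP 53); that is consistent with the expected output but will break name resolution if these manifests are ever applied to a real cluster, so a header comment such as `# policyTypes without matching rules = deny-all in that direction (intentional)` would save the next reader a surprise. The `port: 9080` entries without `protocol:` default to TCP; spelling out `protocol: TCP` as details-netpol already does keeps the four policies consistent.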
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: unicorn
+spec:
+ selector:
+ matchLabels:
+ app: unicorn
+ template:
+ metadata:
+ labels:
+ app: unicorn
+ spec:
+ terminationGracePeriodSeconds: 5
+ containers:
+ - name: server
+ image: gcr.io/google-samples/microservices-demo/unicorn:v0.1.3
+ ports:
+ - containerPort: 8080
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: unicorn
+spec:
+ type: ClusterIP
+ selector:
+ app: unicorn
+ ports:
+ - name: grpc
+ port: 5000
+ targetPort: 8080
+---
diff --git a/tests/k8s_ingress_test_new/services.yaml b/tests/k8s_ingress_test_new/services.yaml
new file mode 100644
index 00000000..0bc5ce49
--- /dev/null
+++ b/tests/k8s_ingress_test_new/services.yaml
@@ -0,0 +1,101 @@ +apiVersion: v1 +kind: Service +metadata: + name: details + labels: + app: details + service: details +spec: + ports: + - port: 9080 + name: http + selector: + app: details +--- +apiVersion: v1 +kind: Service +metadata: + name: ratings + labels: + app: ratings + service: ratings +spec: + ports: + - port: 9080 + name: http + selector: + app: ratings +--- +apiVersion: v1 +kind: Service +metadata: + name: reviews + labels: + app: reviews + service: reviews +spec: + ports: + - port: 9080 + name: http + selector: + app: reviews +--- +apiVersion: v1 +kind: Service +metadata: + name: productpage + labels: + app: productpage + service: productpage +spec: + ports: + - port: 9080 + name: http + selector: + app: productpage +--- +apiVersion: v1 +kind: Service +metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"labels":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"name":"ingress-nginx-controller","namespace":"ingress-nginx"},"spec":{"ipFamilies":["IPv4"],"ipFamilyPolicy":"SingleStack","ports":[{"appProtocol":"http","name":"http","port":80,"protocol":"TCP","targetPort":"http"},{"appProtocol":"https","name":"https","port":443,"protocol":"TCP","targetPort":"https"}],"selector":{"app.kubernetes.io/component":"controller","app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"type":"NodePort"}} + creationTimestamp: "2022-01-27T18:07:04Z" + labels: + app.kubernetes.io/component: controller + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + name: ingress-nginx-controller + namespace: ingress-nginx + resourceVersion: "674" + uid: c762e0af-2c9f-4a6e-9ced-7353b65a0e4a +spec: + clusterIP: 10.110.86.95 + clusterIPs: + - 10.110.86.95 + externalTrafficPolicy: Cluster + internalTrafficPolicy: Cluster + ipFamilies: + - IPv4 + 
ipFamilyPolicy: SingleStack
+ ports:
+ - appProtocol: http
+ name: http
+ nodePort: 30308
+ port: 80
+ protocol: TCP
+ targetPort: http
+ - appProtocol: https
+ name: https
+ nodePort: 32135
+ port: 443
+ protocol: TCP
+ targetPort: https
+ selector:
+ app.kubernetes.io/component: controller
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ sessionAffinity: None
+ type: NodePort
+status:
+ loadBalancer: {}
diff --git a/tests/multiple_ingress_objects_with_different_ports_new/deployment_with_multiple_ports.yaml b/tests/multiple_ingress_objects_with_different_ports_new/deployment_with_multiple_ports.yaml
new file mode 100644
index 00000000..39fd1e52
--- /dev/null
+++ b/tests/multiple_ingress_objects_with_different_ports_new/deployment_with_multiple_ports.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ingressworld
+spec: {}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ingress-world-multiple-ports
+ namespace: ingressworld
+ labels:
+ app: ingress-world
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app: ingress-world
+ template:
+ metadata:
+ labels:
+ app: ingress-world
+ spec:
+ containers:
+ - name: ingressworld
+ image: quay.io/shfa/ingress-world:latest
+ ports:
+ - containerPort: 8000 # containerport1
+ - containerPort: 8050 # containerport2
+ - containerPort: 8090 # containerport3
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ingress-world
+ namespace: ingressworld
+spec:
+ ports:
+ - protocol: TCP
+ port: 8000
+ targetPort: 8000
+ - protocol: TCP
+ port: 8050
+ targetPort: 8050
+ - protocol: TCP
+ port: 8090
+ targetPort: 8090
+ selector:
+ app: ingress-world
diff --git a/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.csv b/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.csv
new file mode 100644
index 00000000..34b361c3
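Review bot: The `ingress-nginx-controller` Service in this hunk is a raw live-object export: the `kubectl.kubernetes.io/last-applied-configuration` annotation, `clusterIP`/`clusterIPs`, `creationTimestamp`, `resourceVersion`, `uid`, the fixed `nodePort` values and the trailing `status:` block are all server-populated, will collide or be rejected if the fixture is ever applied to another cluster, and only add noise to what the analyzer reads. Keeping `metadata.name`, `namespace`, `labels`, and `spec.selector`/`ports`/`type` is enough for the connectivity model. The hunk starts at the `details` Service on the previous line.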
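Review bot: The `ingress-world` Service declares three ports with no `name`, and the API server rejects a multi-port Service whose ports are unnamed (`spec.ports[*].name: Required value`), so this fixture is not applyable as written even though the analyzer accepts it; adding `name: http-8000`, `name: http-8050`, `name: http-8090` to the three entries fixes that and gives ingress-1/route-1 something to reference by name. The image `quay.io/shfa/ingress-world:latest` is pinned only to a mutable tag — harmless for a static-analysis fixture, but a version tag or digest is the habit worth keeping in examples users copy.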
--- /dev/null +++ b/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.csv @@ -0,0 +1,2 @@ +source,destination,dir1,dir2,diff-type +{ingress-controller},ingressworld/ingress-world-multiple-ports[Deployment],"TCP 8050,8090","TCP 8000,8090",changed diff --git a/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.md b/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.md new file mode 100644 index 00000000..a89e198f --- /dev/null +++ b/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.md @@ -0,0 +1,3 @@ +| source | destination | dir1 | dir2 | diff-type | +|--------|-------------|------|------|-----------| +| {ingress-controller} | ingressworld/ingress-world-multiple-ports[Deployment] | TCP 8050,8090 | TCP 8000,8090 | changed | \ No newline at end of file diff --git a/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.txt b/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.txt new file mode 100644 index 00000000..e43bdec5 --- /dev/null +++ b/tests/multiple_ingress_objects_with_different_ports_new/diff_output_from_multiple_ingress_objects_with_different_ports.txt @@ -0,0 +1,2 @@ +Connectivity diff: +source: {ingress-controller}, destination: ingressworld/ingress-world-multiple-ports[Deployment], dir1: TCP 8050,8090, dir2: TCP 8000,8090, diff-type: changed \ No newline at end of file diff --git a/tests/multiple_ingress_objects_with_different_ports_new/ingress-1.yaml b/tests/multiple_ingress_objects_with_different_ports_new/ingress-1.yaml new file mode 100644 index 00000000..edbd594f --- /dev/null 
+++ b/tests/multiple_ingress_objects_with_different_ports_new/ingress-1.yaml
@@ -0,0 +1,17 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ingress-1
+ namespace: ingressworld
+spec:
+ rules:
+ - host: ingress.nginx.example.com
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: ingress-world
+ port:
+ number: 8090
\ No newline at end of file
diff --git a/tests/multiple_ingress_objects_with_different_ports_new/route-1.yaml b/tests/multiple_ingress_objects_with_different_ports_new/route-1.yaml
new file mode 100644
index 00000000..c24ada0b
--- /dev/null
+++ b/tests/multiple_ingress_objects_with_different_ports_new/route-1.yaml
@@ -0,0 +1,15 @@
+apiVersion: route.openshift.io/v1
+kind: Route
+metadata:
+ name: route-1
+ namespace: ingressworld
+ labels:
+ app: ingress-world
+spec:
+ to:
+ kind: Service
+ name: ingress-world
+ weight: 100
+ port:
+ targetPort: 8000
+ wildcardPolicy: None
\ No newline at end of file
diff --git a/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.csv b/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.csv
new file mode 100644
index 00000000..e298d34f
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.csv
@@ -0,0 +1,9 @@ +source,destination,dir1,dir2,diff-type +default/checkoutservice[Deployment],default/cartservice[Deployment],TCP 7070,TCP 8000,changed +default/checkoutservice[Deployment],default/emailservice[Deployment],TCP 8080,"TCP 8080,9555",changed +default/cartservice[Deployment],default/emailservice[Deployment],No Connections,TCP 9555,added +default/checkoutservice[Deployment],default/adservice[Deployment],No Connections,TCP 9555,added +128.0.0.0-255.255.255.255,default/redis-cart[Deployment],All Connections,No Connections,removed +default/checkoutservice[Deployment],default/currencyservice[Deployment],TCP 7000,No Connections,removed +default/frontend[Deployment],default/adservice[Deployment],TCP 9555,No Connections,removed +default/redis-cart[Deployment],0.0.0.0-255.255.255.255,All Connections,No Connections,removed diff --git a/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.md b/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.md new file mode 100644 index 00000000..1f4b93ad --- /dev/null +++ b/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.md 
@@ -0,0 +1,10 @@ +| source | destination | dir1 | dir2 | diff-type | +|--------|-------------|------|------|-----------| +| default/checkoutservice[Deployment] | default/cartservice[Deployment] | TCP 7070 | TCP 8000 | changed | +| default/checkoutservice[Deployment] | default/emailservice[Deployment] | TCP 8080 | TCP 8080,9555 | changed | +| default/cartservice[Deployment] | default/emailservice[Deployment] | No Connections | TCP 9555 | added | +| default/checkoutservice[Deployment] | default/adservice[Deployment] | No Connections | TCP 9555 | added | +| 128.0.0.0-255.255.255.255 | default/redis-cart[Deployment] | All Connections | No Connections | removed | +| default/checkoutservice[Deployment] | default/currencyservice[Deployment] | TCP 7000 | No Connections | removed | +| default/frontend[Deployment] | default/adservice[Deployment] | TCP 9555 | No Connections | removed | +| default/redis-cart[Deployment] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed | \ No newline at end of file diff --git a/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.txt b/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.txt new file mode 100644 index 00000000..136c98b7 --- /dev/null +++ b/tests/onlineboutique_workloads_changed_netpols/diff_output_from_onlineboutique_workloads.txt 
@@ -0,0 +1,9 @@ +Connectivity diff: +source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed +source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1: TCP 8080, dir2: TCP 8080,9555, diff-type: changed +source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added +source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added +source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed +source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1: TCP 7000, dir2: No Connections, diff-type: removed +source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed +source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed \ No newline at end of file diff --git a/tests/onlineboutique_workloads_changed_netpols/kubernetes-manifests.yaml b/tests/onlineboutique_workloads_changed_netpols/kubernetes-manifests.yaml new file mode 100644 index 00000000..df4f95d5 --- /dev/null +++ b/tests/onlineboutique_workloads_changed_netpols/kubernetes-manifests.yaml 
@@ -0,0 +1,678 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ---------------------------------------------------------- +# WARNING: This file is autogenerated. Do not manually edit. +# ---------------------------------------------------------- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailservice +spec: + selector: + matchLabels: + app: emailservice + template: + metadata: + labels: + app: emailservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/emailservice:v0.1.3 + ports: + - containerPort: 8080 + env: + - name: PORT + value: "8080" + - name: ENABLE_PROFILER + value: "0" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: emailservice +spec: + type: ClusterIP + selector: + app: emailservice + ports: + - name: grpc + port: 5000 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice +spec: + selector: + matchLabels: + app: checkoutservice + template: + metadata: + labels: + app: checkoutservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.1.3 + 
ports: + - containerPort: 5050 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + env: + - name: PORT + value: "5050" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: PAYMENT_SERVICE_ADDR + value: "paymentservice:50051" + - name: EMAIL_SERVICE_ADDR + value: "emailservice:5000" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice +spec: + type: ClusterIP + selector: + app: checkoutservice + ports: + - name: grpc + port: 5050 + targetPort: 5050 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice +spec: + selector: + matchLabels: + app: recommendationservice + template: + metadata: + labels: + app: recommendationservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: ENABLE_PROFILER + value: "0" + resources: + requests: + cpu: 100m + memory: 220Mi + limits: + cpu: 200m + memory: 450Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice +spec: + type: ClusterIP + selector: + app: recommendationservice + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/frontend:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-readiness-probe" + livenessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-liveness-probe" + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: RECOMMENDATION_SERVICE_ADDR + value: "recommendationservice:8080" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: CHECKOUT_SERVICE_ADDR + value: "checkoutservice:5050" + - name: AD_SERVICE_ADDR + value: "adservice:9555" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend +spec: + type: ClusterIP + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-external +spec: + type: LoadBalancer + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paymentservice +spec: + selector: + matchLabels: + app: paymentservice + template: + metadata: + labels: + app: paymentservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: 
gcr.io/google-samples/microservices-demo/paymentservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: paymentservice +spec: + type: ClusterIP + selector: + app: paymentservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice +spec: + selector: + matchLabels: + app: productcatalogservice + template: + metadata: + labels: + app: productcatalogservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.1.3 + ports: + - containerPort: 3550 + env: + - name: PORT + value: "3550" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice +spec: + type: ClusterIP + selector: + app: productcatalogservice + ports: + - name: grpc + port: 3550 + targetPort: 3550 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice +spec: + selector: + matchLabels: + app: cartservice + template: + metadata: + labels: + app: cartservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/cartservice:v0.1.3 + ports: + - containerPort: 7070 + env: + - name: REDIS_ADDR + value: "redis-cart:6379" + - name: PORT + value: "7070" + - name: LISTEN_ADDR + 
value: "0.0.0.0" + resources: + requests: + cpu: 200m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + readinessProbe: + initialDelaySeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice +spec: + type: ClusterIP + selector: + app: cartservice + ports: + - name: grpc + port: 7070 + targetPort: 7070 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 3 + template: + metadata: + labels: + app: loadgenerator + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + terminationGracePeriodSeconds: 5 + restartPolicy: Always + containers: + - name: main + image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.1.3 + env: + - name: FRONTEND_ADDR + value: "frontend:80" + - name: USERS + value: "10" + resources: + requests: + cpu: 300m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice +spec: + selector: + matchLabels: + app: currencyservice + template: + metadata: + labels: + app: currencyservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/currencyservice:v0.1.3 + ports: + - name: grpc + containerPort: 7000 + env: + - name: PORT + value: "7000" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: currencyservice +spec: + type: ClusterIP + selector: + app: currencyservice + ports: + - name: grpc + port: 7000 
+ targetPort: 7000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice +spec: + selector: + matchLabels: + app: shippingservice + template: + metadata: + labels: + app: shippingservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/shippingservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice +spec: + type: ClusterIP + selector: + app: shippingservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + containers: + - name: redis + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: redis + port: 6379 + targetPort: 6379 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice +spec: + selector: + matchLabels: + app: adservice + template: + metadata: + labels: + app: adservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: 
gcr.io/google-samples/microservices-demo/adservice:v0.1.3 + ports: + - containerPort: 9555 + env: + - name: PORT + value: "9555" + #- name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice +spec: + type: ClusterIP + selector: + app: adservice + ports: + - name: grpc + port: 9555 + targetPort: 9555 +--- diff --git a/tests/onlineboutique_workloads_changed_netpols/netpols.yaml b/tests/onlineboutique_workloads_changed_netpols/netpols.yaml new file mode 100644 index 00000000..7cb606ea --- /dev/null +++ b/tests/onlineboutique_workloads_changed_netpols/netpols.yaml 
@@ -0,0 +1,384 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: redis-cart-netpol +spec: + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/1 + podSelector: + matchLabels: + app: redis-cart + policyTypes: + - Ingress + - Egress + +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: frontend-netpol +spec: + egress: # removed egress to adservice + - ports: + - port: 7070 + to: + - podSelector: + matchLabels: + app: cartservice + - ports: + - port: 5050 + to: + - podSelector: + matchLabels: + app: checkoutservice + - ports: + - port: 7000 + to: + - podSelector: + matchLabels: + app: currencyservice + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: recommendationservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: shippingservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: loadgenerator + ports: + - port: 8080 + podSelector: + matchLabels: + app: frontend + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: adservice-netpol +spec: + egress: [] + ingress: # removed ingress from frontend, added ingress from checkoutservice + - from: # new conn + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 9555 + podSelector: + matchLabels: + app: adservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: checkoutservice-netpol +spec: + egress: + - ports: # added egress to adservice + - port: 9555 + to: + - podSelector: + matchLabels: + app: adservice + - ports: + - port: 8000 # changed egress port to cartservice + to: + - podSelector: + matchLabels: + app: cartservice + - ports: + - port: 8080 + - port: 
9555 + to: + - podSelector: + matchLabels: + app: emailservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: paymentservice + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: shippingservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 5050 + podSelector: + matchLabels: + app: checkoutservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: cartservice-netpol +spec: + egress: # added egress + - ports: + - port: 9555 + to: + - podSelector: + matchLabels: + app: emailservice + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 8000 # changed port + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 7070 + podSelector: + matchLabels: + app: cartservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: currencyservice-netpol +spec: + egress: [] + ingress: # removed ingress + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 7000 + podSelector: + matchLabels: + app: currencyservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: emailservice-netpol +spec: + egress: [] + ingress: + - from: # new conn + - podSelector: + matchLabels: + app: cartservice + ports: + - port: 9555 + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 8080 + - port: 9555 # added ingress port to existing conn (changed) + podSelector: + matchLabels: + app: emailservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + 
name: loadgenerator-netpol +spec: + egress: + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: frontend + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: [] + podSelector: + matchLabels: + app: loadgenerator + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: paymentservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 50051 + podSelector: + matchLabels: + app: paymentservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: productcatalogservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 3550 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 3550 + - from: + - podSelector: + matchLabels: + app: recommendationservice + ports: + - port: 3550 + podSelector: + matchLabels: + app: productcatalogservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: recommendationservice-netpol +spec: + egress: + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 8080 + podSelector: + matchLabels: + app: recommendationservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: shippingservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 50051 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 50051 
+ podSelector: + matchLabels: + app: shippingservice + policyTypes: + - Ingress + - Egress diff --git a/tests/onlineboutique_workloads_changed_netpols/ns.yaml b/tests/onlineboutique_workloads_changed_netpols/ns.yaml new file mode 100644 index 00000000..c4eeab18 --- /dev/null +++ b/tests/onlineboutique_workloads_changed_netpols/ns.yaml 
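Review bot: The inline comments on the policies (`# removed egress to adservice`, `# changed port`, `# new conn`, `# added egress`) mark the deviations but nothing in the file says what they deviate from, so a reader has to infer the baseline from the directory name and from the `diff_output_from_onlineboutique_workloads.*` fixture names. A header comment at the top of the file would pin that relationship, e.g. `# Variant of the onlineboutique_workloads NetworkPolicies; the commented lines are the deliberate deltas that diff_output_from_onlineboutique_workloads.{txt,md,csv} encode`. The `ipBlock cidr: 0.0.0.0/1` on `redis-cart-netpol` deserves the same treatment: the expected output shows the baseline admitted ingress from the whole IPv4 range, and halving it is what produces the `128.0.0.0-255.255.255.255 -> redis-cart` removed row, which is not obvious from the policy alone, so `# baseline allows 0.0.0.0/0; restricting to 0.0.0.0/1 yields the "removed" row for 128.0.0.0-255.255.255.255` would help. Any later edit to a policy here has to be mirrored in the expected-output fixtures, and a header comment is the natural place to say so.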
@@ -0,0 +1,81 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:17Z" + labels: + kubernetes.io/metadata.name: default + name: default + resourceVersion: "206" + uid: 6a88b263-54a8-426d-a524-e9cee3b71601 + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"name":"ingress-nginx"}} + creationTimestamp: "2022-08-01T16:58:26Z" + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + resourceVersion: "352" + uid: 29353afa-051f-45d7-a571-8bce2199d25b + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-node-lease + name: kube-node-lease + resourceVersion: "51" + uid: 326c32f3-2032-417f-8a81-968ce5a496bd + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-public + name: kube-public + resourceVersion: "47" + uid: 19efc4d6-0a27-4791-b14e-7833ee5b0d30 + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-system + name: kube-system + resourceVersion: "26" + uid: 731388a9-64e5-4cfb-bffe-1ebe85c8b298 + spec: + finalizers: + - kubernetes + status: + phase: Active +kind: List +metadata: + resourceVersion: "" + selfLink: "" 
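Review bot: The namespace fixture looks like a raw `kind: List` dump from a live cluster and carries metadata that presumably plays no part in the analysis: `uid`, `resourceVersion`, `creationTimestamp`, `selfLink`, the `finalizers`/`status` stanzas and the `kubectl.kubernetes.io/last-applied-configuration` annotation. Trimming each item to `apiVersion`, `kind`, `metadata.name` and `metadata.labels` keeps the fixture readable and avoids committing identifiers copied from a real cluster into test data; I cannot see from this diff which fields the loader reads, so confirm that the namespace labels are all it consumes before trimming. A header comment such as `# minimal namespace list; only names and labels are consumed by the analyzer` would then document the fixture's contract.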
diff --git a/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.csv b/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.csv
new file mode 100644
index 00000000..8436e407
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.csv
@@ -0,0 +1,11 @@
+source,destination,dir1,dir2,diff-type
+default/checkoutservice[Deployment],default/cartservice[Deployment],TCP 7070,TCP 8000,changed
+default/checkoutservice[Deployment],default/emailservice[Deployment],TCP 8080,"TCP 8080,9555",changed
+0.0.0.0-255.255.255.255,default/unicorn[Deployment],No Connections,All Connections,added (workload default/unicorn[Deployment] added)
+default/cartservice[Deployment],default/emailservice[Deployment],No Connections,TCP 9555,added
+default/checkoutservice[Deployment],default/adservice[Deployment],No Connections,TCP 9555,added
+default/unicorn[Deployment],0.0.0.0-255.255.255.255,No Connections,All Connections,added (workload default/unicorn[Deployment] added)
+128.0.0.0-255.255.255.255,default/redis-cart[Deployment],All Connections,No Connections,removed
+default/checkoutservice[Deployment],default/currencyservice[Deployment],TCP 7000,No Connections,removed
+default/frontend[Deployment],default/adservice[Deployment],TCP 9555,No Connections,removed
+default/redis-cart[Deployment],0.0.0.0-255.255.255.255,All Connections,No Connections,removed
diff --git a/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.md b/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.md
new file mode 100644
index 00000000..da9d9dd1
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.md
@@ -0,0 +1,12 @@
+| source | destination | dir1 | dir2 | diff-type |
+|--------|-------------|------|------|-----------|
+| default/checkoutservice[Deployment] | default/cartservice[Deployment] | TCP 7070 | TCP 8000 | changed |
+| default/checkoutservice[Deployment] | default/emailservice[Deployment] | TCP 8080 | TCP 8080,9555 | changed |
+| 0.0.0.0-255.255.255.255 | default/unicorn[Deployment] | No Connections | All Connections | added (workload default/unicorn[Deployment] added) |
+| default/cartservice[Deployment] | default/emailservice[Deployment] | No Connections | TCP 9555 | added |
+| default/checkoutservice[Deployment] | default/adservice[Deployment] | No Connections | TCP 9555 | added |
+| default/unicorn[Deployment] | 0.0.0.0-255.255.255.255 | No Connections | All Connections | added (workload default/unicorn[Deployment] added) |
+| 128.0.0.0-255.255.255.255 | default/redis-cart[Deployment] | All Connections | No Connections | removed |
+| default/checkoutservice[Deployment] | default/currencyservice[Deployment] | TCP 7000 | No Connections | removed |
+| default/frontend[Deployment] | default/adservice[Deployment] | TCP 9555 | No Connections | removed |
+| default/redis-cart[Deployment] | 0.0.0.0-255.255.255.255 | All Connections | No Connections | removed |
\ No newline at end of file
diff --git a/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.txt b/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.txt
new file mode 100644
index 00000000..0d94c4ec
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_netpols_and_workloads/diff_output_from_onlineboutique_workloads.txt
@@ -0,0 +1,11 @@
+Connectivity diff:
+source: default/checkoutservice[Deployment], destination: default/cartservice[Deployment], dir1: TCP 7070, dir2: TCP 8000, diff-type: changed
+source: default/checkoutservice[Deployment], destination: default/emailservice[Deployment], dir1: TCP 8080, dir2: TCP 8080,9555, diff-type: changed
+source: 0.0.0.0-255.255.255.255, destination: default/unicorn[Deployment], dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)
+source: default/cartservice[Deployment], destination: default/emailservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
+source: default/checkoutservice[Deployment], destination: default/adservice[Deployment], dir1: No Connections, dir2: TCP 9555, diff-type: added
+source: default/unicorn[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)
+source: 128.0.0.0-255.255.255.255, destination: default/redis-cart[Deployment], dir1: All Connections, dir2: No Connections, diff-type: removed
+source: default/checkoutservice[Deployment], destination: default/currencyservice[Deployment], dir1: TCP 7000, dir2: No Connections, diff-type: removed
+source: default/frontend[Deployment], destination: default/adservice[Deployment], dir1: TCP 9555, dir2: No Connections, diff-type: removed
+source: default/redis-cart[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: All Connections, dir2: No Connections, diff-type: removed
\ No newline at end of file
diff --git a/tests/onlineboutique_workloads_changed_netpols_and_workloads/kubernetes-manifests.yaml b/tests/onlineboutique_workloads_changed_netpols_and_workloads/kubernetes-manifests.yaml
new file mode 100644
index 00000000..602e4349
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_netpols_and_workloads/kubernetes-manifests.yaml
@@ -0,0 +1,708 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ---------------------------------------------------------- +# WARNING: This file is autogenerated. Do not manually edit. +# ---------------------------------------------------------- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: unicorn +spec: + selector: + matchLabels: + app: unicorn + template: + metadata: + labels: + app: unicorn + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/unicorn:v0.1.3 + ports: + - containerPort: 8080 + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailservice +spec: + selector: + matchLabels: + app: emailservice + template: + metadata: + labels: + app: emailservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/emailservice:v0.1.3 + ports: + - containerPort: 8080 + env: + - name: PORT + value: "8080" + - name: ENABLE_PROFILER + value: "0" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: emailservice +spec: + type: ClusterIP + selector: + app: emailservice + ports: + - name: 
grpc + port: 5000 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice +spec: + selector: + matchLabels: + app: checkoutservice + template: + metadata: + labels: + app: checkoutservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.1.3 + ports: + - containerPort: 5050 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + env: + - name: PORT + value: "5050" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: PAYMENT_SERVICE_ADDR + value: "paymentservice:50051" + - name: EMAIL_SERVICE_ADDR + value: "emailservice:5000" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice +spec: + type: ClusterIP + selector: + app: checkoutservice + ports: + - name: grpc + port: 5050 + targetPort: 5050 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice +spec: + selector: + matchLabels: + app: recommendationservice + template: + metadata: + labels: + app: recommendationservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: 
"productcatalogservice:3550" + - name: ENABLE_PROFILER + value: "0" + resources: + requests: + cpu: 100m + memory: 220Mi + limits: + cpu: 200m + memory: 450Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice +spec: + type: ClusterIP + selector: + app: recommendationservice + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/frontend:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-readiness-probe" + livenessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-liveness-probe" + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: RECOMMENDATION_SERVICE_ADDR + value: "recommendationservice:8080" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: CHECKOUT_SERVICE_ADDR + value: "checkoutservice:5050" + - name: AD_SERVICE_ADDR + value: "adservice:9555" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend +spec: + type: ClusterIP + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-external +spec: + type: LoadBalancer + selector: + 
app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paymentservice +spec: + selector: + matchLabels: + app: paymentservice + template: + metadata: + labels: + app: paymentservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/paymentservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: paymentservice +spec: + type: ClusterIP + selector: + app: paymentservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice +spec: + selector: + matchLabels: + app: productcatalogservice + template: + metadata: + labels: + app: productcatalogservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.1.3 + ports: + - containerPort: 3550 + env: + - name: PORT + value: "3550" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice +spec: + type: ClusterIP + selector: + app: productcatalogservice + ports: + - name: grpc + port: 3550 + targetPort: 3550 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice +spec: + selector: + matchLabels: + app: cartservice + 
template: + metadata: + labels: + app: cartservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/cartservice:v0.1.3 + ports: + - containerPort: 7070 + env: + - name: REDIS_ADDR + value: "redis-cart:6379" + - name: PORT + value: "7070" + - name: LISTEN_ADDR + value: "0.0.0.0" + resources: + requests: + cpu: 200m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + readinessProbe: + initialDelaySeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice +spec: + type: ClusterIP + selector: + app: cartservice + ports: + - name: grpc + port: 7070 + targetPort: 7070 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 3 + template: + metadata: + labels: + app: loadgenerator + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + terminationGracePeriodSeconds: 5 + restartPolicy: Always + containers: + - name: main + image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.1.3 + env: + - name: FRONTEND_ADDR + value: "frontend:80" + - name: USERS + value: "10" + resources: + requests: + cpu: 300m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice +spec: + selector: + matchLabels: + app: currencyservice + template: + metadata: + labels: + app: currencyservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/currencyservice:v0.1.3 + ports: + - name: grpc + containerPort: 7000 + env: + - name: PORT + value: "7000" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] 
+ livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: currencyservice +spec: + type: ClusterIP + selector: + app: currencyservice + ports: + - name: grpc + port: 7000 + targetPort: 7000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice +spec: + selector: + matchLabels: + app: shippingservice + template: + metadata: + labels: + app: shippingservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/shippingservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice +spec: + type: ClusterIP + selector: + app: shippingservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + containers: + - name: redis + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: redis 
+ port: 6379 + targetPort: 6379 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice +spec: + selector: + matchLabels: + app: adservice + template: + metadata: + labels: + app: adservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/adservice:v0.1.3 + ports: + - containerPort: 9555 + env: + - name: PORT + value: "9555" + #- name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice +spec: + type: ClusterIP + selector: + app: adservice + ports: + - name: grpc + port: 9555 + targetPort: 9555 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: shipping-service-config +data: + SHIPPING_ADDR: shipping-service + SHIPPING_PORT: "50051" +--- diff --git a/tests/onlineboutique_workloads_changed_netpols_and_workloads/netpols.yaml b/tests/onlineboutique_workloads_changed_netpols_and_workloads/netpols.yaml new file mode 100644 index 00000000..7cb606ea --- /dev/null +++ b/tests/onlineboutique_workloads_changed_netpols_and_workloads/netpols.yaml 
@@ -0,0 +1,384 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: redis-cart-netpol
+spec:
+ ingress:
+ - from:
+ - ipBlock:
+ cidr: 0.0.0.0/1
+ podSelector:
+ matchLabels:
+ app: redis-cart
+ policyTypes:
+ - Ingress
+ - Egress
+
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: frontend-netpol
+spec:
+ egress: # removed egress to adservice
+ - ports:
+ - port: 7070
+ to:
+ - podSelector:
+ matchLabels:
+ app: cartservice
+ - ports:
+ - port: 5050
+ to:
+ - podSelector:
+ matchLabels:
+ app: checkoutservice
+ - ports:
+ - port: 7000
+ to:
+ - podSelector:
+ matchLabels:
+ app: currencyservice
+ - ports:
+ - port: 3550
+ to:
+ - podSelector:
+ matchLabels:
+ app: productcatalogservice
+ - ports:
+ - port: 8080
+ to:
+ - podSelector:
+ matchLabels:
+ app: recommendationservice
+ - ports:
+ - port: 50051
+ to:
+ - podSelector:
+ matchLabels:
+ app: shippingservice
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: loadgenerator
+ ports:
+ - port: 8080
+ podSelector:
+ matchLabels:
+ app: frontend
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: adservice-netpol
+spec:
+ egress: []
+ ingress: # removed ingress from frontend, added ingress from checkoutservice
+ - from: # new conn
+ - podSelector:
+ matchLabels:
+ app: checkoutservice
+ ports:
+ - port: 9555
+ podSelector:
+ matchLabels:
+ app: adservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: checkoutservice-netpol
+spec:
+ egress:
+ - ports: # added egress to adservice
+ - port: 9555
+ to:
+ - podSelector:
+ matchLabels:
+ app: adservice
+ - ports:
+ - port: 8000 # changed egress port to cartservice
+ to:
+ - podSelector:
+ matchLabels:
+ app: cartservice
+ - ports:
+ - port: 8080
+ - port: 9555
+ to:
+ - podSelector:
+ matchLabels:
+ app: emailservice
+ - ports:
+ - port: 50051
+ to:
+ - podSelector:
+ matchLabels:
+ app: paymentservice
+ - ports:
+ - port: 3550
+ to:
+ - podSelector:
+ matchLabels:
+ app: productcatalogservice
+ - ports:
+ - port: 50051
+ to:
+ - podSelector:
+ matchLabels:
+ app: shippingservice
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ ports:
+ - port: 5050
+ podSelector:
+ matchLabels:
+ app: checkoutservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: cartservice-netpol
+spec:
+ egress: # added egress
+ - ports:
+ - port: 9555
+ to:
+ - podSelector:
+ matchLabels:
+ app: emailservice
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: checkoutservice
+ ports:
+ - port: 8000 # changed port
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ ports:
+ - port: 7070
+ podSelector:
+ matchLabels:
+ app: cartservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: currencyservice-netpol
+spec:
+ egress: []
+ ingress: # removed ingress
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ ports:
+ - port: 7000
+ podSelector:
+ matchLabels:
+ app: currencyservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: emailservice-netpol
+spec:
+ egress: []
+ ingress:
+ - from: # new conn
+ - podSelector:
+ matchLabels:
+ app: cartservice
+ ports:
+ - port: 9555
+ - from:
+ - podSelector:
+ matchLabels:
+ app: checkoutservice
+ ports:
+ - port: 8080
+ - port: 9555 # added ingress port to existing conn (changed)
+ podSelector:
+ matchLabels:
+ app: emailservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: loadgenerator-netpol
+spec:
+ egress:
+ - ports:
+ - port: 8080
+ to:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ingress: []
+ podSelector:
+ matchLabels:
+ app: loadgenerator
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: paymentservice-netpol
+spec:
+ egress: []
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: checkoutservice
+ ports:
+ - port: 50051
+ podSelector:
+ matchLabels:
+ app: paymentservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: productcatalogservice-netpol
+spec:
+ egress: []
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: checkoutservice
+ ports:
+ - port: 3550
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ ports:
+ - port: 3550
+ - from:
+ - podSelector:
+ matchLabels:
+ app: recommendationservice
+ ports:
+ - port: 3550
+ podSelector:
+ matchLabels:
+ app: productcatalogservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: recommendationservice-netpol
+spec:
+ egress:
+ - ports:
+ - port: 3550
+ to:
+ - podSelector:
+ matchLabels:
+ app: productcatalogservice
+ - ports:
+ - port: 53
+ protocol: UDP
+ to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ ports:
+ - port: 8080
+ podSelector:
+ matchLabels:
+ app: recommendationservice
+ policyTypes:
+ - Ingress
+ - Egress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: shippingservice-netpol
+spec:
+ egress: []
+ ingress:
+ - from:
+ - podSelector:
+ matchLabels:
+ app: checkoutservice
+ ports:
+ - port: 50051
+ - from:
+ - podSelector:
+ matchLabels:
+ app: frontend
+ ports:
+ - port: 50051
+ podSelector:
+ matchLabels:
+ app: shippingservice
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/tests/onlineboutique_workloads_changed_netpols_and_workloads/ns.yaml b/tests/onlineboutique_workloads_changed_netpols_and_workloads/ns.yaml
new file mode 100644
index 00000000..c4eeab18
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_netpols_and_workloads/ns.yaml
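Review bot: `redis-cart-netpol` at the top of the hunk is the only policy in this file with no inline comment describing its intent, although it is the one whose effect is least obvious: `policyTypes` lists `Egress` but the policy has no `egress` rules, so all egress from redis-cart is denied, and its single ingress rule has no `ports`, so every port is admitted from `0.0.0.0/1`. The other policies annotate their edits (`# removed egress to adservice`, `# changed port`, `# new conn`); without a similar note here a reader of the fixture cannot tell whether the deny-all egress and the half-range ipBlock are the intended test case or a copy slip. A comment such as `ingress: # ipBlock 0.0.0.0/1, all ports; no egress rules so egress is denied` on the `ingress:` line would settle it. Whether this differs from the dir1 version of the policy cannot be seen from this hunk.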
@@ -0,0 +1,81 @@
+apiVersion: v1
+items:
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ creationTimestamp: "2022-08-01T16:58:17Z"
+ labels:
+ kubernetes.io/metadata.name: default
+ name: default
+ resourceVersion: "206"
+ uid: 6a88b263-54a8-426d-a524-e9cee3b71601
+ spec:
+ finalizers:
+ - kubernetes
+ status:
+ phase: Active
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ annotations:
+ kubectl.kubernetes.io/last-applied-configuration: |
+ {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"name":"ingress-nginx"}}
+ creationTimestamp: "2022-08-01T16:58:26Z"
+ labels:
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ kubernetes.io/metadata.name: ingress-nginx
+ name: ingress-nginx
+ resourceVersion: "352"
+ uid: 29353afa-051f-45d7-a571-8bce2199d25b
+ spec:
+ finalizers:
+ - kubernetes
+ status:
+ phase: Active
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ creationTimestamp: "2022-08-01T16:58:16Z"
+ labels:
+ kubernetes.io/metadata.name: kube-node-lease
+ name: kube-node-lease
+ resourceVersion: "51"
+ uid: 326c32f3-2032-417f-8a81-968ce5a496bd
+ spec:
+ finalizers:
+ - kubernetes
+ status:
+ phase: Active
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ creationTimestamp: "2022-08-01T16:58:16Z"
+ labels:
+ kubernetes.io/metadata.name: kube-public
+ name: kube-public
+ resourceVersion: "47"
+ uid: 19efc4d6-0a27-4791-b14e-7833ee5b0d30
+ spec:
+ finalizers:
+ - kubernetes
+ status:
+ phase: Active
+- apiVersion: v1
+ kind: Namespace
+ metadata:
+ creationTimestamp: "2022-08-01T16:58:16Z"
+ labels:
+ kubernetes.io/metadata.name: kube-system
+ name: kube-system
+ resourceVersion: "26"
+ uid: 731388a9-64e5-4cfb-bffe-1ebe85c8b298
+ spec:
+ finalizers:
+ - kubernetes
+ status:
+ phase: Active
+kind: List
+metadata:
+ resourceVersion: ""
+ selfLink: ""
diff --git a/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.csv b/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.csv
new file mode 100644
index 00000000..56ba2e55
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.csv
@@ -0,0 +1,5 @@
+source,destination,dir1,dir2,diff-type
+0.0.0.0-255.255.255.255,default/unicorn[Deployment],No Connections,All Connections,added (workload default/unicorn[Deployment] added)
+default/redis-cart[Deployment],default/unicorn[Deployment],No Connections,All Connections,added (workload default/unicorn[Deployment] added)
+default/unicorn[Deployment],0.0.0.0-255.255.255.255,No Connections,All Connections,added (workload default/unicorn[Deployment] added)
+default/unicorn[Deployment],default/redis-cart[Deployment],No Connections,All Connections,added (workload default/unicorn[Deployment] added)
diff --git a/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.md b/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.md
new file mode 100644
index 00000000..d8ed7c54
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.md
@@ -0,0 +1,6 @@
+| source | destination | dir1 | dir2 | diff-type |
+|--------|-------------|------|------|-----------|
+| 0.0.0.0-255.255.255.255 | default/unicorn[Deployment] | No Connections | All Connections | added (workload default/unicorn[Deployment] added) |
+| default/redis-cart[Deployment] | default/unicorn[Deployment] | No Connections | All Connections | added (workload default/unicorn[Deployment] added) |
+| default/unicorn[Deployment] | 0.0.0.0-255.255.255.255 | No Connections | All Connections | added (workload default/unicorn[Deployment] added) |
+| default/unicorn[Deployment] | default/redis-cart[Deployment] | No Connections | All Connections | added (workload default/unicorn[Deployment] added) |
\ No newline at end of file
diff --git a/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.txt b/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.txt
new file mode 100644
index 00000000..93be51aa
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_workloads/diff_output_from_onlineboutique_workloads.txt
@@ -0,0 +1,5 @@
+Connectivity diff:
+source: 0.0.0.0-255.255.255.255, destination: default/unicorn[Deployment], dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)
+source: default/redis-cart[Deployment], destination: default/unicorn[Deployment], dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)
+source: default/unicorn[Deployment], destination: 0.0.0.0-255.255.255.255, dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)
+source: default/unicorn[Deployment], destination: default/redis-cart[Deployment], dir1: No Connections, dir2: All Connections, diff-type: added (workload default/unicorn[Deployment] added)
\ No newline at end of file
diff --git a/tests/onlineboutique_workloads_changed_workloads/kubernetes-manifests.yaml b/tests/onlineboutique_workloads_changed_workloads/kubernetes-manifests.yaml
new file mode 100644
index 00000000..602e4349
--- /dev/null
+++ b/tests/onlineboutique_workloads_changed_workloads/kubernetes-manifests.yaml
@@ -0,0 +1,708 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ---------------------------------------------------------- +# WARNING: This file is autogenerated. Do not manually edit. +# ---------------------------------------------------------- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: unicorn +spec: + selector: + matchLabels: + app: unicorn + template: + metadata: + labels: + app: unicorn + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/unicorn:v0.1.3 + ports: + - containerPort: 8080 + +--- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailservice +spec: + selector: + matchLabels: + app: emailservice + template: + metadata: + labels: + app: emailservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/emailservice:v0.1.3 + ports: + - containerPort: 8080 + env: + - name: PORT + value: "8080" + - name: ENABLE_PROFILER + value: "0" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: emailservice +spec: + type: ClusterIP + selector: + app: emailservice + ports: + - name: 
grpc + port: 5000 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice +spec: + selector: + matchLabels: + app: checkoutservice + template: + metadata: + labels: + app: checkoutservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.1.3 + ports: + - containerPort: 5050 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + env: + - name: PORT + value: "5050" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: PAYMENT_SERVICE_ADDR + value: "paymentservice:50051" + - name: EMAIL_SERVICE_ADDR + value: "emailservice:5000" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice +spec: + type: ClusterIP + selector: + app: checkoutservice + ports: + - name: grpc + port: 5050 + targetPort: 5050 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice +spec: + selector: + matchLabels: + app: recommendationservice + template: + metadata: + labels: + app: recommendationservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: 
"productcatalogservice:3550" + - name: ENABLE_PROFILER + value: "0" + resources: + requests: + cpu: 100m + memory: 220Mi + limits: + cpu: 200m + memory: 450Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice +spec: + type: ClusterIP + selector: + app: recommendationservice + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/frontend:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-readiness-probe" + livenessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-liveness-probe" + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: RECOMMENDATION_SERVICE_ADDR + value: "recommendationservice:8080" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: CHECKOUT_SERVICE_ADDR + value: "checkoutservice:5050" + - name: AD_SERVICE_ADDR + value: "adservice:9555" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend +spec: + type: ClusterIP + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-external +spec: + type: LoadBalancer + selector: + 
app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paymentservice +spec: + selector: + matchLabels: + app: paymentservice + template: + metadata: + labels: + app: paymentservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/paymentservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: paymentservice +spec: + type: ClusterIP + selector: + app: paymentservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice +spec: + selector: + matchLabels: + app: productcatalogservice + template: + metadata: + labels: + app: productcatalogservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.1.3 + ports: + - containerPort: 3550 + env: + - name: PORT + value: "3550" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice +spec: + type: ClusterIP + selector: + app: productcatalogservice + ports: + - name: grpc + port: 3550 + targetPort: 3550 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice +spec: + selector: + matchLabels: + app: cartservice + 
template: + metadata: + labels: + app: cartservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/cartservice:v0.1.3 + ports: + - containerPort: 7070 + env: + - name: REDIS_ADDR + value: "redis-cart:6379" + - name: PORT + value: "7070" + - name: LISTEN_ADDR + value: "0.0.0.0" + resources: + requests: + cpu: 200m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + readinessProbe: + initialDelaySeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice +spec: + type: ClusterIP + selector: + app: cartservice + ports: + - name: grpc + port: 7070 + targetPort: 7070 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 3 + template: + metadata: + labels: + app: loadgenerator + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + terminationGracePeriodSeconds: 5 + restartPolicy: Always + containers: + - name: main + image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.1.3 + env: + - name: FRONTEND_ADDR + value: "frontend:80" + - name: USERS + value: "10" + resources: + requests: + cpu: 300m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice +spec: + selector: + matchLabels: + app: currencyservice + template: + metadata: + labels: + app: currencyservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/currencyservice:v0.1.3 + ports: + - name: grpc + containerPort: 7000 + env: + - name: PORT + value: "7000" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] 
+ livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: currencyservice +spec: + type: ClusterIP + selector: + app: currencyservice + ports: + - name: grpc + port: 7000 + targetPort: 7000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice +spec: + selector: + matchLabels: + app: shippingservice + template: + metadata: + labels: + app: shippingservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/shippingservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice +spec: + type: ClusterIP + selector: + app: shippingservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + containers: + - name: redis + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: redis 
+ port: 6379 + targetPort: 6379 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice +spec: + selector: + matchLabels: + app: adservice + template: + metadata: + labels: + app: adservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/adservice:v0.1.3 + ports: + - containerPort: 9555 + env: + - name: PORT + value: "9555" + #- name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice +spec: + type: ClusterIP + selector: + app: adservice + ports: + - name: grpc + port: 9555 + targetPort: 9555 +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: shipping-service-config +data: + SHIPPING_ADDR: shipping-service + SHIPPING_PORT: "50051" +--- diff --git a/tests/onlineboutique_workloads_changed_workloads/netpols.yaml b/tests/onlineboutique_workloads_changed_workloads/netpols.yaml new file mode 100644 index 00000000..13e900ce --- /dev/null +++ b/tests/onlineboutique_workloads_changed_workloads/netpols.yaml 
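Review bot: The banner `# WARNING: This file is autogenerated. Do not manually edit.` kept near the top of this hunk is misleading for this copy: the `unicorn` Deployment placed directly under it (an image under the google-samples path, with no Service and no `env`, probes or resource limits like the other workloads) looks like a hand-added fixture, and the expected outputs added in this commit exist precisely because of it. A reader who follows the banner will not expect the fixture to diverge from the upstream manifests. Consider replacing the banner in this file with a fixture note such as `# Test fixture: the upstream Online Boutique manifests plus a hand-added 'unicorn' Deployment; edit deliberately.`. The same copied banner presumably heads the sibling manifests in tests/onlineboutique_workloads_changed_netpols_and_workloads, whose hunk starts before this chunk.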
@@ -0,0 +1,365 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: frontend-netpol +spec: + egress: + - ports: + - port: 9555 + to: + - podSelector: + matchLabels: + app: adservice + - ports: + - port: 7070 + to: + - podSelector: + matchLabels: + app: cartservice + - ports: + - port: 5050 + to: + - podSelector: + matchLabels: + app: checkoutservice + - ports: + - port: 7000 + to: + - podSelector: + matchLabels: + app: currencyservice + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: recommendationservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: shippingservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: loadgenerator + ports: + - port: 8080 + podSelector: + matchLabels: + app: frontend + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: adservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 9555 + podSelector: + matchLabels: + app: adservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: checkoutservice-netpol +spec: + egress: + - ports: + - port: 7070 + to: + - podSelector: + matchLabels: + app: cartservice + - ports: + - port: 7000 + to: + - podSelector: + matchLabels: + app: currencyservice + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: emailservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: paymentservice + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: shippingservice + - ports: + - port: 53 
+ protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 5050 + podSelector: + matchLabels: + app: checkoutservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: cartservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 7070 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 7070 + podSelector: + matchLabels: + app: cartservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: currencyservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 7000 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 7000 + podSelector: + matchLabels: + app: currencyservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: emailservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 8080 + podSelector: + matchLabels: + app: emailservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: loadgenerator-netpol +spec: + egress: + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: frontend + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: [] + podSelector: + matchLabels: + app: loadgenerator + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: paymentservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: 
+ - port: 50051 + podSelector: + matchLabels: + app: paymentservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: productcatalogservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 3550 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 3550 + - from: + - podSelector: + matchLabels: + app: recommendationservice + ports: + - port: 3550 + podSelector: + matchLabels: + app: productcatalogservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: recommendationservice-netpol +spec: + egress: + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 8080 + podSelector: + matchLabels: + app: recommendationservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: shippingservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 50051 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 50051 + podSelector: + matchLabels: + app: shippingservice + policyTypes: + - Ingress + - Egress diff --git a/tests/onlineboutique_workloads_changed_workloads/ns.yaml b/tests/onlineboutique_workloads_changed_workloads/ns.yaml new file mode 100644 index 00000000..c4eeab18 --- /dev/null +++ b/tests/onlineboutique_workloads_changed_workloads/ns.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:17Z" + labels: + kubernetes.io/metadata.name: default + name: default + resourceVersion: "206" + uid: 6a88b263-54a8-426d-a524-e9cee3b71601 + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"name":"ingress-nginx"}} + creationTimestamp: "2022-08-01T16:58:26Z" + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + resourceVersion: "352" + uid: 29353afa-051f-45d7-a571-8bce2199d25b + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-node-lease + name: kube-node-lease + resourceVersion: "51" + uid: 326c32f3-2032-417f-8a81-968ce5a496bd + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-public + name: kube-public + resourceVersion: "47" + uid: 19efc4d6-0a27-4791-b14e-7833ee5b0d30 + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-system + name: kube-system + resourceVersion: "26" + uid: 731388a9-64e5-4cfb-bffe-1ebe85c8b298 + spec: + finalizers: + - kubernetes + status: + phase: Active +kind: List +metadata: + resourceVersion: "" + selfLink: "" 
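Review bot: The namespace fixture carries cluster-dump fields — `uid`, `resourceVersion`, `creationTimestamp` and the `kubectl.kubernetes.io/last-applied-configuration` annotation — that presumably play no part in policy evaluation, while the inputs the policies in this directory actually depend on are the namespace names and their `kubernetes.io/metadata.name` labels. Trimming each item to `kind`, `metadata.name` and `metadata.labels` would make the fixture's purpose obvious and avoid re-dumping a live cluster whenever a test needs a new namespace. The same applies to tests/onlineboutique_workloads_with_ingress/ns.yaml later in this commit, which is the same blob (index c4eeab18), so one shared fixture would also remove the duplication.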
diff --git a/tests/onlineboutique_workloads_with_ingress/diff_output_from_onlineboutique_workloads.csv b/tests/onlineboutique_workloads_with_ingress/diff_output_from_onlineboutique_workloads.csv
new file mode 100644
index 00000000..ae5b8656
--- /dev/null
+++ b/tests/onlineboutique_workloads_with_ingress/diff_output_from_onlineboutique_workloads.csv
@@ -0,0 +1,3 @@
+source,destination,dir1,dir2,diff-type
+default/redis-cart[Deployment],default/frontend[Deployment],No Connections,TCP 8080,added
+{ingress-controller},default/frontend[Deployment],No Connections,TCP 8080,added
diff --git a/tests/onlineboutique_workloads_with_ingress/ingress.yaml b/tests/onlineboutique_workloads_with_ingress/ingress.yaml
new file mode 100644
index 00000000..be7a3c33
--- /dev/null
+++ b/tests/onlineboutique_workloads_with_ingress/ingress.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: onlineboutique-ingress
+ namespace: default
+spec:
+ rules:
+ - host: demo.localdev.me
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: frontend-external
+ port:
+ number: 8080
+
diff --git a/tests/onlineboutique_workloads_with_ingress/kubernetes-manifests.yaml b/tests/onlineboutique_workloads_with_ingress/kubernetes-manifests.yaml
new file mode 100644
index 00000000..df4f95d5
--- /dev/null
+++ b/tests/onlineboutique_workloads_with_ingress/kubernetes-manifests.yaml
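Review bot: The first expected row, `default/redis-cart[Deployment],default/frontend[Deployment],No Connections,TCP 8080,added`, shows that the with_ingress policy change opens frontend:8080 to every pod in every namespace, not only to the ingress controller: the frontend-netpol in tests/onlineboutique_workloads_with_ingress/netpols.yaml (the hunk further down this commit) adds `- from: - namespaceSelector: {}` with no namespace or pod labels. If the fixture is meant to model "frontend reachable through the ingress", the rule should select the controller's namespace, e.g. `namespaceSelector: matchLabels: kubernetes.io/metadata.name: ingress-nginx` (that label is present in the fixture's ns.yaml), and the redis-cart row would then drop out of this expected output. If the broad rule is deliberate, a comment on that rule in netpols.yaml saying so would keep a later reader from "fixing" it and silently changing this file.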
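Review bot: The backend port `number: 8080` does not match the `frontend-external` Service added in kubernetes-manifests.yaml in this same commit, which exposes `port: 80` with `targetPort: 8080`. An Ingress backend port refers to the Service's port, so a real ingress controller would not resolve this backend; the expected CSV row `{ingress-controller},default/frontend[Deployment],No Connections,TCP 8080,added` presumably passes only because the analyzer matches the pod-side port. Either change the Ingress to `number: 80` — the Service then maps it to container port 8080, so the expected output should be unchanged, which is worth confirming against how the analyzer resolves backends — or add a comment to the fixture stating that the mismatch is intentional.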
@@ -0,0 +1,678 @@ +# Copyright 2018 Google LLC +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +# ---------------------------------------------------------- +# WARNING: This file is autogenerated. Do not manually edit. +# ---------------------------------------------------------- + +apiVersion: apps/v1 +kind: Deployment +metadata: + name: emailservice +spec: + selector: + matchLabels: + app: emailservice + template: + metadata: + labels: + app: emailservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/emailservice:v0.1.3 + ports: + - containerPort: 8080 + env: + - name: PORT + value: "8080" + - name: ENABLE_PROFILER + value: "0" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: emailservice +spec: + type: ClusterIP + selector: + app: emailservice + ports: + - name: grpc + port: 5000 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: checkoutservice +spec: + selector: + matchLabels: + app: checkoutservice + template: + metadata: + labels: + app: checkoutservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/checkoutservice:v0.1.3 + 
ports: + - containerPort: 5050 + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:5050"] + env: + - name: PORT + value: "5050" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: PAYMENT_SERVICE_ADDR + value: "paymentservice:50051" + - name: EMAIL_SERVICE_ADDR + value: "emailservice:5000" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: checkoutservice +spec: + type: ClusterIP + selector: + app: checkoutservice + ports: + - name: grpc + port: 5050 + targetPort: 5050 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: recommendationservice +spec: + selector: + matchLabels: + app: recommendationservice + template: + metadata: + labels: + app: recommendationservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/recommendationservice:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + livenessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:8080"] + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: ENABLE_PROFILER + value: "0" + resources: + requests: + cpu: 100m + memory: 220Mi + limits: + cpu: 200m + memory: 450Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: recommendationservice +spec: + type: ClusterIP + selector: + app: recommendationservice + ports: + - name: grpc + port: 8080 + targetPort: 8080 +--- 
+apiVersion: apps/v1 +kind: Deployment +metadata: + name: frontend +spec: + selector: + matchLabels: + app: frontend + template: + metadata: + labels: + app: frontend + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/frontend:v0.1.3 + ports: + - containerPort: 8080 + readinessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-readiness-probe" + livenessProbe: + initialDelaySeconds: 10 + httpGet: + path: "/_healthz" + port: 8080 + httpHeaders: + - name: "Cookie" + value: "shop_session-id=x-liveness-probe" + env: + - name: PORT + value: "8080" + - name: PRODUCT_CATALOG_SERVICE_ADDR + value: "productcatalogservice:3550" + - name: CURRENCY_SERVICE_ADDR + value: "currencyservice:7000" + - name: CART_SERVICE_ADDR + value: "cartservice:7070" + - name: RECOMMENDATION_SERVICE_ADDR + value: "recommendationservice:8080" + - name: SHIPPING_SERVICE_ADDR + value: "shippingservice:50051" + - name: CHECKOUT_SERVICE_ADDR + value: "checkoutservice:5050" + - name: AD_SERVICE_ADDR + value: "adservice:9555" + # - name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend +spec: + type: ClusterIP + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: v1 +kind: Service +metadata: + name: frontend-external +spec: + type: LoadBalancer + selector: + app: frontend + ports: + - name: http + port: 80 + targetPort: 8080 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: paymentservice +spec: + selector: + matchLabels: + app: paymentservice + template: + metadata: + labels: + app: paymentservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: 
gcr.io/google-samples/microservices-demo/paymentservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: paymentservice +spec: + type: ClusterIP + selector: + app: paymentservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: productcatalogservice +spec: + selector: + matchLabels: + app: productcatalogservice + template: + metadata: + labels: + app: productcatalogservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/productcatalogservice:v0.1.3 + ports: + - containerPort: 3550 + env: + - name: PORT + value: "3550" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:3550"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: productcatalogservice +spec: + type: ClusterIP + selector: + app: productcatalogservice + ports: + - name: grpc + port: 3550 + targetPort: 3550 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cartservice +spec: + selector: + matchLabels: + app: cartservice + template: + metadata: + labels: + app: cartservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/cartservice:v0.1.3 + ports: + - containerPort: 7070 + env: + - name: REDIS_ADDR + value: "redis-cart:6379" + - name: PORT + value: "7070" + - name: LISTEN_ADDR + 
value: "0.0.0.0" + resources: + requests: + cpu: 200m + memory: 64Mi + limits: + cpu: 300m + memory: 128Mi + readinessProbe: + initialDelaySeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] + livenessProbe: + initialDelaySeconds: 15 + periodSeconds: 10 + exec: + command: ["/bin/grpc_health_probe", "-addr=:7070", "-rpc-timeout=5s"] +--- +apiVersion: v1 +kind: Service +metadata: + name: cartservice +spec: + type: ClusterIP + selector: + app: cartservice + ports: + - name: grpc + port: 7070 + targetPort: 7070 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: loadgenerator +spec: + selector: + matchLabels: + app: loadgenerator + replicas: 3 + template: + metadata: + labels: + app: loadgenerator + annotations: + sidecar.istio.io/rewriteAppHTTPProbers: "true" + spec: + terminationGracePeriodSeconds: 5 + restartPolicy: Always + containers: + - name: main + image: gcr.io/google-samples/microservices-demo/loadgenerator:v0.1.3 + env: + - name: FRONTEND_ADDR + value: "frontend:80" + - name: USERS + value: "10" + resources: + requests: + cpu: 300m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: currencyservice +spec: + selector: + matchLabels: + app: currencyservice + template: + metadata: + labels: + app: currencyservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/currencyservice:v0.1.3 + ports: + - name: grpc + containerPort: 7000 + env: + - name: PORT + value: "7000" + readinessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:7000"] + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: currencyservice +spec: + type: ClusterIP + selector: + app: currencyservice + ports: + - name: grpc + port: 7000 
+ targetPort: 7000 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: shippingservice +spec: + selector: + matchLabels: + app: shippingservice + template: + metadata: + labels: + app: shippingservice + spec: + containers: + - name: server + image: gcr.io/google-samples/microservices-demo/shippingservice:v0.1.3 + ports: + - containerPort: 50051 + env: + - name: PORT + value: "50051" + readinessProbe: + periodSeconds: 5 + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] + livenessProbe: + exec: + command: ["/bin/grpc_health_probe", "-addr=:50051"] +# env: +# - name: JAEGER_SERVICE_ADDR +# value: "jaeger-collector:14268" + resources: + requests: + cpu: 100m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: shippingservice +spec: + type: ClusterIP + selector: + app: shippingservice + ports: + - name: grpc + port: 50051 + targetPort: 50051 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis-cart +spec: + selector: + matchLabels: + app: redis-cart + template: + metadata: + labels: + app: redis-cart + spec: + containers: + - name: redis + image: redis:alpine + ports: + - containerPort: 6379 + readinessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + livenessProbe: + periodSeconds: 5 + tcpSocket: + port: 6379 + volumeMounts: + - mountPath: /data + name: redis-data + resources: + limits: + memory: 256Mi + cpu: 125m + requests: + cpu: 70m + memory: 200Mi + volumes: + - name: redis-data + emptyDir: {} +--- +apiVersion: v1 +kind: Service +metadata: + name: redis-cart +spec: + type: ClusterIP + selector: + app: redis-cart + ports: + - name: redis + port: 6379 + targetPort: 6379 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: adservice +spec: + selector: + matchLabels: + app: adservice + template: + metadata: + labels: + app: adservice + spec: + terminationGracePeriodSeconds: 5 + containers: + - name: server + image: 
gcr.io/google-samples/microservices-demo/adservice:v0.1.3 + ports: + - containerPort: 9555 + env: + - name: PORT + value: "9555" + #- name: JAEGER_SERVICE_ADDR + # value: "jaeger-collector:14268" + resources: + requests: + cpu: 200m + memory: 180Mi + limits: + cpu: 300m + memory: 300Mi + readinessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] + livenessProbe: + initialDelaySeconds: 20 + periodSeconds: 15 + exec: + command: ["/bin/grpc_health_probe", "-addr=:9555"] +--- +apiVersion: v1 +kind: Service +metadata: + name: adservice +spec: + type: ClusterIP + selector: + app: adservice + ports: + - name: grpc + port: 9555 + targetPort: 9555 +--- diff --git a/tests/onlineboutique_workloads_with_ingress/netpols.yaml b/tests/onlineboutique_workloads_with_ingress/netpols.yaml new file mode 100644 index 00000000..efc68d1f --- /dev/null +++ b/tests/onlineboutique_workloads_with_ingress/netpols.yaml 
@@ -0,0 +1,369 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: frontend-netpol +spec: + egress: + - ports: + - port: 9555 + to: + - podSelector: + matchLabels: + app: adservice + - ports: + - port: 7070 + to: + - podSelector: + matchLabels: + app: cartservice + - ports: + - port: 5050 + to: + - podSelector: + matchLabels: + app: checkoutservice + - ports: + - port: 7000 + to: + - podSelector: + matchLabels: + app: currencyservice + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: recommendationservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: shippingservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - namespaceSelector: {} + ports: + - port: 8080 + - from: + - podSelector: + matchLabels: + app: loadgenerator + ports: + - port: 8080 + podSelector: + matchLabels: + app: frontend + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: adservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 9555 + podSelector: + matchLabels: + app: adservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: checkoutservice-netpol +spec: + egress: + - ports: + - port: 7070 + to: + - podSelector: + matchLabels: + app: cartservice + - ports: + - port: 7000 + to: + - podSelector: + matchLabels: + app: currencyservice + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: emailservice + - ports: + - port: 50051 + to: + - podSelector: + matchLabels: + app: paymentservice + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 50051 + to: + - podSelector: + 
matchLabels: + app: shippingservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 5050 + podSelector: + matchLabels: + app: checkoutservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: cartservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 7070 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 7070 + podSelector: + matchLabels: + app: cartservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: currencyservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 7000 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 7000 + podSelector: + matchLabels: + app: currencyservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: emailservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 8080 + podSelector: + matchLabels: + app: emailservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: loadgenerator-netpol +spec: + egress: + - ports: + - port: 8080 + to: + - podSelector: + matchLabels: + app: frontend + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: [] + podSelector: + matchLabels: + app: loadgenerator + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: paymentservice-netpol +spec: + egress: [] + ingress: + - from: + - 
podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 50051 + podSelector: + matchLabels: + app: paymentservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: productcatalogservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 3550 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 3550 + - from: + - podSelector: + matchLabels: + app: recommendationservice + ports: + - port: 3550 + podSelector: + matchLabels: + app: productcatalogservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: recommendationservice-netpol +spec: + egress: + - ports: + - port: 3550 + to: + - podSelector: + matchLabels: + app: productcatalogservice + - ports: + - port: 53 + protocol: UDP + to: + - namespaceSelector: {} + podSelector: + matchLabels: + k8s-app: kube-dns + ingress: + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 8080 + podSelector: + matchLabels: + app: recommendationservice + policyTypes: + - Ingress + - Egress +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: shippingservice-netpol +spec: + egress: [] + ingress: + - from: + - podSelector: + matchLabels: + app: checkoutservice + ports: + - port: 50051 + - from: + - podSelector: + matchLabels: + app: frontend + ports: + - port: 50051 + podSelector: + matchLabels: + app: shippingservice + policyTypes: + - Ingress + - Egress diff --git a/tests/onlineboutique_workloads_with_ingress/ns.yaml b/tests/onlineboutique_workloads_with_ingress/ns.yaml new file mode 100644 index 00000000..c4eeab18 --- /dev/null +++ b/tests/onlineboutique_workloads_with_ingress/ns.yaml 
@@ -0,0 +1,81 @@ +apiVersion: v1 +items: +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:17Z" + labels: + kubernetes.io/metadata.name: default + name: default + resourceVersion: "206" + uid: 6a88b263-54a8-426d-a524-e9cee3b71601 + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + annotations: + kubectl.kubernetes.io/last-applied-configuration: | + {"apiVersion":"v1","kind":"Namespace","metadata":{"annotations":{},"labels":{"app.kubernetes.io/instance":"ingress-nginx","app.kubernetes.io/name":"ingress-nginx"},"name":"ingress-nginx"}} + creationTimestamp: "2022-08-01T16:58:26Z" + labels: + app.kubernetes.io/instance: ingress-nginx + app.kubernetes.io/name: ingress-nginx + kubernetes.io/metadata.name: ingress-nginx + name: ingress-nginx + resourceVersion: "352" + uid: 29353afa-051f-45d7-a571-8bce2199d25b + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-node-lease + name: kube-node-lease + resourceVersion: "51" + uid: 326c32f3-2032-417f-8a81-968ce5a496bd + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-public + name: kube-public + resourceVersion: "47" + uid: 19efc4d6-0a27-4791-b14e-7833ee5b0d30 + spec: + finalizers: + - kubernetes + status: + phase: Active +- apiVersion: v1 + kind: Namespace + metadata: + creationTimestamp: "2022-08-01T16:58:16Z" + labels: + kubernetes.io/metadata.name: kube-system + name: kube-system + resourceVersion: "26" + uid: 731388a9-64e5-4cfb-bffe-1ebe85c8b298 + spec: + finalizers: + - kubernetes + status: + phase: Active +kind: List +metadata: + resourceVersion: "" + selfLink: ""