ingress support in the ingress analyzer (#175)

* ingress support in the ingress analyzer
np-guard · Jul 26, 2023 · 9b5ee36 · 9b5ee36
1 parent daf7353
commit 9b5ee36
Show file tree

Hide file tree

Showing 80 changed files with 2,325 additions and 548 deletions.
diff --git a/.golangci.yml b/.golangci.yml
@@ -105,6 +105,7 @@ issues:
  - revive
  - goconst
  - funlen
+ - errcheck
 
 run:
  timeout: 5m
diff --git a/README.md b/README.md
@@ -44,7 +44,8 @@ Global Flags:
 
 ### List command
 ```
-Lists all allowed connections based on the workloads and network policies defined.
+Lists all allowed connections based on the workloads, network policies, and Ingress/Route resources defined.
+
 Connections between workload to itself are excluded from the output.
 
 Usage:
@@ -102,6 +103,8 @@ default/redis-cart[Deployment] => 0.0.0.0-255.255.255.255 : All Connections
 
 ```
 
+Additional details about the connectivity analysis and its output is specified [here](docs/connlist_output.md).
+
 ## Build the project
 
 Make sure you have golang 1.19+ on your platform

diff --git a/cmd/netpolicy/cmd/list.go b/cmd/netpolicy/cmd/list.go
@@ -59,7 +59,7 @@ func newCommandList() *cobra.Command {
  c := &cobra.Command{
  Use: "list",
  Short: "Lists all allowed connections",
- Long: `Lists all allowed connections based on the workloads and network policies
+ Long: `Lists all allowed connections based on the workloads, network policies, and Ingress/Route resources
 defined`,
  Example: ` # Get list of allowed connections from resources dir path
  k8snetpolicy list --dirpath ./resources_dir/ 

diff --git a/docs/connlist_output.md b/docs/connlist_output.md
@@ -0,0 +1,16 @@
+# List command - connectivity analysis output
+
+Resource manifests considered for a connectivity analysis:
+- workload resources (such as Kubernetes Pod / Deployment)
+- Kubernetes NetworkPolicy
+- Kubernetes Ingress
+- Openshift Route
+
+The connectivity output consists of lines of the form: `src` => `dst` : `connections`
+
+For connections inferred from network policy resources only, the `src` and `dst` are workloads or external IP-blocks.
+
+For Ingress/Route analysis, the `src` is specified as `{ingress-controller}`, representing the cluster's ingress controller Pod.
+Its connectivity lines are of the form: `{ingress-controller}` => `dst` : `connections`, where `dst` is a workload in the cluster.
+This analysis is currently activated only with `--dir-path` flag, and not on a live cluster.
+It assumes that the ingress controller Pod is unknown, and thus using this notation of `{ingress-controller}`.
diff --git a/...eval/internal/k8s/CanonicalIntervalSet.go → pkg/netpol/common/CanonicalIntervalSet.go b/...eval/internal/k8s/CanonicalIntervalSet.go → pkg/netpol/common/CanonicalIntervalSet.go
@@ -1,4 +1,4 @@
-package k8s
+package common
 
 import (
  "fmt"

diff --git a/pkg/netpol/common/connection.go b/pkg/netpol/common/connection.go
@@ -0,0 +1,26 @@
+package common
+
+import (
+ v1 "k8s.io/api/core/v1"
+)
+
+// Connection represents a set of allowed connections between two peers
+type Connection interface {
+ // ProtocolsAndPortsMap returns the set of allowed connections
+ ProtocolsAndPortsMap() map[v1.Protocol][]PortRange
+ // AllConnections returns true if all ports are allowed for all protocols
+ AllConnections() bool
+ // IsEmpty returns true if no connection is allowed
+ IsEmpty() bool
+}
+
+// PortRange describes a port or a range of ports for allowed traffic
+// If start port equals end port, it represents a single port
+type PortRange interface {
+ // Start is the start port
+ Start() int64
+ // End is the end port
+ End() int64
+ // String returns a string representation of the PortRange object
+ String() string
+}
diff --git a/...netpol/eval/internal/k8s/connectionset.go → pkg/netpol/common/connectionset.go b/...netpol/eval/internal/k8s/connectionset.go → pkg/netpol/common/connectionset.go
@@ -11,7 +11,7 @@
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.
-package k8s
+package common
 
 import (
  "fmt"
@@ -23,21 +23,22 @@ import (
 )
 
 // ConnectionSet represents a set of allowed connections between two peers on a k8s env
+// and implements Connection interface
 type ConnectionSet struct {
  AllowAll bool
  AllowedProtocols map[v1.Protocol]*PortSet // map from protocol name to set of allowed ports
 }
 
-// MakeConnectionSet returns a ConnectionSet object with all connections or no connections
-func MakeConnectionSet(all bool) ConnectionSet {
+// MakeConnectionSet returns a pointer to ConnectionSet object with all connections or no connections
+func MakeConnectionSet(all bool) *ConnectionSet {
  if all {
- return ConnectionSet{AllowAll: true, AllowedProtocols: map[v1.Protocol]*PortSet{}}
+ return &ConnectionSet{AllowAll: true, AllowedProtocols: map[v1.Protocol]*PortSet{}}
  }
- return ConnectionSet{AllowedProtocols: map[v1.Protocol]*PortSet{}}
+ return &ConnectionSet{AllowedProtocols: map[v1.Protocol]*PortSet{}}
 }
 
 // Intersection updates ConnectionSet object to be the intersection result with other ConnectionSet
-func (conn *ConnectionSet) Intersection(other ConnectionSet) {
+func (conn *ConnectionSet) Intersection(other *ConnectionSet) {
  if other.AllowAll {
  return
  }
@@ -92,7 +93,7 @@ func (conn *ConnectionSet) checkIfAllConnections() {
 }
 
 // Union updates ConnectionSet object to be the union result with other ConnectionSet
-func (conn *ConnectionSet) Union(other ConnectionSet) {
+func (conn *ConnectionSet) Union(other *ConnectionSet) {
  if conn.AllowAll || other.IsEmpty() {
  return
  }
@@ -133,7 +134,7 @@ func (conn *ConnectionSet) Contains(port, protocol string) bool {
 }
 
 // ContainedIn returns true if current ConnectionSet is conatained in the input ConnectionSet object
-func (conn *ConnectionSet) ContainedIn(other ConnectionSet) bool {
+func (conn *ConnectionSet) ContainedIn(other *ConnectionSet) bool {
  if other.AllowAll {
  return true
  }
@@ -181,7 +182,7 @@ func (conn *ConnectionSet) String() string {
 }
 
 // Equal returns true if the current ConnectionSet object is equal to the input object
-func (conn *ConnectionSet) Equal(other ConnectionSet) bool {
+func (conn *ConnectionSet) Equal(other *ConnectionSet) bool {
  if conn.AllowAll != other.AllowAll {
  return false
  }
@@ -200,7 +201,7 @@ func (conn *ConnectionSet) Equal(other ConnectionSet) bool {
  return true
 }
 
-// portRange implements the eval.PortRange interface
+// portRange implements the PortRange interface
 type portRange struct {
  start int64
  end int64
@@ -222,10 +223,10 @@ func (p *portRange) String() string {
 }
 
 // ProtocolsAndPortsMap() returns a map from allowed protocol to list of allowed ports ranges.
-func (conn *ConnectionSet) ProtocolsAndPortsMap() map[v1.Protocol][]*portRange {
- res := map[v1.Protocol][]*portRange{}
+func (conn *ConnectionSet) ProtocolsAndPortsMap() map[v1.Protocol][]PortRange {
+ res := make(map[v1.Protocol][]PortRange, 0)
  for protocol, portSet := range conn.AllowedProtocols {
- res[protocol] = []*portRange{}
+ res[protocol] = make([]PortRange, 0)
  // TODO: consider leave the slice of ports empty if portSet covers the full range
  for i := range portSet.Ports.IntervalSet {
  startPort := portSet.Ports.IntervalSet[i].Start
@@ -236,3 +237,8 @@ func (conn *ConnectionSet) ProtocolsAndPortsMap() map[v1.Protocol][]*portRange {
  }
  return res
 }
+
+// AllConnections returns true if all ports are allowed for all protocols
+func (conn *ConnectionSet) AllConnections() bool {
+ return conn.AllowAll
+}
diff --git a/...etpol/eval/internal/k8s/intervals_test.go → pkg/netpol/common/intervals_test.go b/...etpol/eval/internal/k8s/intervals_test.go → pkg/netpol/common/intervals_test.go
@@ -1,4 +1,4 @@
-package k8s
+package common
 
 import (
  "testing"

diff --git a/pkg/netpol/eval/internal/k8s/portset.go → pkg/netpol/common/portset.go b/pkg/netpol/eval/internal/k8s/portset.go → pkg/netpol/common/portset.go
@@ -1,4 +1,4 @@
-package k8s
+package common
 
 import (
  "reflect"