Skip to content

Commit

Permalink
feedback
Browse files Browse the repository at this point in the history
  • Loading branch information
@Peac36
Peac36 committed Aug 11, 2024
1 parent 33ca86b commit 33629db
Show file tree
Hide file tree
Showing 21 changed files with 246 additions and 299 deletions.
62 changes: 51 additions & 11 deletions cmd/policy-assistant/pkg/cli/analyze.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -5,6 +5,8 @@ import (
"github.com/mattfenwick/cyclonus/examples"
"github.com/mattfenwick/cyclonus/pkg/kube/netpol"
"golang.org/x/net/context"
"k8s.io/apimachinery/pkg/runtime/schema"
"k8s.io/client-go/kubernetes"
"sigs.k8s.io/network-policy-api/apis/v1alpha1"
"strings"
"time"
Expand Down Expand Up @@ -40,6 +42,8 @@ var AllModes = []string{
ProbeMode,
}

const DefaultTimeout = 180

type AnalyzeArgs struct {
AllNamespaces bool
Namespaces []string
Expand All @@ -58,6 +62,8 @@ type AnalyzeArgs struct {

// synthetic probe
ProbePath string

Timeout int
}

func SetupAnalyzeCommand() *cobra.Command {
Expand Down Expand Up @@ -85,17 +91,19 @@ func SetupAnalyzeCommand() *cobra.Command {
command.Flags().StringVar(&args.TrafficPath, "traffic-path", "", "path to json traffic file, containing of a list of traffic objects")
command.Flags().StringVar(&args.ProbePath, "probe-path", "", "path to json model file for synthetic probe")

command.Flags().IntVar(&args.Timeout, "timeout", DefaultTimeout, "timeout time in seconds")

return command
}

func RunAnalyzeCommand(args *AnalyzeArgs) {
// 1. read policies from kube
var kubePolicies []*networkingv1.NetworkPolicy
var kubeANPs []*v1alpha1.AdminNetworkPolicy
var kubeBANPs *v1alpha1.BaselineAdminNetworkPolicy
var kubeBANP *v1alpha1.BaselineAdminNetworkPolicy
var kubePods []v1.Pod
var kubeNamespaces []v1.Namespace
var netErr, anpErr, banpErr error
var netpolErr, anpErr, banpErr error
if args.AllNamespaces || len(args.Namespaces) > 0 {
kubeClient, err := kube.NewKubernetesForContext(args.Context)
utils.DoOrDie(err)
Expand All @@ -108,20 +116,21 @@ func RunAnalyzeCommand(args *AnalyzeArgs) {
namespaces = []string{v1.NamespaceAll}
}

//TODO: add a flag for the timeout
ctx, cancel := context.WithTimeout(context.TODO(), 15*time.Second)
includeANPS, includeBANPSs := shouldIncludeANPandBANP(kubeClient.ClientSet)

ctx, cancel := context.WithTimeout(context.TODO(), time.Duration(args.Timeout)*time.Second)
defer cancel()

kubePolicies, kubeANPs, kubeBANPs, netErr, anpErr, banpErr = kube.ReadNetworkPoliciesFromKube(ctx, kubeClient, namespaces)
kubePolicies, kubeANPs, kubeBANP, netpolErr, anpErr, banpErr = kube.ReadNetworkPoliciesFromKube(ctx, kubeClient, namespaces, includeANPS, includeBANPSs)

if netErr != nil {
if netpolErr != nil {
logrus.Errorf("unable to read network policies from kube, ns '%s': %+v", namespaces, err)
}
if anpErr != nil {
fmt.Printf("Unable to fetch admin network policies: %s \n", anpErr)
logrus.Errorf("Unable to fetch admin network policies: %s \n", anpErr)
}
if banpErr != nil {
fmt.Printf("Unable to fetch base admin network policies: %s \n", banpErr)
logrus.Errorf("Unable to fetch base admin network policies: %s \n", banpErr)
}
}
// 2. read policies from file
Expand All @@ -130,18 +139,24 @@ func RunAnalyzeCommand(args *AnalyzeArgs) {
utils.DoOrDie(err)
kubePolicies = append(kubePolicies, policiesFromPath...)
kubeANPs = append(kubeANPs, anpsFromPath...)
kubeBANPs = banpFromPath
if banpFromPath != nil && kubeBANP != nil {
logrus.Debugf("More that one banp parsed - setting banp from file")
}
kubeBANP = banpFromPath
}
// 3. read example policies
if args.UseExamplePolicies {
kubePolicies = append(kubePolicies, netpol.AllExamples...)

kubeANPs = append(kubeANPs, examples.CoreGressRulesCombinedANB...)
kubeBANPs = kubeBANPs
if kubeBANP != nil {
logrus.Debugf("More that onew banp parsed - setting banp from the examples")
}
kubeBANP = examples.CoreGressRulesCombinedBANB
}

logrus.Debugf("parsed policies:\n%s", json.MustMarshalToString(kubePolicies))
policies := matcher.BuildV1AndV2NetPols(args.SimplifyPolicies, kubePolicies, kubeANPs, kubeBANPs)
policies := matcher.BuildV1AndV2NetPols(args.SimplifyPolicies, kubePolicies, kubeANPs, kubeBANP)

for _, mode := range args.Modes {
switch mode {
Expand Down Expand Up @@ -316,3 +331,28 @@ func ProbeSyntheticConnectivity(explainedPolicies *matcher.Policy, modelPath str
fmt.Printf("Egress:\n%s\n", simulatedProbe.RenderEgress())
fmt.Printf("Combined:\n%s\n\n\n", simulatedProbe.RenderTable())
}

func shouldIncludeANPandBANP(client *kubernetes.Clientset) (bool, bool) {
var includeANP, includeBANP bool
_, resources, _, err := client.DiscoveryClient.GroupsAndMaybeResources()
if err != nil {
logrus.Errorf("Unable to fetch all registered resources: %s", err)
return includeANP, includeBANP
}
gv := schema.GroupVersion{Group: "policy.networking.k8s.io", Version: "v1alpha1"}

if groupResources, ok := resources[gv]; ok {
for _, res := range groupResources.APIResources {
switch res.Kind {
case "AdminNetworkPolicy":
includeANP = true
case "BaselineAdminNetworkPolicy":
includeBANP = true
default:
panic(fmt.Sprintf("unexpected resource kind %s", res.Kind))
}
}
}

return includeANP, includeBANP
}
88 changes: 53 additions & 35 deletions cmd/policy-assistant/pkg/kube/ikubernetes.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import (
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"math/rand"
v1alpha12 "sigs.k8s.io/network-policy-api/apis/v1alpha1"
"sigs.k8s.io/network-policy-api/apis/v1alpha1"
)

type IKubernetes interface {
Expand All @@ -30,8 +30,15 @@ type IKubernetes interface {
DeleteService(namespace string, name string) error
GetServicesInNamespace(namespace string) ([]v1.Service, error)

GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error)
GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error)
GetAdminNetworkPolicies(ctx context.Context) ([]v1alpha1.AdminNetworkPolicy, error)
CreateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error)
UpdateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error)
DeleteAdminNetworkPolicy(ctx context.Context, name string) error

GetBaseAdminNetworkPolicies(ctx context.Context) ([]v1alpha1.BaselineAdminNetworkPolicy, error)
CreateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error)
UpdateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error)
DeleteBaselineAdminNetworkPolicy(ctx context.Context, name string) error

CreatePod(kubePod *v1.Pod) (*v1.Pod, error)
GetPod(namespace string, pod string) (*v1.Pod, error)
Expand Down Expand Up @@ -88,12 +95,12 @@ func GetServicesInNamespaces(kubernetes IKubernetes, namespaces []string) ([]v1.
return allServices, nil
}

func GetAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) ([]v1alpha12.AdminNetworkPolicy, error) {
return kubernetes.GetAdminNetworkPoliciesInNamespace(ctx)
func GetAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) ([]v1alpha1.AdminNetworkPolicy, error) {
return kubernetes.GetAdminNetworkPolicies(ctx)
}

func GetBaseAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) (v1alpha12.BaselineAdminNetworkPolicy, error) {
return kubernetes.GetBaseAdminNetworkPoliciesInNamespace(ctx)
func GetBaseAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) ([]v1alpha1.BaselineAdminNetworkPolicy, error) {
return kubernetes.GetBaseAdminNetworkPolicies(ctx)
}

type MockNamespace struct {
Expand All @@ -104,12 +111,14 @@ type MockNamespace struct {
}

type MockKubernetes struct {
AdminNetworkPolicies func() ([]v1alpha12.AdminNetworkPolicy, error)
BaseNetworkPolicies func() (v1alpha12.BaselineAdminNetworkPolicy, error)
NetworkPolicies func() ([]networkingv1.NetworkPolicy, error)
Namespaces map[string]*MockNamespace
passRate float64
podID int
AdminNetworkPolicies []v1alpha1.AdminNetworkPolicy
AdminNetworkPolicyError error
BaseNetworkPolicies []v1alpha1.BaselineAdminNetworkPolicy
BaseAdminNetworkPolicyError error
Namespaces map[string]*MockNamespace
NetworkPolicyError error
passRate float64
podID int
}

func NewMockKubernetes(passRate float64) *MockKubernetes {
Expand Down Expand Up @@ -208,14 +217,8 @@ func (m *MockKubernetes) DeleteNetworkPolicy(ns string, name string) error {
}

func (m *MockKubernetes) GetNetworkPoliciesInNamespace(ctx context.Context, namespace string) ([]networkingv1.NetworkPolicy, error) {
select {
case <-ctx.Done():
return nil, ctx.Err()
default:
res, err := m.NetworkPolicies()
if res != nil || err != nil {
return res, err
}
if m.NetworkPolicyError != nil {
return nil, m.NetworkPolicyError
}

nsObject, err := m.getNamespaceObject(namespace)
Expand Down Expand Up @@ -390,21 +393,36 @@ func (m *MockKubernetes) ExecuteRemoteCommand(namespace string, pod string, cont
return "", "", nil, nil
}

func (m *MockKubernetes) GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error) {
select {
default:
return m.AdminNetworkPolicies()
case <-ctx.Done():
return []v1alpha12.AdminNetworkPolicy{}, ctx.Err()
}
func (m *MockKubernetes) GetAdminNetworkPolicies(ctx context.Context) ([]v1alpha1.AdminNetworkPolicy, error) {
return m.AdminNetworkPolicies, m.AdminNetworkPolicyError
}

func (k *MockKubernetes) CreateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (m *MockKubernetes) GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error) {
select {
default:
return m.BaseNetworkPolicies()
case <-ctx.Done():
return v1alpha12.BaselineAdminNetworkPolicy{}, ctx.Err()
}
func (k *MockKubernetes) UpdateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *MockKubernetes) DeleteAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}

func (m *MockKubernetes) GetBaseAdminNetworkPolicies(ctx context.Context) ([]v1alpha1.BaselineAdminNetworkPolicy, error) {
return m.BaseNetworkPolicies, m.BaseAdminNetworkPolicyError
}

func (k *MockKubernetes) CreateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *MockKubernetes) UpdateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *MockKubernetes) DeleteBaselineAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}
38 changes: 31 additions & 7 deletions cmd/policy-assistant/pkg/kube/kubernetes.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ import (
"k8s.io/client-go/tools/remotecommand"
)

var ErrNotImplemented = errors.New("Not implemented")

type Kubernetes struct {
ClientSet *kubernetes.Clientset
alphaClientSet *v1alpha1.PolicyV1alpha1Client
Expand Down Expand Up @@ -109,24 +111,46 @@ func (k *Kubernetes) GetNetworkPoliciesInNamespace(ctx context.Context, namespac
return netpolList.Items, nil
}

func (k *Kubernetes) GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error) {
func (k *Kubernetes) GetAdminNetworkPolicies(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error) {
anps, err := k.alphaClientSet.AdminNetworkPolicies().List(ctx, metav1.ListOptions{})
if err != nil {
return nil, err
}
return anps.Items, nil
}

func (k *Kubernetes) GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error) {
func (k *Kubernetes) CreateAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.AdminNetworkPolicy) (*v1alpha12.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) UpdateAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.AdminNetworkPolicy) (*v1alpha12.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) DeleteAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}

func (k *Kubernetes) GetBaseAdminNetworkPolicies(ctx context.Context) ([]v1alpha12.BaselineAdminNetworkPolicy, error) {
banp, err := k.alphaClientSet.BaselineAdminNetworkPolicies().List(ctx, metav1.ListOptions{})
if err != nil {
return v1alpha12.BaselineAdminNetworkPolicy{}, err
}
if len(banp.Items) > 0 {
return banp.Items[0], nil
return nil, err
}
return v1alpha12.BaselineAdminNetworkPolicy{}, errors.New("BANP not found")
return banp.Items, nil
}

func (k *Kubernetes) CreateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.BaselineAdminNetworkPolicy) (*v1alpha12.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) UpdateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.BaselineAdminNetworkPolicy) (*v1alpha12.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) DeleteBaselineAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}

func (k *Kubernetes) UpdateNetworkPolicy(policy *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, error) {
Expand Down
Loading

0 comments on commit 33629db

Please sign in to comment.