analyze: start parsing anps and banp from kube server or path

kubernetes-sigs · Jul 11, 2024 · 33ca86b · 33ca86b
1 parent 964c353
commit 33ca86b
Show file tree

Hide file tree

Showing 11 changed files with 650 additions and 52 deletions.
diff --git a/cmd/policy-assistant/anps/anp-list.yaml b/cmd/policy-assistant/anps/anp-list.yaml
@@ -0,0 +1,39 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicyList
+Items:
+  - apiVersion: policy.networking.k8s.io/v1alpha1
+    kind: AdminNetworkPolicy
+    metadata:
+      name: egress-sctp
+    spec:
+      priority: 3
+      subject:
+        namespaces:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+      egress:
+        - name: "allow-to-gryffindor-everything"
+          action: "Allow"
+          to:
+            - namespaces:
+                namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+  - apiVersion: policy.networking.k8s.io/v1alpha1
+    kind: AdminNetworkPolicy
+    metadata:
+      name: gress-rules
+    spec:
+      priority: 15
+      subject:
+        namespaces:
+          matchLabels:
+            kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+      egress:
+        - name: "allow-to-ravenclaw-everything"
+          action: "Allow"
+          to:
+            - namespaces:
+                namespaceSelector:
+                  matchLabels:
+                    kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
diff --git a/cmd/policy-assistant/anps/anp.yaml b/cmd/policy-assistant/anps/anp.yaml
@@ -0,0 +1,72 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: AdminNetworkPolicy
+metadata:
+  name: egress-sctp
+spec:
+  priority: 8
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  egress:
+    - name: "allow-to-gryffindor-everything"
+      action: "Allow"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    - name: "deny-to-gryffindor-everything"
+      action: "Deny"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    - name: "pass-to-gryffindor-everything"
+      action: "Pass"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    - name: "deny-to-slytherin-at-port-9003"
+      action: "Deny"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-slytherin
+      ports:
+        - portNumber:
+            protocol: SCTP
+            port: 9003
+    - name: "pass-to-slytherin-at-port-9003"
+      action: "Pass"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-slytherin
+      ports:
+        - portNumber:
+            protocol: SCTP
+            port: 9003
+    - name: "allow-to-hufflepuff-at-port-9003"
+      action: "Allow"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+      ports:
+        - portNumber:
+            protocol: SCTP
+            port: 9003
+    - name: "deny-to-hufflepuff-everything-else"
+      action: "Deny"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
diff --git a/cmd/policy-assistant/banp/banp.yaml b/cmd/policy-assistant/banp/banp.yaml
@@ -0,0 +1,53 @@
+apiVersion: policy.networking.k8s.io/v1alpha1
+kind: BaselineAdminNetworkPolicy
+metadata:
+  name: default
+spec:
+  subject:
+    namespaces:
+      matchLabels:
+        kubernetes.io/metadata.name: network-policy-conformance-ravenclaw
+  egress:
+    - name: "allow-to-gryffindor-everything"
+      action: "Allow"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    - name: "deny-to-gryffindor-everything"
+      action: "Deny"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-gryffindor
+    - name: "deny-to-slytherin-at-port-9003"
+      action: "Deny"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-slytherin
+      ports:
+        - portNumber:
+            protocol: SCTP
+            port: 9003
+    - name: "allow-to-hufflepuff-at-port-9003"
+      action: "Allow"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
+      ports:
+        - portNumber:
+            protocol: SCTP
+            port: 9003
+    - name: "deny-to-hufflepuff-everything-else"
+      action: "Deny"
+      to:
+        - namespaces:
+            namespaceSelector:
+              matchLabels:
+                kubernetes.io/metadata.name: network-policy-conformance-hufflepuff
diff --git a/cmd/policy-assistant/pkg/cli/analyze.go b/cmd/policy-assistant/pkg/cli/analyze.go
@@ -4,8 +4,10 @@ import (
 	"fmt"
 	"github.com/mattfenwick/cyclonus/examples"
 	"github.com/mattfenwick/cyclonus/pkg/kube/netpol"
+	"golang.org/x/net/context"
 	"sigs.k8s.io/network-policy-api/apis/v1alpha1"
 	"strings"
+	"time"
 
 	"github.com/mattfenwick/collections/pkg/json"
 	"github.com/mattfenwick/cyclonus/pkg/connectivity/probe"
@@ -93,6 +95,7 @@ func RunAnalyzeCommand(args *AnalyzeArgs) {
 	var kubeBANPs *v1alpha1.BaselineAdminNetworkPolicy
 	var kubePods []v1.Pod
 	var kubeNamespaces []v1.Namespace
+	var netErr, anpErr, banpErr error
 	if args.AllNamespaces || len(args.Namespaces) > 0 {
 		kubeClient, err := kube.NewKubernetesForContext(args.Context)
 		utils.DoOrDie(err)
@@ -104,27 +107,37 @@ func RunAnalyzeCommand(args *AnalyzeArgs) {
 			kubeNamespaces = nsList.Items
 			namespaces = []string{v1.NamespaceAll}
 		}
-		kubePolicies, err = kube.ReadNetworkPoliciesFromKube(kubeClient, namespaces)
-		if err != nil {
+
+		//TODO: add a flag for the timeout
+		ctx, cancel := context.WithTimeout(context.TODO(), 15*time.Second)
+		defer cancel()
+
+		kubePolicies, kubeANPs, kubeBANPs, netErr, anpErr, banpErr = kube.ReadNetworkPoliciesFromKube(ctx, kubeClient, namespaces)
+
+		if netErr != nil {
 			logrus.Errorf("unable to read network policies from kube, ns '%s': %+v", namespaces, err)
 		}
-		kubePods, err = kube.GetPodsInNamespaces(kubeClient, namespaces)
-		if err != nil {
-			logrus.Errorf("unable to read pods from kube, ns '%s': %+v", namespaces, err)
+		if anpErr != nil {
+			fmt.Printf("Unable to fetch admin network policies: %s \n", anpErr)
+		}
+		if banpErr != nil {
+			fmt.Printf("Unable to fetch base admin network policies: %s \n", banpErr)
 		}
 	}
 	// 2. read policies from file
 	if args.PolicyPath != "" {
-		policiesFromPath, err := kube.ReadNetworkPoliciesFromPath(args.PolicyPath)
+		policiesFromPath, anpsFromPath, banpFromPath, err := kube.ReadNetworkPoliciesFromPath(args.PolicyPath)
 		utils.DoOrDie(err)
 		kubePolicies = append(kubePolicies, policiesFromPath...)
+		kubeANPs = append(kubeANPs, anpsFromPath...)
+		kubeBANPs = banpFromPath
 	}
 	// 3. read example policies
 	if args.UseExamplePolicies {
 		kubePolicies = append(kubePolicies, netpol.AllExamples...)
 
-		kubeANPs = examples.CoreGressRulesCombinedANB
-		kubeBANPs = examples.CoreGressRulesCombinedBANB
+		kubeANPs = append(kubeANPs, examples.CoreGressRulesCombinedANB...)
+		kubeBANPs = kubeBANPs
 	}
 
 	logrus.Debugf("parsed policies:\n%s", json.MustMarshalToString(kubePolicies))

diff --git a/cmd/policy-assistant/pkg/connectivity/testcasestate.go b/cmd/policy-assistant/pkg/connectivity/testcasestate.go
@@ -1,6 +1,7 @@
 package connectivity
 
 import (
+	"context"
 	"time"
 
 	"github.com/mattfenwick/cyclonus/pkg/connectivity/probe"
@@ -140,7 +141,7 @@ func (t *TestCaseState) DeletePod(ns string, pod string) error {
 }
 
 func (t *TestCaseState) ReadPolicies(namespaces []string) error {
-	policies, err := kube.GetNetworkPoliciesInNamespaces(t.Kubernetes, namespaces)
+	policies, err := kube.GetNetworkPoliciesInNamespaces(context.TODO(), t.Kubernetes, namespaces)
 	if err != nil {
 		return err
 	}
@@ -322,7 +323,7 @@ func (t *TestCaseState) VerifyClusterState() error {
 		return err
 	}
 
-	policies, err := kube.GetNetworkPoliciesInNamespaces(t.Kubernetes, t.Resources.NamespacesSlice())
+	policies, err := kube.GetNetworkPoliciesInNamespaces(context.TODO(), t.Kubernetes, t.Resources.NamespacesSlice())
 	if err != nil {
 		return err
 	}

diff --git a/cmd/policy-assistant/pkg/kube/ikubernetes.go b/cmd/policy-assistant/pkg/kube/ikubernetes.go
@@ -1,13 +1,15 @@
 package kube
 
 import (
+	"context"
 	"fmt"
 	"github.com/mattfenwick/cyclonus/pkg/utils"
 	"github.com/pkg/errors"
 	v1 "k8s.io/api/core/v1"
 	networkingv1 "k8s.io/api/networking/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"math/rand"
+	v1alpha12 "sigs.k8s.io/network-policy-api/apis/v1alpha1"
 )
 
 type IKubernetes interface {
@@ -18,7 +20,7 @@ type IKubernetes interface {
 	GetAllNamespaces() (*v1.NamespaceList, error)
 
 	CreateNetworkPolicy(kubePolicy *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, error)
-	GetNetworkPoliciesInNamespace(namespace string) ([]networkingv1.NetworkPolicy, error)
+	GetNetworkPoliciesInNamespace(ctx context.Context, namespace string) ([]networkingv1.NetworkPolicy, error)
 	UpdateNetworkPolicy(kubePolicy *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, error)
 	DeleteNetworkPolicy(namespace string, name string) error
 	DeleteAllNetworkPoliciesInNamespace(namespace string) error
@@ -28,6 +30,9 @@ type IKubernetes interface {
 	DeleteService(namespace string, name string) error
 	GetServicesInNamespace(namespace string) ([]v1.Service, error)
 
+	GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error)
+	GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error)
+
 	CreatePod(kubePod *v1.Pod) (*v1.Pod, error)
 	GetPod(namespace string, pod string) (*v1.Pod, error)
 	DeletePod(namespace string, pod string) error
@@ -37,10 +42,10 @@ type IKubernetes interface {
 	ExecuteRemoteCommand(namespace string, pod string, container string, command []string) (string, string, error, error)
 }
 
-func GetNetworkPoliciesInNamespaces(kubernetes IKubernetes, namespaces []string) ([]networkingv1.NetworkPolicy, error) {
+func GetNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes, namespaces []string) ([]networkingv1.NetworkPolicy, error) {
 	var allNetpols []networkingv1.NetworkPolicy
 	for _, ns := range namespaces {
-		netpols, err := kubernetes.GetNetworkPoliciesInNamespace(ns)
+		netpols, err := kubernetes.GetNetworkPoliciesInNamespace(ctx, ns)
 		if err != nil {
 			return nil, err
 		}
@@ -83,6 +88,14 @@ func GetServicesInNamespaces(kubernetes IKubernetes, namespaces []string) ([]v1.
 	return allServices, nil
 }
 
+func GetAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) ([]v1alpha12.AdminNetworkPolicy, error) {
+	return kubernetes.GetAdminNetworkPoliciesInNamespace(ctx)
+}
+
+func GetBaseAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) (v1alpha12.BaselineAdminNetworkPolicy, error) {
+	return kubernetes.GetBaseAdminNetworkPoliciesInNamespace(ctx)
+}
+
 type MockNamespace struct {
 	NamespaceObject *v1.Namespace
 	Netpols         map[string]*networkingv1.NetworkPolicy
@@ -91,9 +104,12 @@ type MockNamespace struct {
 }
 
 type MockKubernetes struct {
-	Namespaces map[string]*MockNamespace
-	passRate   float64
-	podID      int
+	AdminNetworkPolicies func() ([]v1alpha12.AdminNetworkPolicy, error)
+	BaseNetworkPolicies  func() (v1alpha12.BaselineAdminNetworkPolicy, error)
+	NetworkPolicies      func() ([]networkingv1.NetworkPolicy, error)
+	Namespaces           map[string]*MockNamespace
+	passRate             float64
+	podID                int
 }
 
 func NewMockKubernetes(passRate float64) *MockKubernetes {
@@ -191,7 +207,17 @@ func (m *MockKubernetes) DeleteNetworkPolicy(ns string, name string) error {
 	return nil
 }
 
-func (m *MockKubernetes) GetNetworkPoliciesInNamespace(namespace string) ([]networkingv1.NetworkPolicy, error) {
+func (m *MockKubernetes) GetNetworkPoliciesInNamespace(ctx context.Context, namespace string) ([]networkingv1.NetworkPolicy, error) {
+	select {
+	case <-ctx.Done():
+		return nil, ctx.Err()
+	default:
+		res, err := m.NetworkPolicies()
+		if res != nil || err != nil {
+			return res, err
+		}
+	}
+
 	nsObject, err := m.getNamespaceObject(namespace)
 	if err != nil {
 		return nil, err
@@ -363,3 +389,22 @@ func (m *MockKubernetes) ExecuteRemoteCommand(namespace string, pod string, cont
 	}
 	return "", "", nil, nil
 }
+
+func (m *MockKubernetes) GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error) {
+	select {
+	default:
+		return m.AdminNetworkPolicies()
+	case <-ctx.Done():
+		return []v1alpha12.AdminNetworkPolicy{}, ctx.Err()
+	}
+
+}
+
+func (m *MockKubernetes) GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error) {
+	select {
+	default:
+		return m.BaseNetworkPolicies()
+	case <-ctx.Done():
+		return v1alpha12.BaselineAdminNetworkPolicy{}, ctx.Err()
+	}
+}