Skip to content

Commit

Permalink
wip
Browse files Browse the repository at this point in the history
  • Loading branch information
Peac36 committed Jul 21, 2024
1 parent 33ca86b commit 3bb6de4
Show file tree
Hide file tree
Showing 20 changed files with 146 additions and 112 deletions.
27 changes: 16 additions & 11 deletions cmd/policy-assistant/pkg/cli/analyze.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,8 @@ var AllModes = []string{
ProbeMode,
}

const DefaultTimeout = 180

type AnalyzeArgs struct {
AllNamespaces bool
Namespaces []string
Expand All @@ -58,6 +60,8 @@ type AnalyzeArgs struct {

// synthetic probe
ProbePath string

Timeout int
}

func SetupAnalyzeCommand() *cobra.Command {
Expand Down Expand Up @@ -85,17 +89,19 @@ func SetupAnalyzeCommand() *cobra.Command {
command.Flags().StringVar(&args.TrafficPath, "traffic-path", "", "path to json traffic file, containing of a list of traffic objects")
command.Flags().StringVar(&args.ProbePath, "probe-path", "", "path to json model file for synthetic probe")

command.Flags().IntVar(&args.Timeout, "timeout", DefaultTimeout, "timeout time in seconds")

return command
}

func RunAnalyzeCommand(args *AnalyzeArgs) {
// 1. read policies from kube
var kubePolicies []*networkingv1.NetworkPolicy
var kubeANPs []*v1alpha1.AdminNetworkPolicy
var kubeBANPs *v1alpha1.BaselineAdminNetworkPolicy
var kubeBANP *v1alpha1.BaselineAdminNetworkPolicy
var kubePods []v1.Pod
var kubeNamespaces []v1.Namespace
var netErr, anpErr, banpErr error
var netpolErr, anpErr, banpErr error
if args.AllNamespaces || len(args.Namespaces) > 0 {
kubeClient, err := kube.NewKubernetesForContext(args.Context)
utils.DoOrDie(err)
Expand All @@ -108,20 +114,19 @@ func RunAnalyzeCommand(args *AnalyzeArgs) {
namespaces = []string{v1.NamespaceAll}
}

//TODO: add a flag for the timeout
ctx, cancel := context.WithTimeout(context.TODO(), 15*time.Second)
ctx, cancel := context.WithTimeout(context.TODO(), time.Duration(args.Timeout)*time.Second)
defer cancel()

kubePolicies, kubeANPs, kubeBANPs, netErr, anpErr, banpErr = kube.ReadNetworkPoliciesFromKube(ctx, kubeClient, namespaces)
kubePolicies, kubeANPs, kubeBANP, netpolErr, anpErr, banpErr = kube.ReadNetworkPoliciesFromKube(ctx, kubeClient, namespaces)

if netErr != nil {
if netpolErr != nil {
logrus.Errorf("unable to read network policies from kube, ns '%s': %+v", namespaces, err)
}
if anpErr != nil {
fmt.Printf("Unable to fetch admin network policies: %s \n", anpErr)
logrus.Errorf("Unable to fetch admin network policies: %s \n", anpErr)
}
if banpErr != nil {
fmt.Printf("Unable to fetch base admin network policies: %s \n", banpErr)
logrus.Errorf("Unable to fetch base admin network policies: %s \n", banpErr)
}
}
// 2. read policies from file
Expand All @@ -130,18 +135,18 @@ func RunAnalyzeCommand(args *AnalyzeArgs) {
utils.DoOrDie(err)
kubePolicies = append(kubePolicies, policiesFromPath...)
kubeANPs = append(kubeANPs, anpsFromPath...)
kubeBANPs = banpFromPath
kubeBANP = banpFromPath
}
// 3. read example policies
if args.UseExamplePolicies {
kubePolicies = append(kubePolicies, netpol.AllExamples...)

kubeANPs = append(kubeANPs, examples.CoreGressRulesCombinedANB...)
kubeBANPs = kubeBANPs
kubeBANP = kubeBANP
}

logrus.Debugf("parsed policies:\n%s", json.MustMarshalToString(kubePolicies))
policies := matcher.BuildV1AndV2NetPols(args.SimplifyPolicies, kubePolicies, kubeANPs, kubeBANPs)
policies := matcher.BuildV1AndV2NetPols(args.SimplifyPolicies, kubePolicies, kubeANPs, kubeBANP)

for _, mode := range args.Modes {
switch mode {
Expand Down
59 changes: 46 additions & 13 deletions cmd/policy-assistant/pkg/kube/ikubernetes.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ import (
networkingv1 "k8s.io/api/networking/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"math/rand"
v1alpha12 "sigs.k8s.io/network-policy-api/apis/v1alpha1"
"sigs.k8s.io/network-policy-api/apis/v1alpha1"
)

type IKubernetes interface {
Expand All @@ -30,8 +30,15 @@ type IKubernetes interface {
DeleteService(namespace string, name string) error
GetServicesInNamespace(namespace string) ([]v1.Service, error)

GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error)
GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error)
GetAdminNetworkPolicies(ctx context.Context) ([]v1alpha1.AdminNetworkPolicy, error)
CreateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error)
UpdateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error)
DeleteAdminNetworkPolicy(ctx context.Context, name string) error

GetBaseAdminNetworkPolicies(ctx context.Context) (v1alpha1.BaselineAdminNetworkPolicy, error)
CreateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error)
UpdateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error)
DeleteBaselineAdminNetworkPolicy(ctx context.Context, name string) error

CreatePod(kubePod *v1.Pod) (*v1.Pod, error)
GetPod(namespace string, pod string) (*v1.Pod, error)
Expand Down Expand Up @@ -88,12 +95,12 @@ func GetServicesInNamespaces(kubernetes IKubernetes, namespaces []string) ([]v1.
return allServices, nil
}

func GetAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) ([]v1alpha12.AdminNetworkPolicy, error) {
return kubernetes.GetAdminNetworkPoliciesInNamespace(ctx)
func GetAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) ([]v1alpha1.AdminNetworkPolicy, error) {
return kubernetes.GetAdminNetworkPolicies(ctx)
}

func GetBaseAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) (v1alpha12.BaselineAdminNetworkPolicy, error) {
return kubernetes.GetBaseAdminNetworkPoliciesInNamespace(ctx)
func GetBaseAdminNetworkPoliciesInNamespaces(ctx context.Context, kubernetes IKubernetes) (v1alpha1.BaselineAdminNetworkPolicy, error) {
return kubernetes.GetBaseAdminNetworkPolicies(ctx)
}

type MockNamespace struct {
Expand All @@ -104,8 +111,8 @@ type MockNamespace struct {
}

type MockKubernetes struct {
AdminNetworkPolicies func() ([]v1alpha12.AdminNetworkPolicy, error)
BaseNetworkPolicies func() (v1alpha12.BaselineAdminNetworkPolicy, error)
AdminNetworkPolicies func() ([]v1alpha1.AdminNetworkPolicy, error)
BaseNetworkPolicies func() (v1alpha1.BaselineAdminNetworkPolicy, error)
NetworkPolicies func() ([]networkingv1.NetworkPolicy, error)
Namespaces map[string]*MockNamespace
passRate float64
Expand Down Expand Up @@ -390,21 +397,47 @@ func (m *MockKubernetes) ExecuteRemoteCommand(namespace string, pod string, cont
return "", "", nil, nil
}

func (m *MockKubernetes) GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error) {
func (m *MockKubernetes) GetAdminNetworkPolicies(ctx context.Context) ([]v1alpha1.AdminNetworkPolicy, error) {
select {
default:
return m.AdminNetworkPolicies()
case <-ctx.Done():
return []v1alpha12.AdminNetworkPolicy{}, ctx.Err()
return []v1alpha1.AdminNetworkPolicy{}, ctx.Err()
}

}

func (m *MockKubernetes) GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error) {
func (k *MockKubernetes) CreateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *MockKubernetes) UpdateAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.AdminNetworkPolicy) (*v1alpha1.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *MockKubernetes) DeleteAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}

func (m *MockKubernetes) GetBaseAdminNetworkPolicies(ctx context.Context) (v1alpha1.BaselineAdminNetworkPolicy, error) {
select {
default:
return m.BaseNetworkPolicies()
case <-ctx.Done():
return v1alpha12.BaselineAdminNetworkPolicy{}, ctx.Err()
return v1alpha1.BaselineAdminNetworkPolicy{}, ctx.Err()
}
}

func (k *MockKubernetes) CreateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *MockKubernetes) UpdateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha1.BaselineAdminNetworkPolicy) (*v1alpha1.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *MockKubernetes) DeleteBaselineAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}
32 changes: 30 additions & 2 deletions cmd/policy-assistant/pkg/kube/kubernetes.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,8 @@ import (
"k8s.io/client-go/tools/remotecommand"
)

var ErrNotImplemented = errors.New("Not implemented")

type Kubernetes struct {
ClientSet *kubernetes.Clientset
alphaClientSet *v1alpha1.PolicyV1alpha1Client
Expand Down Expand Up @@ -109,15 +111,28 @@ func (k *Kubernetes) GetNetworkPoliciesInNamespace(ctx context.Context, namespac
return netpolList.Items, nil
}

func (k *Kubernetes) GetAdminNetworkPoliciesInNamespace(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error) {
func (k *Kubernetes) GetAdminNetworkPolicies(ctx context.Context) ([]v1alpha12.AdminNetworkPolicy, error) {
anps, err := k.alphaClientSet.AdminNetworkPolicies().List(ctx, metav1.ListOptions{})
if err != nil {
return nil, err
}
return anps.Items, nil
}

func (k *Kubernetes) GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error) {
func (k *Kubernetes) CreateAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.AdminNetworkPolicy) (*v1alpha12.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) UpdateAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.AdminNetworkPolicy) (*v1alpha12.AdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) DeleteAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}

func (k *Kubernetes) GetBaseAdminNetworkPolicies(ctx context.Context) (v1alpha12.BaselineAdminNetworkPolicy, error) {
banp, err := k.alphaClientSet.BaselineAdminNetworkPolicies().List(ctx, metav1.ListOptions{})
if err != nil {
return v1alpha12.BaselineAdminNetworkPolicy{}, err
Expand All @@ -129,6 +144,19 @@ func (k *Kubernetes) GetBaseAdminNetworkPoliciesInNamespace(ctx context.Context)

}

func (k *Kubernetes) CreateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.BaselineAdminNetworkPolicy) (*v1alpha12.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) UpdateBaselineAdminNetworkPolicy(ctx context.Context, policy *v1alpha12.BaselineAdminNetworkPolicy) (*v1alpha12.BaselineAdminNetworkPolicy, error) {
return nil, ErrNotImplemented
}

func (k *Kubernetes) DeleteBaselineAdminNetworkPolicy(ctx context.Context, name string) error {
//TODO: implement
return ErrNotImplemented
}

func (k *Kubernetes) UpdateNetworkPolicy(policy *networkingv1.NetworkPolicy) (*networkingv1.NetworkPolicy, error) {
logrus.Debugf("updating network policy %s/%s", policy.Namespace, policy.Name)
np, err := k.ClientSet.NetworkingV1().NetworkPolicies(policy.Namespace).Update(context.TODO(), policy, metav1.UpdateOptions{})
Expand Down
Loading

0 comments on commit 3bb6de4

Please sign in to comment.