Merge pull request #241 from huntergregory/display-enhancements

[Policy Assistant] display enhancements from KubeCon demo (PR 1/2)
kubernetes-sigs · Jul 22, 2024 · f4558c8 · f4558c8
2 parents a8b203d + ec80379
commit f4558c8
Show file tree

Hide file tree

Showing 5 changed files with 38 additions and 21 deletions.
diff --git a/cmd/policy-assistant/pkg/connectivity/probe/connectivity.go b/cmd/policy-assistant/pkg/connectivity/probe/connectivity.go
@@ -11,6 +11,8 @@ const (
 	ConnectivityInvalidPortProtocol Connectivity = "invalidportprotocol"
 	ConnectivityBlocked             Connectivity = "blocked"
 	ConnectivityAllowed             Connectivity = "allowed"
+	// ConnectivityUndefined e.g. for loopback traffic
+	ConnectivityUndefined Connectivity = "undefined"
 )
 
 var AllConnectivity = []Connectivity{
@@ -36,6 +38,8 @@ func (p Connectivity) ShortString() string {
 		return "P"
 	case ConnectivityInvalidPortProtocol:
 		return "N"
+	case ConnectivityUndefined:
+		return "#"
 	default:
 		panic(errors.Errorf("invalid Connectivity value: %+v", p))
 	}

diff --git a/cmd/policy-assistant/pkg/connectivity/probe/jobrunner.go b/cmd/policy-assistant/pkg/connectivity/probe/jobrunner.go
@@ -76,6 +76,11 @@ func (s *SimulatedJobRunner) RunJobs(jobs []*Job) []*JobResult {
 }
 
 func (s *SimulatedJobRunner) RunJob(job *Job) *JobResult {
+	if job.FromKey == job.ToKey {
+		connUndefined := ConnectivityUndefined
+		return &JobResult{Job: job, Ingress: &connUndefined, Egress: &connUndefined, Combined: ConnectivityUndefined}
+	}
+
 	allowed := s.Policies.IsTrafficAllowed(job.Traffic())
 	// TODO could also keep the whole `allowed` struct somewhere
 

diff --git a/cmd/policy-assistant/pkg/matcher/explain.go b/cmd/policy-assistant/pkg/matcher/explain.go
@@ -27,7 +27,7 @@ func (p *peerProtocolGroup) Matches(subject, peer *TrafficPeer, portInt int, por
 }
 
 type anpGroup struct {
-	name     string
+	ruleName string
 	priority int
 	effects  []string
 	kind     PolicyKind
@@ -55,8 +55,10 @@ func (p *Policy) ExplainTable() string {
 	ingresses, egresses := p.SortedTargets()
 	builder.TargetsTableLines(ingresses, true)
 
-	builder.Elements = append(builder.Elements, []string{"", "", "", "", "", ""})
-	builder.TargetsTableLines(egresses, false)
+	if len(egresses) > 0 {
+		builder.Elements = append(builder.Elements, []string{"", "", "", "", "", ""})
+		builder.TargetsTableLines(egresses, false)
+	}
 
 	table.AppendBulk(builder.Elements)
 
@@ -132,9 +134,9 @@ func (s *SliceBuilder) peerProtocolGroupTableLines(t *peerProtocolGroup) {
 		})
 		for _, v := range anps {
 			if len(v.effects) > 1 {
-				actions = append(actions, fmt.Sprintf("   pri=%d (%s): %s (ineffective rules: %s)", v.priority, v.name, v.effects[0], strings.Join(v.effects[1:], ", ")))
+				actions = append(actions, fmt.Sprintf("   pri=%d (%s): %s (ineffective rules: %s)", v.priority, v.ruleName, v.effects[0], strings.Join(v.effects[1:], ", ")))
 			} else {
-				actions = append(actions, fmt.Sprintf("   pri=%d (%s): %s", v.priority, v.name, v.effects[0]))
+				actions = append(actions, fmt.Sprintf("   pri=%d (%s): %s", v.priority, v.ruleName, v.effects[0]))
 			}
 		}
 	}
@@ -202,10 +204,10 @@ func groupAnbAndBanp(p []PeerMatcher) []PeerMatcher {
 					policies: map[string]*anpGroup{},
 				}
 			}
-			kg := t.Name
+			kg := t.PolicyName
 			if _, ok := groups[k].policies[kg]; !ok {
 				groups[k].policies[kg] = &anpGroup{
-					name:     t.Name,
+					ruleName: t.RuleName,
 					priority: t.effectFromMatch.Priority,
 					effects:  []string{},
 					kind:     t.effectFromMatch.PolicyKind,

diff --git a/cmd/policy-assistant/pkg/matcher/peermatcherv2.go b/cmd/policy-assistant/pkg/matcher/peermatcherv2.go
@@ -10,16 +10,19 @@ import (
 // This is because ANP and BANP only deal with Pod to Pod traffic, and do not deal with external IPs.
 type PeerMatcherAdmin struct {
 	*PodPeerMatcher
-	Name            string
+	PolicyName      string
+	RuleName        string
 	effectFromMatch Effect
 }
 
 // NewPeerMatcherANP creates a PeerMatcherAdmin for an ANP rule
-func NewPeerMatcherANP(peer *PodPeerMatcher, v Verdict, priority int, source string) *PeerMatcherAdmin {
+func NewPeerMatcherANP(peer *PodPeerMatcher, v Verdict, priority int, policyName, ruleName string) *PeerMatcherAdmin {
 	return &PeerMatcherAdmin{
 		PodPeerMatcher: peer,
-		Name:           source,
+		PolicyName:     policyName,
+		RuleName:       ruleName,
 		effectFromMatch: Effect{
+			RuleName:   ruleName,
 			PolicyKind: AdminNetworkPolicy,
 			Priority:   priority,
 			Verdict:    v,
@@ -28,11 +31,13 @@ func NewPeerMatcherANP(peer *PodPeerMatcher, v Verdict, priority int, source str
 }
 
 // NewPeerMatcherBANP creates a new PeerMatcherAdmin for a BANP rule
-func NewPeerMatcherBANP(peer *PodPeerMatcher, v Verdict, source string) *PeerMatcherAdmin {
+func NewPeerMatcherBANP(peer *PodPeerMatcher, v Verdict, policyName, ruleName string) *PeerMatcherAdmin {
 	return &PeerMatcherAdmin{
 		PodPeerMatcher: peer,
-		Name:           source,
+		PolicyName:     policyName,
+		RuleName:       ruleName,
 		effectFromMatch: Effect{
+			RuleName:   ruleName,
 			PolicyKind: BaselineAdminNetworkPolicy,
 			Verdict:    v,
 		},
@@ -41,6 +46,7 @@ func NewPeerMatcherBANP(peer *PodPeerMatcher, v Verdict, source string) *PeerMat
 
 // Effect models the effect of one or more v1/v2 NetPol rules on a peer
 type Effect struct {
+	RuleName string
 	PolicyKind
 	// Priority is only used for ANP (there can only be one BANP)
 	Priority int
@@ -57,9 +63,9 @@ const (
 
 func NewV1Effect(allow bool) Effect {
 	if allow {
-		return Effect{NetworkPolicyV1, 0, Allow}
+		return Effect{"", NetworkPolicyV1, 0, Allow}
 	}
-	return Effect{NetworkPolicyV1, 0, None}
+	return Effect{"", NetworkPolicyV1, 0, None}
 }
 
 type Verdict string

diff --git a/cmd/policy-assistant/pkg/matcher/policy.go b/cmd/policy-assistant/pkg/matcher/policy.go
@@ -120,35 +120,35 @@ func (d DirectionResult) Flow() string {
 	flows := make([]string, 0)
 	if anp != nil {
 		if anp.Verdict == Allow {
-			return "[ANP] Allow"
+			return fmt.Sprintf("[ANP] Allow (%s)", anp.RuleName)
 		}
 
 		if anp.Verdict == Deny {
-			return "[ANP] Deny"
+			return fmt.Sprintf("[ANP] Deny (%s)", anp.RuleName)
 		}
 
 		if anp.Verdict == Pass {
-			flows = append(flows, "[ANP] Pass")
+			flows = append(flows, fmt.Sprintf("[ANP] Pass (%s)", anp.RuleName))
 		} else {
 			flows = append(flows, "[ANP] No-Op")
 		}
 	}
 
 	if npv1 != nil {
 		if npv1.Verdict == Allow {
-			flows = append(flows, "[NPv1] Allow")
+			flows = append(flows, fmt.Sprintf("[NPv1] Allow (%s)", npv1.RuleName))
 		} else {
-			flows = append(flows, "[NPv1] Dropped")
+			flows = append(flows, fmt.Sprintf("[NPv1] Dropped (%s)", npv1.RuleName))
 		}
 
 		return strings.Join(flows, " -> ")
 	}
 
 	if banp != nil {
 		if banp.Verdict == Allow {
-			flows = append(flows, "[BANP] Allow")
+			flows = append(flows, fmt.Sprintf("[BANP] Allow (%s)", banp.RuleName))
 		} else if banp.Verdict == Deny {
-			flows = append(flows, "[BANP] Deny")
+			flows = append(flows, fmt.Sprintf("[BANP] Deny (%s)", banp.RuleName))
 		} else {
 			flows = append(flows, "[BANP] No-Op")
 		}