feat: [Policy Assistant] walkthrough mode and a README (KubeCon demo PR 2/2) #245

Merged
merged 8 commits into from
Oct 29, 2024


huntergregory
Contributor

@huntergregory huntergregory commented Aug 8, 2024

Outputs

walkthrough

Fixes #168. NOTE: the traffic is hardcoded right now. Need to fix in a followup PR that leverages #227 to specify traffic for the walkthrough.

./cmd/cyclonus/cyclonus analyze --policy-path examples/demos/kubecon-eu-2024/policies --mode walkthrough
INFO[2024-10-25T15:14:01-07:00] log level set to 'info'                      
verdict walkthrough:
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
|                TRAFFIC                | VERDICT |                     INGRESS WALKTHROUGH                     |      EGRESS WALKTHROUGH      |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+
| demo/[pod=a] -> demo/[pod=b]:80 (TCP) | Allowed | [ANP] Allow (allow-80)                                      | no policies targeting egress |
+---------------------------------------+---------+-------------------------------------------------------------+                              +
| demo/[pod=a] -> demo/[pod=b]:81 (TCP) | Denied  | [ANP] Pass (pass-81) -> [BANP] Deny (baseline-deny)         |                              |
+---------------------------------------+---------+-------------------------------------------------------------+                              +
| demo/[pod=b] -> demo/[pod=a]:80 (TCP) | Allowed | [ANP] Allow (allow-80)                                      |                              |
+---------------------------------------+---------+-------------------------------------------------------------+                              +
| demo/[pod=b] -> demo/[pod=a]:81 (TCP) | Denied  | [ANP] Pass (pass-81) -> [NPv1] Dropped (demo/deny-to-pod-a) |                              |
+---------------------------------------+---------+-------------------------------------------------------------+------------------------------+

probe

Fixes #210

./cmd/cyclonus/cyclonus analyze --mode probe --policy-path examples/demos/kubecon-eu-2024/policies --probe-path examples/demos/kubecon-eu-2024/demo-probe.json
INFO[2024-10-25T15:12:22-07:00] log level set to 'info'                      
probe (simulated connectivity):
INFO[2024-10-25T15:12:22-07:00] probe on port 80, protocol TCP               
Ingress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+

Egress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | .      | #      |
+--------+--------+--------+

Combined:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+



INFO[2024-10-25T15:12:22-07:00] probe on port 81, protocol TCP               
Ingress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+

Egress:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | .      | #      |
+--------+--------+--------+

Combined:
+--------+--------+--------+
|        | DEMO/A | DEMO/B |
+--------+--------+--------+
| demo/a | #      | .      |
| demo/b | X      | #      |
+--------+--------+--------+

@k8s-ci-robot k8s-ci-robot added the cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. label Aug 8, 2024
@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. size/XL Denotes a PR that changes 500-999 lines, ignoring generated files. labels Aug 8, 2024
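
The tier order behind the walkthrough table in the PR description (ANP first, then v1 NetworkPolicy, then BANP), as an added example that is not part of the PR and is not cyclonus code. The policy names are the ones in the table; their contents are assumed, and the model is ingress-only, matches rules on port alone, and holds at most one NetworkPolicy per pod.

```go
package main

import "fmt"

// Constructed ingress-only model of the tiers in the table; not cyclonus code.
type Rule struct { // one ANP or BANP rule, listed in priority order
	Name, Action string // Allow, Deny, or (ANP only) Pass
	Port         int    // 0 matches every port
}
type NetPol struct { // the v1 NetworkPolicy selecting a pod
	Name  string
	Allow map[int]bool // ingress ports it still allows
}

func first(rules []Rule, port int) *Rule {
	for i := range rules {
		if rules[i].Port == 0 || rules[i].Port == port {
			return &rules[i]
		}
	}
	return nil
}

// Walk returns the verdict and the chain of decisions behind it.
func Walk(anp []Rule, nps map[string]NetPol, banp []Rule, dst string, port int) (allowed bool, trail string) {
	if r := first(anp, port); r != nil {
		trail = fmt.Sprintf("[ANP] %s (%s)", r.Action, r.Name)
		if r.Action != "Pass" {
			return r.Action == "Allow", trail // Allow and Deny are final
		}
		trail += " -> " // Pass hands the decision to the lower tiers
	}
	if np, ok := nps[dst]; ok { // a selected pod is isolated; BANP is never reached
		word := map[bool]string{true: "Allowed", false: "Dropped"}[np.Allow[port]]
		return np.Allow[port], trail + fmt.Sprintf("[NPv1] %s (%s)", word, np.Name)
	}
	if r := first(banp, port); r != nil {
		return r.Action == "Allow", trail + fmt.Sprintf("[BANP] %s (%s)", r.Action, r.Name)
	}
	return true, trail + "no matching policy (default allow)"
}

var ( // constructed to match the names in the table; rule contents are assumed
	anp  = []Rule{{"allow-80", "Allow", 80}, {"pass-81", "Pass", 81}}
	nps  = map[string]NetPol{"a": {Name: "demo/deny-to-pod-a"}}
	banp = []Rule{{"baseline-deny", "Deny", 0}}
)

func main() { fmt.Println(Walk(anp, nps, banp, "a", 81)) }
```

The same Pass on port 81 ends in two different places: pod b has no NetworkPolicy, so the BANP decides, while pod a is selected by one, so the BANP is never consulted.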

netlify bot commented Aug 8, 2024

Deploy Preview for kubernetes-sigs-network-policy-api ready!

Name Link
🔨 Latest commit c776b14
🔍 Latest deploy log https://app.netlify.com/sites/kubernetes-sigs-network-policy-api/deploys/67211f4cab52c60008abe1eb
😎 Deploy Preview https://deploy-preview-245--kubernetes-sigs-network-policy-api.netlify.app

@huntergregory huntergregory force-pushed the walkthrough branch 2 times, most recently from 9668f6a to 9db719b Compare August 8, 2024 02:45
@huntergregory
Contributor Author

Also, #239 will give us the power to read policies from file/cluster.

I have a local hack imitating #239 to produce outputs using --policy-path

@k8s-ci-robot k8s-ci-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Oct 25, 2024
@huntergregory
Contributor Author

Also, #239 will give us the power to read policies from file/cluster.

I have a local hack imitating #239 to produce outputs using --policy-path

removed the hack

@huntergregory
Contributor Author

/lgtm
/approve

@k8s-ci-robot
Contributor

@huntergregory: you cannot LGTM your own PR.

In response to this:

/lgtm
/approve

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@huntergregory
Contributor Author

Tests are passing via policy-assistant GH action.

These commands work locally:

  1. cyclonus analyze --mode probe --policy-path cmd/policy-assistant/examples/demos/kubecon-eu-2024/policies/ --probe-path cmd/policy-assistant/examples/demos/kubecon-eu-2024/demo-probe.json
  2. cyclonus analyze --mode walkthrough --policy-path cmd/policy-assistant/examples/demos/kubecon-eu-2024/policies/

Want to add these to the GH action once we add walkthrough traffic support in a followup.

@huntergregory
Contributor Author

huntergregory commented Oct 25, 2024

Hey @mattfenwick do you mind adding a lgtm? Thinking to iterate quickly on a few more PRs and cut the first release by ~11/5 for a KubeCon announcement 🎉

Release details: #255

@k8s-ci-robot k8s-ci-robot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 29, 2024
@huntergregory
Contributor Author

Hey @danwinship could you approve the GH action change and add a lgtm? Thanks!

@danwinship
Contributor

/approve
/lgtm

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Oct 29, 2024
@k8s-ci-robot
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: danwinship, huntergregory

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Oct 29, 2024
@k8s-ci-robot k8s-ci-robot merged commit d1aa393 into kubernetes-sigs:main Oct 29, 2024
13 checks passed
Development

Successfully merging this pull request may close these issues.

[Policy Assistant] Probe Mode [Policy Assistant] Predict Verdict and Flow of Decisions made by Policies