Merge branch 'master' into bug_in_HC_set

IBM · Jul 11, 2023 · eba391c · eba391c
2 parents 0efbbe6 + f896f2e
commit eba391c
Show file tree

Hide file tree

Showing 10 changed files with 143 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,7 +4,7 @@
 #
 
 # Using python:3.9-slim
-FROM python@sha256:1fc44d17b4ca49a8715af80786f21fa5ed8cfd257a1e14e24f4a79b4ec329388
+FROM python@sha256:1981920906ec577fb1a83bffca080ad659692688e80aee4cfe58d4642ac108e8
 
 COPY requirements.txt /nca/
 RUN python -m pip install -U pip wheel setuptools && pip install -r /nca/requirements.txt

diff --git a/Dockerfile.ubi b/Dockerfile.ubi
@@ -3,7 +3,7 @@
 # SPDX-License-Identifier: Apache2.0
 #
 
-FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:6910799b75ad41f00891978575a0d955be2f800c51b955af73926e7ab59a41c3
+FROM registry.access.redhat.com/ubi8/ubi-minimal@sha256:e52fc1de73dc2879516431ff1865e0fb61b1a32f57b6f914bdcddb13c62f84e6
 
 USER 0
 

diff --git a/nca/NetworkConfig/NetworkConfigQuery.py b/nca/NetworkConfig/NetworkConfigQuery.py
@@ -2033,17 +2033,12 @@ def exec(self):
         self.output_config.fullExplanation = True  # assign true for this query - it is always ok to compare its results
         # get_all_peers_group() does not require getting dnsEntry peers, since they are not ClusterEP (pods)
         existing_pods = self.config.peer_container.get_all_peers_group()
-        if not self.config:
+        if not self.config or self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.Ingress):
             return QueryAnswer(bool_result=False,
                                output_result=f'There are no network policies in {self.config.name}. '
                                              f'All workload resources are non captured',
                                numerical_result=len(existing_pods))
 
-        if self.config.policies_container.layers.does_contain_single_layer(NetworkLayerName.Ingress):
-            return QueryAnswer(bool_result=False,
-                               output_result='AllCapturedQuery cannot be applied using Ingress resources only',
-                               query_not_executed=True)
-
         k8s_calico_pods_list_explanation, k8s_calico_res = self._compute_uncaptured_pods_by_layer(NetworkLayerName.K8s_Calico)
         istio_pods_list_explanation, istio_res = self._compute_uncaptured_pods_by_layer(NetworkLayerName.Istio, True)
 

diff --git a/nca/Parsers/IngressPolicyYamlParser.py b/nca/Parsers/IngressPolicyYamlParser.py
@@ -94,7 +94,11 @@ def parse_backend(self, backend, is_default=False):
 
         service_port = srv.get_port_by_name(port_name) if port_name else srv.get_port_by_number(port_number)
         if not service_port:
-            self.syntax_error(f'Missing port {port_name if port_name else port_number} in the service', service)
+            port_str = f'{port_name if port_name else port_number}'
+            warning_msg = f'Ingress rule redirects traffic to {service_name}:{port_str}, '
+            warning_msg += f' but port {port_str} is not exposed by Service {service_name}'
+            self.warning(warning_msg, service)
+            return None, None, False
 
         rule_ports = PortSet()
         rule_ports.add_port(service_port.target_port)  # may be either a number or a named port

diff --git a/nca/VERSION.txt b/nca/VERSION.txt
@@ -1 +1 @@
-1.9.2
+1.9.3
diff --git a/tests/expected_runtime/k8s_tests_expected_runtime.csv b/tests/expected_runtime/k8s_tests_expected_runtime.csv
@@ -139,3 +139,5 @@ k8s_testcases/example_policies/withIpBlock2/withIpBlock2-scheme.yaml,5.51
 k8s_testcases/example_policies/workload-resources-test/file-system-resource-test-scheme.yaml,0.07
 k8s_testcases/example_policies/workload-resources-test/git-resource-test-scheme.yaml,7.66
 k8s_testcases/network-policy-checks-bad-path/network-policy-check-bad-path-scheme.yaml,0.80
+k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml,0.06
+k8s_testcases/example_policies/sample-app/sample-all-captured-scheme.yaml,0.08
diff --git a/tests/k8s_testcases/example_policies/sample-app/sample-all-captured-scheme.yaml b/tests/k8s_testcases/example_policies/sample-app/sample-all-captured-scheme.yaml
@@ -0,0 +1,10 @@
+resourceList: []
+networkConfigList:
+  - name: sample
+    resourceList:
+      - ./**
+queries:
+  - name: sample-all-captured
+    allCaptured:
+      - sample
+    expected: 2
diff --git a/tests/k8s_testcases/example_policies/sample-app/sample.yaml b/tests/k8s_testcases/example_policies/sample-app/sample.yaml
@@ -0,0 +1,56 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-service-ingress
+  namespace: sample
+spec:
+  rules:
+  - host: my-app.domain
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-service
+            port:
+              number: 8080
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+  namespace: sample
+  labels:
+    app: my-app
+spec:
+  type: ClusterIP
+  ports:
+    - port: 8080
+      targetPort: 8080
+  selector:
+    app: my-app
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-app
+  namespace: sample
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      serviceAccountName: sample
+      containers:
+      - name: my-app
+        image: webapp:1
+        ports:
+        - containerPort: 8080
diff --git a/tests/k8s_testcases/ingress-bad-path-test/sample-app/sample.yaml b/tests/k8s_testcases/ingress-bad-path-test/sample-app/sample.yaml
@@ -0,0 +1,56 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: my-service-ingress
+  namespace: sample
+spec:
+  rules:
+  - host: my-app.domain
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: my-service
+            port:
+              number: 8080
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: my-service
+  namespace: sample
+  labels:
+    app: my-app
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: 8080
+  selector:
+    app: my-app
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: my-app
+  namespace: sample
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: my-app
+  template:
+    metadata:
+      labels:
+        app: my-app
+    spec:
+      serviceAccountName: sample
+      containers:
+      - name: my-app
+        image: webapp:1
+        ports:
+        - containerPort: 8080
diff --git a/tests/k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml b/tests/k8s_testcases/ingress-bad-path-test/test-ingress-bad-port-scheme.yaml
@@ -0,0 +1,10 @@
+resourceList: []
+networkConfigList:
+  - name: sample
+    resourceList:
+      - ./sample-app/**
+    expectedWarnings: 1  #  Warning: Ingress rule redirects traffic to my-service:8080,  but port 8080 is not exposed by Service my-service
+queries:
+  - name: connectivity_map
+    connectivityMap:
+      - sample