Explainability with hcs #477

Merged
merged 205 commits into from
Jul 5, 2023
Changes from 188 commits
74ec605
Initial implementation of the optimized TcpLikeProperties (and HyperC…
tanyaveksler Nov 15, 2022
c279de6
Extended testcase3 to produce connectivity_map
tanyaveksler Nov 15, 2022
1b1ebbe
Fixed a problem in HyperCubeSet (wrongly changing self in _and_aux.
tanyaveksler Nov 20, 2022
09cfad1
Small fix
tanyaveksler Nov 21, 2022
94fb117
Further fix of the hyper cube set
tanyaveksler Nov 22, 2022
520377a
Further fix of the hyper cube set
tanyaveksler Nov 22, 2022
af37b10
Merge remote-tracking branch 'origin/Optimized_HC_set' into Optimized…
tanyaveksler Nov 22, 2022
0339215
Avoiding redundant and heavy copy of layers.
tanyaveksler Nov 22, 2022
564d667
Merge branch 'master' into Optimized_HC_set
tanyaveksler Nov 22, 2022
b9810b3
General changes from the Optimized_HC_set branch.
tanyaveksler Nov 22, 2022
e82ac99
General changes from the Optimized_HC_set branch.
tanyaveksler Nov 22, 2022
6b3b364
Avoiding lint warnings
tanyaveksler Nov 22, 2022
cfb5ee7
Avoiding lint warnings
tanyaveksler Nov 22, 2022
01a9d40
Merge branch 'Small-fixes-for-master' into Optimized_HC_set
tanyaveksler Nov 22, 2022
28e211b
Added support of IpBlocks in optimized hyper cube set implementation.
tanyaveksler Nov 27, 2022
d5d97a6
More accurate update of base_peer_set.
tanyaveksler Nov 27, 2022
0a2cb45
Added redundant fw_rules creation for testing (to be further removed).
tanyaveksler Nov 29, 2022
0800959
Initial implementation of Calico optimized connections handling.
tanyaveksler Dec 4, 2022
05a496c
Fixed the construction of connectivity graph (when some of src_peer o…
tanyaveksler Dec 6, 2022
bb6842c
Multiple fixes:
tanyaveksler Dec 11, 2022
0d4bd28
Properly handling 'False' represented by TcpLikeProperties.
tanyaveksler Dec 18, 2022
47d5bd0
Added support to ICMP data in optimized HC set (handled in TCPLikePro…
tanyaveksler Jan 1, 2023
0a8d53f
Added command line flag optimized_run, having 3 possibilities:
tanyaveksler Jan 3, 2023
183eaeb
Small fixes;
tanyaveksler Jan 8, 2023
8e34573
Small fixes;
tanyaveksler Jan 8, 2023
9957228
Fixed building tcp_like_properties from connectivity graph
tanyaveksler Jan 8, 2023
004742b
Optimized the comparison between original and optimized connections (…
tanyaveksler Jan 8, 2023
a27899d
Implemented optimized Istio policy handling.
tanyaveksler Jan 15, 2023
ebae572
Added Ingress policy support in the optimized solution.
tanyaveksler Jan 15, 2023
25118de
Added Istio Ingress policy support in the optimized solution.
tanyaveksler Jan 15, 2023
9218096
Merge with master.
tanyaveksler Jan 15, 2023
7780876
Further optimization: converting HC set directly to fw rules.
tanyaveksler Jan 24, 2023
8998470
Small bug fix
tanyaveksler Jan 24, 2023
1281b2c
Fixed printing peer sets in FWRules.
tanyaveksler Jan 24, 2023
278b921
More released comparison between original and optimized fw-rules (all…
tanyaveksler Jan 29, 2023
6320d95
Merge with master.
tanyaveksler Jan 29, 2023
c408b49
Splitting istio opt properties to tcp and non-tcp properties.
tanyaveksler Feb 5, 2023
4a187f2
Fixed creation TcpLikeProperties with empty methods or protocols.
tanyaveksler Feb 5, 2023
74234ab
Optimizing sidecar priorities handling by refinement of sidecar.selec…
tanyaveksler Feb 12, 2023
1216778
Merge with master.
tanyaveksler Feb 12, 2023
2c4b1af
Adding newline at the end of connectivity test expected results.
tanyaveksler Feb 14, 2023
9ff9d25
Handling exclude_ipv6 print in optimized calculation.
tanyaveksler Feb 14, 2023
eb763fb
Fixing initialization of MethodSet in HTTPRoute (None means no method…
tanyaveksler Feb 21, 2023
dabbd17
Changed output format of ICMP data.
tanyaveksler Feb 21, 2023
1388a4c
Making default the original (not optimized) implementation in run_all…
tanyaveksler Feb 21, 2023
e45a007
1. Merge with master
tanyaveksler Feb 21, 2023
3882e85
1. Merge with master
tanyaveksler Feb 26, 2023
6350ebd
Simplifying and improving make_tcp_like_properties function.
tanyaveksler Feb 28, 2023
54a1708
Fixing lint errors.
tanyaveksler Feb 28, 2023
a30fc04
Fixing lint errors.
tanyaveksler Feb 28, 2023
ab7dc47
Removed unused classes ConnectivityGraphPrototype and ConnectivityGra…
tanyaveksler Feb 28, 2023
e49ddfb
Avoid using creation of TcpLikeProperties directly with init; using m…
tanyaveksler Feb 28, 2023
254412a
Fixing lint errors.
tanyaveksler Feb 28, 2023
8ec0717
Fixing lint errors.
tanyaveksler Feb 28, 2023
95971c4
Fixing ConnectionSet.__str__ to be accurate, since it is used in sort…
tanyaveksler Mar 5, 2023
b343603
Merge with master.
tanyaveksler Mar 5, 2023
2bba713
Fixed excluding unused ipv6 blocks in the optimized solution.
tanyaveksler Mar 5, 2023
a346c25
Renamed TcpLikeProperties to ConnectivityProperties.
tanyaveksler Mar 5, 2023
0d2661b
Fixing lint errors.
tanyaveksler Mar 5, 2023
64daeed
Fixing lint errors.
tanyaveksler Mar 5, 2023
51b38d5
track expl data
shmfr Mar 6, 2023
464f004
explain connectivity
shmfr Mar 7, 2023
b5c6586
explain connectivity
shmfr Mar 7, 2023
f8243de
Simplified and cleaned interfaces.
tanyaveksler Mar 7, 2023
d77050d
Fixed lint errors.
tanyaveksler Mar 7, 2023
8977f43
Fixed lint errors.
tanyaveksler Mar 7, 2023
dae1bb1
Added a new class ConnectivityCube that manages forth and back transl…
tanyaveksler Mar 14, 2023
ad299fb
Added set_dims method to set multiple dimensions at once.
tanyaveksler Mar 14, 2023
a1c5654
Added get_protocol_set_with_single_protocol function to ProtocolSet.
tanyaveksler Mar 14, 2023
ca0cab9
Fixing lint errors.
tanyaveksler Mar 19, 2023
85ae2ea
Fixed connectivity properties unit tests to match the new API.
tanyaveksler Mar 19, 2023
e72081f
Aligned get_cube_dict to return str for all dimensions.
tanyaveksler Mar 19, 2023
458c373
Removed unused ICMPDataSet class and its unit tests.
tanyaveksler Mar 19, 2023
4fdeed5
Cleaner code using the new ConnectivityCube API.
tanyaveksler Mar 19, 2023
13fcaff
Added missing copy() in ConnectionSet.
tanyaveksler Mar 19, 2023
d58118c
Added missing copy() in ConnectionSet.
tanyaveksler Mar 19, 2023
61bcee2
Merge branch 'Optimized_HC_set' of https://github.com/IBM/network-con…
tanyaveksler Mar 19, 2023
52b3ec9
When running with -opt=debug, printing the original results of Connec…
tanyaveksler Mar 19, 2023
e38aff1
Made cleaner interface of ConnectivityCube class, using __setitem__, _…
tanyaveksler Mar 21, 2023
f5f579e
explain connectivity
shmfr Mar 21, 2023
5013659
Made cleaner interface of ConnectivityCube class, using __setitem__, _…
tanyaveksler Mar 21, 2023
90bbcee
explain connectivity
shmfr Mar 21, 2023
4119c29
Fixed lint error.
tanyaveksler Mar 21, 2023
9fef3ce
Small fix
tanyaveksler Mar 21, 2023
072701d
merge with HC branch
shmfr Mar 21, 2023
e59169f
Added documentation and small code beautifications.
tanyaveksler Mar 21, 2023
26904f8
Improved documentation.
tanyaveksler Mar 21, 2023
3aa9f52
Small fix.
tanyaveksler Mar 21, 2023
4797f3c
Moved empty dimension values to DimensionsManager.
tanyaveksler Mar 21, 2023
484bf2a
Moved empty dimension values to DimensionsManager.
tanyaveksler Mar 21, 2023
c221c3b
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
2cdb462
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
a6d62ff
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
c6ec427
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
495ac1e
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
1d952db
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
6e956bb
Fixed small errors.
tanyaveksler Mar 21, 2023
80613a8
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
df3afe1
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
380d379
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
70f1280
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
62bc9b9
Update nca/CoreDS/ConnectivityProperties.py
tanyaveksler Mar 21, 2023
ce3cbda
Update nca/Parsers/CalicoPolicyYamlParser.py
tanyaveksler Mar 21, 2023
66fecd8
Fixed lint errors.
tanyaveksler Mar 21, 2023
7d6a08c
Removed base_peer_set from ConnectivityProperties and ConnectivityCub…
tanyaveksler Mar 26, 2023
0aa712d
Merge branch 'master' into Optimized_HC_set
tanyaveksler Mar 26, 2023
c2ccbfa
Removed base_peer_set from ConnectivityProperties and ConnectivityCub…
tanyaveksler Mar 26, 2023
7e2e571
Added check to BasePeerSet.get_peer_interval_of that all peers are tr…
tanyaveksler Mar 26, 2023
cbcba8e
updates after merge with HC branch
shmfr Mar 27, 2023
ead46b3
updates after merge with HC branch
shmfr Mar 27, 2023
9420f5b
after second merge with HC branch
shmfr Mar 27, 2023
760e1da
removed unused function
shmfr Mar 27, 2023
4cc8de2
added some function descriptions
shmfr Mar 27, 2023
7fbc5ca
txt_no_fw_rules format added
shmfr Mar 28, 2023
75846e3
Added OptimizedPolicyConnections class to hold allowed, denied and pa…
tanyaveksler Apr 2, 2023
dca13d5
Fixed lint errors.
tanyaveksler Apr 2, 2023
17a5fe6
Merge branch 'master' into Optimized_HC_set
tanyaveksler Apr 2, 2023
51d8927
The BasePeerSet singleton should be reset in the main (for the cases …
tanyaveksler Apr 2, 2023
835fa33
Added support to calico PASS rules in optimized solution.
tanyaveksler Apr 2, 2023
ebe4006
Added support to calico PASS rules in optimized solution.
tanyaveksler Apr 2, 2023
10bceb8
Simplified calico parsing method to avoid lint error.
tanyaveksler Apr 2, 2023
5dc62e9
handling ipBlocks and base ip range
shmfr Apr 4, 2023
e200ebd
after merge with HC optimization branch
shmfr Apr 4, 2023
2d4f3c0
Merge with master
tanyaveksler Apr 16, 2023
49a4046
Generalized ServiceEntry implementation for optimized solution.
tanyaveksler Apr 16, 2023
736ea07
Fixing lint errors.
tanyaveksler Apr 16, 2023
9db0f91
xml support for explain_all and default-policy fix
shmfr Apr 18, 2023
fc01aa1
merge with HC branch
shmfr Apr 18, 2023
31ff805
Removed unused functions.
tanyaveksler Apr 18, 2023
2604eb6
Separated ConnectivityCube class to its own file.
tanyaveksler Apr 18, 2023
368bb78
Update nca/NetworkConfig/NetworkConfig.py
tanyaveksler Apr 18, 2023
c39f53f
Update nca/Resources/NetworkPolicy.py
tanyaveksler Apr 18, 2023
f5d1581
Added assertions avoiding incorrect comparisons of "src_peers" and "d…
tanyaveksler Apr 18, 2023
ec12351
Update nca/CoreDS/Peer.py
tanyaveksler Apr 18, 2023
9c8ffca
Update nca/CoreDS/ConnectionSet.py
tanyaveksler Apr 18, 2023
310a81d
Update nca/CoreDS/ConnectionSet.py
tanyaveksler Apr 18, 2023
bbee710
merge with HC branch
shmfr Apr 20, 2023
93a8ffc
Added shortcut function ConnectivityProperties.make_conn_props_from_d…
tanyaveksler Apr 23, 2023
e87c432
Merge branch 'master' into Optimized_HC_set
tanyaveksler Apr 23, 2023
e9edad9
Merge remote-tracking branch 'origin/Optimized_HC_set' into Optimized…
tanyaveksler Apr 23, 2023
0cbee6c
Fixed lint errors.
tanyaveksler Apr 23, 2023
2e70105
Code reuse optimization.
tanyaveksler Apr 23, 2023
1a84d7e
Update nca/NetworkConfig/NetworkLayer.py
tanyaveksler Apr 23, 2023
6d92ca7
Update nca/NetworkConfig/NetworkLayer.py
tanyaveksler Apr 23, 2023
21984e1
Update nca/NetworkConfig/NetworkLayer.py
tanyaveksler Apr 23, 2023
fd7bc60
Update nca/NetworkConfig/NetworkLayer.py
tanyaveksler Apr 23, 2023
64e5684
Removed unused functions and imports.
tanyaveksler Apr 23, 2023
f64b019
Merge remote-tracking branch 'origin/Optimized_HC_set' into Optimized…
tanyaveksler Apr 23, 2023
f3eeeba
Making more accurate default all properties, according to all peers i…
tanyaveksler Apr 23, 2023
2a2606b
output_endpoints support.
shmfr Apr 24, 2023
780f0ab
merge with HC
shmfr Apr 24, 2023
99a6b73
support ep modes
shmfr Apr 25, 2023
4f9c0c2
Documentation added
shmfr Apr 25, 2023
8b0e3ac
minor fix
shmfr Apr 25, 2023
802b3fc
use Expl' functions only when activated by user
shmfr Apr 27, 2023
0587e83
some lintings
shmfr Apr 27, 2023
ee4d341
supporting scheme files
shmfr May 9, 2023
7011930
support only text output formats and '[',']' in peer names
shmfr May 9, 2023
65763bf
merged with master
shmfr May 9, 2023
ea226af
linting
shmfr May 9, 2023
697e8ff
small fixes
shmfr May 11, 2023
70458d7
small fixes
shmfr May 12, 2023
6ba1d4f
adding beautifulsoup4 to requirements
shmfr May 14, 2023
429e653
Merge branch 'master' into explainability_with_HCS
shmfr May 14, 2023
42a7588
small fix
shmfr May 16, 2023
3716922
Merge branch 'explainability_with_HCS' of github.com:IBM/network-conf…
shmfr May 16, 2023
41982ec
use TCP conns when istio layer is present
shmfr May 16, 2023
8504efb
some fixes and improvements.
shmfr May 28, 2023
b39146e
extra line
shmfr May 29, 2023
70a9892
Merge remote-tracking branch 'origin/master' into explainability_with…
shmfr May 29, 2023
f0d1b37
adding test
shmfr May 30, 2023
10f0737
adding test
shmfr May 30, 2023
53e0180
changed 'run_all_tests' so opt parameter can be overridden by tests
shmfr May 30, 2023
f2c3a22
added expected results
shmfr May 30, 2023
c41fdb3
parsing xml without the need of lxml
shmfr Jun 1, 2023
2c0ac6c
parsing xml without the need of lxml
shmfr Jun 1, 2023
b876100
update expected results (for new xml parser)
shmfr Jun 1, 2023
c0f63da
update expected results and make it deterministic
shmfr Jun 1, 2023
793d935
Merge branch 'master' into explainability_with_HCS
shmfr Jun 4, 2023
a35a860
some fixes and new tests
shmfr Jun 6, 2023
857f9fe
Merge branch 'master' into explainability_with_HCS
shmfr Jun 6, 2023
6941aed
temp support in setting peers from the peer container, till fix will …
shmfr Jun 7, 2023
f3212bf
new expected results
shmfr Jun 7, 2023
53a2963
new expected results
shmfr Jun 7, 2023
89789d9
manually adding tests
shmfr Jun 7, 2023
c0b32de
manually updating test times
shmfr Jun 8, 2023
cd9d28f
fixed some testing env agnostic issues
shmfr Jun 8, 2023
92ce374
better handling of ipblocks and some small fixes.
shmfr Jun 8, 2023
c402d73
removing explanation for ipblocks
shmfr Jun 20, 2023
d835df7
adding policies in one place
shmfr Jun 20, 2023
b7ceb53
adding some documentations and test
shmfr Jun 20, 2023
895d75d
after merge with master
shmfr Jun 20, 2023
dea4134
updated expected results
shmfr Jun 21, 2023
c4761fc
fixed run_all_tests path problem
shmfr Jun 22, 2023
fd40627
duplicate line removed
shmfr Jun 22, 2023
cdaa329
updated tests and some docs.
shmfr Jun 26, 2023
658811e
little better explanation
shmfr Jun 27, 2023
7c6ac51
some small fixes
shmfr Jun 27, 2023
a468689
base_name added
shmfr Jul 3, 2023
224e43b
better documentation for using IP-blocks
shmfr Jul 3, 2023
cae6397
added a ip-block test
shmfr Jul 4, 2023
7dcfc67
base_name check
shmfr Jul 4, 2023
c33d88a
base_name check
shmfr Jul 4, 2023
43f494b
Merge remote-tracking branch 'origin/master' into explainability_with…
shmfr Jul 4, 2023
2a6e68f
base_name and sync
shmfr Jul 4, 2023
2 changes: 1 addition & 1 deletion docs/SchemeFileFormat.md
@@ -86,7 +86,7 @@ The supported entries in the outputConfiguration object are as follows:
| subset | A dict object with the defined subset elements to display in the output | [subset](#subset) object |
| fullExplanation | Choose if to print all counterexamples causing the query result in the output | bool |
| excludeIPv6Range | If the policies of the config do not contain any IPv6 addresses, do not include IPv6 range in the query results | bool [default: True] |

| explain |A pair of node names to explain the policies affecting their connection or lack of it. When 'ALL' is supplied, all the pairs in the topology are explained.| string [ ns/node1,ns/node2 / ALL ] |
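Review bot: the new `explain` row should say which output formats carry the explanation, since the runner only appends it when `ExplTracker().is_output_format_supported(outputFormat)` holds (see the `NetworkConfigQueryRunner.py` hunk in this PR); a reader of the scheme-file docs who sets `explain` together with a json or yaml output will otherwise wonder why nothing appears. Also match the other rows' cell spacing: `| explain | A pair of node names ...` rather than `| explain |A pair ...`.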
adisos marked this conversation as resolved.

#### <a name="subset"></a>Subset object
The supported entries in the subset object are as follows:
2 changes: 1 addition & 1 deletion nca/FWRules/ConnectivityGraph.py
@@ -343,7 +343,7 @@ def get_connectivity_dot_format_str(self, connectivity_restriction=None):

dot_graph = DotGraph(name)
peers_groups = self._get_equals_groups()
# we are going to treat a a peers_group as one peer.
# we are going to treat a peers_group as one peer.
# the first peer in the peers_group is representing the group
# we will add the text of all the peers in the group to this peer
for peers_group, group_connection in peers_groups:
3 changes: 2 additions & 1 deletion nca/FWRules/FWRule.py
@@ -383,7 +383,8 @@ def get_pod_str(self):
"""
:return: string for the field src_pods or dst_pods in representation for txt rule format
"""
return f'[{self._get_pods_names()}]'
sorted_pods_names = ', '.join(sorted(self._get_pods_names().split(', ')))
return f'[{sorted_pods_names}]'

def _get_pods_names(self):
res = ''
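Review bot: sorting by splitting the already-joined string on `', '` and joining it again is a round trip; `_get_pods_names` builds that string from the individual names, so sort there (`sorted(...)` over the names before concatenation) and leave `get_pod_str` as the one-liner it was. As written, any change to the separator in `_get_pods_names` silently stops the sort from doing anything.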
2 changes: 1 addition & 1 deletion nca/FWRules/InteractiveConnectivityGraph.py
@@ -127,7 +127,7 @@ def read_input_file(self):
"""
try:
with open(self.input_svg_file) as svg_file:
self.soup = BeautifulSoup(svg_file.read(), 'xml')
self.soup = BeautifulSoup(svg_file.read(), 'html')
except Exception as e:
print(f'Failed to open file: {self.input_svg_file}\n{e} for reading', file=sys.stderr)
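Review bot: `'html'` is a BeautifulSoup feature name rather than a parser, so it resolves to whichever HTML builder is installed (lxml, html5lib, or the stdlib `html.parser`) and the parse can differ between environments; if the point is to drop the lxml dependency, name `'html.parser'` explicitly. Note too that HTML parsing lowercases tag and attribute names, which the `'xml'` feature did not; SVG attributes such as `viewBox` are case-sensitive, so the rewritten SVG should be checked in a browser. The `except Exception` that only prints also leaves `self.soup` unset for the code that follows.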

3 changes: 3 additions & 0 deletions nca/FileScanners/GenericTreeScanner.py
@@ -21,6 +21,7 @@ class YamlFile:

class ObjectWithLocation:
line_number = 0
path = ''
column_number = 0


@@ -36,13 +37,15 @@ def to_yaml_objects(yaml_node):
if isinstance(yaml_node, yaml.SequenceNode):
res = YamlList()
res.line_number = yaml_node.start_mark.line
res.path = yaml_node.start_mark.name
res.column_number = yaml_node.start_mark.column
for obj in yaml_node.value:
res.append(to_yaml_objects(obj))
return res
if isinstance(yaml_node, yaml.MappingNode):
res = YamlDict()
res.line_number = yaml_node.start_mark.line + 1
res.path = yaml_node.start_mark.name
res.column_number = yaml_node.start_mark.column + 1
for obj in yaml_node.value:
res[obj[0].value] = to_yaml_objects(obj[1])
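Review bot: `yaml_node.start_mark.name` is the stream name PyYAML recorded when the document was loaded: it is a path only if the loader was given a file object (it takes the object's `.name`) or a name was passed explicitly; for YAML loaded from a `str` it is the literal `<unicode string>`, and for `bytes` it is `<byte string>`. A test asserting that the `path` recorded here is a real file path would catch that, since the explanation output presumably prints it. Visible in the same hunk and worth a follow-up: the sequence branch stores `start_mark.line` and `start_mark.column` unadjusted while the mapping branch stores both `+ 1`, so positions differ by one between lists and dicts.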
3 changes: 3 additions & 0 deletions nca/NetworkConfig/NetworkConfig.py
@@ -9,6 +9,7 @@
from nca.CoreDS.ConnectivityProperties import ConnectivityProperties
from nca.Resources.NetworkPolicy import NetworkPolicy, OptimizedPolicyConnections
from .NetworkLayer import NetworkLayersContainer, NetworkLayerName
from nca.Utils.ExplTracker import ExplTracker


@dataclass
@@ -275,6 +276,8 @@ def allowed_connections_optimized(self, layer_name=None):
:return: allowed_conns: all allowed connections for relevant peers.
:rtype: OptimizedPolicyConnections
"""
if ExplTracker().is_active():
ExplTracker().set_peers(self.peer_container.peer_set)
if layer_name is not None:
if layer_name not in self.policies_container.layers:
return self.policies_container.layers.empty_layer_allowed_connections_optimized(self.peer_container,
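Review bot: `ExplTracker()` is called twice in the two new lines, and the same `if ExplTracker().is_active(): ExplTracker().xxx(...)` pattern recurs throughout this PR; if it is a singleton, bind it once per call site (`tracker = ExplTracker()`). Also check what `set_peers` does on repeated calls: `allowed_connections_optimized` runs once per layer (the `layer_name` branch just below), so the peer set is set again on each call; overwriting is fine, accumulating would duplicate peers.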
30 changes: 28 additions & 2 deletions nca/NetworkConfig/NetworkConfigQuery.py
@@ -24,6 +24,7 @@
PoliciesAndRulesExplanations, PodsListsExplanations, ConnectionsDiffExplanation, IntersectPodsExplanation, \
PoliciesWithCommonPods, PeersAndConnections, ComputedExplanation
from .NetworkLayer import NetworkLayerName
from nca.Utils.ExplTracker import ExplTracker


class QueryType(Enum):
@@ -833,11 +834,15 @@ def compute_connectivity_output_optimized(self):
ConnectivityProperties.make_conn_props_from_dict({"dst_peers": subset_peers})
all_conns_opt &= subset_conns
all_conns_opt = self.filter_conns_by_peer_types(all_conns_opt, opt_peers_to_compare)
expl_conns = all_conns_opt
if self.config.policies_container.layers.does_contain_layer(NetworkLayerName.Istio):
output_res, opt_fw_rules_tcp, opt_fw_rules_non_tcp = \
self.get_props_output_split_by_tcp(all_conns_opt, opt_peers_to_compare)
expl_conns, _ = self.convert_props_to_split_by_tcp(all_conns_opt)
Member
What about non-tcp conns?

Collaborator Author

At this phase, when Istio is present, we 'explain' only the tcp connections.

else:
output_res, opt_fw_rules = self.get_props_output_full(all_conns_opt, opt_peers_to_compare)
if ExplTracker().is_active():
ExplTracker().set_connections_and_peers(expl_conns, subset_peers)
return output_res, opt_fw_rules, opt_fw_rules_tcp, opt_fw_rules_non_tcp

def exec(self):
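Review bot: in the Istio branch the non-TCP half of `convert_props_to_split_by_tcp` is thrown away (`expl_conns, _ = ...`), so, as the thread above says, only TCP connectivity is explained when an Istio layer is present. A user who asks to explain a pair whose only allowed connections are non-TCP will get an answer computed from the TCP-only set with nothing telling them so; at least leave a TODO on that line and have the explanation output state that non-TCP is not covered for Istio configs. Also, `set_connections_and_peers` receives `subset_peers` while the fw-rules are computed over `opt_peers_to_compare`; confirm those are meant to differ.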
@@ -922,7 +927,9 @@ def get_props_output_full(self, props, peers_to_compare):
if self.output_config.outputFormat in ['dot', 'jpg']:
dot_full = self.dot_format_from_props(props, peers_to_compare)
return dot_full, None
# TODO - handle 'txt_no_fw_rules' output format
if self.output_config.outputFormat == 'txt_no_fw_rules':
conns_wo_fw_rules = self.txt_no_fw_rules_format_from_props(props, peers_to_compare)
return conns_wo_fw_rules, None
# handle other formats
formatted_rules, fw_rules = self.fw_rules_from_props(props, peers_to_compare)
return formatted_rules, fw_rules
@@ -988,7 +995,12 @@ def get_props_output_split_by_tcp(self, props, peers_to_compare):
# concatenate the two graphs into one dot file
res_str = dot_tcp + dot_non_tcp
return res_str, None, None
# TODO - handle 'txt_no_fw_rules' output format
if self.output_config.outputFormat in ['txt_no_fw_rules']:
txt_no_fw_rules_tcp = self.txt_no_fw_rules_format_from_props(props_tcp, peers_to_compare, connectivity_tcp_str)
txt_no_fw_rules_non_tcp = self.txt_no_fw_rules_format_from_props(props_non_tcp, peers_to_compare,
connectivity_non_tcp_str)
res_str = txt_no_fw_rules_tcp + txt_no_fw_rules_non_tcp
return res_str, None, None
# handle formats other than dot and txt_no_fw_rules
formatted_rules_tcp, fw_rules_tcp = self.fw_rules_from_props(props_tcp, peers_to_compare, connectivity_tcp_str)
formatted_rules_non_tcp, fw_rules_non_tcp = self.fw_rules_from_props(props_non_tcp, peers_to_compare,
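Review bot: `res_str = txt_no_fw_rules_tcp + txt_no_fw_rules_non_tcp` joins the two text sections with no separator, so unless `get_connections_without_fw_rules_txt_format` always ends its output with a newline the last TCP line and the non-TCP header run together (the `dot_tcp + dot_non_tcp` concatenation above has the same shape, but dot is whitespace-tolerant). Minor: this hunk tests `outputFormat in ['txt_no_fw_rules']` while `get_props_output_full` tests `== 'txt_no_fw_rules'`; use one form in both.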
@@ -1055,6 +1067,20 @@ def dot_format_from_props(self, props, peers, connectivity_restriction=None):
conn_graph.add_edges_from_cube_dict(props.get_connectivity_cube(cube), self.config.peer_container)
return conn_graph.get_connectivity_dot_format_str(connectivity_restriction)

def txt_no_fw_rules_format_from_props(self, props, peers, connectivity_restriction=None):
"""
:param ConnectivityProperties props: properties describing allowed connections
:param PeerSet peers: the peers to consider for dot output
:param Union[str,None] connectivity_restriction: specify if connectivity is restricted to
TCP / non-TCP , or not
:rtype str
:return the connectivity map in txt_no_fw_rules format, considering connectivity_restriction if required
"""
conn_graph = ConnectivityGraph(peers, self.config.get_allowed_labels(), self.output_config)
for cube in props:
conn_graph.add_edges_from_cube_dict(props.get_connectivity_cube(cube), self.config.peer_container)
return conn_graph.get_connections_without_fw_rules_txt_format(connectivity_restriction)

def fw_rules_from_connections_dict(self, connections, peers_to_compare, connectivity_restriction=None):
"""
:param dict connections: the connections' dict (map from connection-set to peer pairs)
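Review bot: `txt_no_fw_rules_format_from_props` repeats the graph-building of `dot_format_from_props` line for line (compare the two `conn_graph` lines at the top of the hunk); a `_conn_graph_from_props(props, peers)` helper called by both would keep them from drifting apart. The docstring was also copied over unchanged and still says `the peers to consider for dot output`.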
14 changes: 10 additions & 4 deletions nca/NetworkConfig/NetworkConfigQueryRunner.py
@@ -11,6 +11,7 @@
from nca.Resources.NetworkPolicy import NetworkPolicy
from .NetworkConfig import NetworkConfig
from . import NetworkConfigQuery
from nca.Utils.ExplTracker import ExplTracker


@dataclass
@@ -40,9 +41,9 @@ def compute_final_results(self, output_format):
extracts the final query results from self variables
from self.query_iterations_output computes the final str output of the query,
other results returned as is from query_result.
:param str output_format: the output format to form the final output
if output format is json, dumps the output list into one-top-leveled string
if output format is yaml, dumps the output list into str of a list of yaml objects
:param str output_format: the output format to form the final output.
if output format is json, dumps the output list into one-top-leveled string.
if output format is yaml, dumps the output list into str of a list of yaml objects.
otherwise, writes the output list items split by \n
:return the results: numerical result, output - str , num of not executed
:rtype: int, str, int
@@ -169,7 +170,12 @@ def _run_query_for_each_config(self):
query_result = QueryResult()
for config in self.configs_array:
query_result.update(self._execute_one_config_query(self.query_name, self._get_config(config)))
return query_result.compute_final_results(self.output_configuration.outputFormat)
expl_out = ''
if ExplTracker().is_active() and self.output_configuration.explain and \
ExplTracker().is_output_format_supported(self.output_configuration.outputFormat):
expl_out = ExplTracker().explain(self.output_configuration.explain.split(','))
numerical_result, output, num_not_executed = query_result.compute_final_results(self.output_configuration.outputFormat)
return numerical_result, output + expl_out, num_not_executed

def _run_query_on_configs_vs_base_config(self, cmd_line_flag):
query_result = QueryResult()
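Review bot: `self.output_configuration.explain.split(',')` does not strip whitespace, so `explain: ns/a, ns/b` in a scheme file (the natural way to write a pair) hands `' ns/b'` to the tracker and the lookup fails; use `[s.strip() for s in self.output_configuration.explain.split(',')]`. The `is_output_format_supported` check is what keeps `output + expl_out` from appending plain text to a json or yaml document, so when `explain` is set but the format is unsupported the user should get a warning rather than a silently missing explanation.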
35 changes: 35 additions & 0 deletions nca/NetworkConfig/NetworkLayer.py
@@ -12,6 +12,7 @@
from nca.CoreDS.ProtocolSet import ProtocolSet
from nca.Resources.IstioNetworkPolicy import IstioNetworkPolicy
from nca.Resources.NetworkPolicy import PolicyConnections, OptimizedPolicyConnections, NetworkPolicy
from nca.Utils.ExplTracker import ExplTracker


# TODO: add a layer for connectivity based on service type (culsterIP / LB / NodePort)? / containers ports?
@@ -252,6 +253,17 @@ def collect_policies_conns_optimized(self, is_ingress, captured_func=lambda poli
"""
res_conns = OptimizedPolicyConnections()
for policy in self.policies_list:
# Track the peers that were affected by this policy
if ExplTracker().is_active():
for peer in policy.selected_peers:
src_peers, _ = ExplTracker().extract_peers(policy.optimized_allow_ingress_props)
_, dst_peers = ExplTracker().extract_peers(policy.optimized_allow_egress_props)
Member

What about policy.optimized_deny_ingress_props and policy.optimized_deny_egress_props? They may also explain a lack of connections between certain peers

Collaborator Author

In the case of lack of connectivity we show all the policies that affect the queried peers, since also a typo in a 'non deny' policy may cause the lack of connectivity.

adisos marked this conversation as resolved.
peer_name = peer.full_name()
ExplTracker().add_peer_policy(peer_name,
policy.name,
dst_peers,
src_peers,
)
policy_conns = policy.allowed_connections_optimized(is_ingress)
if policy_conns.captured: # not empty
if captured_func(policy):
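Review bot: the two `extract_peers` calls inside `for peer in policy.selected_peers:` do not depend on `peer`, so they recompute the same result once per selected peer; hoist them above the loop. Also, `add_peer_policy(peer_name, policy.name, dst_peers, src_peers)` passes the peer sets in the opposite order from the one they were extracted in (`src_peers` from the ingress props, `dst_peers` from the egress props); confirm the signature really takes dst first, because a swap here would go unnoticed.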
@@ -309,6 +321,12 @@ def _allowed_xgress_conns_optimized(self, is_ingress, peer_container):
else:
conn_cube.update({"src_peers": not_captured_not_hep, "dst_peers": all_peers_and_ips})
not_captured_not_hep_conns = ConnectivityProperties.make_conn_props(conn_cube)
if ExplTracker().is_active():
src_peers, dst_peers = ExplTracker().extract_peers(not_captured_not_hep_conns)
ExplTracker().add_default_policy(src_peers,
dst_peers,
is_ingress
)
res_conns.all_allowed_conns |= not_captured_not_hep_conns

captured_not_hep = base_peer_set_no_hep & res_conns.captured
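Review bot: `add_default_policy` is now called from three places in this function plus the Ingress layer's version below, each with the peers of a different non-captured property set; if the tracker does not merge repeated calls for the same `is_ingress`, an explained pair that falls into more than one of those sets will list the default policy more than once. Either make `add_default_policy` idempotent or collect the non-captured conns into one set and call it once at the end of the function.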
@@ -370,12 +388,14 @@ def _allowed_xgress_conns_optimized(self, is_ingress, peer_container):
"dst_peers": non_captured_peers})
res_conns.all_allowed_conns |= all_nc_conns - res_conns.denied_conns
non_captured_dns_entries = dns_entries - res_conns.captured
non_captured_conns = all_nc_conns - res_conns.denied_conns
if non_captured_dns_entries:
# update allowed non-captured conns to DNSEntry dst with TCP only
all_nc_dns_conns = \
ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_peers_and_ips,
"dst_peers": non_captured_dns_entries,
"protocols": tcp_protocol})
non_captured_conns |= all_nc_dns_conns
res_conns.all_allowed_conns |= all_nc_dns_conns
else:
nc_all_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": non_captured_peers,
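Review bot: `non_captured_conns = all_nc_conns - res_conns.denied_conns` recomputes the subtraction performed one line earlier in `res_conns.all_allowed_conns |= all_nc_conns - res_conns.denied_conns`; compute it once into `non_captured_conns` and `|=` that into `all_allowed_conns`, which also makes the tracked set and the allowed set identical by construction rather than by keeping two expressions in step. The `else` branch in the next hunk has the same shape.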
@@ -385,7 +405,15 @@ def _allowed_xgress_conns_optimized(self, is_ingress, peer_container):
nc_dns_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": non_captured_peers,
"dst_peers": dns_entries,
"protocols": tcp_protocol})
non_captured_conns = nc_all_conns - res_conns.denied_conns
non_captured_conns |= nc_dns_conns
res_conns.all_allowed_conns |= nc_dns_conns
if ExplTracker().is_active():
src_peers, dst_peers = ExplTracker().extract_peers(non_captured_conns)
ExplTracker().add_default_policy(src_peers,
dst_peers,
is_ingress
)
return res_conns
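Review bot: the `if ExplTracker().is_active(): ... add_default_policy(src_peers, dst_peers, is_ingress)` block now appears three times in this file with the same shape; a small helper such as `_track_default_conns(conns, is_ingress)` would keep the three in step and give the tracker one entry point to make idempotent. `non_captured_conns` is assigned in both arms of the `if non_captured_dns_entries` / `else` and only read after it, so the call here is safe as written.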


@@ -406,6 +434,7 @@ def _allowed_xgress_conns_optimized(self, is_ingress, peer_container):
res_conns = OptimizedPolicyConnections()
all_peers_and_ips = peer_container.get_all_peers_group(True)
all_peers_no_ips = peer_container.get_all_peers_group()
non_captured_conns = None
if is_ingress:
# everything is allowed and non captured
non_captured_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": all_peers_and_ips,
@@ -418,4 +447,10 @@ def _allowed_xgress_conns_optimized(self, is_ingress, peer_container):
non_captured_conns = ConnectivityProperties.make_conn_props_from_dict({"src_peers": non_captured_peers,
"dst_peers": all_peers_and_ips})
res_conns.all_allowed_conns = res_conns.allowed_conns | non_captured_conns
if non_captured_conns and ExplTracker().is_active():
src_peers, dst_peers = ExplTracker().extract_peers(non_captured_conns)
ExplTracker().add_default_policy(src_peers,
dst_peers,
is_ingress
)
return res_conns
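Review bot: the `non_captured_conns = None` initialisation in the previous hunk suggests some path leaves it unset, but both the `if is_ingress` arm and the `else` arm assign it; if so, drop the default, and the `if non_captured_conns and ...` guard then becomes a truthiness test on a `ConnectivityProperties` value, which only means "non-empty" if the class defines `__bool__` and is otherwise always true. Prefer an explicit emptiness check (whichever method the class provides) so the intent, skip empty non-captured conns, is visible.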